Penetration Testing mailing list archives
Re: Security and VPN
From: Robert Hagen <rdh () stealthllama org>
Date: Tue, 19 Jun 2007 10:16:36 -0400
Sohail,

As you've pointed out, the risks are much greater than authentication and access control. Each endpoint is a potential exposure. User workstations (particularly personally owned computers) are often unpatched, unprotected, and exposed to a constant barrage of intrusion attempts over broadband connections. In order to secure the VPN connection, you have to secure that endpoint.
Network admission control is a nice fit here. There are many different desktop agents that can be used to verify the integrity of their host computer before it is allowed through the VPN. They can be customized to check for patches, a working anti-virus agent, and any other conditions you deem necessary. Many of these NAC solutions will even provide a mechanism to automatically remediate hosts that fail their integrity checks, or put them in a network quarantine where help desk or IT support personnel can work with the user to correct their configuration.
Another consideration would be to disable "split-tunneling" on your VPN solution. If split-tunneling is enabled, the host can simultaneously route traffic to their local network (and the Internet) as well as through the VPN tunnel. This effectively extends your network perimeter to that host. Are you willing to make that host a perimeter firewall? Probably not. If a user needs to connect to the VPN, that should be the only network access they have for the duration of that VPN session.
This combination of endpoint security and network segregation has worked well for me. I'm sure there are other considerations out there that may help as well. Hopefully this helps to address your concerns.
Regards,
-Bob-

On Jun 18, 2007, at 9:08 AM, Sohail Sarwar wrote:
Hi there, I just wanted to put this out there. How secure is VPN? Meaning, if my users take home the client and install it on their desktop at home, and connect to the corporate network and production network, what are we really looking at? Are they secure or not? Two-factor authentication would only help the authentication purpose and protect the user name and password? How about restricting their access, and how about worrying about their home computer that can be affected? Has anyone been through this? Has anyone given home users a list of requirements that they must have before VPN can be offered to them? Should there be some type of desktop policy installed on their home computer, just to protect the company network? Any help and guidance would be great.

Regards,
Sohail
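The two controls Bob recommends, a NAC-style integrity check of the endpoint (patch age, anti-virus running and current) and refusing clients that have split tunneling enabled, can be expressed as a small policy evaluator. The following is an added example and is not code from the list post or from any NAC product; the `HostReport` fields, the `Policy` thresholds and the sample hosts are all constructed for illustration, and a real deployment would populate the report from an endpoint agent rather than from literals.

```python
"""Endpoint posture evaluation in the spirit of the NAC approach
described in the post. Added example; all host data is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass
class HostReport:
    """What a (hypothetical) desktop agent would report about its host."""
    hostname: str
    last_patch: date        # date of the most recent OS patch install
    av_running: bool        # anti-virus agent process is alive
    av_signatures: date     # date of the installed AV signature set
    split_tunnel: bool      # client routes non-VPN traffic locally


@dataclass
class Policy:
    """Admission thresholds; values are assumptions, tune to your environment."""
    max_patch_age_days: int = 30
    max_signature_age_days: int = 7
    allow_split_tunnel: bool = False   # per the post: keep split tunneling off


def evaluate(report: HostReport, policy: Policy, today: date) -> Tuple[str, List[str]]:
    """Return (verdict, reasons).

    'allow'      - host meets every check
    'quarantine' - integrity check failed; host goes to a remediation network
    'deny'       - configuration violation (split tunneling) that remediation
                   cannot fix while the session is up, so no access at all
    """
    reasons: List[str] = []

    if today - report.last_patch > timedelta(days=policy.max_patch_age_days):
        reasons.append(f"OS patches older than {policy.max_patch_age_days} days")

    if not report.av_running:
        reasons.append("anti-virus agent not running")
    elif today - report.av_signatures > timedelta(days=policy.max_signature_age_days):
        reasons.append(f"AV signatures older than {policy.max_signature_age_days} days")

    split_violation = report.split_tunnel and not policy.allow_split_tunnel
    if split_violation:
        reasons.append("split tunneling enabled")

    if split_violation:
        return "deny", reasons
    if reasons:
        return "quarantine", reasons
    return "allow", reasons


def summarize(hosts: List[HostReport], policy: Policy, today: date) -> Dict[str, str]:
    """Map each hostname to its admission verdict."""
    return {h.hostname: evaluate(h, policy, today)[0] for h in hosts}


# Constructed sample data; the date matches the thread, nothing else is real.
TODAY = date(2007, 6, 19)
SAMPLE_HOSTS = [
    HostReport("laptop-01", date(2007, 6, 10), True, date(2007, 6, 18), False),
    HostReport("home-pc-02", date(2007, 3, 1), True, date(2007, 6, 18), False),
    HostReport("home-pc-03", date(2007, 6, 15), False, date(2007, 6, 1), True),
]

if __name__ == "__main__":
    policy = Policy()
    for host in SAMPLE_HOSTS:
        verdict, reasons = evaluate(host, policy, TODAY)
        print(f"{host.hostname}: {verdict}" + (f" ({'; '.join(reasons)})" if reasons else ""))
```

Run as-is, the script admits `laptop-01`, quarantines `home-pc-02` for stale patches, and denies `home-pc-03` because split tunneling is on (its missing anti-virus agent is reported as well). Ordering the split-tunnel check as a hard deny rather than a quarantine follows the post's reasoning: a quarantine network can push patches and signatures to a host, but it cannot undo the fact that the host is currently bridging your network to its local one.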
