Yes, it's legitimate.
Many companies terminate their VPNs directly on the internal network.
A better practice is to terminate in a DMZ, so that traffic between VPN
clients and the secured network is filtered through a firewall and/or
IDS.
Some VPNs can be configured to allow "split tunnelling", where the
remote client only uses the tunnel for traffic to/from the secured
network, and doesn't use the tunnel for other Internet traffic. Although
this makes efficient use of bandwidth, it opens up the possibility that
a VPN client machine, if compromised, could act as a proxy gateway between
the two, bypassing your other perimeter security measures. Split
tunnelling,
if available, should be turned off.
Several recent VPN offerings have begun including facilities to verify
up-to-date antivirus and other security configuration on remote clients
before allowing connection. I think that this is a good way to address
your CIO's concerns while continuing to provide access for your users.
David Gillett
-----Original Message-----
From: Cesar Diaz [mailto:cdiaz00@gmail.com]
Sent: Wednesday, November 17, 2004 8:39 AM
To: security-basics@securityfocus.com
Subject: How secure is VPN access?
List,
After years of having VPN access for our remote users without a single
know security incident, my boss and I have to justify to her boss why
VPN is secure.
The CIO wants us to only allow users to access the network from
company laptops, not from their own home computers. We currently will
allow users to install the VPN client software on their home computers
to connect remotely, or they can use Citrix through SSL access to get
to network resources. His concern is that if a users home PC is
compromised, that compromise can spread to our network.
Is this a legitimate concern? Can anyone point me in the direction of
some documentation backing either argument?
Thanks in advance for any help.
C
