Network Security Security-Basics
Re: How secure is VPN access?

Subject: Re: How secure is VPN access?
Date: Thu, 18 Nov 2004 22:43:03 -0600
This is definitely a legitimate concern.  However, many of the newer
commercial VPN clients come with a "policy enforcement" add-on
specifically to address this.  What this does is check your OS patch
levels to be sure they are current and that the OS version is
acceptable.  For example, we don't allow Windows 95 or 98.  It also
checks to see if the antivirus software is 1) installed 2) the correct
version 3) active 4) has updates no older than <fill in # of days that
makes you feel warm and fuzzy> and 5) has scanned the machine within
an appropriate time frame.  The list of things that must be
"acceptable" is quite long.

My advice is that you should continue to allow your home users to use
VPN. HOWEVER, you should shift as many services to web based
applications as possible.  You should also be handing out a free copy
of AV software to your employees to be installed on the machine along
with your new policy-based VPN client.  You may also wish to have them
install some patch management software so that you can force updates
to the OS and upgrades to the antivirus software remotely when they
connect via VPN.

In addition, laptops don't alleviate the issue.  They worsen it.  Now
you have users that aren't just using the computer at home.  They go
up to the public library.  They go to Starbucks.  They go to the
apartment complex pool and use the wireless there.  Now, instead of
only being exposed to whatever's on their cable modem segment like a
static computer, they're mobile now so they end up exposed to an order of
magnitude more nasty little critters. I know because I work for a
University with a large wireless network.  I've seen what floats
around out there.  The really lovely part is that once they're done
gathering up every virus, downloading every Trojan, and installing
every back door and piece of spyware known to man, they're going to
bring that in to the office, sans the policy based VPN client, and
plug straight in to the wall socket.  That's what laptops do for you.

Prime example, we had one laptop user who returned from a rambling
trip abroad.  He came to the Help Desk because his computer "was
really slow".  He'd picked up 746 different viruses over the course of
the summer and mostly from using dial up access in various hotels in
Europe and Asia.   Oddly, right after this (like 5 minutes later), we
had an extreme virus outbreak that took down a portion of one of our
network segments.  It seems that the 746 viruses that laptop was
carrying weren't content to live on his hard drive and squabble
amongst themselves.  Since his laptop was slow, he decided to forgo
his wireless card and use the cable from his computer to plug in his
on board NIC.


On Thu, 18 Nov 2004 00:11:58 -0500, dave kleiman <dave@isecureu.com> wrote:
Cesar,

Would you allow a user to bring their home computer to the office, and just hand
them an IP and allow them full network access?

Do your users have access to network resources through the VPN?

They can spread viruses, Trojans etc. to the network from the VPN.

No, you definitely should not let home computers access the VPN, you should
have complete control of the systems that do access via VPN and keep them
up-to-date, etc.

Citrix is a different story, as long as you restrict drive and port
redirection, it can be a "better-controlled" situation.

______________________________________
Dave Kleiman, CISSP, CISM, CIFI, MCSE
www.SecurityBreachResponse.com

-----Original Message-----
From: Cesar Diaz [mailto:cdiaz00@gmail.com]
Sent: Wednesday, November 17, 2004 11:39
To: security-basics@securityfocus.com
Subject: How secure is VPN access?

List,

After years of having VPN access for our remote users without a single known
security incident, my boss and I have to justify to her boss why VPN is
secure.

The CIO wants us to only allow users to access the network from company
laptops, not from their own home computers.  We currently will allow users
to install the VPN client software on their home computers to connect
remotely, or they can use Citrix through SSL access to get to network
resources.  His concern is that if a user's home PC is compromised, that
compromise can spread to our network.

Is this a legitimate concern?  Can anyone point me in the direction of some
documentation backing either argument?

Thanks in advance for any help.

C




-- 
Thanks,

Jimi
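
The "policy enforcement" checks listed in the reply at the top of this thread (OS version, patch level, and the five antivirus conditions), as an added example that is not part of the original posts and not any vendor's client code. The report fields, check names and thresholds are hypothetical, and the sample reports are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Policy:
    # Hypothetical thresholds; the post leaves the actual numbers to the admin.
    blocked_os: frozenset = frozenset({"Windows 95", "Windows 98"})
    max_patch_age: timedelta = timedelta(days=30)
    min_av_version: tuple = (9, 0)
    max_signature_age: timedelta = timedelta(days=7)
    max_scan_age: timedelta = timedelta(days=14)

def _stale(ts, limit, now):
    # Fail closed: a missing or future-dated timestamp counts as stale.
    return ts is None or ts > now or now - ts > limit

def evaluate(report, policy, now):
    """Return the names of failed checks; an empty list means admit."""
    failed = []
    if report.get("os") is None or report["os"] in policy.blocked_os:
        failed.append("os_version")
    if _stale(report.get("last_patch"), policy.max_patch_age, now):
        failed.append("os_patches")
    av = report.get("av")
    if not av:
        # Without an AV product the remaining four checks cannot pass.
        return failed + ["av_installed"]
    if tuple(av.get("version", (0,))) < policy.min_av_version:
        failed.append("av_version")
    if not av.get("active", False):
        failed.append("av_active")
    if _stale(av.get("signatures"), policy.max_signature_age, now):
        failed.append("av_updates")
    if _stale(av.get("last_scan"), policy.max_scan_age, now):
        failed.append("av_scan")
    return failed

# Constructed sample reports, as a VPN client might submit at connect time.
NOW = datetime(2004, 11, 18, 22, 0)
HEALTHY = {"os": "Windows XP", "last_patch": NOW - timedelta(days=5),
           "av": {"version": (9, 1), "active": True,
                  "signatures": NOW - timedelta(days=1),
                  "last_scan": NOW - timedelta(days=3)}}
TRAVEL_LAPTOP = {"os": "Windows XP", "last_patch": NOW - timedelta(days=95),
                 "av": {"version": (9, 1), "active": False, "last_scan": None,
                        "signatures": NOW - timedelta(days=90)}}
HOME_PC = {"os": "Windows 98", "last_patch": None, "av": None}
for name, r in (("healthy", HEALTHY), ("travel", TRAVEL_LAPTOP), ("home", HOME_PC)):
    print(name, evaluate(r, Policy(), NOW) or "admit")
```

Returning the full list of failed checks, rather than a single pass/fail bit, lets the gateway tell the user what to remediate before reconnecting.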
