
RE: How safe is a VPN connexion from within an internal network?

Subject: RE: How safe is a VPN connexion from within an internal network?
Date: Tue, 21 Nov 2006 09:39:27 -0500
Pierre,

A VPN connection between business partners is very common.  Is it safe?
The session will be encrypted between end points of the connection, so
it is safe from eavesdropping between end points.

However, to ensure it is safe for the workstation on your network, you
will want to disable split tunneling.  This means that all of the
network traffic will go through the VPN, none on your LAN.  So, the
workstation on your LAN will in essence no longer be on your LAN during
the connection.  This will prevent "IP reachability" (TM) from their
LAN into yours.  The workstation also will not be able to print to your
LAN during this time.

Once the connection is established, you will have an IP address on their
network, so yes, a host on the external network can access your box if
their router|firewall rules allow it.  Make sure your box is fully
patched and shares secured.  If you know the IP addresses that you need
to reach, you should configure a firewall to allow traffic only to and
from those IPs on the ports you'll need.

Frequently, the VPN IP addressing scheme is different from the internal
LAN IP addressing scheme and a router|firewall is used to control access
on both ends.

The VPN client initiates the connection, and during the session, you are
exposed to the other LAN.  Once the client terminates the session, the
other end cannot re-initiate the session.  The VPN connection will most
likely be terminating at a firewall or concentrator.  As you will be the
client, not the server, they cannot attach to you, you attach to them.

A site to site VPN would allow connectivity for more than one host.  If
you only need access from one workstation, go with the VPN client
solution.

Kind Regards,
Scott Ramsdell

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of PIERRE.DUFRESNE@MESS.GOUV.QC.CA
Sent: Monday, November 20, 2006 10:47 AM
To: security-basics@lists.securityfocus.com
Subject: How safe is a VPN connexion from within an internal network?

Hi all!

I have been asked to install a vpn client on a workstation inside our
network that would access another network through our firewall.
Besides the technical details of allowing IPSec traffic through a NATed
device,  I was wondering how safe is this practice? Is it done often?
Once the connexion is established, can a host on the external network
access the workstation inside my network, ie initiate a connexion?
Should I rather go with a "site to site" vpn connexion?

Thanks for your time

Pierre 


------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic
Excellence 
in Information Security. Our program offers unparalleled Infosec
management 
education and the case study affords you unmatched consulting
experience. 
Using interactive e-Learning technology, you can earn this esteemed
degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---
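
An added example, not part of the original message: one way to check that split tunneling really is disabled on the workstation is to resolve a few probe addresses against its routing table and confirm that everything except the tunnel peer leaves through the VPN interface. The interface names (`vpn0`, `eth0`), the addresses and both routing tables are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Route(NamedTuple):
    dest: str    # destination prefix in CIDR form
    iface: str   # egress interface
    metric: int  # lower metric wins among equal prefix lengths

def egress(routes, addr):
    """Pick the route for addr: longest prefix first, then lowest metric."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in ipaddress.ip_network(r.dest)]
    if not hits:
        return None
    return min(hits, key=lambda r: (-ipaddress.ip_network(r.dest).prefixlen, r.metric))

def leaks(routes, vpn_iface, vpn_peer, probes):
    """Return {probe: iface} for every probe that would bypass the tunnel.
    The tunnel peer is exempt: the encrypted packets must reach it over the LAN."""
    found = {}
    for probe in probes:
        if probe == vpn_peer:
            continue
        route = egress(routes, probe)
        if route is not None and route.iface != vpn_iface:
            found[probe] = route.iface
    return found

# Constructed sample data (documentation and private address ranges).
PEER = "203.0.113.10"                      # partner's VPN concentrator
PROBES = ["192.168.1.50",                  # printer on the local LAN
          "198.51.100.7",                  # arbitrary Internet host
          "10.20.5.5",                     # host on the partner network
          PEER]
SPLIT = [Route("0.0.0.0/0", "eth0", 10),   # default route stays on the LAN
         Route("192.168.1.0/24", "eth0", 10),
         Route("10.20.0.0/16", "vpn0", 1),
         Route(PEER + "/32", "eth0", 10)]
FULL = [Route("0.0.0.0/0", "vpn0", 1),     # default route moved into the tunnel
        Route("0.0.0.0/0", "eth0", 50),
        Route("10.20.0.0/16", "vpn0", 1),
        Route(PEER + "/32", "eth0", 10)]   # LAN route removed by the client

if __name__ == "__main__":
    for name, table in (("split", SPLIT), ("full", FULL)):
        print(name, leaks(table, "vpn0", PEER, PROBES))
```

With the constructed full-tunnel table the local printer resolves to `vpn0`, which matches the message's point that the workstation cannot print to the LAN while connected.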

