Re: How safe is a VPN connexion from within an internal network?

PIERRE.DUFRESNE@MESS.GOUV.QC.CA wrote:
> Hi all!
>
> I have been asked to install a vpn client on a workstation inside our
> network that would access another network through our firewall.
> Besides the technical details of allowing IPSec traffic through a NATed
> device,  I was wondering how safe is this practice? Is it done often?
> Once the connexion is established, can a host on the external network
> access the workstation inside my network, ie initiate a connexion?
> Should I rather go with a "site to site" vpn connexion?
>
> Thanks for your time
>
> Pierre 
>
>
> ---------------------------------------------------------------------------
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The NSA has designated Norwich University a center of Academic Excellence 
> in Information Security. Our program offers unparalleled Infosec management 
> education and the case study affords you unmatched consulting experience. 
> Using interactive e-Learning technology, you can earn this esteemed degree, 
> without disrupting your career or home life.
>
> http://www.msia.norwich.edu/secfocus
> ---------------------------------------------------------------------------
>   
Bonjour,
et un salut au quebec, un pays que j'aime bien.

Yes, it si often done. I've put in place a such network. A crypted VPN 
inside my wlan. My freebsd box has a vpn server, in order to route/nat 
all subnets.

I suppose that your hosts, are separed, In which case, I would suggest 
you a "site to site" setting. That avoid any firewall and routing 
complication, and the traffics are pretty clear in both distant 
networks, so that you can investigate any time you want.

Many of my clients have a host who has vpn acces to the main intranet. 
These hosts are HIGHLY safe. Remember, only a end to end security policy 
makes a sens.

If your aren't absolutly sure workstation, please don't do that. If the 
workstation's security is compromised, you'll not be able to 
investigate, because of crypting vpn. So that you would be forced to 
looking for what's going on, on the other side... but it's too late. The 
"guy" had passed through vpn before.

A good idea, would be, to avoid any web acces while vpn is up.

I'd like to highliy recommand openvpn, a full UDP/ssl/simple and robust 
vpn solution.

et, désolé pour mon anglais.

--

Richard VENNE
www.dental-on-line.com
Phone: 01 43 27 94 24
fax: 01 43 27 66 85


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------