the security of a network is defined by its weakest link.
if an outside vendor needs access to your network for some reason, and
you decide to allow this through a VPN...if you also allow the vendor's
desktop PC to access its local network, then anyone on his/her local
network has access to your network, through the vendor's desktop...now
your network security depends on the vendor's network being completely
secure too...the vendor's desktop is a bridge between the two networks,
and odds are good that there is no local firewall on his/her desktop.

an unlucky vpn configuration could result in your vendor's internal dhcp
server giving out ip addresses to all computers on your network...all
your internet web page requests going over the vpn to the vendor's
network, and going out through your vendor's internet connection instead
of yours.. (quick and dirty proxy server)....you'd have to be really
unlucky or stupid to end up with this configuration...but the potential
is there.

i figure most VPN admins would err on the cautious side and isolate that
one machine that needs to connect.

Curt Hagenlocher wrote:
On 7/5/06, Phil Sayers <[EMAIL PROTECTED]> wrote:

any VPN connection software i have used ...for example cisco vpn
dialer...

once i have the connection open, i am unable to access anything on the
local LAN, the only network i can interact with has been the one at the
other endpoint of the VPN.


For Cisco and other VPNs, this is configurable on the server side.
Some of our customers refuse to enable LAN access for us, which makes
supporting them fairly painful.  We've actually had someone tell us that
"Sarbanes-Oxley requires that we do this."

The only security benefit I can see to disabling LAN access is that it
prevents a hacked PC from being remotely controlled while VPNed in.

--
Curt Hagenlocher
[EMAIL PROTECTED]

===================================
This list is hosted by DevelopMentor®  http://www.develop.com

View archives and manage your subscription(s) at
http://discuss.develop.com



