> > Nortel's Contivity Extranet client has a feature that basically re-routes
> > all traffic from and to the client through the secure tunnel.
>
> What this basically means is that in addition to the VPN, it has installed
> a firewall (to filter access to other services) and modified the routing
> table on the client. There's no reason other than marketing that this sort
> of functionality needs to be combined with a VPN... it would work just as
> well with a DUN connection instead of a VPN.

Not really. The dial-up server would have to support management of the
client software, including identifying what client software was running.
Currently, RAS does not support this. The Nortel and VPNet solutions, on the
other hand, will verify that their client is being used to connect, and that
the clients are running the policies that you have created with the
management software (in both cases you can update the client on the fly;
they cannot connect with configurations different than the ones you choose).

I agree that there may be exploits against the VPN clients. However, it's a
far cry better than DUN, even if clients had firewalls installed on their
computers, unless you also had a way to centrally manage all of those client
firewalls (and verify that they really are what they claim to be).

In general, you shouldn't treat the VPN as if it's part of your corporate
network. I would suggest putting the VPN on the outside of your firewall (or
setting up appropriate filters on your VPN device if it has firewall
features).

Jen

