On Wed, 3 Oct 2001 [EMAIL PROTECTED] wrote:
> 4. This is an incredibly BAD idea from a security standpoint. Your
> user's PC is probably not locked down very well and with this VPN
> basically bypasses all of your security measures between the PC and
> the Internet. What I usually do in situations like this is establish
> a VPN connection from a VPN device in the DMZ to the other firewall
> and then I can filter the traffic through my firewall.
this is very true. a number of clients can force no other communications
while the VPN is in use, the former axent client being one and the cisco
client being another. it's a wise option to use, as it will help stifle
attacks that actively tunnel through the weakest link (the redheaded
laptop with a british accent). of course it will do nothing to stifle
attacks that are automated (i.e. worms), so the dmz hop is also wise.
____________________________
jose nazario [EMAIL PROTECTED]
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls