Andy,

I understand the difficulties.  But, the issue is if one can not guarantee
at least some level of security that is in compliance with the security at
the corporate site, then you are effectively opening a backdoor into the
corporate LAN, and/or that tunnel is a trojan/virus vector.  VPNs are
good and all that, but, tossing one into each and every situation is not
an end all to cure all solution.  When implementing one, you have
effectively extended your defense perimeter and accepted a remote site
policy as an addition to your own.  Anything that has compromised the
security of your home users' systems or networks has complete access to
cross the tunnel that you open here.  There's a side line to this for
HIPAA compliance; you can control access to user records and information
from your immediate networked devices, but, once you allow it to be stored
on a remote system, say a home user's system or their work laptop, you have
effectively lost control of the information you are charged with
protecting.  This has to be part of the risk assessment and considered and
dealt with in site policies, since after all we are extending site policy
and risk.

Thanks,

Ron DuFresne

On Wed, 1 May 2002, Andy Taylor wrote:

> Ron,
>
> Forcing software on home users' machines is often quite difficult, especially as they
> have admin rights on their own machines and can remove or disable what they please.
>
> A good start is to use client VPN software, as most client software from vendors such
> as Nortel have enhanced functionality where you can disable "split tunnelling",
> therefore clients can only connect back to the office network, and can't connect to
> Internet sites or local nets at the same time.
>
> The Nortel Contivity client can also check for a screen saver password etc. before
> allowing connectivity.
>
> Kind regards,
>
> Andy
>
> *********************************************
> Andy Taylor
> Principal Security Consultant
> netProtect Solutions Limited
> http://www.netprotectsolutions.co.uk
> Tel: +44 (0)207 877 4026
> [EMAIL PROTECTED]
> *********************************************
>
> Ron DuFresne wrote:
>
> alright, here's a question:
>
> How do you assure her home network does not violate your corporate
> security policies?  After all, she could well be routing off both NICs, the
> wireless and the DSL/ethernet there at home.  This makes all the home
> machines potential backdoors into the corporate LAN should one of them be
> compromised and or trojaned.  I can't list how many times recently I've
> seen folks 'VPN' tunneled into work without even anti-virus software let
> alone even a personal firewall with some kind of security policy being
> enforced, while they also sat in IRC and surfed the net in other
> protocols outside the corporate tunnel.  The more machines her VPN'ed box
> is connected to, the more the risk and the greater the number of potential
> weakest links.
>
> Thanks,
>
> Ron DuFresne
>
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
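Andy's suggestion of disabling "split tunnelling" and Ron's concern about a home box "routing off both NICs" can both be checked from the client's routing table. The script below is an added example, not code from either poster or from any VPN vendor: it parses routing table lines in Linux `ip route show` format and reports every route that would carry traffic outside the tunnel while the VPN is up. The interface names (`tun0`, `eth0`, `wlan0`), the concentrator address `203.0.113.10` and both sample tables are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Two constructed routing tables in `ip route show` format (sample data made up
# for this example, not taken from the thread). The machine has a DSL/ethernet
# link (eth0), a wireless card (wlan0) and a VPN tunnel interface (tun0).
SPLIT_TUNNEL_TABLE = """\
default via 192.168.1.1 dev eth0
10.10.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
192.168.2.0/24 dev wlan0 proto kernel scope link src 192.168.2.7
"""

FULL_TUNNEL_TABLE = """\
default via 10.8.0.1 dev tun0
203.0.113.10 via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""

ROUTE_RE = re.compile(
    r"^(?P<dest>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)(?P<rest>.*)$"
)


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    dev: str
    connected: bool  # "scope link": a directly attached subnet, no gateway


def parse_routes(text: str) -> list[Route]:
    """Parse `ip route show` lines; lines that do not match are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dest = "0.0.0.0/0" if m.group("dest") == "default" else m.group("dest")
        routes.append(
            Route(
                dest=ipaddress.ip_network(dest, strict=False),
                dev=m.group("dev"),
                connected="scope link" in m.group("rest"),
            )
        )
    return routes


def check_split_tunnel(text: str, vpn_dev: str, vpn_gateway: str) -> dict:
    """Report routes that let traffic bypass the tunnel while the VPN is up.

    Allowed outside the tunnel: the /32 host route to the VPN concentrator and
    the directly connected subnet on the uplink that carries it. Everything
    else on a non-tunnel interface (a second NIC, another LAN, the default
    route) is a split-tunnel path.
    """
    routes = parse_routes(text)
    gw = ipaddress.ip_address(vpn_gateway)
    findings = []

    defaults = [r for r in routes if r.dest.prefixlen == 0]
    if not defaults:
        findings.append("no default route at all")
    for r in defaults:
        if r.dev != vpn_dev:
            findings.append(f"default route leaves via {r.dev}, not {vpn_dev}")

    # Uplink = interface of the host route to the concentrator, else the
    # default route's interface; its connected subnet must stay reachable.
    host_routes = [
        r for r in routes if r.dest.prefixlen == 32 and r.dest.network_address == gw
    ]
    uplink = host_routes[0].dev if host_routes else (defaults[0].dev if defaults else None)

    for r in routes:
        if r.dev == vpn_dev or r.dest.prefixlen == 0 or r in host_routes:
            continue
        if r.connected and r.dev == uplink:
            continue  # needed to reach the local gateway toward the concentrator
        findings.append(f"{r.dest} reachable via {r.dev} outside the tunnel")

    return {"full_tunnel": not findings, "findings": findings}


if __name__ == "__main__":
    for name, table in ("split", SPLIT_TUNNEL_TABLE), ("full", FULL_TUNNEL_TABLE):
        print(name, check_split_tunnel(table, "tun0", "203.0.113.10"))
```

Run against the first table it flags both the default route leaving via `eth0` and the second LAN on `wlan0`; the second table passes. Note what the check does not tell you, which is Ron's point: even a clean full-tunnel table keeps the connected subnet on the uplink, so the other machines on that home LAN can still reach the VPN client itself, and a compromised client carries whatever it has across the tunnel regardless of how its routes look.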

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
