On 12/2/10 4:16 AM, Paul Hill wrote:
> On Wed, Dec 1, 2010 at 11:17 PM, Paul McNett<[email protected]> wrote:
>> Some vpn clients tweak the default route to be over the VPN, but I think
>> that is silly unless the workstation is supposed to be totally locked down
>> by the company's network.
>
> The problem with not tweaking the default route is that it opens up a
> security hole into your network.
> If a compromised PC connects to your VPN then your internal network is
> also compromised, making your expensive firewall useless...
Well, you have to be very careful about what ports you allow over the VPN. For instance, most of my VPNs only allow SSH (port 22) and VNC (5900). In a couple of instances, people have needed (shudder) access to a Windows share from home, so I had to enable (shudder) ports 137-139. But I enabled it only for them, and disabled their $IPC access completely. But common ports like 80 are explicitly disabled over the VPN.

You already open a security hole by putting remote systems on VPN. Properly mitigated, I don't see how not redirecting the default route is any less secure.

Paul

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
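As an added illustration of the port-restricted VPN policy the reply describes (example configuration written for this page, not the poster's own setup), the POSIX shell script below emits an nftables ruleset for a VPN gateway: every VPN client gets SSH and VNC, a named set of clients additionally gets the Windows file-sharing ports, port 80 is explicitly refused, and everything else is dropped and logged. The interface name, VPN address pool and client addresses are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate an nftables ruleset that
# limits what VPN clients may reach. Interface, address pool and client
# addresses below are assumed placeholders.
VPN_IF="${VPN_IF:-tun0}"                      # assumed VPN interface
VPN_NET="${VPN_NET:-10.8.0.0/24}"             # assumed VPN client pool
SMB_CLIENTS="${SMB_CLIENTS:-10.8.0.10, 10.8.0.11}"  # constructed: users who need shares

# Print the ruleset; nothing is applied to the running kernel.
vpn_ruleset() {
  cat <<EOF
table inet vpn_filter {
  set smb_clients {
    type ipv4_addr
    elements = { ${SMB_CLIENTS} }
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
    # only traffic arriving from the VPN interface is policed here
    iifname "${VPN_IF}" jump from_vpn
  }
  chain from_vpn {
    ct state established,related accept
    # every VPN client may use SSH and VNC
    ip saddr ${VPN_NET} tcp dport { 22, 5900 } accept
    # Windows file sharing only for the listed clients
    ip saddr @smb_clients tcp dport 137-139 accept
    ip saddr @smb_clients udp dport 137-139 accept
    # web access is explicitly refused, everything else dropped and logged
    tcp dport 80 reject with tcp reset
    log prefix "vpn-denied: " drop
  }
}
EOF
}

# Parse-check with nft when available (-c checks without applying),
# otherwise just show the generated text.
if command -v nft >/dev/null 2>&1; then
  if vpn_ruleset | nft -c -f -; then
    echo "ruleset parses (not applied)"
  else
    echo "ruleset failed to parse" >&2
  fi
else
  vpn_ruleset
fi
```

Loading it for real would be `vpn_ruleset | nft -f -` on the gateway; the drop rule's log prefix gives a searchable line for every connection a VPN client attempted outside the allowed ports.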

