On Thu, Dec 2, 2010 at 7:12 PM, Paul McNett <[email protected]> wrote:

> On 12/2/10 10:06 AM, Leland Jackson wrote:
>> On 12/02/2010 11:17 AM, Paul McNett wrote:
>>> You already open a security hole by putting remote systems on vpn. Properly
>>> mitigated, I don't see how not redirecting the default route is any less
>>> secure.
>>
>> If you're connecting to the client's network using vpn, then you should
>> be part of the client local network, just like everyone else in the
>> local network.
>
> Yes, the remote has an ip on the same subnet as those computers in the
> corporate network.
>
>> If you're just another computer in the client's local
>> network, then it seems you should be able to vnc to any desktop within
>> the local network without regard to the router's/gateway's incoming or
>> outgoing rules. In other words, once you connect over a vpn tunnel, the
>> router/gateway firewall becomes irrelevant.
>
> No, the perimeter firewall should still control traffic in and out, whether
> or not it is over the vpn.
Should, but often (normally?) doesn't. Your firewall allows the vpn connection in. Unless the firewall (e.g. a Cisco box) provides the vpn service, it cannot filter the traffic as it's encrypted.

For example, you have a Windows/Linux box in the office that provides the vpn. The router simply directs the vpn port to this server. If a compromised workstation has an open telnet port, an attacker could telnet into the workstation and have un-firewalled access to the corporate network. Scary stuff.

That is often why the default route is forced over the vpn. For Windows PPTP this is the default setting[1]. It's been a while since I used a Cisco vpn, but I think the same is true there.

p.s. it's the day I make my Christmas puddings, so I'm a bit pissed :-)

[1] I don't use this as our vpn is shaky, to say the least, and I've been vpn'ing extensively today as I'm snowed in. South London has about a foot of snow. West London (where the office lies) is totally snow-free. London doesn't work well if so much as an inch falls.

--
Paul

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
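The two points made in the thread, that a split tunnel leaves the client's default route on its own LAN while a full tunnel forces it through the vpn, and that a vpn terminated on a box behind the perimeter router has to do its own filtering because the router only ever sees ciphertext, can both be checked and enforced from a shell on the Linux side. The script below is an added example and is not code from this list or from either poster; the interface names (`ppp0`, `eth0`), the addresses, the routing-table samples and the allowed-port list are all constructed assumptions. The first function classifies a routing table as `full` or `split` by looking at which interface carries the lowest-metric default route; the second prints (does not apply) an iptables FORWARD policy for the vpn server's tunnel interface, so that decrypted traffic from remote clients is restricted to the LAN services they actually need instead of having the un-firewalled access the thread warns about.

```shell
#!/usr/bin/env bash
# Added example (not part of the ProFox thread). Interface names, addresses
# and port lists are constructed assumptions for illustration.

# Constructed `ip route show` output for a client on a SPLIT tunnel:
# the default route stays on the home LAN (eth0); only 10.0.0.0/24 goes
# over the vpn (ppp0).
SAMPLE_SPLIT='default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/24 via 10.8.0.1 dev ppp0 proto static
10.8.0.0/24 dev ppp0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# Constructed output for a FULL tunnel (the Windows PPTP default the mail
# mentions): a lower-metric default route via ppp0 shadows the LAN one.
SAMPLE_FULL='default via 10.8.0.1 dev ppp0 proto static metric 50
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev ppp0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# tunnel_mode ROUTES VPN_IF
# Prints "full" if the winning (lowest-metric) default route leaves via
# VPN_IF, otherwise "split". On a live host pass "$(ip route show)".
tunnel_mode() {
  routes=$1
  vpn_if=$2
  printf '%s\n' "$routes" | awk -v vif="$vpn_if" '
    $1 == "default" {
      dev = ""; m = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "dev") dev = $(i + 1)
        if ($i == "metric") m = $(i + 1)
      }
      # first default route seen, or a strictly better metric, wins
      if (best == "" || m + 0 < bestm + 0) { best = dev; bestm = m }
    }
    END { if (best == vif) print "full"; else print "split" }'
}

# vpn_server_rules VPN_IF LAN_CIDR "PORT PORT ..."
# Dry run: prints the iptables commands for the box that terminates the
# vpn. Decrypted client traffic enters the kernel on VPN_IF, so this is
# the only place it can be filtered; the perimeter router never sees it.
vpn_server_rules() {
  vif=$1
  lan=$2
  ports=$3
  # return traffic for connections the vpn clients opened
  echo "iptables -A FORWARD -o $vif -s $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # only the listed TCP services may be reached from the tunnel
  for p in $ports; do
    echo "iptables -A FORWARD -i $vif -d $lan -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  # everything else from the tunnel into the LAN (telnet included) is logged and dropped
  echo "iptables -A FORWARD -i $vif -d $lan -j LOG --log-prefix \"vpn-drop: \""
  echo "iptables -A FORWARD -i $vif -d $lan -j DROP"
}

# Usage when run directly:
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  echo "split sample: $(tunnel_mode "$SAMPLE_SPLIT" ppp0)"
  echo "full sample:  $(tunnel_mode "$SAMPLE_FULL" ppp0)"
  vpn_server_rules ppp0 10.0.0.0/24 "5900 3389"
fi
```

The ruleset is deliberately a FORWARD-chain allow-list keyed on the tunnel interface: a client that is "just another computer on the LAN" from a routing point of view still only reaches the ports you name, and the LOG line gives you the evidence if a compromised remote workstation starts probing for open telnet.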

