From: bwatson at nettracers.com (Bryan K. Watson)
Subject: CISCO Vpn

>Patrick Olsen wrote:
>I have been asked what the PROs and CONs of setting up a VPN would be.
>I'm trying to find security pros and cons, basically to find out if it
>is worth the risk. This individual would be using a desktop at home
>which we would be setting up for her.
>

I consider the best practice to be an antivirus firewall, like a Fortinet
FortiGate, either as the VPN tunnel endpoint or in transparent mode on
the inside of the network between your Cisco VPN device and the internal
network.  This way you can enforce additional access controls and stop
virus/worm/hack activity from getting in or out to your VPN users.  The
Cisco alone will not stop this mal-activity.

An option that also provides access without opening up a full network tunnel
is the use of an SSL application gateway like the ones Array Networks makes or a
Neoteris (Netscreen/Juniper now) SSL gateway appliance.  This way you can
give limited access to client-server applications and not the whole network.
These devices also allow you to selectively permit full TCP/IP layer 3
VPNs... then you need to provide protection like I mentioned above.

Another consideration with IPsec and PPTP versus SSL VPNs is that IPsec and
PPTP will have problems traversing some network firewalls (even old PIX
versions), and your remote users will keep you on the help-desk phone trying
to figure out why the VPN doesn't work.  That is because IPsec and PPTP
require special firewall rules to allow them to get out of a network.  SSL
only uses a single outbound channel (typically over port 443/HTTPS) for all
two-way communication of VPN traffic.  Firewalls usually do not complain
about this unless they have specific traffic inspection policies to shut
down SSL VPN traffic (Check Point can do this).

If the remote user only needs a couple of apps, figure out a way to limit
access to only the needed resources or set up a remote access RDP/Terminal
Server to facilitate secure access.  Also consider that a home system will
store data locally and will not be under your company's backup procedures.  A
terminal server will be on your local network and you can use your existing
backup systems to keep your corporate Intellectual Property secure.
Revocation of a home system in case of employee termination also becomes a
problem, and you are likely to lose IP in such an event with a home system
with locally stored data.

And finally, opening up a remote access method of any kind will expose your
weak password policy to brute forcing.  Multi-factor authentication should be
employed and enforced.  Client system certificates, SecurID and Authenex are
some ways to do this multi-factor authentication.

Have fun,
- Bryan K. Watson
- bwatson@...tracers.com
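
[Editor's note: the following is an added example, not part of Bryan's message.]
The firewall-traversal point above (IPsec and PPTP need extra egress rules,
an SSL VPN rides out on TCP/443) can be made concrete with a small
default-deny egress policy evaluator.  The policies and flows below are
constructed for this demonstration; the protocol and port numbers are the
standard ones (IKE UDP/500, NAT-T UDP/4500, ESP = IP protocol 50, AH = 51,
PPTP control TCP/1723, GRE = IP protocol 47, HTTPS TCP/443).  It goes one
step beyond the post by separating plain IPsec from NAT-traversal IPsec,
which needs UDP/4500 instead of raw ESP.

```python
"""Added example (not from the original post or any vendor's code): which VPN
technologies get out through a typical web-only egress firewall policy.
Policies and flows are constructed sample data."""
from dataclasses import dataclass
from typing import List, Optional

# IANA IP protocol numbers
TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51


@dataclass(frozen=True)
class Flow:
    name: str
    proto: int
    dport: Optional[int] = None  # None for port-less protocols (ESP, AH, GRE)


@dataclass(frozen=True)
class Rule:
    proto: int                      # IP protocol this rule permits
    ports: Optional[range] = None   # destination ports; None = no port check

    def matches(self, f: Flow) -> bool:
        if self.proto != f.proto:
            return False
        if self.ports is None:
            return True
        return f.dport is not None and f.dport in self.ports


def allowed(policy: List[Rule], flow: Flow) -> bool:
    """Default-deny egress: a flow leaves only if some rule permits it."""
    return any(r.matches(flow) for r in policy)


# Constructed "web only" egress policy: DNS out, browsers out, nothing else.
WEB_ONLY = [Rule(UDP, range(53, 54)), Rule(TCP, range(80, 81)),
            Rule(TCP, range(443, 444))]

# The extra rules an admin has to add before IPsec or PPTP clients will work.
IPSEC_EXTRA = [Rule(UDP, range(500, 501)), Rule(UDP, range(4500, 4501)),
               Rule(ESP), Rule(AH)]
PPTP_EXTRA = [Rule(TCP, range(1723, 1724)), Rule(GRE)]

# Constructed flows, one set per VPN technology.  With NAT-T, IKE floats to
# UDP/4500 and ESP is UDP-encapsulated there, so raw ESP is not needed.
VPN_FLOWS = {
    "ipsec":      [Flow("IKE", UDP, 500), Flow("ESP", ESP)],
    "ipsec-natt": [Flow("IKE", UDP, 500), Flow("NAT-T", UDP, 4500)],
    "pptp":       [Flow("PPTP control", TCP, 1723), Flow("GRE", GRE)],
    "ssl":        [Flow("HTTPS", TCP, 443)],
}


def blocked_flows(policy: List[Rule], kind: str) -> List[str]:
    """Names of the flows a VPN type needs that the policy drops."""
    return [f.name for f in VPN_FLOWS[kind] if not allowed(policy, f)]


def vpn_works(policy: List[Rule], kind: str) -> bool:
    """A VPN type works end to end only if every flow it needs is allowed."""
    return not blocked_flows(policy, kind)


if __name__ == "__main__":
    for kind in VPN_FLOWS:
        print(f"{kind:11s} web-only policy: works={vpn_works(WEB_ONLY, kind)}"
              f" blocked={blocked_flows(WEB_ONLY, kind)}")
    print("ipsec after adding IPSEC_EXTRA:", vpn_works(WEB_ONLY + IPSEC_EXTRA, "ipsec"))
    print("pptp  after adding PPTP_EXTRA: ", vpn_works(WEB_ONLY + PPTP_EXTRA, "pptp"))
```

Only the SSL flow passes the web-only policy; IKE, ESP, NAT-T, PPTP control and
GRE are all dropped until the matching rules are added.  Note what the model
does not capture: a firewall with application-layer inspection of port 443
(the Check Point case in the post) can still refuse the SSL VPN even though a
port-based rule allows it.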
