RE: [fw-wiz] worm + VPN + firewall

lordchariot_at_earthlink.net
Date: 08/15/03

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 15 Aug 2003 12:52:34 -0400
    
    

    No matter where the VPN tunnel actually terminates, it's the unencrypted
    side that you have to worry about.

    I've used VPNs in many fashions:
    Terminate on the outside, cleartext on the inside around a firewall.
    Generally bad unless you can regulate traffic on the VPN device.

    Tunnel through a firewall to a VPN in a DMZ, cleartext direct to the internal
    network.
    The firewall can only block the tunnel; it can't discriminate connections within
    the tunnel. Still generally bad.

    Terminate on the outside, cleartext into a DMZ through the firewall.
    The firewall can regulate ports to the internal network. Much better.

    Terminate at the firewall, cleartext to the internal network.
    The firewall can regulate ports to the internal network. Same as above.

    No matter what, with any of the scenarios above, if you have 135/tcp
    wide open from the VPN clients to the internal networks, the worm will
    propagate to the internal machines. The only way to prevent this is to get
    the firewall to block 135/tcp once the tunnel is unencrypted.

    The problem with blocking 135 for most VPN users is that it will probably
    break the native Outlook/Exchange connection, and remote users will be
    unable to connect to the Exchange server (just like when they are in the
    office).

    Is this an accurate assessment everyone? (I could be wrong)

    Erik

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of
    Mordechai T. Abzug
    Sent: Wednesday, August 13, 2003 7:30 PM
    To: firewall-wizards@nfr.com
    Subject: [fw-wiz] worm + VPN + firewall

    Has anyone had a user's external Blasterized system that VPN'd past a
    firewall and compromised an internal network? It would be nice to
    have concrete examples for the "VPNs should terminate outside
    firewalls" argument.

    - Morty
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

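Erik's four scenarios turn on one observation: a packet filter on the encrypted side of an IPsec tunnel sees only the outer header (protocol 50, ESP, between the client's public address and the VPN gateway), so it can pass or block the whole tunnel but cannot drop 135/tcp inside it; the same filter placed after decryption sees the inner TCP header and can. The script below is an added illustration for this archive page, not code from the thread or from anyone on the list. The VPN pool 10.200.0.0/24, the internal range 10.10.0.0/16, every address, the SPI, and the XOR stand-in used in place of real ESP encryption are all constructed for the example.

```python
"""Where a packet filter sits relative to the VPN endpoint decides what it can see.

Constructed example: a VPN client at 10.200.0.7 (hypothetical VPN pool) sends a
Blaster-style SYN to 135/tcp on an internal host. Before decryption the filter
sees only an ESP packet between the client's public address and the VPN gateway;
after decryption it sees the inner TCP header and can drop the port.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Hypothetical address plan for the example (not from the thread).
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")   # addresses handed to VPN clients
INTERNAL = ipaddress.ip_network("10.10.0.0/16")    # internal LAN
IPPROTO_TCP = 6
IPPROTO_ESP = 50


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    dport: Optional[int]   # None when no transport header is visible (ESP, etc.)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; the filter here ignores it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_tcp_syn(sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP header with only SYN set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)


def esp_wrap(spi: int, seq: int, inner: bytes) -> bytes:
    """ESP header (SPI, sequence number) followed by the protected payload.

    Real ESP encrypts with the negotiated cipher; XOR with a constant byte is a
    stand-in whose only job is to make the inner packet unreadable to the filter.
    """
    return struct.pack("!II", spi, seq) + bytes(b ^ 0xAA for b in inner)


def parse_flow(packet: bytes) -> Flow:
    """What a stateless 5-tuple filter can extract from one IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    if proto == IPPROTO_TCP:
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
        return Flow(src, dst, proto, dport)
    return Flow(src, dst, proto, None)   # ESP: the ports are inside the ciphertext


def verdict(packet: bytes) -> str:
    """The rule the thread calls for: drop 135/tcp from the VPN pool to the LAN.

    Returns "DROP" or "ACCEPT" for the packet as seen at this filtering point.
    """
    f = parse_flow(packet)
    if f.proto == IPPROTO_TCP and f.dport == 135 and f.src in VPN_POOL and f.dst in INTERNAL:
        return "DROP"
    return "ACCEPT"


def demo() -> dict:
    syn_to_135 = build_tcp_syn(1034, 135)
    # Worm scan: VPN client -> arbitrary internal workstation, 135/tcp
    scan = build_ipv4("10.200.0.7", "10.10.5.20", IPPROTO_TCP, syn_to_135)
    # Same client -> Exchange server: Outlook's RPC endpoint-mapper lookup, also 135/tcp
    exchange = build_ipv4("10.200.0.7", "10.10.1.5", IPPROTO_TCP, syn_to_135)
    # Both ride inside one ESP tunnel between the client's public address and the gateway
    tunnel = build_ipv4("203.0.113.9", "198.51.100.2", IPPROTO_ESP, esp_wrap(0x1000, 1, scan))
    return {
        "encrypted_side": verdict(tunnel),        # filter sees proto 50 only: ACCEPT (or block all ESP)
        "decrypted_scan": verdict(scan),          # DROP: worm traffic stopped
        "decrypted_exchange": verdict(exchange),  # DROP: Outlook/Exchange over 135 breaks as well
    }


if __name__ == "__main__":
    for point, result in demo().items():
        print(f"{point:20s} {result}")
```

At the encrypted hop `verdict()` returns the same answer for every inner packet, which is the "can only block the tunnel" limitation Erik describes for the DMZ-pass-through layout; at the decrypted hop the rule works, but it drops the Outlook-to-Exchange 135/tcp connection exactly as it drops the scan, which is the trade-off he raises in his last paragraph.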

