RE: Microsoft Win2k VPN server placement
From: Richard Brackett (rbrackett@DSM.net) Date: 05/01/02
- Previous message: Andrew.Patrick@kemperinsurance.com: "Re: Microsoft Win2k VPN server placement"
- Next in thread: Stuart Fox (DSL AK): "RE: Microsoft Win2k VPN server placement"
- Reply: Stuart Fox (DSL AK): "RE: Microsoft Win2k VPN server placement"
From: Richard Brackett <rbrackett@DSM.net> To: focus-ms <focus-ms@securityfocus.com> Date: Wed, 1 May 2002 16:09:50 -0400
I agree with your point on firewall policy, but don't VPN servers generally
allow this even when you don't penetrate the firewall with the VPN traffic?
Whether on the internal network alone, or attached to the public network,
it's up to the VPN server to apply policies so that VPN users can only
access the appropriate network services. On the IDS side I also agree that
it makes it more difficult; the output from the VPN server may not be on the
same segment that the internal IDS sensor monitors. My compromise to that is
to place the VPN output wherever the sensor is, without regard to the LAN
connection speed.
-----Original Message-----
From: Andrew.Patrick@kemperinsurance.com
[mailto:Andrew.Patrick@kemperinsurance.com]
Sent: Wednesday, May 01, 2002 1:09 PM
To: focus-ms; Richard Brackett
Subject: Re: Microsoft Win2k VPN server placement
Firewall policies exist for a reason. When you allow an encrypted tunnel
THRU your firewall and terminate it at an internal server, you are
effectively allowing all traffic flowing thru that tunnel to completely
bypass your firewall rules. That might be OK if you trust all traffic in
the tunnel 100%, but how likely is that?
Also, any kind of Intrusion Detection capability you may have in place will
be completely blind to the traffic in the PPTP tunnel, as it cannot decrypt
the packets.
Andy Patrick
KTS Security & Contingency Planning
x3621
I do the same thing for remote admin on my box (nt4 TS) at home, because
it's easier to set up, and my firewall at the time was not able to do
vpn. Imagine my chagrin when someone attempted to connect to it, with
the administrator's account. A quick check of the logs just showed the
attempt, no logging of IP, nothing.
Now, with only one account having dial-in permissions (and not the admin
one) it is fairly easy to do accounting. But when you have even five
users connecting, things could get ugly.
Richard Brackett wrote:
> I have a customer who is steadily deploying Win2k VPN servers on the inside
> networks by allowing PPTP through the firewall to the inside VPN server.
>
> Aside from a poor defense in depth argument, I'm not sure what I can use to
> dissuade them from this course. Having the VPN server screened by the
> firewall is a good thing, no netbios vulnerabilities for one thing. I'm not
> sure though how invulnerable PPTP is to remote access issues.
>
> Can anyone help me with some solid arguments against this?
>
>
> Richard Brackett
> Chief Technology Officer
> DSM
> Phone: 863-802-8888
> Fax: 863-802-8887
> www.DSM.net
>