RE: VPN's - Firewall's and Security

From: Christopher Joles (CJoles_at_proteabhs.com)
Date: 08/26/03

    Date: Tue, 26 Aug 2003 12:28:44 -0400
    To: "Halverson, Chris" <chris.halverson@encana.com>, <security-basics@securityfocus.com>
    
    

    Chris

    I'm relatively sure that I can apply an access list to the VPN network
    (it gets a different subnet when connected which differs from our
    internal network). As I think about it, the VPN network (as currently
    configured) can only talk to the internal network; it can't talk to the
    DMZ, nor can it talk to any of my remote satellite locations that
    connect via VPN links. Would putting my servers on a separate subnet
    help? I'm just sitting here, thinking that my current configuration
    works for today, but I'm not so sure for tomorrow or the next day.
    There must be some way to block / firewall even my VPN connections to
    limit their internal access and thus allow connectivity to only what
    they need.

    Maybe ACLs are what I need to be looking at?

    Christopher J. Joles
    Chief Information Officer

    -----Original Message-----
    From: Halverson, Chris [mailto:chris.halverson@encana.com]
    Sent: Tuesday, August 26, 2003 12:19 PM
    To: Christopher Joles; security-basics@securityfocus.com
    Subject: RE: VPN's - Firewall's and Security

    Would it be possible to block within an access list the tcp port 135 for
    VPN Access? I haven't configured the PIX devices, so I am not sure if
    you can do it...

    chris

    -----Original Message-----
    From: Christopher Joles [mailto:CJoles@proteabhs.com]
    Sent: Tuesday, August 26, 2003 9:09 AM
    To: security-basics@securityfocus.com
    Subject: VPN's - Firewall's and Security

    Good Day All!

    I'm looking for design advice.

    Currently, I have a network that is protected by a Cisco PIX 515
    firewall. We have it configured to protect our internal network along
    with supplying access to our DMZ which holds our email and web servers.

    My concern arises from the spread of the blaster worm. Currently we
    give a couple employees (the boss, the CFO and myself) VPN access from
    home. In this scenario, the boss's home computer was compromised by the
    blaster worm and luckily for me, he was on vacation in Germany at the
    time. If he wasn't, he most assuredly would have made a VPN
    connection and the lovely blaster worm would have gotten through our
    defenses. Keep in mind, I had applied the MS patch to our servers and
    workstations, however, it would have still gotten "inside". How can I
    redesign my network to either firewall the VPN connections or at a
    minimum filter them?

    Thanx for your opinions in advance!

    Christopher J. Joles
    Chief Information Officer

    PROTEA Behavioral Health Services
    187 Exchange St.
    Bangor, ME 04401
    Phone: (207)992-7010 Ext: 245 Fax:(207)992-7011
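
    A worked illustration of the access-list idea the thread converges on, added here as an editorial example and not configuration from either poster: a PIX 6.x-style access list that lets the remote-access VPN pool reach only a few named internal services, drops TCP 135 (the DCOM RPC port Blaster spread over) outright, and logs everything else it denies. The pool range, server addresses, ports and the interface name are assumptions.

```text
! Address pool handed to remote-access VPN clients (constructed example range)
ip local pool vpnpool 10.10.10.1-10.10.10.20

! Explicitly drop the RPC endpoint mapper the worm spreads over (TCP 135),
! then permit only the handful of internal services the clients need.
! Server addresses and ports below are assumptions, not the poster's network.
access-list vpn_clients deny tcp 10.10.10.0 255.255.255.0 any eq 135
access-list vpn_clients permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 3389
access-list vpn_clients permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.20 eq 25
access-list vpn_clients permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.20 eq 110
! Everything else from the VPN pool is dropped and logged, so clients cannot
! reach the DMZ, the satellite VPN links, or arbitrary internal hosts.
access-list vpn_clients deny ip 10.10.10.0 255.255.255.0 any log

! By default the PIX lets decrypted IPsec traffic bypass interface access
! lists; turn that off so the rules above are actually applied to VPN clients.
no sysopt connection permit-ipsec

! Decrypted client traffic enters on the outside interface, so the list is
! bound there. Merge these lines into whatever access list is already bound
! to outside: the PIX allows only one inbound access-group per interface.
access-group vpn_clients in interface outside
```

    The `log` keyword turns the denied hits into a simple indicator that a connecting client is probing ports it has no business touching, which is the early warning the original post was missing. On PIX 7.x and later, a per-tunnel `vpn-filter` referenced from the group-policy is the cleaner way to attach such a list to remote-access clients without touching the outside interface ACL.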

    ------------------------------------------------------------------------

    ---
    Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
    October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
    technical IT security event. Modeled after the famous Black Hat event in
    Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
    Symantec is the Diamond sponsor. Early-bird registration ends September
    6. Visit us: www.blackhat.com
    ------------------------------------------------------------------------