RE: Security from VPN connections

From: Anstett, Brad (Brad.Anstett_at_quill.com)
Date: 08/28/03

  • Next message: Zachary Mutrux: "RE: Physical Computer Location"
    To: "Security-Basics SecurityFocus.com" <security-basics@securityfocus.com>, "Firewalls SecurityFocus.org" <firewalls@securityfocus.com>
    Date: Thu, 28 Aug 2003 10:59:07 -0500
    
    

    You could also put your internal VPN interface outside of the firewall on
    another port (creating another DMZ). Maybe only allow access for terminal services
    through that DMZ into your internal network.

    Brad

    On Tue, 26 Aug 2003 11:57:24 -0400, Christopher Joles wrote:
    >Good Day All!
    >
    >I'm looking for design advice.
    >
    >Currently, I have a network that is protected by a Cisco PIX 515 firewall.
    >We have it configured to protect our internal network along with supplying
    >access to our DMZ which holds our email and web servers.
    >
    >My concern arises from the spread of the blaster worm. Currently we give a
    >couple employees (the boss, the CFO and myself) VPN access from home. In
    >this scenario, the boss's home computer was compromised by the blaster worm
    >and luckily for me, he was on vacation in Germany at the time. If he
    >wasn't, he most assuredly would have made a VPN connection and the lovely
    >blaster worm would have gotten through our defenses. Keep in mind, I had
    >applied the MS patch to our servers and workstations, however, it would have
    >still gotten "inside". How can I redesign my network to either firewall the
    >VPN connections or at a minimum filter them.
    >
    >Thanx for your opinions in advance!
    >
    >
    >Christopher J. Joles, Chief Information Officer
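    The design Brad describes, written out as an added example for a PIX 515 (this is not configuration from either poster): a third interface hosts the decrypted VPN traffic as its own DMZ, and the inbound ACL on that interface lets only terminal services (TCP 3389) reach the inside network, so a worm on a VPN client that spreads over other ports is dropped and logged at the firewall. Interface names, security levels, addresses and ACL names are assumed placeholders, and the `log` keyword on ACL entries assumes PIX 6.3 or later.

    ```cisco
    ! Added example, not from the thread. Addresses and names are constructed.
    ! Third interface: the VPN landing zone, treated as its own DMZ.
    nameif ethernet2 vpndmz security40
    ip address vpndmz 192.168.40.1 255.255.255.0

    ! VPN clients receive 192.168.40.0/24 after decryption (constructed);
    ! the inside network is 10.0.0.0/24 (constructed).
    ! Only terminal services from the VPN DMZ into the inside network is allowed.
    access-list vpndmz_in permit tcp 192.168.40.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 3389

    ! Blaster spread over the RPC DCOM port (TCP 135); the implicit deny already
    ! blocks it, but explicit logged denies give a detection signal that a
    ! connecting client is infected.
    access-list vpndmz_in deny tcp 192.168.40.0 255.255.255.0 any eq 135 log
    access-list vpndmz_in deny tcp 192.168.40.0 255.255.255.0 any eq 445 log
    access-list vpndmz_in deny ip any any log

    ! Apply the ACL inbound on the VPN DMZ interface.
    access-group vpndmz_in in interface vpndmz
    ```

    With this in place, a patched inside network is no longer the only line of defence: an infected home machine can still connect, but its worm traffic stops at the vpndmz interface and shows up in the PIX log.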


