RE: VPN's - Firewall's and Security

From: Hoang, Binh P, CTR,, DMDCWEST (Hoangbp_at_osd.pentagon.mil)
Date: 07/19/04

    To: 'Christopher Joles' <CJoles@proteabhs.com>, security-basics@securityfocus.com
    Date: Mon, 19 Jul 2004 12:01:44 -0400


    Hi Chris:

    From a design perspective, terminating remote-access VPN tunnels at the PIX
    firewall (which also acts as a packet-filtering/inspection device) is not
    recommended. As you might have already heard, Cisco is coming out with
    Network Admission Control (NAC), but it's still (kind of) in its infancy. Go
    to Cisco's site and do a search on NAC for more information. It currently
    supports the IOS-based devices (not PIXs or the VPN Concentrator 3000 series
    yet) and requires that you have Cisco Security Agent installed on the
    remote-user PCs/laptops to check OS patch level, personal firewall
    version, etc. When NAC is supported on PIX firewalls, you can enforce NAC on
    it so that when the clients try to tunnel into your NAS (in this case the
    PIX), his/her laptop/PC will be checked against a policy-compliance server
    to make sure he/she has the latest OS patches, anti-virus signature version
    and personal firewall.
    At the Cisco Networkers conference last week, Cisco said that they will have
    NAC support for the VPN Concentrator 3000 series, but they didn't say when or
    whether they will have NAC support for the PIXs.

    In the meantime, I recommend that you revisit your network architecture
    and maybe redesign your security zones. As someone recommended earlier,
    you probably want to put a VPN concentrator on a separate leg of the PIX
    firewall. This concentrator would normally have a higher security level than
    your public zone (DMZ). From there, you can apply your traffic filtering
    policy on these security zones, allowing only certain types of traffic from
    the VPN leg to the inside, etc., etc. Depending on your budget and a number of
    other criteria (number of users, connections), you can get a fairly inexpensive
    remote-access VPN concentrator or even an open-source VPN solution such as
    FreeS/WAN (IPsec-based) or OpenVPN (SSL-based). Furthermore, you can apply
    downloadable ACLs on a per-user/group basis using RADIUS authentication for your VPN
    device.

    Hope this helps.

    Best regards,

    Binh Hoang, CCSP

    -----Original Message-----
    From: Christopher Joles [mailto:CJoles@proteabhs.com]
    Sent: Tuesday, August 26, 2003 8:09 AM
    To: security-basics@securityfocus.com
    Subject: VPN's - Firewall's and Security

    Good Day All!

    I'm looking for design advice.

    Currently, I have a network that is protected by a Cisco PIX 515 firewall.
    We have it configured to protect our internal network along with supplying
    access to our DMZ which holds our email and web servers.

    My concern arises from the spread of the Blaster worm. Currently we give
    a couple of employees (the boss, the CFO and myself) VPN access from home.
    In this scenario, the boss's home computer was compromised by the Blaster
    worm and luckily for me, he was on vacation in Germany at the time. If he
    wasn't, he most assuredly would have made a VPN connection and the lovely
    Blaster worm would have gotten through our defenses. Keep in mind, I had
    applied the MS patch to our servers and workstations, however, it would
    have still gotten "inside". How can I redesign my network to either
    firewall the VPN connections or at a minimum filter them?

    Thanx for your opinions in advance!

    Christopher J. Joles
    Chief Information Officer

    PROTEA Behavioral Health Services
    187 Exchange St.
    Bangor, ME 04401
    Phone: (207)992-7010 Ext: 245 Fax:(207)992-7011
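    [Editor's note: the configuration below is an example added to this archive page to illustrate the "separate leg" design discussed above. It is not from either poster and has not been taken from a production PIX. It assumes PIX 6.x command syntax, a spare physical interface (ethernet2), and the interface names, security levels and addresses shown in the comments; all of these are assumptions. The ports blocked up front (TCP 135/139/445, UDP 69) are the RPC/SMB/TFTP ports Blaster-class worms used to spread.]

    ```cisco
    ! Assumed layout (example only):
    !   inside  = 192.168.1.0/24, security100
    !   dmz     = existing public zone, assumed security50
    !   vpn leg = 172.16.50.0/24, security60 (above dmz, below inside)
    !   concentrator's private side = 172.16.50.2
    !   remote-access client address pool handed out by the concentrator = 10.10.10.0/24
    nameif ethernet2 vpn security60
    ip address vpn 172.16.50.1 255.255.255.0
    route vpn 10.10.10.0 255.255.255.0 172.16.50.2 1

    ! Identity static so the lower-security vpn leg can reach inside hosts
    ! without address translation; the ACL below decides what is allowed.
    static (inside,vpn) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

    ! Inbound policy on the vpn interface. First match wins; anything not
    ! explicitly permitted is dropped by the implicit deny at the end.
    ! Block the worm-propagation ports before any permit, so an infected
    ! remote PC cannot reach RPC/SMB/TFTP on anything behind the PIX.
    access-list vpn_in deny tcp any any eq 135
    access-list vpn_in deny tcp any any eq 139
    access-list vpn_in deny tcp any any eq 445
    access-list vpn_in deny udp any any eq 69
    ! Remote users get a terminal server and an intranet web server, nothing else
    ! (hosts are hypothetical).
    access-list vpn_in permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.20 eq 3389
    access-list vpn_in permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.30 eq www
    access-list vpn_in deny ip any any
    access-group vpn_in in interface vpn
    ```

    The point of the design is that the tunnel decrypts on the concentrator, not on the PIX, so the cleartext traffic from remote PCs crosses a PIX interface and is subject to an ACL exactly like traffic from the DMZ or the outside; the same ACL applies if the box on the vpn leg is an OpenVPN or FreeS/WAN server instead of a Cisco concentrator. Per-user restrictions (the downloadable ACLs mentioned above) are then layered on the VPN device itself via RADIUS, with the PIX ACL remaining as the coarse, device-independent backstop.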

