RE: SSL VPN's from LAN to WAN



1. Isolate their desktops in a separate VLAN and redirect all VPN traffic
originating from their subnet to a honeypot or some kind of monitoring
system so you can try to understand what they are doing.

2. You are not overreacting!!! You are simply doing your job.

Cheers,
Serge Vondandamo, CISSP

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of fac51
Sent: Tuesday, December 11, 2007 11:09
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: SSL VPN's from LAN to WAN

Hi All,

I would like some advice on a situation that is new to me.

I have just discovered that some contractors that are on our corporate LAN
have managed to install (Half Install) VPN Clients that allow them to
connect directly back to their LAN (RDP'ing into their Desktops etc.). The
desktops they are using here are locked down but still allow some VPN
functionality.

The VPN connects over 443 out of our network then to their Firewall as
concentrator.

Implications that I can think of are:

1. All traffic to and from us is encrypted and therefore we cannot monitor.
2. They can see network drives and could be stealing info. (although they
don't have much access)
3. Any infections at their site could propagate to us (that could happen
anyway I suppose via email)

My first reaction is one of horror but am I overreacting?

If my worst fears are confirmed I will need to block them. To do this I was
thinking of blocking all traffic to and from their firewall however
apparently some access to remote services is required by other staff.

Help!?!?

kind regards,

S
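
An added example, not part of the thread or either poster's message: one way to monitor the contractor subnet without blocking the remote firewall for other staff is to scan exported flow records for long-lived, high-volume TCP/443 sessions that originate only from the contractor VLAN. The subnet, addresses, record layout, thresholds and the function name `find_tunnel_like_flows` are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from the thread):
# (source IP, destination IP, destination port, duration in seconds, bytes)
SAMPLE_FLOWS = [
    ("10.20.30.11", "198.51.100.7", 443, 14400, 85_000_000),  # long-lived, tunnel-like
    ("10.20.30.11", "203.0.113.50", 443, 12, 240_000),        # ordinary web browsing
    ("10.20.30.12", "198.51.100.7", 443, 9000, 40_000_000),
    ("10.20.30.12", "198.51.100.7", 443, 3600, 10_000_000),
    ("10.20.40.5", "198.51.100.7", 443, 30, 90_000),          # other staff, different VLAN
    ("10.20.30.13", "203.0.113.80", 80, 20000, 5_000_000),    # not port 443
]


def find_tunnel_like_flows(flows, contractor_net, min_duration=1800, min_bytes=5_000_000):
    """Summarise, per (src, dst), long and heavy TCP/443 sessions from contractor_net."""
    net = ipaddress.ip_network(contractor_net)
    totals = defaultdict(lambda: {"sessions": 0, "seconds": 0, "bytes": 0})
    for src, dst, dport, duration, nbytes in flows:
        # Only the contractor VLAN is in scope; other staff using the same
        # remote site are deliberately left alone.
        if dport != 443 or ipaddress.ip_address(src) not in net:
            continue
        # Heuristic (assumption): browser HTTPS sessions are short, while an
        # SSL VPN keeps a single session open for a long time and moves more data.
        if duration >= min_duration and nbytes >= min_bytes:
            entry = totals[(src, dst)]
            entry["sessions"] += 1
            entry["seconds"] += duration
            entry["bytes"] += nbytes
    return [{"src": s, "dst": d, **stats} for (s, d), stats in sorted(totals.items())]


if __name__ == "__main__":
    for hit in find_tunnel_like_flows(SAMPLE_FLOWS, "10.20.30.0/24"):
        print(hit)
```

The thresholds are starting points to tune against normal traffic from the same desktops; each hit names a contractor host and the remote endpoint it holds a session with.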


