As Crispin says, you can't protect the dufus users from themselves. One of the ideas we are kicking around provides protection to the network from potential viruses/worms etc. that the client picks up while on the road, and to some degree the data on the network. It goes like this:

1. You install the VPN client (use one that allows us to turn off split tunneling). If they don't use our client they don't get a connection.
2. The VPN server is placed in a protected zone (DMZ).
3. The VPN server provides access to terminal services, which then makes a connection to an internal terminal server.
4. The only traffic that passes from the VPN server to the inside is ICA traffic.
5. Do not allow backward mounting of drives. The client will be able to access, create and read files on the network, but nothing moves into or out of the network except ICA traffic.

This can cause some client heartburn in that they can't actually pull files from the office down to their machines. But we would teach the client to use e-mail or an FTP server process to pass any files that they really need to themselves.

It sounds complicated, and it is just in the thought stages at this time. Technology may provide a better solution before we get to any implementation. Or the plan may change drastically (more likely).

None of the above will protect the data in transit. For that you still rely on the available encoding and encryption available via the VPN and wireless tools you use.

K.d>

Kevin E. Dorning
Chief Information Security Officer
Office of the CIO DI-3
Bonneville Power Administration - USDOE
503-230-3082

-----Original Message-----
From: Crispin Cowan [mailto:crispin@private]
Sent: Monday, June 02, 2003 9:37 PM
To: Nick Murphy
Cc: crime@private
Subject: Re: CRIME Software firewall recommendations

Nick Murphy wrote:

> I have a client who is demanding VPN access over a public wireless network
> while they are traveling (T-Mobil hot spots, etc.). This will require the
> installation of a software VPN client on the laptop. After warning them of
> the potential risks they still demand that they have this available, but
> they are allowing me to put together an "as secure as can be" solution.

"Risks"?! This is best practice. There is nothing inherently insecure about wireless networks, as long as you assume that the bad guy is always listening. VPN protocols (the good ones at least: IPSec, and less transparently, SSH and SSL) can withstand that. "Risk" is assuming that WEP is any stronger than a moistened Kleenex :-)

The main actual risk factor here is in allowing a Windows user to have any kind of remote access through your firewall, even if it is done with a direct dialup connection using a highly secure call-back modem. The common failure mode is that the dufus ^W windows user will go surfing the Web, download some trojan or virus of some kind, and then infect the internal LAN when they connect.

This risk happens even with no remote access to the LAN at all. Dufus goes out surfing the web while on the road, gets infected, and then carries the trojan back inside the LAN and infects your network from the inside. This actually happened to IBM, who had Code Red ranging across their internal network for *months* after it had been more or less stamped out in the wild.

So your real risk factor is letting dufus Windows users out of the room. The VPN (or most any other form of reasonable remote access) is a small risk factor compared to that.

Crispin

--
Crispin Cowan, Ph.D.          http://immunix.com/~crispin/
Chief Scientist, Immunix      http://immunix.com
                              http://www.immunix.com/shop/
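The DMZ design in Kevin's message (steps 2 to 4: VPN server in the DMZ, and only ICA from it to the internal terminal server) is easy to state and easy to get subtly wrong on a real firewall, so here is an added example that is not code from the thread or from anyone on it. It models the DMZ-to-inside filter as a first-match rule list, evaluates a set of constructed flows against it (ICA to the terminal server passes; SMB, DNS, ICA to any other host, and traffic from any other DMZ host are dropped), and renders the same rules as iptables FORWARD-chain commands. The addresses (RFC 5737 TEST-NET-1 for the DMZ, RFC 1918 inside), the host roles and the sample flows are assumptions chosen for illustration.

```python
"""Policy model for the DMZ design sketched in the message above.

Added example, not code from the original thread. Addresses, host roles
and the sample flows are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, FrozenSet

# Assumed addressing (RFC 5737 TEST-NET-1 for the DMZ, RFC 1918 inside).
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
VPN_SERVER = ipaddress.ip_network("192.0.2.10/32")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
TERMINAL_SERVER = ipaddress.ip_network("10.0.0.20/32")

# ICA listens on TCP 1494; Session Reliability (CGP) uses TCP 2598.
ICA_PORTS = frozenset({1494, 2598})


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0    # ignored for icmp


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]              # None = any protocol
    dports: Optional[FrozenSet[int]]  # None = any port
    action: str                       # "allow" or "deny"


# First-match policy for the DMZ -> inside direction (step 4 of the plan):
# one allow for ICA from the VPN server to the terminal server, then drop
# everything else that tries to cross from the DMZ into the inside.
DMZ_TO_INSIDE = (
    Rule("ica-vpn-to-ts", VPN_SERVER, TERMINAL_SERVER, "tcp", ICA_PORTS, "allow"),
    Rule("deny-dmz-to-inside", DMZ_NET, INTERNAL_NET, None, None, "deny"),
)


def evaluate(flow: Flow, rules=DMZ_TO_INSIDE):
    """Return (action, rule name) for the first rule matching the flow.

    A flow no rule matches is denied by the implicit default, so a gap in
    the rule list fails closed rather than open.
    """
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for rule in rules:
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.proto is not None and flow.proto != rule.proto:
            continue
        if rule.dports is not None and flow.dport not in rule.dports:
            continue
        return rule.action, rule.name
    return "deny", "implicit-default"


def audit(flows, rules=DMZ_TO_INSIDE):
    """Evaluate many flows at once; returns {flow: action} for a what-if
    check before the rules go anywhere near a real firewall."""
    return {flow: evaluate(flow, rules)[0] for flow in flows}


def to_iptables(rules=DMZ_TO_INSIDE, chain: str = "FORWARD"):
    """Render the rule list as iptables commands, in the same order."""
    lines = []
    for rule in rules:
        cmd = [f"iptables -A {chain} -s {rule.src} -d {rule.dst}"]
        if rule.proto is not None:
            cmd.append(f"-p {rule.proto}")
        if rule.dports is not None:
            ports = ",".join(str(p) for p in sorted(rule.dports))
            cmd.append(f"-m multiport --dports {ports}")
        cmd.append("-j ACCEPT" if rule.action == "allow" else "-j DROP")
        lines.append(" ".join(cmd))
    return lines


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = (
    Flow("192.0.2.10", "10.0.0.20", "tcp", 1494),  # ICA to the terminal server
    Flow("192.0.2.10", "10.0.0.20", "tcp", 2598),  # ICA with Session Reliability
    Flow("192.0.2.10", "10.0.0.20", "tcp", 445),   # SMB to the same host: not ICA
    Flow("192.0.2.10", "10.0.0.30", "tcp", 1494),  # ICA, but not to the terminal server
    Flow("192.0.2.50", "10.0.0.20", "tcp", 1494),  # another DMZ host, not the VPN server
    Flow("192.0.2.10", "10.0.0.20", "udp", 53),    # DNS from the VPN server: blocked too
)

if __name__ == "__main__":
    for flow, action in audit(SAMPLE_FLOWS).items():
        print(f"{action:5} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
    print("\n".join(to_iptables()))
```

Two caveats for anyone turning this into a real rule set. First, the filter only sees ports 1494/2598, so step 5 (no client drive mapping) has to be enforced in the terminal server's ICA policy, not here; the packet filter cannot tell a drive-mapping virtual channel from keystrokes inside the same ICA session. Second, the order matters: the allow must precede the catch-all drop, and on a real box you also want the established/related state rule and a rule covering the inside-to-DMZ direction, neither of which this model includes.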
This archive was generated by hypermail 2b30 : Tue Jun 03 2003 - 08:23:33 PDT