RE: CRIME Software firewall recommendations

From: Dorning, Kevin E - DI-3 (kedorning@private)
Date: Tue Jun 03 2003 - 08:02:43 PDT


    As Crispin says, you can't protect the dufus users from themselves.
    
    One of the ideas we are kicking around provides protection to the network from potential viruses/worms etc that the client picks up while on the road, and to some degree the data on the network.
    
    It goes like this:
    1.  You install the VPN client (use one that allows us to turn off split tunneling). If they don't use our client they don't get a connection.
    2.  The VPN server is placed in a protected zone (DMZ).
    3.  The VPN server provides access to terminal services, which then makes a connection to an internal terminal server.
    4.  The only traffic that passes from the VPN server to the inside is ICA traffic.
    5.  Do not allow backward mounting of drives.  The client will be able to access, create and read files on the network, but nothing moves into or out of the network except ICA traffic.
    This can cause some client heartburn in that they can't actually pull files from the office down to their machines.  But we would teach the client to use e-mail or an FTP server process to pass any files that they really need to themselves.
    
    It sounds complicated, and it is just in the thought stages at this time.  Technology may provide a better solution before we get to any implementation.  Or the plan may change drastically (more likely).
    
    None of the above will protect the data in transit.  For that you still rely on the available encoding and encryption available via the VPN and wireless tools you use.
    
    K.d>
    
    Kevin E. Dorning
    Chief Information Security Officer
    Office of the CIO  DI-3
    Bonneville Power Administration - USDOE
    503-230-3082
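Steps 2 through 4 of the plan above (VPN server in the DMZ, only ICA allowed from it to one internal terminal server) come down to a short packet-filter ruleset. The following is an added example, not from the list posting or from BPA; it assumes Linux iptables on the DMZ/inside firewall, constructed addresses for the two servers, and Citrix ICA on its default TCP port 1494.

```bash
#!/bin/sh
# Added example: iptables rules for the firewall between the DMZ (VPN server)
# and the inside (terminal server). Addresses below are constructed; ICA on
# TCP/1494 is an assumption (the Citrix default).
VPN_SRV="${VPN_SRV:-192.0.2.10}"   # VPN server in the DMZ (constructed)
TS_SRV="${TS_SRV:-10.0.0.20}"      # internal terminal server (constructed)
ICA_PORT="${ICA_PORT:-1494}"
IPT="${IPT:-echo iptables}"        # dry-run by default; set IPT=iptables to apply

dmz_rules() {
  # Default deny for anything crossing the firewall.
  $IPT -P FORWARD DROP
  # Return traffic for connections the rules below already allowed.
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # The only new connections allowed DMZ -> inside: ICA from the VPN server
  # to the terminal server. SMB, RPC, drive mapping etc. never get a rule,
  # so nothing but ICA moves into or out of the network.
  $IPT -A FORWARD -s "$VPN_SRV" -d "$TS_SRV" -p tcp --dport "$ICA_PORT" \
       -m state --state NEW -j ACCEPT
  # Everything else sourced from the DMZ host is logged and dropped, which
  # also gives you a detection signal for a compromised VPN server.
  $IPT -A FORWARD -s "$VPN_SRV" -j LOG --log-prefix "DMZ-VPN-DENY "
  $IPT -A FORWARD -s "$VPN_SRV" -j DROP
}

# Sanity check: exactly one rule may open a new path from the VPN server.
count_new_accepts() {
  dmz_rules | grep -- '--state NEW' | grep -c -- '-j ACCEPT'
}

dmz_rules
```

Run it as-is to see the rules it would load; the single NEW/ACCEPT rule is the whole of step 4.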
    
    
    -----Original Message-----
    From: Crispin Cowan [mailto:crispin@private]
    Sent: Monday, June 02, 2003 9:37 PM
    To: Nick Murphy
    Cc: crime@private
    Subject: Re: CRIME Software firewall recommendations
    
    
    Nick Murphy wrote:
    
    >I have a client who is demanding VPN access over a public wireless network
    >while they are traveling (T-Mobil hot spots, etc.).  This will require the
    >installation of a software VPN client on the laptop.  After warning them of
    >the potential risks they still demand that they have this available, but
    >they are allowing me to put together a "as secure as can be" solution.
    >
    "Risks"?! This is best practice. There is nothing inherently insecure 
    about wireless networks, as long as you assume that the bad guy is 
    always listening. VPN protocols (the good ones at least: IPSec, and less 
    transparently, SSH and SSL) can withstand that.
    
    "Risk" is assuming that WEP is any stronger than a moistend Kleenex :-)
    
    The main actual risk factor here is in allowing a Windows user to have 
    any kind of remote access through your firewall, even if it is done with 
    a direct dialup connection using a highly secure call-back modem. The 
    common failure mode is that the dufus ^W windows user will go surfing 
    the Web, download some trojan or virus of some kind, and then infect the 
    internal LAN when they connect.
    
    This risk happens even with no remote access to the LAN at all. Dufus 
    goes out surfing the web while on the road, gets infected, and then 
    carries the trojan back inside the LAN and infects your network from the 
    inside. This actually happened to IBM, who had Code Red ranging across 
    their internal network for *months* after it had been more or less 
    stamped out in the wild.
    
    So your real risk factor is letting dufus Windows users out of the room. 
    The VPN (or most any other form of reasonable remote access) is a small 
    risk factor compared to that.
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.           http://immunix.com/~crispin/
    Chief Scientist, Immunix       http://immunix.com
                http://www.immunix.com/shop/
    



    This archive was generated by hypermail 2b30 : Tue Jun 03 2003 - 08:23:33 PDT