You are absolutely right. Not only that but we have been astounded
about how lightly many vendors take this issue. When we pointed out
this "round the horn" attack to one vendor, they frankly told us they
hadn't thought of that! Others, such as Nortel the last time I looked,
use split tunneling but this is not quite safe either. SSH includes a
packet filter in their product but it is strictly a packet filter. I
believe they intend to add a stateful inspection engine at some point.
There are a couple of options. We have investigated personal firewalls
but have frequently found them little more than packet filters and they
tend to destabilize the system. We found a very good product in pcViper
but it created some intolerable instability issues on Windows98. They
may have improved since we last tested.
For home users as opposed to truly mobile users one can implement a
hardware firewall in the broadband router. We have been reasonably
pleased with these but there is a management issue if there are a large
number of users and a lack of flexibility.
A final option is to haul all Internet traffic through the VPN, i.e.,
disable all direct Internet access except the VPN and let them access
the Internet as if they were using a dial-up connection to the office.
One last obscure security hole. Some products require that even the
post IPSec decrypted traffic be passed through a filter. This typically
means opening access to the RFC 1918 addresses (10, 172.16, 192.168).
Many ISPs use these addresses internally and one can inadvertently give
access to a VPN client desktop from the ISP's internal network by
allowing this access.
Most of our clients are low security clients so we have allowed
ourselves to be satisfied that this exposure is not unacceptable; we use
a hardware firewall where feasible and the Sentinel packet filter where
it is not.
Hope this helps - John
On Sun, 2002-04-14 at 05:35, Dave Cotton wrote:
> I have successfully set up freeswan connections between two offices and
> therefore thank the team for their hard work.
>
> The next step would be to allow RoadWarriors. But I am worried about a
> possible security problem. Because the RoadWarriors have to use MS products
> I will have to allow these machines to connect while running W98/W2K. Some
> will connect using modems others ADSL. Once they have established a
> connection to Internet they will fire up the secure connection. If they have
> no firewall, or maybe a badly configured one, between them and their Internet
> connection, if someone now connects to their machine from the outside world
> will they be able to enter the secure connection? If they can, then they
> will enter the company LAN via the IPSEC interface and will therefore be a
> legitimate user.
> --
> Dave Cotton
> Avignon France
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
--
John A. Sullivan III
Group Technology Director
Nexus Management
+1 207-985-7880
John.Sullivan_at_nexusmgmt.com
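The two exposures John describes, an outside host reaching the road warrior over its raw Internet interface while the tunnel is up, and a product that runs one filter over both raw and post-decrypt traffic so that RFC 1918 sources from the ISP's own network are let in, can be made concrete with a small policy evaluator. The following is an added example and is not code from the thread or from FreeS/WAN; the interface names `ppp0` (ISP side) and `ipsec0` (decrypted tunnel traffic), the gateway address and the sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 1918 private ranges, as named in the discussion (10, 172.16, 192.168).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: public address of the office VPN gateway (TEST-NET-3, not a real host).
GATEWAY = "203.0.113.1"


@dataclass(frozen=True)
class Packet:
    iface: str                 # "ppp0" = raw ISP link, "ipsec0" = traffic after IPsec decryption
    src: str                   # source IP address
    proto: str                 # "tcp", "udp" or "esp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "accept" or "drop"
    iface: Optional[str] = None   # None matches any interface
    src: Optional[str] = None     # CIDR; None matches any source
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """First-match stateless packet filter: return the action of the first matching rule."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Weak policy: the product applies the same filter to raw and post-decrypt packets,
# so the administrator opens the RFC 1918 ranges on every interface to let office
# traffic through. That also admits RFC 1918 sources arriving on the raw ISP link.
WEAK: List[Rule] = [
    Rule("accept", proto="udp", dport=500),       # IKE from anywhere
    Rule("accept", proto="esp"),                  # ESP from anywhere
] + [Rule("accept", src=str(n)) for n in RFC1918]

# Hardened policy: RFC 1918 sources are accepted only after decryption (ipsec0);
# on the raw link only IKE/ESP from the known gateway is accepted, which is the
# "haul everything through the VPN" posture described above.
HARDENED: List[Rule] = [
    Rule("accept", iface="ppp0", src=GATEWAY + "/32", proto="udp", dport=500),
    Rule("accept", iface="ppp0", src=GATEWAY + "/32", proto="esp"),
] + [Rule("accept", iface="ipsec0", src=str(n)) for n in RFC1918]

# Constructed sample traffic seen by the road warrior's filter.
SAMPLES: Dict[str, Packet] = {
    "office_host_via_tunnel":   Packet("ipsec0", "10.1.2.3", "tcp", 445),      # legitimate LAN access
    "isp_internal_host_direct": Packet("ppp0", "10.7.7.7", "tcp", 445),        # ISP-internal RFC 1918 host
    "internet_host_direct":     Packet("ppp0", "198.51.100.9", "tcp", 139),    # arbitrary Internet host
    "gateway_esp":              Packet("ppp0", GATEWAY, "esp"),                # tunnel traffic itself
}


def audit(rules: List[Rule]) -> Dict[str, str]:
    """Evaluate every sample packet against a policy; used to compare WEAK and HARDENED."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(policy))
```

Running `audit` on both policies shows the difference in one line: the weak policy accepts the ISP-internal `10.7.7.7` source on the raw link, the hardened one drops it while still accepting the same address range once it arrives on `ipsec0`. A real deployment would add state tracking for the client's own outbound connections, which this stateless evaluator deliberately leaves out.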
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:51 CEST