Does anyone have a best practice written up concerning this? (I thought mooching a lot of the content would keep me from typing a lot!) : )
-Patrick

>>> "Priscilla Oppenheimer" 11/30/01 01:19PM >>>
The problem is usually between the keyboard and chair. ;-)

Priscilla

At 11:07 AM 11/30/01, Kent Hundley wrote:
>You're right, but it is nearly impossible to secure the client. The problem
>is that no matter how much education you give users, most will still do the
>"wrong" thing given the right circumstances. For example, if they are in a
>chat room and someone they are communicating with sends them a file, most
>will open it, no matter how many times you tell them not to.
>
>If it is a virus or a trojan, their entire machine can become compromised
>and no amount of firewall software and strong authentication can completely
>fix that. When prompted about a new app trying to reach the Internet, they
>may just answer 'yes'. If there's no prompt and the software doesn't work,
>they may just disable their firewall. (yes, it does happen) The problem is
>worse if users use their home machines for VPN access. If they use company
>assigned laptops with WinNT or 2K, you can fix some of this by not giving
>them admin access to their own machines. This will severely limit their
>ability to install new software and offer some protection, but it's not a
>guarantee. I can see someone breaking into their machine to install the hot
>new game they just got sent from a "friend" they met on Yahoo chat who's
>only too happy to help them get the software installed.
>
>The weakest link in the security chain is almost always human factors. In
>the end, there's no silver bullet for this problem. Policies and user
>education help, but there's always a risk involved once you rely on users
>for security, which is what you must do when you allow users remote access
>to the corporate goodies. Creating a secure link is easy, it's the
>endpoints that tend to bite you. ;-)
>
>Good luck,
>Kent
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
>SentinuS
>Sent: Thursday, November 29, 2001 3:35 PM
>To: [EMAIL PROTECTED]
>Subject: Re[2]: VPN is a Backdoor !!! [7:27725]
>
>
>But I think a VPN is not a backdoor if you use the right security policy and
>the right configuration. There is one issue: the client. If you can secure
>your client, there is no weakness.
>
>
>Thursday, November 29, 2001, 11:47:08 PM, you wrote:
>PR> Even then though, you're not secure. If the box is compromised before you
>PR> connect then even when the firewall is enforced, malicious activity could
>PR> still take place...the attacker would not be able to connect to the
>PR> machine but could leave dastardly code behind to do his job for him.
>
>PR> I am working on this scenario now as well. I am attempting to come up with
>PR> a best practice for cleaning a machine, installing a firewall, etc.... for
>PR> any VPN client. Let me know how yours goes!
>
>PR> -Patrick
>
>---cut---
>
>SentinuS
>Best Regards
>[EMAIL PROTECTED]

________________________

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27861&t=27725