> Patrick Olsen wrote:
> I have been asked what the PROs and CONs of setting up a VPN would be.
> I'm trying to find security pros and cons. Basically to find out if it
> is worth the risk. This individual would be using a desktop at home
> which we would be setting up for her.
I consider the best practice to be an antivirus firewall like a Fortinet Fortigate to either be the VPN tunnel endpoint, or in transparent mode on the inside of the network between your Cisco VPN device and the internal network. This way you can enforce additional access controls and stop virus/worm/hack activity from getting in or out to your VPN users. The Cisco alone will not stop this mal-activity.

An option that also provides access without opening up a full network tunnel is the use of an SSL application gateway like Array Networks makes or like a Neoteris (Netscreen/Juniper now) SSL gateway appliance. This way you can give limited access to client-server applications and not the whole network. These devices also do allow you to selectively allow full TCP/IP layer 3 VPNs... then you need to provide protection like I mentioned above.

Another consideration with IPsec and PPTP versus SSL VPNs is that IPsec and PPTP will have problems traversing some network firewalls (even old PIX versions), and your remote users will keep you on the help-desk phone trying to figure out why the VPN doesn't work. That is because IPsec and PPTP require special firewall rules to allow them to get out of a network. SSL only uses a single outbound channel (typically over port 443/HTTPS) for all two-way communication of VPN traffic. Firewalls usually do not complain about this unless they have specific traffic inspection policies to shut down SSL VPN traffic (Checkpoint can do this).

If the remote user only needs a couple of apps, figure out a way to limit access to only the needed resources or set up a remote access RDP/Terminal Server to facilitate secure access. Also consider that a home system will store data locally and will not be under your company backup procedures. A terminal server will be on your local network and you can use your existing backup systems to keep your corporate Intellectual Property secure.

Revocation of a home system in case of employee termination also becomes a problem, and you are likely to lose IP in such an event with a home system with locally stored data.

And finally, opening up a remote access method of any kind will expose your weak password policy to brute forcing. Multi-factor authentication should be employed and enforced. Client system certificates, SecurID and Authenex are some ways to do this multifactor authentication.

Have fun,

- Bryan K. Watson - [EMAIL PROTECTED]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
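The firewall-traversal point above (IPsec and PPTP need extra egress rules, an SSL VPN rides a single TCP/443 session) is easy to check mechanically before a remote user ever calls the help desk. The following is an added example, not code from Bryan's post or from any vendor: it evaluates a small constructed egress policy, using first-match semantics with an implicit deny, against the flows each VPN type needs. The `Rule`/`Flow` classes, the policy contents and the helper names are assumptions for illustration; the port and protocol numbers are the standard ones (IKE UDP/500, NAT-T UDP/4500, ESP IP protocol 50, PPTP TCP/1723 plus GRE IP protocol 47, HTTPS TCP/443). It goes slightly beyond the post by modelling NAT-T as an acceptable substitute for native ESP.

```python
"""Check which VPN flavours a given outbound firewall policy will break.

Added example (not from the original post). Policy format, rule names and
the sample policies are constructed assumptions; the protocol/port facts
are the standard IPsec, PPTP and SSL VPN requirements.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str                 # "tcp", "udp", "esp" (IP proto 50), "gre" (IP proto 47)
    dport: Optional[int] = None  # destination port; None for port-less protocols


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    proto: str                 # as in Flow, or "any"
    dport: Optional[int] = None  # None matches any port


# Each VPN type is a list of (description, alternatives): the requirement is
# met if ANY of the alternative flows is permitted by the policy.
VPN_REQUIREMENTS = {
    "ipsec": [
        ("IKE (UDP/500)", [Flow("udp", 500)]),
        # Native ESP is blocked by many edge firewalls; NAT-T wraps ESP in UDP/4500.
        ("ESP (IP proto 50) or NAT-T (UDP/4500)", [Flow("esp"), Flow("udp", 4500)]),
    ],
    "pptp": [
        ("PPTP control (TCP/1723)", [Flow("tcp", 1723)]),
        ("GRE (IP proto 47)", [Flow("gre")]),
    ],
    "sslvpn": [
        ("HTTPS (TCP/443)", [Flow("tcp", 443)]),
    ],
}


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when its protocol and port constraints both cover the flow."""
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return True


def permitted(policy: List[Rule], flow: Flow) -> bool:
    """First-match evaluation with an implicit deny, like most packet filters."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule.action == "allow"
    return False


def blocked_flows(policy: List[Rule], vpn_type: str) -> List[str]:
    """Names of the requirements of this VPN type that the policy does not satisfy."""
    return [
        name
        for name, alternatives in VPN_REQUIREMENTS[vpn_type]
        if not any(permitted(policy, f) for f in alternatives)
    ]


# Constructed policies (assumed, for illustration).
# 1. A typical "web only" egress: DNS, HTTP, HTTPS, then deny everything else.
WEB_ONLY_EGRESS = [
    Rule("allow", "udp", 53),
    Rule("allow", "tcp", 80),
    Rule("allow", "tcp", 443),
    Rule("deny", "any"),
]

# 2. The same, plus IKE and NAT-T but still no native ESP (IPsec works via NAT-T).
NAT_T_EGRESS = [Rule("allow", "udp", 500), Rule("allow", "udp", 4500)] + WEB_ONLY_EGRESS

# 3. The rules IPsec and PPTP need, added in front of the web-only policy.
VPN_FRIENDLY_EGRESS = [
    Rule("allow", "udp", 500),
    Rule("allow", "udp", 4500),
    Rule("allow", "esp"),
    Rule("allow", "tcp", 1723),
    Rule("allow", "gre"),
] + WEB_ONLY_EGRESS


def report(policy: List[Rule]) -> List[Tuple[str, List[str]]]:
    """(vpn_type, blocked requirements) for every VPN type against one policy."""
    return [(vpn, blocked_flows(policy, vpn)) for vpn in VPN_REQUIREMENTS]


if __name__ == "__main__":
    for label, policy in [("web-only", WEB_ONLY_EGRESS),
                          ("nat-t", NAT_T_EGRESS),
                          ("vpn-friendly", VPN_FRIENDLY_EGRESS)]:
        for vpn, blocked in report(policy):
            print(f"{label:13} {vpn:7} blocked: {blocked or 'nothing'}")
```

Against the web-only policy only the SSL VPN survives, which is the post's point; the NAT-T policy shows why an IPsec client may work from one remote site and not another depending on whether native ESP is passed.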
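On the last point, that any remote access method exposes a weak password policy to brute forcing: until multi-factor authentication is in place, the minimum is to notice the guessing. The following is an added example, not code from Bryan's post or from any product, that runs a sliding-window detector over a few constructed VPN authentication log lines. The log format, host name, user names, addresses and thresholds are all assumptions made for illustration. It goes slightly beyond the post by also flagging the "spray" pattern (one source trying a few passwords against many accounts), which stays under a per-account lockout threshold.

```python
"""Detect brute-force and password-spray patterns in VPN authentication logs.

Added example (not from the original post). The log format and the sample
lines below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed log format: "<date> <time> <host> auth: user=<u> src=<ip> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ auth: "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one account hammered from one address, then one address
# trying four different accounts once each, plus ordinary traffic.
SAMPLE_LOG = """\
2004-03-12 09:00:01 vpn-gw auth: user=alice src=203.0.113.5 result=FAIL
2004-03-12 09:00:12 vpn-gw auth: user=alice src=203.0.113.5 result=FAIL
2004-03-12 09:00:25 vpn-gw auth: user=alice src=203.0.113.5 result=FAIL
2004-03-12 09:00:40 vpn-gw auth: user=alice src=203.0.113.5 result=FAIL
2004-03-12 09:00:55 vpn-gw auth: user=alice src=203.0.113.5 result=FAIL
2004-03-12 09:01:10 vpn-gw auth: user=alice src=203.0.113.5 result=FAIL
2004-03-12 09:02:00 vpn-gw auth: user=frank src=192.0.2.10 result=OK
2004-03-12 09:03:00 vpn-gw auth: user=bob src=198.51.100.7 result=FAIL
2004-03-12 09:03:30 vpn-gw auth: user=carol src=198.51.100.7 result=FAIL
2004-03-12 09:04:00 vpn-gw auth: user=dave src=198.51.100.7 result=FAIL
2004-03-12 09:04:30 vpn-gw auth: user=erin src=198.51.100.7 result=FAIL
2004-03-12 09:30:00 vpn-gw auth: user=frank src=192.0.2.10 result=FAIL
"""


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "user": m.group("user"),
        "src": m.group("src"),
        "result": m.group("result"),
    }


def detect(lines, threshold: int = 5, spray_users: int = 3,
           window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Alert once per source address when, within `window`, it either
    fails `threshold` times (brute force) or fails against `spray_users`
    distinct accounts (password spray). Successful logins are ignored."""
    recent = defaultdict(deque)   # src -> deque of (ts, user) for failures
    fired = set()                 # (src, alert type) already raised
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        # Drop failures that have aged out of the window (lines are in time order).
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct_users = {user for _, user in q}
        checks = [
            ("bruteforce", len(q) >= threshold),
            ("spray", len(distinct_users) >= spray_users),
        ]
        for kind, hit in checks:
            if hit and (ev["src"], kind) not in fired:
                fired.add((ev["src"], kind))
                alerts.append({
                    "type": kind,
                    "src": ev["src"],
                    "failures": len(q),
                    "distinct_users": len(distinct_users),
                    "at": ev["ts"].isoformat(sep=" "),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run as-is it raises two alerts: a brute-force alert for 203.0.113.5 on its fifth failure and a spray alert for 198.51.100.7 once it has touched three accounts, while frank's single failure half an hour later raises nothing. The per-source state is bounded by the window, so the detector can run continuously over a live tail of the gateway log.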