VPN clients generally have the ability to do split-tunneling -- which means they use the VPN for certain things and the local LAN connections for others.  This feature does not need to be enabled though.  If you do not allow split tunneling, ALL traffic "should" go through the VPN connection.
 
Above and beyond, it is generally a good idea to have all untrusted parties (consultants, third parties, etc.) on a different LAN segment with restricted access.
 
AND
 
Not that you want to rely entirely on others for anything -- it is considered good practice to control outbound connections FROM "your" network.  There are legal reasons as well these days.  With that in mind, DuPont in this case should have restrictions on their inbound and outbound VPN connections.
----- Original Message -----
Sent: Friday, September 20, 2002 9:54 AM
Subject: Re: [FW-1] Opening checkpoint fw-1 to for Cisco VPN

Hi all,

I'm thinking that this is a security back hole creating a tunnel between an untrusted zone and a trusted zone.

So, if an intruder from "their private LAN" reaches the client PC in your LAN through the VPN tunnel, he can also jump to other PCs on your local LAN. And this is creating a back hole.

I'm new in the security area.

Could you please correct me if I'm wrong?

Thanks,

Ozgur Erkucuk

-----Original Message-----
From: Perrymon, Josh L. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 19, 2002 1:19 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] Opening checkpoint fw-1 to for Cisco VPN

 

Scenario,

I have a consultant on my network that needs to VPN back to Dupont to access his LAN. (I assigned a static IP.)

He is running win2k and the Cisco VPN Client....

My understanding is that the VPN Client uses IPSEC tunneling.

So it would look like this..

Client on my LAN with Cisco VPN client----------------my firewall (FW1)-------------internet----------------Dupont VPN (Cisco 3000)----------their private LAN

Question -- in order to open access in my firewall ... what ports should I open?

And are there any ideas you would like to share about this?

Thanks,

Josh Perrymon
Network Security Consultant
BE&K , INC
(205) 972-6745
 

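The reply at the top of this thread recommends three things: a separate restricted segment for the consultant, a fixed address for his PC, and outbound rules that let that address reach only the remote concentrator with the IPsec protocols, so that neither split tunneling nor a hop from the tunnel into the local LAN is possible. The following Python is an added illustration of that policy, not code from the thread, from Check Point or from Cisco. It encodes the rules as a first-match decision function and runs it over a few constructed firewall log lines. All addresses (documentation ranges), the log format and the protocol set are assumptions; in particular, whether the remote Cisco side expects IKE on UDP/500, ESP, or NAT-T on UDP/4500 must be confirmed with Dupont's VPN administrator rather than taken from this example.

```python
"""Segmentation and egress policy check for a VPN-client host on the LAN.

Added illustration (not from the original thread, Check Point or Cisco). It
models the advice in the reply: put the consultant's PC on its own segment
with a fixed address, allow only IPsec from that address to the remote VPN
concentrator, and deny everything else in both directions. Addresses, log
format and sample lines are constructed for the example.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addressing; adjust to the real network.
CONSULTANT_NET = ip_network("10.10.50.0/24")   # restricted segment for third parties
CONSULTANT_PC = ip_address("10.10.50.20")       # static IP assigned to the consultant
VPN_CONCENTRATOR = ip_address("198.51.100.7")   # remote Cisco VPN concentrator (assumed)
INTERNAL_LANS = [ip_network("10.10.0.0/16")]    # all "our" address space

# What an IPsec client needs to reach the concentrator (assumed set; confirm
# with the remote administrator):
#   UDP/500      IKE (ISAKMP) negotiation
#   IP proto 50  ESP, the tunnel itself
#   UDP/4500     IKE/ESP encapsulated in UDP when a NAT is in the path (NAT-T)
ALLOWED_TO_CONCENTRATOR = {("udp", 500), ("udp", 4500), ("esp", None)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_LANS)


def decide(flow: Flow) -> Tuple[str, str]:
    """First-match policy: return (verdict, reason) for one flow."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    proto = flow.proto.lower()
    key = (proto, None if proto == "esp" else flow.dport)

    if src in CONSULTANT_NET:
        # No hop from the consultant segment into the rest of the LAN.
        if is_internal(dst) and dst not in CONSULTANT_NET:
            return "deny", "consultant segment may not reach the internal LAN"
        if dst == VPN_CONCENTRATOR:
            if src != CONSULTANT_PC:
                return "deny", "only the consultant's assigned static IP may reach the concentrator"
            if key in ALLOWED_TO_CONCENTRATOR:
                return "allow", "IPsec to the authorised VPN concentrator"
            return "deny", "non-IPsec traffic to the concentrator"
        # Anything else leaving the segment is either split tunneling or
        # traffic that should have gone through the tunnel.
        return "deny", "outbound from the consultant segment is restricted (possible split tunnel)"

    if is_internal(src) and dst in CONSULTANT_NET:
        return "deny", "internal hosts may not initiate into the consultant segment"

    return "pass", "not covered by the consultant-segment rules"


# Constructed log format: "src=A dst=B proto=P [dport=N]"
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+)(?: dport=(?P<dport>\d+))?")


def parse_log_line(line: str) -> Optional[Flow]:
    m = LOG_RE.search(line)
    if not m:
        return None
    dport = int(m["dport"]) if m["dport"] else None
    return Flow(m["src"], m["dst"], m["proto"], dport)


def audit(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Evaluate each parsable log line; returns (line, verdict, reason)."""
    results = []
    for line in lines:
        flow = parse_log_line(line)
        if flow is None:
            continue
        verdict, reason = decide(flow)
        results.append((line, verdict, reason))
    return results


# Constructed sample lines covering each branch of the policy.
SAMPLE_LOG = [
    "src=10.10.50.20 dst=198.51.100.7 proto=udp dport=500",   # IKE to concentrator
    "src=10.10.50.20 dst=198.51.100.7 proto=esp",             # ESP tunnel
    "src=10.10.50.20 dst=10.10.1.15 proto=tcp dport=445",     # lateral move into LAN
    "src=10.10.50.20 dst=203.0.113.9 proto=tcp dport=80",     # web traffic bypassing tunnel
    "src=10.10.1.15 dst=10.10.50.20 proto=tcp dport=3389",    # LAN host into segment
    "src=10.10.1.15 dst=203.0.113.9 proto=tcp dport=443",     # unrelated internal egress
]

if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_LOG):
        print(f"{verdict:5s} {line}  # {reason}")
```

Run it as-is to see each sample line classified; point `audit` at real firewall logs (after adapting `LOG_RE`) to spot a consultant host whose traffic reaches anything other than the concentrator, which is exactly the symptom of split tunneling or of a tunnel that has dropped.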