It doesn't matter what kind of encrypted network you
build between remote sites to the inside of your site.
If you can't guarantee security of the remote site,
then you cannot guarantee the security of your site.

Some have said, gee, I'll just set up a policy that
cuts off any other networks while the remote
system is connected to our internal site. This way
others can't use that system to get to ours while
it's connected.

bzzzzt - wrong.

If that system is compromised before it
connects to your site, you're allowing
that compromised system into yours.

Protect that which you _can_ 'control'. The farther
you push your perimeter, the better the chance
of including bad bad things. If you add VPNs
to homes and other businesses, you are just
extending your _trusted_ perimeter.

I think this is the same thing William said. I
just wasted more bandwidth by using more words.

Robert

- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n   F o o d    S e r v i c e
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]

>>> "William Schwartz" <[EMAIL PROTECTED]> 6/23/00 10:24:14 AM >>>
>
>Secure client can be configured to push a desktop policy. That policy can
>enforce you to lock-out all other networks that the user might be connected
>to. In theory that sounds good. I'm not sure that it's that perfect of a
>world though. With users connecting to other networks before the desktop
>policy is in place and such issues I would personally require more
>protection than that.
>
>I've seen people also use a firewall type product on that same machine that
>denies all traffic other than the secure remote traffic. I've seen a product
>called "ZoneInfo" which is a personal firewall. (www.zonelabs.com) It's a
>decently simple product, but still can be confusing for end users. It is
>cheap (like $20 - $30 or something for a single user license) but that can
>get expensive when you take into account people have hundreds of users. Some
>people also mentioned BlackICE. I haven't played with that yet, but some
>people swear by it.
>
>If you can convince users to always use something like a personal firewall,
>then you might feel comfortable enough to put them on VPN.
>
>GL
>Will
>
>
>-----Original Message-----
>From: [EMAIL PROTECTED] 
>[mailto:[EMAIL PROTECTED]]On Behalf Of
>Tucker, Greg
>Sent: Thursday, June 22, 2000 5:03 PM
>To: 'Firewall-1'
>Subject: [FW1] Connecting to dirty networks.
>
>
>
>So we have Secure Client.
>
>Is there anything else that can be used to allow trust of a user accessing
>your network when they might also be connected to a dirty network (cable,
>dsl, dialup)?
>
>If you're not using Secure Client, what are you using?
>Or are you just letting them in?
>
>There will be situations where users/networks will have to get into us,
>where the trust of the connecting network is low.  Since Secure Client is
>not likely an option, the only way I can see is to run IDSs and watch the
>logs.
>
>Anyone have other ideas?
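The "lock out all other networks while connected" client policy that Will and Greg discuss, modelled as a default-deny packet filter so the two positions can be compared on sample traffic. This is an added illustration, not code from the thread or from Check Point; the gateway address, the corporate range, the interface names and the sample packets are constructed. It also shows Robert's point: the policy accepts tunnel traffic to the file server no matter which process on the host generated it, so it cannot help if the host was compromised before it connected.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values for this example (not from the thread): the corporate
# VPN gateway's public address and the address range reachable through the tunnel.
VPN_GATEWAY = ip_address("203.0.113.10")
CORP_NET = ip_network("10.10.0.0/16")
DIRTY_IF, TUNNEL_IF = "ppp0", "tun0"  # cable/DSL/dial-up link vs. the VPN tunnel


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet arrives on or leaves from
    direction: str   # "in" or "out", from the client's point of view
    proto: str       # "udp", "tcp", "esp", "icmp"
    src: str
    dst: str
    dport: int = 0   # 0 when the protocol has no port


def lockout_policy(pkt: Packet) -> str:
    """Default-deny client firewall while the tunnel is up: on the dirty link only
    IKE (UDP/500) and ESP to our own gateway pass; inside the tunnel only corporate
    addresses are reachable, so nothing is split-tunnelled to other networks."""
    peer = ip_address(pkt.dst if pkt.direction == "out" else pkt.src)
    if pkt.iface == TUNNEL_IF:
        return "accept" if peer in CORP_NET else "drop"
    if pkt.iface == DIRTY_IF and peer == VPN_GATEWAY:
        if pkt.proto == "esp" or (pkt.proto == "udp" and pkt.dport == 500):
            return "accept"
    return "drop"


def permissive_policy(pkt: Packet) -> str:
    """The 'just let them in' alternative: the client host filters nothing."""
    return "accept"


# Constructed sample traffic as seen by a client sitting on a cable-modem segment.
SAMPLE = [
    Packet(DIRTY_IF, "out", "udp", "198.51.100.7", "203.0.113.10", 500),  # IKE to gateway
    Packet(DIRTY_IF, "in", "esp", "203.0.113.10", "198.51.100.7"),  # ESP from gateway
    Packet(DIRTY_IF, "in", "tcp", "198.51.100.99", "198.51.100.7", 139),  # neighbour probes NetBIOS
    Packet(TUNNEL_IF, "out", "tcp", "10.10.200.4", "10.10.5.5", 445),  # file server; accepted whoever sent it
    Packet(TUNNEL_IF, "out", "tcp", "10.10.200.4", "192.0.2.20", 80),  # outside web site via tunnel
]


def verdicts(policy, packets=SAMPLE):
    """Apply a policy to each sample packet and return the accept/drop verdicts."""
    return [policy(p) for p in packets]
```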

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================