RE: Re[2]: VPN is a Backdoor !!! [7:27725]

2001-11-30 Thread Patrick Ramsey

Does anyone have a best practice written up concerning this? (I thought
mooching a lot of the content would keep me from typing a lot!)  : )

-Patrick

>>> "Priscilla Oppenheimer"  11/30/01 01:19PM >>>
The problem is usually between the keyboard and chair. ;-)

Priscilla

At 11:07 AM 11/30/01, Kent Hundley wrote:
>You're right, but it is nearly impossible to secure the client.  The problem
>is that no matter how much education you give users, most will still do the
>"wrong" thing given the right circumstances.  For example, if they are in a
>chat room and someone they are communicating with sends them a file, most
>will open it, no matter how many times you tell them not to.
>
>If it is a virus or a trojan, their entire machine can become compromised
>and no amount of firewall software and strong authentication can completely
>fix that. When prompted about a new app trying to reach the Internet, they
>may just answer 'yes'.  If there's no prompt and the software doesn't work,
>they may just disable their firewall. (yes, it does happen)  The problem is
>worse if users use their home machines for VPN access.  If they use company
>assigned laptops with WinNT or 2K, you can fix some of this by not giving
>them admin access to their own machines.  This will severely limit their
>ability to install new software and offer some protection, but it's not a
>guarantee.  I can see someone breaking into their machine to install the hot
>new game they just got sent from a "friend" they met on yahoo chat who's
>only too happy to help them get the software installed.
>
>The weakest link in the security chain is almost always human factors.  In
>the end, there's no silver bullet for this problem.  Policies and user
>education help, but there's always a risk involved once you rely on users
>for security, which is what you must do when you allow users remote access
>to the corporate goodies.  Creating a secure link is easy, it's the
>endpoints that tend to bite you. ;-)
>
>Good luck,
>Kent
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
>SentinuS
>Sent: Thursday, November 29, 2001 3:35 PM
>To: [EMAIL PROTECTED] 
>Subject: Re[2]: VPN is a Backdoor !!! [7:27725]
>
>
>But I think a VPN is not a backdoor if you use the right security policy and
>the right configuration. There is one issue: the client. If you can secure
>your client, there is no weakness.
>
>
>Thursday, November 29, 2001, 11:47:08 PM, you wrote:
>PR> Even then though, you're not secure.  If the box is compromised before
>PR> you connect then even when the firewall is enforced, malicious activity
>PR> could still take place...the attacker would not be able to connect to the
>PR> machine but could leave dastardly code behind to do his job for him.
>
>PR> I am working on this scenario now as well.  I am attempting to come up
>PR> with a best practice for cleaning a machine, installing a firewall, etc.
>PR> for any VPN client.  Let me know how yours goes!
>
>PR> -Patrick
>
>---cut---
>
>SentinuS
>Best Regards
>[EMAIL PROTECTED] 


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27861&t=27725
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Re[2]: VPN is a Backdoor !!! [7:27725]

2001-11-30 Thread Priscilla Oppenheimer

The problem is usually between the keyboard and chair. ;-)

Priscilla

At 11:07 AM 11/30/01, Kent Hundley wrote:
>You're right, but it is nearly impossible to secure the client.  The problem
>is that no matter how much education you give users, most will still do the
>"wrong" thing given the right circumstances.  For example, if they are in a
>chat room and someone they are communicating with sends them a file, most
>will open it, no matter how many times you tell them not to.
>
>If it is a virus or a trojan, their entire machine can become compromised
>and no amount of firewall software and strong authentication can completely
>fix that. When prompted about a new app trying to reach the Internet, they
>may just answer 'yes'.  If there's no prompt and the software doesn't work,
>they may just disable their firewall. (yes, it does happen)  The problem is
>worse if users use their home machines for VPN access.  If they use company
>assigned laptops with WinNT or 2K, you can fix some of this by not giving
>them admin access to their own machines.  This will severely limit their
>ability to install new software and offer some protection, but it's not a
>guarantee.  I can see someone breaking into their machine to install the hot
>new game they just got sent from a "friend" they met on yahoo chat who's
>only too happy to help them get the software installed.
>
>The weakest link in the security chain is almost always human factors.  In
>the end, there's no silver bullet for this problem.  Policies and user
>education help, but there's always a risk involved once you rely on users
>for security, which is what you must do when you allow users remote access
>to the corporate goodies.  Creating a secure link is easy, it's the
>endpoints that tend to bite you. ;-)
>
>Good luck,
>Kent
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
>SentinuS
>Sent: Thursday, November 29, 2001 3:35 PM
>To: [EMAIL PROTECTED]
>Subject: Re[2]: VPN is a Backdoor !!! [7:27725]
>
>
>But I think a VPN is not a backdoor if you use the right security policy and
>the right configuration. There is one issue: the client. If you can secure
>your client, there is no weakness.
>
>
>Thursday, November 29, 2001, 11:47:08 PM, you wrote:
>PR> Even then though, you're not secure.  If the box is compromised before
>PR> you connect then even when the firewall is enforced, malicious activity
>PR> could still take place...the attacker would not be able to connect to the
>PR> machine but could leave dastardly code behind to do his job for him.
>
>PR> I am working on this scenario now as well.  I am attempting to come up
>PR> with a best practice for cleaning a machine, installing a firewall, etc.
>PR> for any VPN client.  Let me know how yours goes!
>
>PR> -Patrick
>
>---cut---
>
>SentinuS
>Best Regards
>[EMAIL PROTECTED]


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27859&t=27725



RE: Re[2]: VPN is a Backdoor !!! [7:27725]

2001-11-30 Thread Kent Hundley

You're right, but it is nearly impossible to secure the client.  The problem
is that no matter how much education you give users, most will still do the
"wrong" thing given the right circumstances.  For example, if they are in a
chat room and someone they are communicating with sends them a file, most
will open it, no matter how many times you tell them not to.

If it is a virus or a trojan, their entire machine can become compromised
and no amount of firewall software and strong authentication can completely
fix that. When prompted about a new app trying to reach the Internet, they
may just answer 'yes'.  If there's no prompt and the software doesn't work,
they may just disable their firewall. (yes, it does happen)  The problem is
worse if users use their home machines for VPN access.  If they use company
assigned laptops with WinNT or 2K, you can fix some of this by not giving
them admin access to their own machines.  This will severely limit their
ability to install new software and offer some protection, but it's not a
guarantee.  I can see someone breaking into their machine to install the hot
new game they just got sent from a "friend" they met on yahoo chat who's
only too happy to help them get the software installed.

The weakest link in the security chain is almost always human factors.  In
the end, there's no silver bullet for this problem.  Policies and user
education help, but there's always a risk involved once you rely on users
for security, which is what you must do when you allow users remote access
to the corporate goodies.  Creating a secure link is easy, it's the
endpoints that tend to bite you. ;-)

Good luck,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
SentinuS
Sent: Thursday, November 29, 2001 3:35 PM
To: [EMAIL PROTECTED]
Subject: Re[2]: VPN is a Backdoor !!! [7:27725]


But I think a VPN is not a backdoor if you use the right security policy and
the right configuration. There is one issue: the client. If you can secure
your client, there is no weakness.


Thursday, November 29, 2001, 11:47:08 PM, you wrote:
PR> Even then though, you're not secure.  If the box is compromised before
PR> you connect then even when the firewall is enforced, malicious activity
PR> could still take place...the attacker would not be able to connect to the
PR> machine but could leave dastardly code behind to do his job for him.

PR> I am working on this scenario now as well.  I am attempting to come up
PR> with a best practice for cleaning a machine, installing a firewall, etc.
PR> for any VPN client.  Let me know how yours goes!

PR> -Patrick

---cut---

SentinuS
Best Regards
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=27832&t=27725