
Saturday, June 20, 2009

firewall-wizards Digest, Vol 38, Issue 10

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: VPN Split-tunneling: Your opinion? (Aniket S. Amdekar)
2. Re: Cisco AnyConnect Remote Access to L2L tunnels (Eric Gearhart)
3. Re: VPN Split-tunneling: Your opinion? (Behm, Jeff)
4. layer2 tunneling with proxy arp (Lord Sporkton)
5. sla with source route (Lord Sporkton)


----------------------------------------------------------------------

Message: 1
Date: Fri, 19 Jun 2009 10:46:04 -0700 (PDT)
From: "Aniket S. Amdekar" <aniket_zpm@yahoo.com>
Subject: Re: [fw-wiz] VPN Split-tunneling: Your opinion?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <584626.84019.qm@web33106.mail.mud.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"

I agree on the fact that the split tunnel does open up an attack surface, but if the VPN software also has an inbuilt firewall with stateful inspection, nothing like it.

If your corporate network has a Network Access Policy set, then as soon as you enter the company network, your machine will be scanned and remediated in a separate VLAN if found infected. So, a split tunnel would be risky without some NAC enforcement in the corporate environment. As far as routing malicious packets into the corporate network using a split tunnel is concerned, stateful inspection should take care of it.

At the firewall, when you setup the VPN policy, you can control if you want to allow broadcasts flowing through the tunnels.

Regards,
Aniket Amdekar


--- On Fri, 6/19/09, Paul Melson <pmelson@gmail.com> wrote:

From: Paul Melson <pmelson@gmail.com>
Subject: Re: [fw-wiz] VPN Split-tunneling: Your opinion?
To: "'Firewall Wizards Security Mailing List'" <firewall-wizards@listserv.icsalabs.com>
Date: Friday, June 19, 2009, 7:01 PM

> I was wondering what each of your opinions are RE: VPN Split-tunneling.
> Do you consider a split-tunnel setup to be particularly risky to allow
> from a security point of view? Compared to typical (modern) exploits such
> as trojans via email, XSS, web based attacks, etc - do you think that the
> risk of a client becoming misconfigured and allowing routing into the
> private network via a split tunnel is particularly prevalent?

I think, for client VPN configurations, that split tunnel versus full tunnel
setups are a dead horse. The original thinking was that you didn't want a
computer to be simultaneously connected to a trusted network and an
untrusted network. If those requirements are still part of your
architecture, then do full tunnel. But in terms of actual risk, by having
the client machine run with a host firewall that doesn't allow incoming
connections (which is pretty standard fare for all vendors), you address the
risk of someone bouncing through your clients from an untrusted network.

Are there still attacks against VPN client systems that can get by a host
firewall? Absolutely. However, full tunnel does little to nothing to
prevent them. Most malware we see today does some form of phone-home from
the client for C&C. If your full tunnel VPN configuration allows connected
clients to access the Internet, that phone-home is still going to work
(though centralized firewall & IPS will be in play). Even if your full
tunnel setup prevents C&C, malware can still get on the client while it's
disconnected and will gain access to your trusted network when the client
connects. Having live C&C is not a necessity for theftware to pilfer data
off of file shares or have a worm spread across the VPN tunnel.

PaulM


_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20090619/de379dd0/attachment-0001.html>

------------------------------

Message: 2
Date: Fri, 19 Jun 2009 16:12:59 -0700
From: Eric Gearhart <eric@nixwizard.net>
Subject: Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<5792267e0906191612i1dc8dc2aj54b804badc14a509@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

On Sun, Jun 14, 2009 at 7:41 AM, Todd Simons <tsimons@delphi-tech.com> wrote:

> Eric-
>
> At this point I have this working via Hairpinning, my only problem at
> this point is that RemoteAccess VPNs (which are a global vpn setup)
> can't browse the internet or use external hosts that are not part of my
> sites.
>
> ~Todd


Todd,

Sorry about the confusion... glad to hear you have things working.

Re: the remote access clients' Internet access... you can use split tunnels
to have clients connect but only your tunnel subnets are routed over their
tunnel connection... regular internet access would go through the clients'
ISP, not over the tunnel. Is that an option?

If that's not an option, I think that you would have to setup dynamic NAT on
your outside interface and setup NAT exceptions for your internal subnets
for the RA clients to have regular Internet but still hit the tunnel
correctly... Cisco sees remote VPN clients as incoming through the outside
interface (which is annoying.. I wish they'd just setup a virtual tunnel
interface on the ASA like they do on their router VPN tunnels....)

I haven't set this up though so I'm shooting in the dark a bit on this
one... I have split tunnels setup for my work ASA VPN and it works quite
well

--
Eric
http://nixwizard.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20090619/f11ad3bb/attachment-0001.html>
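Both of the options Eric sketches can be written down as ASA configuration. What follows is an added example constructed for this digest, not Eric's or Todd's configuration, in the pre-8.3 NAT syntax that was current in 2009; the remote-access pool 192.168.50.0/24, the inside network 10.0.0.0/8 and the L2L site network 10.20.0.0/16 are assumed values. Option A routes only the corporate and site prefixes into the tunnel (split tunnel); option B keeps full tunneling and hairpins client Internet traffic back out of the outside interface through PAT while exempting client-to-inside and client-to-site traffic from translation.

```cisco
! Added example (constructed); addresses are assumptions, syntax is ASA pre-8.3.
!
! --- Option A: split tunnel. Only these prefixes are routed into the tunnel;
!     everything else leaves via the client's own ISP and bypasses the
!     corporate firewall/proxy/web filter.
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL standard permit 10.20.0.0 255.255.0.0
!
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! --- Option B: full tunnel with hairpinning. Client Internet traffic arrives
!     on outside and must leave on outside again, so intra-interface
!     forwarding has to be permitted and the pool PATed to the outside
!     address. Client traffic to inside hosts and to the L2L site is exempt.
same-security-traffic permit intra-interface
!
global (outside) 1 interface
nat (outside) 1 192.168.50.0 255.255.255.0
!
access-list OUTSIDE_NAT0 extended permit ip 192.168.50.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list OUTSIDE_NAT0 extended permit ip 192.168.50.0 255.255.255.0 10.20.0.0 255.255.0.0
nat (outside) 0 access-list OUTSIDE_NAT0
!
! If inside hosts are otherwise translated on their way out, exempt the
! return direction as well.
access-list INSIDE_NAT0 extended permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NAT0
!
! The L2L crypto ACL (and the remote site's mirror of it) must also cover
! 192.168.50.0/24, or hairpinned client-to-site packets never enter the
! site-to-site tunnel.
```

With option B every client web request is logged and filtered centrally, which is the property Jeff's message in this digest values; the price is that all of the clients' Internet traffic now transits the ASA twice and consumes outside bandwidth in both directions.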

------------------------------

Message: 3
Date: Fri, 19 Jun 2009 09:14:05 -0500
From: "Behm, Jeff" <jbehm@burnsmcd.com>
Subject: Re: [fw-wiz] VPN Split-tunneling: Your opinion?
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<1217D5F18AEF15499BF1047D8F407D560FDBC6@kcm-exch-001.burnsmcd.com>
Content-Type: text/plain; charset="us-ascii"

From a web filtering/outbound access through a proxy/firewall point of
view, with split tunneling, I see clients going out to the Internet
(HTTP/HTTPS, at least) completely unfiltered.

With full tunneling, I see clients connecting back to "corporate" and
going out through the firewall/proxy/web filter, which provides some
sane level of filtering.

From that standpoint, the feeling is that there is some level of
security gained by pushing the traffic through the firewall/proxy/web
filter that is not had by allowing split tunneling.


From the "My client is compromised/misconfigured and now is allowing
routing into the trusted network" standpoint, I don't think that attack
vector is necessarily all that prevalent. It doesn't need to be from an
intruder's view. It seems to be much easier to get people to click on
this link, or open that attachment, or give out a password in exchange
for a candy bar in order to perform an attack.

While I personally am not a fan of split tunneling from a security point
of view, even if the client is misconfigured and allows routing in, that
in itself isn't necessarily *bad.* It depends on why the client is
misconfigured (i.e. was it a dumb user, or malicious bad guy), who is on
the other end of that route, what their intentions are(perhaps no
intentions at all), and whether or not they are smart enough to exploit
a misconfigured PC (i.e. route) to get into your network.

Jeff

On Friday, June 19, 2009 1:05 AM, Amuse said:

> I was wondering what each of your opinions are RE: VPN Split-tunneling.
> Do you consider a split-tunnel setup to be particularly risky to allow
> from a security point of view? Compared to typical (modern) exploits such
> as trojans via email, XSS, web based attacks, etc - do you think that the
> risk of a client becoming misconfigured and allowing routing into the
> private network via a split tunnel is particularly prevalent?


------------------------------

Message: 4
Date: Fri, 19 Jun 2009 16:39:46 -0700
From: Lord Sporkton <lordsporkton@gmail.com>
Subject: [fw-wiz] layer2 tunneling with proxy arp
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<a1bf75ae0906191639l3180a33eje2f7373f3413409d@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Has anyone used proxy arp to do a layer 2 tunnel?

I had this idea and wanted to know if anyone had done this already.

Basically on two cisco routers, set up gre between, then do proxy-arp
on both of them and assign the same lan block on both, then do
individual host routes for each host on either side and turn on proxy
arp.

Any problems with this? It was just floating in my head recently.

thanks.
Lawrence
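As an added illustration of the design Lawrence describes (constructed for this digest, not his configuration; all addresses are assumptions), here is one side of the pair in Cisco IOS. Router A carries 192.168.1.0/24 on its LAN, router B is configured the same way with the roles reversed, and the /32 host routes name the hosts that physically sit at the other site. Because the /32 beats the connected /24, proxy ARP on the LAN interface answers for those hosts with the router's own MAC and the packet is routed into the GRE tunnel.

```cisco
! Router A (constructed example; addresses are assumptions)
interface Tunnel0
 description GRE to router B
 ip address 172.16.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
!
interface FastEthernet0/0
 description LAN, same block as router B's LAN (separate broadcast domain)
 ip address 192.168.1.1 255.255.255.0
 ip proxy-arp
!
interface FastEthernet0/1
 description WAN
 ip address 203.0.113.1 255.255.255.0
 no ip proxy-arp
!
! Hosts that physically sit behind router B. The /32 is more specific than
! the connected /24, so proxy ARP answers for them on Fa0/0 and the packet
! is forwarded over the tunnel.
ip route 192.168.1.20 255.255.255.255 Tunnel0
ip route 192.168.1.21 255.255.255.255 Tunnel0
!
! Router B mirrors this: Tunnel0 172.16.0.2/30 with source 203.0.113.2 and
! destination 203.0.113.1, the same LAN address 192.168.1.1 on its own LAN,
! and /32 routes via Tunnel0 for the hosts behind router A
! (for example 192.168.1.10 and 192.168.1.11).
```

This is layer-3 forwarding dressed up as one flat subnet rather than a true layer-2 tunnel: broadcasts, DHCP and non-IP traffic do not cross, any host missing from the host-route list is unreachable from the far side, and a host that moves between sites is black-holed until both routers' host routes and the neighbouring hosts' ARP caches are updated. Proxy ARP belongs only on the LAN interface; a router that answers ARP for anything it can route will also answer for addresses it should not, so `no ip proxy-arp` on every other interface is the usual hardening.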


------------------------------

Message: 5
Date: Fri, 19 Jun 2009 16:43:58 -0700
From: Lord Sporkton <lordsporkton@gmail.com>
Subject: [fw-wiz] sla with source route
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<a1bf75ae0906191643n41c7b0dbh102e83662c8107cb@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

I wanted to do a double WAN with a source route with an SLA or similar.

I want a certain IP to use a certain outbound connection unless that
connection is down, at which time I want it to use a different
connection.

I was looking into doing this with a source route tied to SLA,
something like any from hostA next hop wan1 track blahhh

but wasn't sure on the specifics? Should I policy match on a route? And
then track on that route with SLA? Or other?

This is just something spinning in my head, I'm going to do a mock test
in a day or so but wanted to ask if anyone has done something like
this. In this case the policy route is needed as normal traffic will
go out a different connection and the specific IP/traffic that will be
source routed.

thank you
Lawrence
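Lawrence's "any from hostA next hop wan1 track blahhh" maps onto IP SLA, object tracking and policy-based routing with a tracked next hop. The following Cisco IOS configuration is an added, constructed example written for this digest, not Lawrence's own; the LAN 192.168.1.0/24, hostA 192.168.1.50, the wan1 next hop 203.0.113.1, the wan2 next hop 198.51.100.1 and the probe target 192.0.2.10 are assumptions.

```cisco
! Constructed example; all addresses are assumptions.
!
! Probe something beyond the wan1 next hop so that an upstream failure, not
! only a dead link, takes wan1 out of service. Pin the probe target to wan1
! with a host route so the probe never follows the fallback path and keeps
! reporting "up" through wan2.
ip route 192.0.2.10 255.255.255.255 203.0.113.1
!
ip sla 1
 icmp-echo 192.0.2.10 source-interface FastEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! Normal traffic: default route via wan2.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! hostA only: prefer wan1 while track 1 is up. With verify-availability and
! a tracked next hop, the set clause is ignored when the track is down and
! hostA falls through to normal routing (wan2); no second sequence is needed.
ip access-list extended HOSTA_OUT
 permit ip host 192.168.1.50 any
!
route-map PBR_HOSTA permit 10
 match ip address HOSTA_OUT
 set ip next-hop verify-availability 203.0.113.1 10 track 1
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map PBR_HOSTA
!
interface FastEthernet0/1
 description wan1
 ip address 203.0.113.2 255.255.255.0
!
interface FastEthernet0/2
 description wan2
 ip address 198.51.100.2 255.255.255.0
```

`show track 1` and `show ip sla statistics 1` show whether the probe is succeeding and when the track last changed state. If both WAN links are NATed, the translation has to follow the egress interface (route-map based `ip nat inside source route-map ... interface ... overload` per link), otherwise hostA's packets can leave wan1 carrying wan2's address. Sizing `delay down`/`up` matters: too short and a few lost probes flap hostA between providers, too long and the failover is slower than the SLA being promised.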


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 38, Issue 10
************************************************
