Our forums are currently in maintenance mode and the ability to post is disabled. We will be back up and running as soon as possible. Thanks for your patience!

General discussion


VPN out Firewall

By rick.baldree ·
What security concerns are there related to allowing a CPN client on a desktop within your "secured" network to connect with a VPN host on someone elses network through your firewall?

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

by jc2it In reply to VPN out Firewall

That is best answered by answering questions:

1. Do I trust the other network?

2. What can be accessed on my network from the computer on my end of the VPN?

3. Does the other network have the same, better or worse security policies?

4. What are my alternatives?

5. Why must I do this, or what politics are involved?

Remember that the VPN is an extension of your network within a security tunnel, after all it means Virtual Private Network. The problem is that you are extending your network past your firewall, anti-virus software and anti-spyware software, and you are relying on the other network admin to handle this on their end. It really all boils down to how much you trust the other network. There are few legitimate business reasons to do this on my network, but your business may be different.

Job Cacka

Collapse -

by rick.baldree In reply to VPN out Firewall

Thansk for your thoughts and I agree with your thoughts. It does come donw to the trusting the other network. Also, is the VPN access is onjly allowed out to one a single ip on their network and VPN traffic is not allowed to be initiated from their end, then the risk would be minimized, in my opinion. is that correct?

Collapse -

by bdragomir In reply to VPN out Firewall

Hi Rick,
You're fairly accurate with your thoughts though you could allow their IP to only one destination and route it through your firewall(vpn switch->firewall->destination & re-tour the same), normally I would recommend to enable logging for the incoming IP so you can have audit possibility. The risk is the same as having a alien machine on your network (you are not aware of patch level/management, AV definition, usage, GPO, health state of the machine, dual or not NIC's(can relay connection between nic's) you name it).
As I am saying this I do know that it might be necessary to grant that access if so ... reserve the right to audit their security posture, and very important tie them with liability for any damage that is coming from them.

Collapse -

Not sure that's what Rick was asking

by christopher.merritt In reply to

In looking at the original question (and the question that I am currently researching), it doesn't seem like the answers apply. I think we all understand the risk of allowing an external entity to VPN in, but what risk does that outside entity take on by VPNing to my network?

We are getting ready to install a VPN client on a couple desktops within our enclave that will go one-way to a vendor's network. So my quesiton would be, "What's the risk for us, if we are accessing their network via VPN one way?"


Related Discussions

Related Forums