Client VPN question

Unanswered Question

Quick question, guys: how can I assure security when using a client VPN connection from within my network to an external company's network? I understand that creating a site-to-site connection would be best; however, if I were to use a client VPN connection, how can I stop users on the remote company's subnet browsing my network via the virtual VPN connection?

Hope that makes sense.



michael.leblanc Thu, 04/24/2008 - 16:28

If you are connecting to a third party network (through a VPN or otherwise), you should take steps to protect your host from compromise with a personal firewall.

If your host is protected from compromise, and your host is not providing routing functionality, users on the remote site should have no access to your network.

The tunnel exposes your host, not your network (given the stipulations above).

Hi Michael, thanks for your reply; however, my question really is this: when the client VPN establishes a connection to a remote site there are two active connections open on that PC, the local connection and a virtual connection, and this sort of bridges the two networks together. What I would like to know is how the security of our network could be compromised, as the virtual VPN connection to the remote subnet would allow all packets back to the originating host due to the VPN. What's to stop a hacker at the remote end dropping a script onto the VPN PC from the remote site that would allow malicious traffic to jump from the virtual connection to the physical subnet? Does this make sense?



michael.leblanc Fri, 04/25/2008 - 06:18

If you look at the Transport tab of the Connection Properties, you will see a checkbox for a feature called "Allow Local LAN Access". The help file suggests leaving this "unchecked" provides the protection you are seeking.

The Options menu also provides access to a Stateful Firewall.

When you say "sort of bridges the two networks together", are you suggesting that packets are freely forwarded from one interface to the other? If so, I don't agree. I don't think the host will do this without a routing function installed, or being compromised.

Still comes back to protecting the host for me.


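The two points made in the replies above, the effect of "Allow Local LAN Access" and the fact that a host with no routing function does not move packets between its physical NIC and the VPN adapter, modelled in Python as an added illustration. This is not code from the Cisco VPN Client or from either poster. The addresses, interface names and route entries are constructed assumptions, and the client's real "Allow Local LAN Access" mechanism is simplified to whether a route for the local subnet stays on the physical NIC.

```python
"""Model of a VPN-client host's packet handling (added illustration).

Two behaviours from the thread are modelled:
  1. With "Allow Local LAN Access" unchecked the client installs a full tunnel,
     so even the host's own traffic to the local subnet goes into the VPN.
  2. A packet arriving from the tunnel that is not addressed to this host is
     only passed on to the LAN when IP forwarding is enabled on the host.
All addresses and interface names below are constructed for the example.
"""
from ipaddress import ip_address, ip_network

LAN_IF = "lan0"   # physical NIC on our own subnet (assumed name)
TUN_IF = "tun0"   # virtual adapter the VPN client creates (assumed name)

HOST_LAN_ADDR = ip_address("192.168.1.20")   # constructed: our host on the local LAN
HOST_TUN_ADDR = ip_address("10.200.0.7")     # constructed: address assigned by the VPN
VPN_GATEWAY = ip_address("203.0.113.10")     # constructed: remote company's VPN gateway


def route_table(local_lan_access):
    """Routes as (prefix, outgoing interface); selection is longest prefix match."""
    routes = [
        (ip_network("0.0.0.0/0"), TUN_IF),        # full tunnel: default route into the VPN
        (ip_network("203.0.113.10/32"), LAN_IF),  # the gateway itself must stay reachable via the LAN
        (ip_network("10.200.0.0/16"), TUN_IF),    # remote company's subnet
    ]
    if local_lan_access:
        # "Allow Local LAN Access" checked: the local subnet stays on the NIC
        routes.append((ip_network("192.168.1.0/24"), LAN_IF))
    return routes


def lookup(routes, dst):
    """Return the outgoing interface for dst, or None when nothing matches."""
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def packet(src, dst, in_if=None):
    """in_if is None for packets generated by this host itself."""
    return {"src": ip_address(src), "dst": ip_address(dst), "in_if": in_if}


def handle(pkt, routes, ip_forwarding=False):
    """Decide what the host does with one packet and describe it as a string."""
    dst, in_if = pkt["dst"], pkt["in_if"]
    if in_if is None:
        # Locally generated traffic: just route it.
        out = lookup(routes, dst)
        return f"send via {out}" if out else "drop: no route"
    if dst in (HOST_LAN_ADDR, HOST_TUN_ADDR):
        # Addressed to one of our own interfaces: hand it to the local stack.
        return "deliver to local stack"
    if not ip_forwarding:
        # A non-routing host discards transit packets; the tunnel exposes
        # the host, not the LAN behind it.
        return "drop: not for this host and forwarding is disabled"
    out = lookup(routes, dst)
    return f"forward {in_if}->{out}" if out else "drop: no route"


if __name__ == "__main__":
    printer = "192.168.1.50"          # constructed: a device on our local LAN
    remote_user = "10.200.0.99"       # constructed: someone on the remote company's subnet
    for lan_access in (False, True):
        routes = route_table(lan_access)
        print(f"Allow Local LAN Access = {lan_access}")
        print("  host -> local printer:      ", handle(packet(str(HOST_LAN_ADDR), printer), routes))
        print("  remote user -> our host:    ", handle(packet(remote_user, str(HOST_TUN_ADDR), TUN_IF), routes))
        print("  remote user -> printer:     ", handle(packet(remote_user, printer, TUN_IF), routes))
        print("  ...with forwarding enabled: ", handle(packet(remote_user, printer, TUN_IF), routes, True))
```

The last line of each run is the case the original poster worries about: a packet from the remote subnet aimed at a machine on the local LAN is only passed through when the VPN host itself forwards IP, which is why the reply keeps coming back to protecting that host. On a real machine the corresponding check is the forwarding state (on Linux, `sysctl net.ipv4.ip_forward`; on Windows, the `IPEnableRouter` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`) together with the route table while the tunnel is up.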