Policy question: allowing internal users to VPN to external networks

Answered Question
Jun 19th, 2008

Hi folks.

We're getting requests from our internal users, asking for the ability/permission to VPN into external networks for business-related purposes. They would be using our corporate machines sitting on our corporate network, and perhaps installing/configuring the required VPN software (e.g. Nortel, Microsoft PPTP, Cisco IPSec, etc.). They'd go out through our ASA firewalls and then connect to the remote network.

We currently block outbound IPSec and PPTP to prevent this, and the reason we give is that you're bridging the two networks and potentially opening our internal network up to Who Knows What.

In the past we've had remote offices install stand-alone DSL lines and ACL'd access just to the external VPN, but this gets expensive and cumbersome. Likewise for EVDO wireless cards.

With the current state of the economy, price of gas/travel, etc., it's getting tougher to deny these requests and the Higher Ups in IT are getting hit by the business units.

How do you guys deal with this? What reasons do you give for allowing/preventing external VPN access? Is the problem better solved with policy or technology (or both)? Do you only poke holes / make exceptions for specific external VPNs, and if so what requirements do you wrap around it?

Thanks for any and all input!

- Neil
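One way to express the "poke holes for specific external VPNs" approach on an ASA, as an added illustration rather than configuration from the post: approved internal hosts may negotiate IKE/IPSec or PPTP with approved external endpoints, everything else of that kind is dropped and logged. Every address, object-group name and ACL name here is an assumption.

```cisco
! Added example, not from the original post. Addresses and names are assumptions.
! Internal hosts that have been approved (written policy) to reach an external VPN.
object-group network APPROVED_VPN_CLIENTS
 network-object host 10.1.20.15
 network-object host 10.1.20.16
! External VPN concentrators those hosts are permitted to connect to.
object-group network APPROVED_EXTERNAL_VPN_ENDPOINTS
 network-object host 203.0.113.10
 network-object host 198.51.100.25

! Outbound ACL applied on the inside interface.
! 1. Exceptions: IKE (UDP/500), NAT-T (UDP/4500), ESP and PPTP (TCP/1723 + GRE)
!    only from approved hosts to approved endpoints.
access-list INSIDE_OUT extended permit udp object-group APPROVED_VPN_CLIENTS object-group APPROVED_EXTERNAL_VPN_ENDPOINTS eq isakmp
access-list INSIDE_OUT extended permit udp object-group APPROVED_VPN_CLIENTS object-group APPROVED_EXTERNAL_VPN_ENDPOINTS eq 4500
access-list INSIDE_OUT extended permit esp object-group APPROVED_VPN_CLIENTS object-group APPROVED_EXTERNAL_VPN_ENDPOINTS
access-list INSIDE_OUT extended permit tcp object-group APPROVED_VPN_CLIENTS object-group APPROVED_EXTERNAL_VPN_ENDPOINTS eq pptp
access-list INSIDE_OUT extended permit gre object-group APPROVED_VPN_CLIENTS object-group APPROVED_EXTERNAL_VPN_ENDPOINTS

! 2. Default: block all other outbound tunnel setup and log it, so unapproved
!    attempts show up in syslog and can be followed up with the user.
access-list INSIDE_OUT extended deny udp any any eq isakmp log
access-list INSIDE_OUT extended deny udp any any eq 4500 log
access-list INSIDE_OUT extended deny esp any any log
access-list INSIDE_OUT extended deny tcp any any eq pptp log
access-list INSIDE_OUT extended deny gre any any log

! 3. Remaining outbound traffic follows the existing policy (permit shown for brevity).
access-list INSIDE_OUT extended permit ip any any

access-group INSIDE_OUT in interface inside
```

The exception lines are the per-VPN holes the question describes; the deny/log lines preserve the current blanket block for everyone else and give the firewall team visibility into who is trying to bypass it.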

Correct Answer by michael.leblanc about 8 years 5 months ago

In the case of IPSec, I'm not sure you're bridging the two networks.

You are allowing traffic to be tunneled through your firewall though, and the limits imposed on the passenger traffic are largely determined by the policy-push from the other party's VPN endpoint, and any software firewall on your host.

I think it comes down to adequate host protection on your end, and some common sense as to which parties you are permitted to connect to (written policy).

The Cisco VPN Client does provide an integrated firewall, and the ability to restrict your host from accessing the local LAN while the tunnel is UP.
