Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
344
Views
0
Helpful
1
Replies

Policy question: allowing internal users to VPN to external networks

Go to solution
clausonna
Level 3
Level 3

‎06-19-2008 12:15 PM - edited ‎02-21-2020 03:46 PM

Hi folks.

We're getting requests from our internal users, asking for the ability/permission to VPN into external networks for business related purposes. They would be using our corporate machines sitting on our corporate network, and perhaps installing/configuring the required VPN software (e.g. Nortel, Microsoft PPTP, Cisco IPSec, etc.) They'd go out through our ASA firewalls and then connect to the remote network.

We currently block outbound IPSec and PPTP to prevent this, and the reason we give is that you're bridging the two networks and potentially opening our internal network up to Who Knows What.

In the past we've had remote offices install stand-alone DSL lines and ACL'd access just to the external VPN, but this gets expensive and cumbersome. Likewise for EVDO wireless cards.

With the current state of the economy, price of gas/travel, etc, its getting tougher to deny these requests and the Higher Up's in IT are getting hit by the business units.

How do you guys deal with this? What reasons do you give for allowing/preventing external VPN access? Is the problem better solved with policy or technology (or both?) Do you only poke holes / make exceptions for specific external VPN's, and if so what requirements do you wrap around it?

Thanks for any and all input!

- Neil

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
michael.leblanc
Level 4
Level 4

‎06-19-2008 04:06 PM

In the case of IPSec, I'm not sure you're bridging the two networks.

You are allowing traffic to be tunneled through your firewall though, and the limits imposed on the passenger traffic are largely determined by the policy-push from the other parties VPN endpoint, and any software firewall on your host.

I think it comes down to adequate host protection on your end, and some common sense as to which parties you are permitted to connect too (written policy).

The Cisco VPN Client does provide an integrated firewall, and the ability to restrict your host from accessing the local LAN while the tunnel is UP.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
michael.leblanc
Level 4
Level 4

‎06-19-2008 04:06 PM

In the case of IPSec, I'm not sure you're bridging the two networks.

You are allowing traffic to be tunneled through your firewall though, and the limits imposed on the passenger traffic are largely determined by the policy-push from the other parties VPN endpoint, and any software firewall on your host.

I think it comes down to adequate host protection on your end, and some common sense as to which parties you are permitted to connect too (written policy).

The Cisco VPN Client does provide an integrated firewall, and the ability to restrict your host from accessing the local LAN while the tunnel is UP.

0 Helpful
Customers Also Viewed These Support Documents