Cisco Support Community
New Member

Best Practice Question

I am somewhat of a security newbie, but manage a small company's IT department. I have been asked to allow outgoing VPN connections to other companies from our site through our PIX firewall. The administrator before me didn't allow it.

I was wondering if there were security concerns with allowing this.



Re: Best Practice Question

Certainly there are security concerns with allowing VPNs to other companies, but that does not mean that you should not do it. What it does mean is that you need to understand what traffic and applications are to be used over the VPN and will need to configure the PIX to allow only that traffic. With some applications, that is easy to do, but with others it can be next to impossible.

You need a security policy which dictates what sorts of traffic are acceptable and recognizes the value of allowing the improved connectivity with your trading partners. Note that this may require more knowledge of how specific applications work than you want to learn (and clearly more than your predecessor in the job was willing to learn).

You should also temper what is allowed by recognizing the vulnerabilities of your systems and the trust you have in the other companies. For example, it is almost certainly a bad idea to let Windows browsing traffic through, as that is a popular vector for numerous viruses and worms (do a quick search on Nachi or Welchia for some ideas of what can happen if you don't take proper precautions).

Good luck and have fun!

Vincent C Jones

New Member

Re: Best Practice Question

The traffic would most likely be only terminal services and HTTP. Our consultants need to access customer systems to troubleshoot software installations.

I guess my next question would be where I could find documentation that could help me configure this. I have looked here, but really didn't find what I needed.

If our firewall is currently blocking outgoing VPN connections, what type of protocol, policy, or port has to be denied?
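As an added example (not part of the thread and not Cisco documentation), here is the shape of the inside-interface access list that Vincent's advice above leads to, and which answers the follow-up question about which protocols and ports are involved: only two named consultant workstations may build tunnels, only to two named partner gateways, Windows browsing and file-sharing ports are dropped outright, and ordinary web traffic is left alone. IPsec needs IKE on udp/500, NAT-T on udp/4500 and ESP (IP protocol 50); PPTP needs tcp/1723 plus GRE (IP protocol 47). The LAN range 192.168.1.0/24, the workstation and partner addresses, the list name acl_inside, and the use of PIX 6.x access-list syntax are all assumptions made for the example.

```cisco
! Added example, not from the thread. Assumed addressing:
!   inside LAN         192.168.1.0/24             (PIX inside interface)
!   consultant hosts   192.168.1.50, 192.168.1.51 (only machines allowed to build VPNs)
!   partner gateways   203.0.113.5, 198.51.100.20 (customers' VPN endpoints)
! List name "acl_inside" is a placeholder. Entries are evaluated top-down,
! first match wins, and an unmatched packet is dropped by the implicit deny.

! IPsec tunnel from consultant 1 to partner 1:
! IKE (udp/500), NAT-T (udp/4500) and ESP (IP protocol 50)
access-list acl_inside permit udp host 192.168.1.50 host 203.0.113.5 eq 500
access-list acl_inside permit udp host 192.168.1.50 host 203.0.113.5 eq 4500
access-list acl_inside permit esp host 192.168.1.50 host 203.0.113.5

! PPTP tunnel from consultant 2 to partner 2, for a customer that still uses it:
! control channel tcp/1723 plus GRE (IP protocol 47) for the data
access-list acl_inside permit tcp host 192.168.1.51 host 198.51.100.20 eq 1723
access-list acl_inside permit gre host 192.168.1.51 host 198.51.100.20

! Windows browsing / RPC / file sharing never leaves the LAN, for anyone.
! tcp/135 is the RPC DCOM port Nachi/Welchia exploited; 137-139 and 445 are
! NetBIOS and SMB. These sit above the general permits so they win.
access-list acl_inside deny tcp 192.168.1.0 255.255.255.0 any range 135 139
access-list acl_inside deny udp 192.168.1.0 255.255.255.0 any range 135 139
access-list acl_inside deny tcp 192.168.1.0 255.255.255.0 any eq 445

! Ordinary outbound web traffic for the whole LAN
access-list acl_inside permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list acl_inside permit tcp 192.168.1.0 255.255.255.0 any eq 443

! Bind the list to traffic entering the PIX from the inside, i.e. leaving the LAN
access-group acl_inside in interface inside
```

After applying it, `show access-list acl_inside` shows a hit count per entry, which is the quickest way to confirm a consultant's tunnel is matching the permit you expected and nothing else. One caveat the thread's follow-up glosses over: once the tunnel is up, the terminal services and HTTP sessions travel inside ESP or GRE, so the PIX cannot see or filter them. Restricting the VPN to named workstations and named partner gateways, as above, is therefore the control you actually have at the firewall; what runs over the tunnel is governed by the consultants' machines and the policy Vincent describes.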
