Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Client Security Question

I have used other vendor's IPSEC solutions in the past, and I am now considering using the Cisco 3015 VPN solution for end users. Does the Cisco client provide any security on the client machine so as to prevent back-door connections through end user computers? Or should I start looking at personal firewalls for my end users?

4 REPLIES
New Member

Re: Client Security Question

That is exactly what the IPsec (Internet Protocol Security) client does. You'll need a firewall product to hide your PC/intranet from the outside world (Internet). We use a Cisco PIX at our gateway. After using both a software based firewall and a PIX, we found the PIX is easier to manage and the overhead is quite a bit less.

Hope this helps

New Member

Re: Client Security Question

As long as you don't enable split tunneling (by default it's disabled), all Internet activity outside the tunnel is blocked while the VPN client is running. If you're trying to protect your private network from the end user system itself, security should probably be on your end of the tunnel, not theirs, unless their system is really locked down.

New Member

Re: Client Security Question

I just finished testing the security of the Cisco VPN client. It is excellent! I tested multple "backdoor" senarios including NICs and modems. The result was that ALL interfaces are unreachable while the client is in a VPN session. I tested with port scans and having applications and shares running. No connections are shown in the port scanner and applications and shares are disconnected. This should eliminate the need for a personal firewall in most instances. This is a feature that the Microsoft PPTP client doesn't provide.

Happily,

Jamie

New Member

Re: Client Security Question

This is precisely the reason we have not allowed our sales force to use their home PC's over their swanky DSL connections. It is also the reason we are going with the Altiga client, less need for a firewall.

But it is important to note that the default functionality of the Alitga client does not completely eleminate the need for a firewall. If your users are tunneling in to your corporate network, then they are undoubtedly storing (or unknowingly cacheing) sensetive data on their machine. Once that tunnel is brought down, that machine is now ripe exploit. Heck, a good hacker would have an automated agent that sat on the computer, waited for the tunnel to build, captured the data, then waited for the tunnel to drop before sending it all home. Being able to stop interactive intrusions into your network via the VPN tunnels is an important feature, please don't get me wrong.

Personal firewalls, especially ones that can be administered from the office, are absolutely necesarry if you allow your users to tunnel in from home. As we all know, it's not a matter of if a DLS/Cable-modem user gets hacked, it's when.

132
Views
0
Helpful
4
Replies