I have used other vendors' IPSEC solutions in the past, and I am now considering using the Cisco 3015 VPN solution for end users. Does the Cisco client provide any security on the client machine so as to prevent back-door connections through end user computers? Or should I start looking at personal firewalls for my end users?
That is exactly what the IPsec (Internet Protocol Security) client does. You'll need a firewall product to hide your PC/intranet from the outside world (Internet). We use a Cisco PIX at our gateway. After using both a software-based firewall and a PIX, we found the PIX is easier to manage and the overhead is quite a bit less.
As long as you don't enable split tunneling (by default it's disabled), all Internet activity outside the tunnel is blocked while the VPN client is running. If you're trying to protect your private network from the end user system itself, security should probably be on your end of the tunnel, not theirs, unless their system is really locked down.
I just finished testing the security of the Cisco VPN client. It is excellent! I tested multiple "backdoor" scenarios including NICs and modems. The result was that ALL interfaces are unreachable while the client is in a VPN session. I tested with port scans and having applications and shares running. No connections are shown in the port scanner and applications and shares are disconnected. This should eliminate the need for a personal firewall in most instances. This is a feature that the Microsoft PPTP client doesn't provide.
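The two posts above make a claim a practitioner would want to check on their own clients: with split tunneling disabled, every destination other than the concentrator itself should be routed through the tunnel. The script below is an added example written for this thread, not code from any poster or from Cisco. It parses constructed `ip route`-style snapshots (one full-tunnel, one split-tunnel) and reports which probe destinations would bypass the tunnel. The interface name `tun0`, the concentrator address `203.0.113.40` and all route lines are assumptions made up for the example. Note that it only reads routing policy; the interface-level blocking the previous poster observed with port scans is enforced by the client's filter driver and is not visible in the routing table, so a LAN neighbour still shows up as a "bypass" here even when the client is blocking it.

```python
import ipaddress

# Constructed sample snapshots in the style of `ip route` output (not from the thread).
# FULL_TUNNEL: split tunneling disabled, default route points into the VPN adapter.
FULL_TUNNEL = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 scope link src 10.8.0.5
192.168.1.0/24 dev eth0 scope link src 192.168.1.23
203.0.113.40 via 192.168.1.1 dev eth0
"""

# SPLIT_TUNNEL: only the corporate 10/8 range is pushed into the tunnel.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 scope link src 10.8.0.5
192.168.1.0/24 dev eth0 scope link src 192.168.1.23
"""

# Assumed names: the VPN adapter and the concentrator's public address.
TUNNEL_DEV = "tun0"
CONCENTRATOR = "203.0.113.40"

# Probe destinations: a public host, a corporate host, the concentrator, a LAN neighbour.
PROBES = ["198.51.100.7", "10.1.2.3", "203.0.113.40", "192.168.1.50"]


def parse_routes(text):
    """Turn `ip route` lines into (network, device) pairs; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, dev))
    return routes


def route_for(routes, ip):
    """Longest-prefix match, the same selection rule the kernel applies."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best


def assess(routes, tunnel_dev, concentrator_ip, probes):
    """Report whether the default route uses the tunnel and which probes bypass it.

    The concentrator's own address is exempt: the ESP packets themselves must
    reach it over the physical interface, so that host route is expected.
    """
    default_via_tunnel = any(
        net.prefixlen == 0 and dev == tunnel_dev for net, dev in routes
    )
    bypass = []
    for ip in probes:
        match = route_for(routes, ip)
        dev = match[1] if match else None
        if dev != tunnel_dev and ip != concentrator_ip:
            bypass.append((ip, dev))
    return {"default_via_tunnel": default_via_tunnel, "bypass": bypass}


if __name__ == "__main__":
    for label, snapshot in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        result = assess(parse_routes(snapshot), TUNNEL_DEV, CONCENTRATOR, PROBES)
        print(label, "->", result)
```

Run it against a live client by replacing the constructed snapshots with the output of `ip route` (or the equivalent route dump on the client OS) captured while the tunnel is up; a non-empty bypass list containing anything other than directly connected link routes means traffic is leaving outside the tunnel.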
This is precisely the reason we have not allowed our sales force to use their home PCs over their swanky DSL connections. It is also the reason we are going with the Altiga client: less need for a firewall.
But it is important to note that the default functionality of the Altiga client does not completely eliminate the need for a firewall. If your users are tunneling in to your corporate network, then they are undoubtedly storing (or unknowingly caching) sensitive data on their machine. Once that tunnel is brought down, that machine is now ripe for exploit. Heck, a good hacker would have an automated agent that sat on the computer, waited for the tunnel to build, captured the data, then waited for the tunnel to drop before sending it all home. Being able to stop interactive intrusions into your network via the VPN tunnels is an important feature, please don't get me wrong.
Personal firewalls, especially ones that can be administered from the office, are absolutely necessary if you allow your users to tunnel in from home. As we all know, it's not a matter of if a DSL/cable-modem user gets hacked, it's when.