General VPN Security Question

karlsd · ‎03-22-2002

My company uses VPN connectivity for the means of granting remote users access to our network as well as a particular remote office access to our network. We are now also in the business of providing remote support for outside customers. Sales and Management have been throwing around the idea of PIX to PIX connectivity between our network and these customer networks. I have reservations about this. There are other ways to remotely manage and support a network without a dedicated, always on VPN tunnel. IE secure VPN client and a properly configured PIX.

My feeling is when you set up a PIX to PIX you are then adding a perminant extension to your network which may compromise your network. I believe a PIX to PIX configuration should only be used to link remote offices that are managed by your IT staff and you have total control over.

Is there a right and wrong time to use VPN?

vipin.radhakrishnan · ‎03-23-2002

Well , the whole cncept is based on a aite to site or remote client access basis, let it be VPN , or PIX connectivity, they are just mere gateways where u need to strt or terminate your IPSec .Thats the way i look at it, it makes ur design simple. So in your case, when you are thinkin about remote office to Headquarter conencticity , go for dedicated boxes, maybe PIX to PIX or VPN concnetrators anythin thats site to site . And when it comes to giving access to your remote clients(customers) secure access, u can go for a VPN client setup which terminates at your site PIX or VPN concentrator.

Hope thsi resolves ur issue , wel again ythere are 1000+ ways u can deal with a security desaign, analyse the situation and act accordingly !!

Cheers

karlsd · ‎03-25-2002

Your response more or less confirmed what a VPN's purpose is. The outstanding issue in my mind is the usage. I agree, site to site will warrant a dedicated (always on) secure connection. My issue is, does it matter who manages these sites? Remember, you are only as secure as your weakest link. We have a remote site that is linked via PIX to PIX VPN. This is great. Its cost efficient and most importantly, ITS MANAGED BY US. I know how secure their site is and have the ability to make changes if required BECAUSE WE OWN IT. The senerio I am dealing with is a customer site, not owned by us that requires our support. I have reservations establishing an always on PIX to PIX link to them. I feel that establishing a VPN client connection from a particular machine will serve the same purpose. It doesnt open up your network. Your client machine pulls down a pre-determined IP address from the customer VPN/PIX, do what you need to do and disonnect. This is not a senerio where both sides need to share resources from one another. My management has a habit of throwing "lets just set up a PIX to PIX while the project is going on" around. I dont know these customers from a hole in the wall. Yes, we have a say where the inital configuration is concerned but I dont know if someone is gonna go in and make a change that may put us at risk. Just want to nkow if my argument is justified.

wraights · ‎04-09-2002

Absolutely your argument is justified. I had the EXACT same issue come up at my office. Everyone likes the idea of using the PIX as a catch-all for every project that someone needs to connect to us.

Well...it doesn't always work like that. The problem with that is that (as you said before) you don't know what the clients side looks like. They might not HAVE a PIX. Who knows if they will want to buy one just to connect with you guys. So they might want to dialup and then have a VPN connection with you. That as well leaves you vulnerable.

I came up with the solution of making ourselves basically an ISP by purchasing a RAS and having people dial-in to us. That way we could have them connect to ONLY the things that we want them to. There are many other options that you have, but a PIX-to-PIX is really not designed for every Joe to connect to you.