General VPN security question about remote clients with Viruses
I have been asked to give a definitive answer to the following question. I think I know the answer to this but just want it confirmed.
We have a Cisco Router with VPN; this Router is protected with ACLs etc. and IPS. A user connects via VPN to our LAN and they have a virus on the remote device. Is the network then vulnerable? Basically, as they have access via VPN, does it give them full access through the Firewall, and could this virus then propagate?
Re: General VPN security question about remote clients with Viruses
yes and no. i guess it depends on the way the remote vpn access is configured.
e.g. with a router, when you configure remote vpn access, an inbound acl is still required. thus it's a very good opportunity to secure your lan, as you can restrict the access down to protocol/port level.
alternatively, if you are using pix, you can disable the command "sysopt connection permit-ipsec" and then configure inbound acl to restrict the remote vpn access.
providing the inbound acl is restricting the remote vpn access down to the protocol/port level, it then depends on what sort of virus the remote pc has. the virus may or may not be able to spread out, and may be simply blocked by the acl.
cisco actually introduces network admission control (nac), which offers a comprehensive solution in securing the lan. in summary, when a local/remote pc tries to connect to the network, the security level (i.e. os patch, virus update etc.) will be examined before the pc will be accepted and granted connectivity. for more info, please read:
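As an added illustration of the reply's point (not configuration from the original thread or from Cisco), the following IOS fragment shows an inbound ACL that limits remote-access VPN clients to specific hosts and ports instead of giving them the whole LAN. All addresses, names (VPNPOOL, VPN-CLIENTS-IN, Virtual-Template1, VPN-PROFILE) and the chosen services are constructed for this example; substitute your own. It assumes a dynamic virtual-tunnel-interface (DVTI) style remote-access setup so the ACL can be attached directly to the interface that decrypted client traffic arrives on.

```cisco
! Constructed example addressing: VPN client pool 10.200.0.0/24, LAN 192.168.10.0/24
ip local pool VPNPOOL 10.200.0.1 10.200.0.254

! Only permit what remote users actually need, host by host and port by port.
! Anything a worm on the client would try (scanning the subnet, SMB to every host,
! lateral connections) falls through to the deny lines and is logged.
ip access-list extended VPN-CLIENTS-IN
 remark RDP to one terminal server only
 permit tcp 10.200.0.0 0.0.0.255 host 192.168.10.20 eq 3389
 remark DNS to the internal resolver only
 permit udp 10.200.0.0 0.0.0.255 host 192.168.10.5 eq 53
 remark HTTPS to the intranet web server only
 permit tcp 10.200.0.0 0.0.0.255 host 192.168.10.40 eq 443
 remark Log blocked attempts from VPN clients toward the LAN for the SOC to review
 deny   ip 10.200.0.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 deny   ip any any

! Placeholder IPsec profile; transform set / IKE policy omitted here (assumed to exist)
crypto ipsec profile VPN-PROFILE
 set transform-set EXAMPLE-TS

! Decrypted client traffic enters through the virtual-access interfaces cloned
! from this template, so the ACL applied here sees only VPN client traffic.
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-PROFILE
 ip access-group VPN-CLIENTS-IN in
```

With a legacy crypto-map configuration the same ACL is applied inbound on the outside interface instead; on a PIX the equivalent step is `no sysopt connection permit-ipsec` so that decrypted VPN traffic is subject to the outside interface's inbound ACL, as the reply above describes. The `log` keyword on the LAN deny line is the cheap detection win: a client that suddenly produces a burst of denied connections to many internal hosts is exactly what an infected remote PC looks like, and those syslog entries can be alerted on before the client is allowed anything else.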