VPN security
We are looking into setting up a VPN on our network. Our concern is about security on the remote client. We know that security can be implemented through the VPN tunnel, but what about traffic coming into the remote client? Ultimately we cannot control what an employee does on their home PC. So if they don't have any firewall protection, they could potentially open up a hole for a hacker to pick off VPN security credentials, for example, to the company's network. What can be done to combat this?
Thanks,
Bruce

Hi Bruce,
Yours is a quite common concern and it's a little bit of a red herring as there are really two separate security issues that have got bunched together as a single issue. The first issue is how to control PCs that are sometimes connected to the corporate network and sometimes connected to other networks. This is an issue independent of whether or not a VPN is involved. The only difference that a VPN brings into the picture is that it allows me to do both simultaneously. The second issue is how to manage PCs that have VPN enabled.

Without a VPN, I can connect my laptop computer directly to the Internet when I'm out of the office or through the corporate firewall when I'm in the office. If something (a virus or Trojan) attaches itself to my PC while I'm out of the office, it can still do damage when I'm in the office even though it happens sequentially - I may never be connected directly to the Internet and the corporate network at the same time.

I think the best solution for this problem is the use of personal firewalls and virus scanning software such as those provided by Network Ice, McAfee, Symantec and Zone Labs. This way, the user has the same protection regardless of the location. These products have developed to the point where many of them will dynamically connect to corporate servers for policy updates, security updates and new code.

At first, it looks like a VPN exacerbates this problem by allowing users to be simultaneously connected directly to both the Internet and to the private network, a technique referred to as "split tunneling." However, an IPSec VPN precludes traffic from being redirected from the Internet and back through the VPN tunnel. As a result, hackers cannot hairpin or bounce through a VPN-enabled PC to get to your corporate LAN. So there is no real-time threat.

Better yet, a VPN gives me capabilities that I don't have without a VPN that may preclude the need for personal firewalls and additional PC software. Many companies choose to disable "split-tunneling" thereby precluding users from being connected to both the Internet and the private network at the same time. When split tunnels are disabled, ALL traffic is routed through the VPN; the user can't even get to the web and vice versa. In some cases, VPN gateways support a backhaul feature that will redirect the web traffic through the corporate firewall. So, on the client side, ALL traffic passes through the VPN tunnel. On the gateway side, traffic that emerges from the tunnel and is destined for the private network is routed to the private network and traffic destined for the Internet is routed to the corporate gateway router or firewall. So, everything the user sees from the Internet passes through the corporate filters whether they are in the building or not.

The final issue is protecting authentication credentials that are stored on the PC. Here I recommend a "belt and suspenders" approach. Use digital certificates to authenticate the device and ensure that your certificate authority will deny duplicate authentications and will alert you when they occur. On top of the digital certificates, use a challenge phrase or password to authenticate the user. This way, even if someone takes the certificate, they still can't get into your network without the appropriate challenge phrase. This shouldn't be at all burdensome for the end user since the certificates operate transparently. All they would see would be the request for a password or challenge phrase.

Hope this helps,
Mark
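
The two gateway choices Mark describes (split tunneling allowed versus all traffic forced through the tunnel) and the certificate-plus-password "belt and suspenders" client authentication, written as an added strongSwan ipsec.conf illustration rather than anything from the original Q&A. The hostname vpn.example.com, the certificate file name, and the address ranges are assumptions.

```ini
# Added illustration, not part of the original answer: remote-access gateway
# configuration in strongSwan ipsec.conf format. Hostname, certificate file
# and address ranges are assumed values. Load only ONE of the two conns.

# Split tunneling ENABLED: only the corporate LAN is offered through the
# tunnel, so the client keeps a direct Internet path alongside the VPN.
conn roadwarrior-split
    keyexchange=ikev2
    left=%defaultroute
    leftid=@vpn.example.com
    leftcert=gatewayCert.pem
    leftsubnet=10.0.0.0/8          # corporate LAN only (assumed range)
    leftauth=pubkey
    right=%any
    rightsourceip=10.8.0.0/24      # virtual IPs handed to clients (assumed)
    rightauth=pubkey               # device certificate: the "belt"
    rightauth2=eap-mschapv2        # user password in a second IKEv2
                                   # authentication round: the "suspenders"
                                   # (client must support RFC 4739 multi-auth)
    eap_identity=%identity
    auto=add

# Split tunneling DISABLED: 0.0.0.0/0 is offered, so the client sends ALL
# traffic into the tunnel. Traffic emerging from the tunnel for 10.0.0.0/8
# goes to the private network; Internet-bound traffic must be forwarded
# (and normally NATed) by the gateway host towards the corporate firewall,
# which is host routing/firewall configuration outside this file.
conn roadwarrior-full
    keyexchange=ikev2
    left=%defaultroute
    leftid=@vpn.example.com
    leftcert=gatewayCert.pem
    leftsubnet=0.0.0.0/0           # everything through the tunnel
    leftauth=pubkey
    right=%any
    rightsourceip=10.8.0.0/24
    rightauth=pubkey
    rightauth2=eap-mschapv2
    eap_identity=%identity
    auto=add
```

A client that only has the stolen certificate file still fails the second round without the user's password, which is the property the answer is after.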

This was first published in October 2002