[vpn] Is it risk to allow Internet access through VPN??

Chuck Renner crenner at dynalivery.com
Wed Dec 19 18:28:01 EST 2001

> Our VPN clients are passing through Firewall to 
> access LAN. But they are unable to access internet 
> when they are connected to VPN. Our border router 
> is configured to allow traffic from LAN only.
> Can anyone tell me about the potential risk factors in 
> allowing VPN clients to access internet through VPN 
> and then Firewall?

There are a number of things to consider, and then you have to make a

To me, having the clients come in through the VPN, and then out through the
firewall is the most sensible way to go.  Otherwise, you have to deal with
things like split tunnelling, which could potentially be a security hole.

(In that situation, the VPN tunnel handles communications to your LAN, but
everything else goes out normally.  If some sort of vulnerability is
exploited in this mode, it could make its way into the LAN as well.)

No matter what, the biggest potential security issue with VPN clients has to
do with management.  Do all of your remote users have firewalls?  Do they
have virus protection?  Are they kept up to date with security patches?  If
a VPN client spends any 'unprotected' time on the net, it could be
compromised or infected in some way.  Then you give the client direct access
into your LAN, and you've effectively allowed Bad Things[tm] a way around
your firewall.  (And it doesn't just have to be unprotected on the 'net.
The son of your employee could pop in a floppy disk he got at school that
has a virus, trojan, or other such nasty.)  

Network Computing just had an article covering the risks of remote users:
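
Added example, not part of the original message: a check for the split-tunnelling situation described in the reply, deciding from a client's routing table whether Internet-bound traffic leaves through the VPN tunnel or bypasses it. It uses longest-prefix matching, so it also handles a full-tunnel setup where two /1 routes override a default route that is still present. The routing tables, interface names (`tun0`, `eth0`) and probe addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample routing tables as (destination prefix, interface) pairs.
# Interface names and addresses are assumptions for illustration.
FULL_TUNNEL = [
    ("0.0.0.0/0", "eth0"),        # original default route is still present
    ("0.0.0.0/1", "tun0"),        # two /1 routes via the tunnel override it
    ("128.0.0.0/1", "tun0"),
    ("203.0.113.10/32", "eth0"),  # host route to the VPN gateway itself
    ("192.168.1.0/24", "eth0"),   # client's local subnet
]
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "eth0"),        # Internet traffic leaves directly
    ("10.0.0.0/8", "tun0"),       # only the corporate LAN uses the tunnel
    ("192.168.1.0/24", "eth0"),
]

# Sample Internet destinations, one in each half of the IPv4 space so that
# a table covering only one /1 via the tunnel is still flagged.
PROBES = ("8.8.8.8", "198.51.100.7")


def egress_interface(routes, dest):
    """Return the interface chosen for dest by longest-prefix match."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def is_split_tunnel(routes, tunnel_iface, probes=PROBES):
    """True if any Internet-bound probe would bypass the tunnel interface."""
    return any(egress_interface(routes, p) != tunnel_iface for p in probes)


if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, "split tunnelling:", is_split_tunnel(table, "tun0"))
```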

