About DMZ and VPN Users 1402



  • Hi,
    We’re testing rule between DMZ and internal users. It is set to any to any at the moment. i can’t determine that’s a SOX compliance but i think it should be concerned for security aspect. any recommendation?
    Another thing is VPN users, if they login to firewall, they can access all the services(VNC, telenet etc…) because of the business purpose, administrator needs to login to firewall from outside country. However if anyone acquire the id and password, isn’t that a problem?



  • The SOX 404 standards focusing on IT best practices certainly encourages a secure environment but allows companies flexibility to implement specific controls for their environment.
    For a few years, I performed Network Vulnerability Assessements and penetration testing on a quarterly basis as a senior IT security professional. VPNs are often a weak point and your overall security is always a strong as it’s weakest link.
    Some suggestions:

    1. Ensure your VPN policies are up-to-date or establish one if you don’t have this.
    2. Ensure remote users have appropriate AV and FW protection … If they use home PCs, consider paying for this and granting them a corporate CAL
    3. Encourage STRONG Passwords and then invest in software that can test password strength
    4. Make sure all passwords are rotated on a 90 day basis or sooner (our company uses 30 days)
    5. Work with your VPN vendor to ramp up security if possible (e.g., sometimes special certificates, security keys, etc. can be used)
    6. Two-factor security controls are a good investment (e.g., SecureID cards or smart cards)
    7. From a network penetration standpoint, scan your DMZ thoroughly, including 1st line routers, servers, SMTP routing boxes, firewall controls, etc. for any possible exposures.
    8. It’s good to have employees sign an annual agreement related to adhering to policies and acknowledging the right to monitor it’s business resources.
    9. Make sure you stay on the latest VPN server and workstations builds. Keeping up is important as sometimes security holes will be patched in the later editions.
    10. Develop overall standards for VPN and make sure everyone uses both the same and most secure approach. Discourage use of any VPN or remote connectivity outside the standards.
      Good luck on this 🙂


  • I concur with Harry.
    Well written steps.
    We need to stress that for VPN remote employees should be provided the business entity certified laptops. They should be prevented from logging onto VPN from home.



  • Harry,
    If you haven’t already heard before, that’s a good and informational website that you maintain. I don’t post unless I’ve something to add, but hope that anyone reading this post will consider your website for technical details about Windows Security and related issues.
    Regards,
    Milan



  • I would add that allowing all VPN users to access any network resource or service as you describe, xeraso, would not appear to fit the definition of best practice. That may depend on other restrictions in place such as limiting VPN access to only those individuals who require that level of access. More frequently, however, I would recommend restricting access to specific internal IP addresses and services or protocols that are required for each VPN user to accomplish their job. Depending on the firewall utilized and the authentication design, this can usually be accomplished on a per user or group basis.


Log in to reply