This isn't a 100% Shorewall topic, but since this list relates to internet security and its issues I thought this might be a good place to start.

I have set up a company firewall using Mandrake Linux 9.0, Shorewall 1.3x and PPTPD v2.4.1, and a few other networking services. Thanks to Shorewall the firewall as tested is secure and the VPN is working fine with MPPE-128 encryption. My concern is what can I do, if anything, to secure the client systems when connected via VPN. Is there a way to disable other networking features on the client so that the client is tougher to compromise? The CEO of my company has asked me 'OK... you have the company firewall secured to your satisfaction, how can you assure me that someone won't hack into a VPN client's system and gain access to the company that way?'. It's a good question... But I'm not sure of the answer.

Niels
--On Thursday, December 26, 2002 7:50 PM -0600 Niels Damgaard <nielsd@shaw.ca> wrote:

> This isn't a 100% Shorewall topic but since this list relates to internet
> security and its issues I thought this might be a good place to start.
>
> I have set up a company firewall using Mandrake Linux 9.0, Shorewall 1.3x
> and PPTPD v2.4.1, and a few other networking services. Thanks to
> Shorewall the firewall as tested is secure and the VPN is working fine
> with MPPE-128 Encryption. My concern is what can I do, if anything to
> secure the client systems when connected via VPN. Is there a way to
> disable other networking features on the client so that the client is
> tougher to compromise? The CEO of my company has asked me 'OK... you have
> the company firewall secured to your satisfaction, how can you assure me
> that someone won't hack into a VPN client's system and gain access to the
> company that way?'. It's a good question... But I'm not sure of the
> answer.

And we must guess what OS the clients are running? I'm guessing that it isn't Linux, which puts this question wildly off-topic on this list? I am not masochistic enough to be in the business of securing Windows systems.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
> And we must guess what OS the clients are running? I'm guessing that it
> isn't Linux which puts this question wildly off-topic on this list? I am
> not masochistic enough to be in the business of securing Windows systems.

Well, what must be said in favor of W2k/WXP is the fact that when you do activate a VPN link, all other networking components get disabled automatically. That will, of course, not help you if the client has been compromised before the VPN goes active and manages to set up some kind of reverse tunnel for the attacker's benefit.
Is there any way I can block access from an ISP by domain name - i.e. I want to block someone who uses ISCCo, but gets a dynamically assigned IP - can I just block all from ISCCo.net.au??

Jon
--On Saturday, December 28, 2002 01:59:35 AM +1100 Jon Biddell <jon@fl.net.au> wrote:

> Is there any way I can block access from an ISP by domain name - i.e. I
> want to block someone who uses ISCCo, but gets a dynamically assigned IP
> - can I just block all from ISCCo.net.au ??
>

If you write your own script to build the blacklist file, yes.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.sf.net
Washington USA  \ teastep@shorewall.net
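One way to write the script Tom suggests, as an added example that is not from the thread or from the Shorewall project: it validates each entry, resolves hostnames, and regenerates the blacklist file for a cron job. It assumes the 1.3-era one-address-per-line /etc/shorewall/blacklist format, the "blacklist" option on the interface in /etc/shorewall/interfaces, and that "shorewall refresh" reloads the blacklist chain; the file name mkblacklist.sh and the input file blocked.txt are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild Shorewall's blacklist from a
# list of hostnames and netblocks. Assumes the 1.3-era one-address-per-line
# blacklist format and that "shorewall refresh" reloads the blacklist chain.

# Accept only a dotted-quad IPv4 address or CIDR block, e.g. 203.0.113.0/24.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    ip=${1%%/*}; prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32   # bare address: treat as a /32
    [ "$prefix" -le 32 ] || return 1
    for o in $(echo "$ip" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Netblocks pass through; hostnames become "name address" lines via host(1).
resolve_names() {
    for name in "$@"; do
        if valid_cidr "$name"; then
            echo "$name"
        else
            host -t A "$name" 2>/dev/null | awk '/has address/ {print $1, $4}'
        fi
    done
}

# Read "name address" or bare "address" lines on stdin, drop comments and
# malformed entries, and print a deduplicated blacklist file body.
build_blacklist() {
    echo "# generated by build_blacklist - do not edit by hand"
    while read -r first second rest; do
        case "$first" in ''|\#*) continue ;; esac
        addr=${second:-$first}
        if valid_cidr "$addr"; then
            echo "$addr"
        else
            echo "skipping malformed entry: $first $second" >&2
        fi
    done | sort -u
}

# Usage (e.g. from cron): mkblacklist.sh blocked.txt (one name or netblock per
# line). The file is swapped in atomically so a half-written list is never read.
if [ $# -eq 1 ]; then
    out=/etc/shorewall/blacklist
    resolve_names $(grep -Ev '^(#|$)' "$1") | build_blacklist > "$out.new" \
        && mv "$out.new" "$out" && shorewall refresh
fi
```

Resolving the ISP's own domain only yields its servers, not the pool its customers are assigned from, so for a dynamically addressed user the input file should carry the ISP's allocated netblocks (from whois) rather than ISCCo.net.au itself.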