[KLUG Members] how can I get around a port block to setup vpn?

Bruce Smith members@kalamazoolinux.org
Fri, 21 Nov 2003 08:48:54 -0500


> > > I also probably need to be able to find what ports are open through
> > > the firewall.  Is there a way to test that?  ICMP is blocked. ...
> > 
> > That's a good way to get yourself fired, or worse ...   (look at the
> > COURT CASES against people who were "testing" their employer's security)
> > 
> > Talk to the people who control the firewall and tell them what you want
> > to do.  If they agree, they'll help you.  If not, then forget it.
> 
> Ouch. Yeah, there's that part of it too. Policies are probably in place for
> that. Being that I'm one of the firewall administrators, tools like firewalk and
> nessus help find the holes for me and I don't think twice about using them on my
> own network or when testing my network from home. But I wouldn't be doing that
> to someone else's network without prior WRITTEN consent and the full knowledge of
> higher ups. You would do well to heed Bruce's warning.

Exactly.  How would you feel if one of your users set up their own VPN
without your knowledge?

Look at it from the administrator's point of view.  What happens if an
unauthorized user sets up their own VPN and then someone breaks into the
user's home computer, then the cracker can use the VPN to access the
corporate network!

Administrators aren't trying to be mean, but they need to trust all the
access points into their network.  Should an admin trust a VPN set up by
a user who doesn't know enough about network security that they need to
ask a LUG mailing list how to run a port scan?  (just as an example ;)

The answer is "maybe", as long as the admin is involved in the setup of
the VPN so it can be verified as meeting the corporate requirements for
being secure.  ASK!!!

--------------------------------------------
Bruce Smith                bruce@armintl.com
System Administrator / Network Administrator
Armstrong International, Inc.
Three Rivers, Michigan  49093  USA
http://www.armstrong-intl.com/
--------------------------------------------