I have vendors that need remote access to my server. They have been using RAS. Although the server had virus protection, we got hit with something that disabled our file shares and caused a day of downtime. I want to scan all traffic between our network and the Internet for viruses, which means scanning VPN traffic as well as web browsing and downloads. Is this possible? This is a 10 user envirnment, any recommendations?
thanks
snipped-for-privacy@gmail.com wrote, On 21/01/08 15:31:
It is certainly possible, you just need to do it once the traffic has popped out of the tunnel and is in the clear. I would also say that you need a firewall that limits what your vendor can assess to the specific machines and ports that the vendor needs access to, that way even if they do have a virus there are limits on the mechanisms it could use to spread to your network. If your vendor can place files on your systems you might want an on-access virus scanner on all systems that the vendor can access even if you would not bother otherwise. Finally, you might want to limit the times your vendor can access your systems to being only when they really need to (i.e. you have phoned them up and asked them to investigate something).
I'm actually in the position of being employed by a vendor and needing remote access to customer systems, and some of the restrictions can be annoying, but if I was the customer I would want to lock down tight what the vendor can do.
Thanks, the information was helpful. So you're saying there aren't any devices that can inspect VPN traffic that you know of? thanks again
If a device can decrypt (and scan) the traffic on the way between the 2 encryption endpoints a VPN is no longer what its name implies - *private* and security for the trafic does no longer exist.
So content filtering (scanning) can only take place after decryption by one of the trusted VPN endpoints.
Depending on firewall modell traffic through VPN-Tunnels can be filtered by interface(s), source, destination, destination port etc.
If you want to do content filtering you'll need some sort of proxy/content filter behind the gateway or sometimes integrated into the gateway. UTM boxes offer usually proxies/content filters only for http, ftp, smtp, pop3 and seldom if ever for the SMB stuff (Microsoft network services) or even RDP.
Wolfgang
all u need to do is find a firewall which can act as a vpn accelerator...
Complete nonsense, why don't you keep quiet when you are clueless?
Wolfgang
Scanning the content of a secure connection would be considered as a 'man-in-the-middle' attach and would completely defeat the purpose.
Scanning incoming content from the Internet is no problems. I use SafeSquid as content filtering proxy to control access to the net, which is integrated with ClamAV to do just that at the gateway, with satisfactory results. SafeSquid also has a buit-in connectivity to other commercial AVs like Dr. Web, NOD32, Kaspersky, Sophos, Avast, Trend Micro, Symantec, etc.
I don't know if this can be done, but this is just an idea, if it would be helpful. SafeSquid can also be deployed as a reverse proxy. You can granularly configure who is allowed to access what, when and how much. So, I think it should be possible to define IP based or authentication based rules for the vendors, and define what they are allowed to access? Again, all the content that you receive from the vendors, can also be scanned. Would that be a workable solution?
wats rong with that..... confirm urself buddy...
I understand the concept of a VPN tunnel and how it is encrypted to protect the data, but if my firewall is the endpoint, and it is encrypting/decrypting data, doesn't that mean that it should be able to inspect the data for malware? I did a google and came up with the paragraph below. I am aware that the device is intended for managed service providers but the concept is the same and I would imagine it could be provided on a device for a a small to medium business. thanks!
"MSSP: Virus-Free managed VPN Service Taking advantage of Fortinet's integrated antivirus protection, managed service providers can deliver the industry's most secure VPN service by enabling Fortinet's advanced antivirus engine to block incoming and outgoing VPN traffic that contains viruses, worms, trojans, spyware and other malicious content to prevent virus outbreaks from spreading from office to office. As an added benefit, Fortinet's flexible VPN architecture allows for interoperability with most IPSec VPN gateways. Regardless of the VPN CPE the customer has in place, the FortiGate system deployed at the core will ensure virus- free VPN traffic."
as i told if ur firewall is goin to act a VPN gateway the UTM solution could very well do that...instead if your vpn gateway is inside firewall then UTM will not be able to check into the content (as it's encrypted)...hope u get it..
Got it, and thanks.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.