I must misunderstand what you are saying, because I am seeing a conflict in
what you say.  I bet it's me not catching some salient point.

In my situation I have a d-link router with an always-on broadband
connection.  When I want to work, I start the vpn connection which connects
me to the client iSeries (not their LAN though).  I can use either PC on my 
LAN, use client access & Code/400 over either PC (so long as I start the
vpn), and use e-mail, surf, connect to other iSeries machines on the web, or
even dial-up to direct-connect with other iSeries.
 
Is this scenario flawed, in your opinion?

---------------------------------
Booth Martin
http://www.martinvt.com
---------------------------------
-------Original Message-------
 
From: PC Technical Discussion for iSeries Users
Date: 11/23/04 13:45:10
To: PC Technical Discussion for iSeries Users
Subject: Re: [PCTECH] VPN Set-Up (Cisco)
 
I have to disagree.
 
First, you should only be allowing ports across the VPN that are necessary.
If you have them all open going in, that is your biggest security hole.  The
reason is, I am not really worried about the home PC being a bridge into the
corporate network.  What I would be worried about is software (viruses,
spyware, etc) that is installed on the client computer.  They will invade
your network irregardless if they are able to connect over their home
broadband connection.
 
By killing their local internet connection, what scenario are you trying to
protect from?  People are going to use the Internet and I would rather have
them pull all that bandwidth over their own line and not over the VPN
connection.
 
I feel having good security rules will eliminate the risk.
 
----- Original Message -----
From: "Tom Jedrzejewicz" <tomjedrz@xxxxxxxxx>
To: "PC Technical Discussion for iSeries Users" <pctech@xxxxxxxxxxxx>
Sent: Tuesday, November 23, 2004 2:02 PM
Subject: Re: [PCTECH] VPN Set-Up (Cisco)
 
 
> On Tue, 23 Nov 2004 11:07:35 -0600, Scott Johnson
> <sjohnson@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> > We are using Cisco VPN Client to get access to company's network from home.
> > Right now when I connect up I can only access the company's network.  No web
> > browsing, No local network printing, & etc.
>
> This is exactly how I would set it up, and how I have the VPN
> connections setup for our company.  Think of it this way . . . if the
> local PC, which is outside of your firewall on an uncontrolled
> internet connection, can access the internet AND the internal network,
> then it can become a bridge, right around your firewall, between the
> internet and the internal network.
>
> There is a setting on the Cisco VPN agent (in the Connection
> definition) for "allow local LAN access".  I think it will allow for
> printing on your home network, but not internet access via your home
> network.
>
> > At a previous job, I swear we were able to connect up via vpn client and still
> > access the Internet and such.  If I continue to remember correctly, only the
> > traffic that was supposed to go to the company's network went there. The rest was
> > handled locally.  I don't think the browser traffic was sent thru the VPN
> > connection.
>
> If you were the security person at the previous job bowed to user
> pressure and made a poor choice (IMHO).
>
> > Has anybody set this sort of connection up via the Cisco VPN?  I check the Cisco
> > site and they have a lot of docs there.  Can somebody point me to one that will
> > help in this type of set-up?
>
> I am pretty sure it can be done, but I wouldn't do it.  For web
> access, I would get the VPN setup to grab all web traffic and force it
> through the company firewall.  There may be some routing issues on the
> internal network as well.
>
> --
> Tom Jedrzejewicz
> tomjedrz@xxxxxxxxx
> --
> This is the PC Technical Discussion for iSeries Users (PcTech) mailing list
> To post a message email: PcTech@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/pctech
> or email: PcTech-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/pctech.
 
 
