SecurityDude, CISSP-ISSAP is an IT consultant, Security & Privacy Advocate and blogger at large with over 20 years IT experience. SecurityDude shares tips, tricks, and info that the average networking professional will find interesting and indispensable.
I just received Field Notice FN-63146, Third Party VPN Connection May Cause Unintended VPN Interruption for Other Connected Users, from Cisco.
Apparently, Apple iPhones connecting to Cisco IPsec gateways will knock other, non-Apple users off their VPN connections. Affected products include the PIX Firewall, VPN 3000 concentrators and ASA 5500 series security appliances.
Cisco does not (and will not) support iPhone connections to the VPN 3000, as it is end-of-sale. Users of PIX firewalls and ASAs should upgrade to version 8.0.4.
My first thought when I read the Field Notice was “Who would be nuts enough to allow a cell phone VPN access to the network?” The iPhone is hugely popular, but the IT department needs to consider its VPN access policy very carefully. Is there an iPhone firewall? How about anti-virus? If the answer is “no” to either security question, the device should not be allowed to access the corporate network. When an iPhone connects to the Internet, it has an IP address. If it can reach ME, I can reach IT. And therein lies the problem.
Refer to the hugely popular Network Observations blog entry, The Root of iPhone’s Troubles. The danger is real.
What if an employee uses their personal iPhone to connect to the corporate VPN and their phone is compromised? It would give an attacker a GREAT way to get past your firewall.
Whether you love or loathe the iPhone, you need to update your VPN access policy to deal with it.
My advice is to treat the iPhone like ANY PC accessing the network. It should have security software installed by the IT department. If users don’t want corporate security policy enforced on their personal device, they should use their company-supplied PC or laptop.
If you would like to block iPhones from accessing your Cisco VPN gateways, use one of these filters (courtesy of Cisco):
Deny iPhone/iPod Touch VPN connections (ASA/PIX 7.x and later):
In the group policy, enable the following rules:
    client-access-rule 10 deny type iPhone* version *
    client-access-rule 20 permit type * version *
Deny iPhone/iPod Touch VPN connections (VPN 3000):
Choose Configuration > User Management > Groups. Then choose the group and go to the IPSec tab.
Construct the rule in the following way:
    d iPhone:*
    p *:*
Note: there is a space between the d (deny) or p (permit) and the rest of the rule.
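As an added illustration (not from Cisco or this post), here is a small Python model of how the ASA evaluates the client-access-rule lines above: rules are checked in ascending priority order, the first match wins, and once any rule is defined a client matching none of them is denied, which is why the permit-all rule 20 must follow the deny. It assumes shell-style, case-sensitive wildcard matching and that an iPhone reports a client type beginning with "iPhone" (the "iPhone OS" string used below is constructed).

```python
import re
from fnmatch import fnmatchcase

# Matches one ASA group-policy line: client-access-rule <prio> <permit|deny> type <pat> version <pat>
RULE_RE = re.compile(
    r"^client-access-rule\s+(\d+)\s+(permit|deny)\s+type\s+(\S+)\s+version\s+(\S+)$"
)

# The two rules quoted in the post (Cisco's suggested filter).
GROUP_POLICY_LINES = [
    "client-access-rule 10 deny type iPhone* version *",
    "client-access-rule 20 permit type * version *",
]


def parse_rule(line):
    """Return (priority, action, type_pattern, version_pattern) for one CLI line."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a client-access-rule line: {line!r}")
    prio, action, type_pat, ver_pat = m.groups()
    return int(prio), action, type_pat, ver_pat


def parse_rules(lines):
    return [parse_rule(line) for line in lines]


def evaluate(rules, client_type, client_version):
    """Model of ASA evaluation (assumption): lowest priority number first,
    first match decides; no rules at all permits everyone, but as soon as
    any rule exists a client matching none of them is denied."""
    if not rules:
        return "permit"
    for _prio, action, type_pat, ver_pat in sorted(rules, key=lambda r: r[0]):
        if fnmatchcase(client_type, type_pat) and fnmatchcase(client_version, ver_pat):
            return action
    return "deny"


if __name__ == "__main__":
    rules = parse_rules(GROUP_POLICY_LINES)
    # Constructed client type/version strings, not captured from real devices.
    for ctype, cver in [("iPhone OS", "2.1"), ("WinNT", "5.0.07.0290")]:
        print(f"{ctype} {cver}: {evaluate(rules, ctype, cver)}")
    # Dropping rule 20 leaves only the deny, so the implicit deny catches everyone.
    print("WinNT with only rule 10:", evaluate(rules[:1], "WinNT", "5.0.07.0290"))
```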