Question : VPN security concerns

Hi All,

I have just set up 6 IPsec VPN tunnels to clients we support. One of my concerns is that these "clients" are internet cafes; in other words, thousands of tourists/backpackers hop onto their terminals every day and browse the net, download torrents, etc. These terminals are thus prone to viruses frequently. Our head office LAN is currently exposed to these sites, so I am afraid for our Exchange server and other servers that are housed here.

Am I right to be concerned?

See, the IPsec VPN allows me to create an ACL to specify the kind of traffic allowed and block any traffic to our servers; however, the sites we have established VPN sessions with use cheap Billion and DrayTek routers, and so they cannot work with these custom ACLs on our Cisco routers. The only way for it to work is to have an access-list that says:

permit ip {LAN} 0.0.0.255 {Customer LAN} 0.0.0.255

This works, but obviously this exposes our entire subnet. The Billions and DrayTeks have simple GUI interfaces; they cannot accommodate complex ACLs, and we all know that for IPsec to work both sides MUST have the identical ACL.

Please advise.

Regards

Answer : VPN security concerns

Yes, you should be concerned. The ability to restrict the data coming from the IPsec tunnel endpoints should be an absolute prerequisite for turning up the tunnels. We do the same for any external VPN users (usually vendors), only allowing their VPN credentials to access the resources required for them to do their task. For example, an HVAC tech may be able to VPN in, but they can only open port 5900 for VNC to an internal HVAC system.
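The practical way out of the dilemma in the question is to keep two separate access lists: the broad crypto ("interesting traffic") ACL that both peers must mirror, which the Billion/DrayTek GUI can express, and a second inbound filter ACL on the Cisco side that decides what decrypted traffic from the cafe LAN may actually reach. The following Python model, added here as an illustration and not code from the original post or its author, checks that the two peers' crypto ACLs are mirror images and then evaluates sample flows against the filter with first-match and implicit-deny semantics. All addresses, hosts and ports (the 10.1.1.0/24 head office LAN, the 192.168.10.0/24 cafe LAN, an Exchange server at 10.1.1.5 and a support jump host at 10.1.1.20) are hypothetical.

```python
"""Added example: separate the IPsec crypto ACL from an inbound filter ACL.

All networks, hosts and ports below are hypothetical and chosen only to
mirror the situation described in the question.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol; otherwise "tcp", "udp", "icmp"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(acl: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> bool:
    """First matching rule wins; no match means the implicit deny applies."""
    for rule in acl:
        if rule.matches(proto, src, dst, dport):
            return rule.action == "permit"
    return False


def mirror(rule: Rule) -> Rule:
    """The peer's view of the same rule: source and destination swapped."""
    return Rule(rule.action, rule.proto, rule.dst, rule.src, rule.dport)


def is_mirrored(local_crypto: List[Rule], remote_crypto: List[Rule]) -> bool:
    """Crypto ACLs must be exact mirror images, rule for rule, in the same order."""
    return [mirror(r) for r in local_crypto] == list(remote_crypto)


# Hypothetical addressing.
HQ_LAN, CAFE_LAN = "10.1.1.0/24", "192.168.10.0/24"
EXCHANGE, JUMP_HOST = "10.1.1.5", "10.1.1.20"

# Crypto ACLs: the broad subnet-to-subnet selector from the question, on each peer.
CRYPTO_HQ = [Rule("permit", "ip", HQ_LAN, CAFE_LAN)]
CRYPTO_CAFE = [Rule("permit", "ip", CAFE_LAN, HQ_LAN)]

# Inbound filter at head office for decrypted traffic arriving from the cafe:
# RDP to the support jump host and ICMP for troubleshooting, nothing else.
FILTER_HQ_IN = [
    Rule("permit", "tcp", CAFE_LAN, f"{JUMP_HOST}/32", 3389),
    Rule("permit", "icmp", CAFE_LAN, HQ_LAN),
]


def cafe_can_reach(dst: str, proto: str = "tcp", dport: Optional[int] = None,
                   src: str = "192.168.10.55") -> bool:
    """A flow gets through only if the tunnel selects it AND the filter permits it."""
    selected = evaluate(CRYPTO_CAFE, proto, src, dst, dport)
    return selected and evaluate(FILTER_HQ_IN, proto, src, dst, dport)


if __name__ == "__main__":
    print("crypto ACLs mirrored:", is_mirrored(CRYPTO_HQ, CRYPTO_CAFE))
    print("cafe -> Exchange SMTP :", cafe_can_reach(EXCHANGE, dport=25))
    print("cafe -> jump host RDP :", cafe_can_reach(JUMP_HOST, dport=3389))
    print("cafe -> Exchange SMB  :", cafe_can_reach(EXCHANGE, dport=445))
```

The mirrored crypto ACL keeps the tunnel negotiable with the cheap peer; the filter is what actually protects the Exchange server. On the Cisco side the two remain distinct objects: the crypto ACL is the one referenced by the crypto map's `match address`, while the filter is an ordinary extended access list applied inbound with `ip access-group`. Which interface sees the decrypted packets, and therefore where the filter belongs, depends on whether the tunnel is built with a crypto map or a tunnel interface, so verify with a test flow from the cafe side before relying on it.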