VPN and viruses
-
If a user has his personal PC infected with a virus and connects to the corporate LAN with OpenVPN, there is a risk that the virus will pass from his personal PC to the LAN.
I have no control over personal PCs, and in the case I have described I do not believe that the antivirus installed on pfSense can protect the network, unless all incoming traffic from the VPN is first scanned by the antivirus.
However, I do not understand whether this is possible, how to do it, or whether there is another method to protect the network.
Thanks in advance for any advice.
-
A VPN is no different than any other IP connection. If a virus can connect to other devices over the network, then it can spread. One thing in its favour is that when tun is used, routing is involved, which means it can't simply broadcast to neighbours.
-
@jknott
If I connect with a VPN, my PC acquires an IP address of the LAN. At this point, if, for example, I can ping all the devices on the LAN, then the virus can also contact the other PCs and infect them.
As far as I know, the pfSense antivirus protects browsing and downloading/uploading of files, but does not come into play when I transfer a file from one PC to another on the network, even if one of the two PCs is remote and connected with OpenVPN.
If I am right, then there is no protection.
-
There are firewall rules protecting your network from the Internet. You can create appropriate rules between your LAN and VPN. I have a couple of examples here. Only my ThinkPad connects to my network via VPN. Since it's trusted, I don't have any rules restricting it. On the other hand, devices connecting to my guest WiFi are not trusted, so I have rules that prevent any device connected to it from communicating with anything on my LAN, other than pinging the VLAN interface.
You have to decide if the other end of the VPN is trusted or not and configure the rules accordingly.
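As an added illustration of the interface rules described above (not jknott's own rule set, and not output from the pfSense GUI), the same "untrusted VPN clients" policy written in raw pf syntax, assuming the OpenVPN server interface is named ovpns1 and the LAN subnet is 192.168.1.0/24:

```pf
# Added example: pf rules for treating remote OpenVPN clients as untrusted.
# Assumed names: OpenVPN server interface ovpns1, LAN subnet 192.168.1.0/24.
# pfSense generates its own pf ruleset from the GUI; this only shows the logic.
vpn_if  = "ovpns1"
lan_net = "192.168.1.0/24"

# Let remote clients ping the VPN interface address (connectivity check only).
pass in quick on $vpn_if inet proto icmp from any to ($vpn_if) icmp-type echoreq

# Deny everything else from the tunnel into the LAN subnet; log it so a
# client that starts probing the LAN shows up in the firewall log.
block in log quick on $vpn_if inet from any to $lan_net

# Remaining traffic from the tunnel (for example toward the Internet) is passed.
pass in quick on $vpn_if inet from any to any keep state
```

For a trusted endpoint, as in the ThinkPad case above, the block rule is simply omitted; the rules are first-match because of `quick`, so their order matters.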
-
The only antivirus you might have on pfSense, clamav, only scans traffic that is cached by Squid.
It is probably not doing anything for traffic coming over a VPN. But even if it is, it's no substitute for AV on hosts, where it can have far more visibility.
Steve