VPN Access

85 pts.
Cisco VPN
User restrictions
Last night, one of the the systems administrator had to re-index a database, which takes about 3 hrs to do. Yet, stubborn users (local and remote) still try to log on to the database to input data, even though a notice was sent out for them not to log on. So, to stop the remote users, I shutdown the port on the core switch where the the public interface of the Cisco VPN concentrator (3015) connects to. Thus, disconnecting any user. But to my surprise, one user was able to VPN in and log on to the server. So I shutdown the port where the private interface of the VPN concentrator connects in the core switch. That disconnect the user. So now both the private and public interfaces of the VPN concentrator where shutdown. But how could this user have still be able to VPN into the network, when the public interface of the concentrator was shutdown?

Answer Wiki

Thanks. We'll let you know when a new response is added.

Talk about over kill. When rebuilding the indexes and you need to ensure that users aren’t using the database, simply put the database into single user mode.

Database reindexing can be completed while users are using the database, the will simply get error messages as the sessions timeout because the table is in use by the reindexing job.

Good answer for what should have been done, but not to the question asked !

I suspect the user was not really connected. If that is your only VPN device, and you shut the access on the Internet side, then there is no way that someone could remain connected. I suspect that the VPN session did not clear, so the connection between the concentrator and the database appeared to still be in place. If you had done a ‘clear sessions’ on the concentrator, the database session would also have dropped. Shutting the inside interface just did the same thing.

Just for good measure, check what you have acessible from the Internet, and confirm that there is no other VPN device, or anything that could be used to jump from there to the VPN concentrator. I don’t think there will be, but just do this review to make sure your security is tight.

Next time, follow Jdleon’s advice and make the change on the database, which IS a far better way to stop access, and stops local users as well. Also change the banner message on the Concentrator to say that this database is not available. That way VPN users can access anything else, like e-mail, and will not just get an error message because the VPN will not connect.

Discuss This Question:  

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: