VPN Client Security

[Wazz]

I am interested in VPN client security and have some basic questions I can’t seem to answer.
At my place of work I am part of a team that installs a home workers solution. This is basically checkpoint VPN software and a router. The router uses NAT and blocks ping, SNMP and “web Traffic” from the WAN., but we don’t stop telnet, ftp and tftp traffic. The router is also not wireless, but I do no for a fact, that some users have unplugged our router and used there own wireless routers.
So, the first question is about the VPN software. I have been told by a manager at my place of work that the VPN software acts as a firewall... I find this hard to believe! I was sure the software just established and terminates the vpn connection and deals with data encryption over the link.
The other main issue is that our laptops used by Home Workers do not have any firewall. The windows firewall is disabled in group policy. This leaves ports 21, 23, 80, 135, 139 and 445 open (as so reported by a port scanner on my laptop)
Given all the main info above, I think that this is a very insecure solution and could provide a gateway to our company network. Which leads to my Main Question… Am I right? If anyone could confirm this and possibly a way (using utilities/port scanners etc) that I can prove this I would be very grateful!

Many thanks,
Wazz

 

[lgarner]

I can't speak to Checkpoint, so you'll need to check with them. We use Cisco, and have the ability to force a stateful firewall to be installed and running, and I thing AV software, before the VPN connection is made. When the VPN isn't connected, of course, it could be turned off.

Also, no network connection is available to the user except the VPN while it's running. That might mitigate some threats.

Checkpoint probably has similar features available.

 

[Wazz]

Damn.. its annoying having a page back button next to the arrow keys.. I just lost everything I typed.. Here it goes for a second time!

Thanks for the reply!
Igarner,
Your users have to have a firewall enabled before a vpn connection can be made? Can they still log on to the PC without the VPN connection in place using a cached profile? (thus leading to unsecured web acess).
Our Users can cancel the VPN logon and use a cached profile to log on at home or disconnect the VPN connection after domain logon. All a user would have to do is untick the use proxy setting and they have unprotected internet access.
This would/could lead to code from sites, P2P software, downloads being installed to the laptop. If this is the case and such programs made outbound connections, then NAT would be of no use at all. If we have no firewall to block these outbound connections then we could be asking for trouble.
Am I right?
I suppose though for a system to be comprimised in my described way the VPN would have to be disconnected, keeping the network safe. Am I missing something.. any one else give me something to think about on this?
ta!
Wazz