[isalist] Re: Endpoint IPSEC with DHCP assinged address.

Hi William,
 
It really wasn't meant to be a personal attack and if you took it that way, I'm 
sorry. 
 
What I really wanted to impress on you is that you think about the security 
implications of this design. It has nothing to do with ISA or the specific 
technologies being used, but the fact that you will allow a dedicated site to 
site VPN connection from a unmanaged home network to the company's business 
without really any thought about access controls the short and long term 
implications of this design. 
 
Did you explain to him the ramafications of this design and impress upon him 
that this site to site VPN connection is a recipe for disaster?
 
That's what I was really getting into you for -- and if you did this and he 
said to you "I know that this is a bad idea and could put my business and my 
employees job (including yours) at risk, but I want you to do this for me 
regardless", then you carried out your due diligence and took on your 
professional duty, and that's that.
 
 
Thanks!
Tom
 
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
MVP -- Microsoft Firewalls (ISA)

 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of William Holmes
        Sent: Sunday, March 16, 2008 9:05 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Endpoint IPSEC with DHCP assinged address.
        
        

        You know Tom,

         

        I am fully apprised of the security implications. I am also aware that 
the user already has an always on connection provided by a Red Creek Ravlin 
Device.  The fact is that the Ravlin has long since passed its end of life and 
needs to be replaced.  I wanted to do this with a solution that is integrated 
into ISA rather than some other "black box" solution. That way specific 
policies and monitoring could be applied to the traffic. 

         

        I guess I could just tell the Chairman to kiss off but .....

         

        While many people may be unaware of security I am not one of those. 
There is nothing "naïve" about the security setup that current exists nor would 
there be in the new configuration. The network on the remote site is completely 
understood. It's hardwired to the person's home office.  If there is a physical 
break I'll know.

         

        I actually was asking a technical question. Other systems out there 
allow IPSEC tunnels with DHCP endpoints (including the Ravlin) I was asking ISA 
could support such a configuration. A detailed technical response would have 
been nice.  A rant about efficacy of the configuration is a usual unwelcome.

         

        It's really ashamed that with the knowledge that you possess on ISA 
that you had to turn this question into a personal attack.

         

        Bill

         

         

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
        Sent: Sunday, March 16, 2008 12:25 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Endpoint IPSEC with DHCP assinged address.

         

        You have to be kidding? Right?

         

        Don't you take responsibility for the security of your business?

         

        If you can 't provide at least 10 valid security reasons for not 
honoring this request, you might want to consider Wally Thor's truck driving 
school as an alternate line of business. You put yourself in harm's why with 
this type of naïve security configuration and if you have any assets, I'm sure 
an atty would love to take them from you for allowing this type config.

         

        Be responsible and aware.

         

        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of William T. Holmes
        Sent: Saturday, March 15, 2008 8:24 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Endpoint IPSEC with DHCP assinged address.

         

        The person in question wants an always on connection from their home.

         

        Bill

         

        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: Saturday, March 15, 2008 5:55 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Endpoint IPSEC with DHCP assinged address.

         

        An IPSec tunnel will need to know both end's IP in order to set up the 
tunnel, match rules, and route properly...

         

        What's wrong with an old-fashioned VPN from his/her computer?  And can 
the router not act as a VPN client?

         

        t

         

        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of William T. Holmes
        Sent: Saturday, March 15, 2008 2:30 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Endpoint IPSEC with DHCP assinged address.

         

        Hi,

         

        Can anyone give me a pointer on this one?

        
        Thanks

         

        Bill

         

        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of William Holmes
        Sent: Friday, March 14, 2008 12:54 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Endpoint IPSEC with DHCP assinged address.

         

        Hi,

         

        I would like to deploy a router in one of our Executive's home. The 
router I have can be configured with IPSEC tunneling. I am only interested in 
having the IPSEC tunnel startup from the endpoint not from the ISA2004 Server. 
Is there a document on setting up?  I looked at 
http://www.isaserver.org/articles/2004isadlink.html but that indicates I need a 
fixed IP address at each end of the tunnel.  Can this same thing be 
accomplished with a dynamic IP address on the endpoint so long as I don't wish 
to establish the tunnel from the ISA server's side?

         

        Thanks

        
        Bill

Other related posts: