[isalist] Re: Endpoint IPSEC with DHCP assigned address.

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 16 Mar 2008 11:05:07 -0500

Hi William,
 
It really wasn't meant to be a personal attack and if you took it that way, I'm 
sorry. 
 
What I really wanted to impress on you is that you should think about the 
security implications of this design. It has nothing to do with ISA or the 
specific technologies being used, but the fact that you will allow a dedicated 
site to site VPN connection from an unmanaged home network to the company's 
business without really any thought about access controls or the short- and 
long-term implications of this design. 
 
Did you explain to him the ramifications of this design and impress upon him 
that this site to site VPN connection is a recipe for disaster?
 
That's what I was really getting into you for -- and if you did this and he 
said to you "I know that this is a bad idea and could put my business and my 
employees job (including yours) at risk, but I want you to do this for me 
regardless", then you carried out your due diligence and took on your 
professional duty, and that's that.
 
 
Thanks!
Tom
 
Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of William Holmes
        Sent: Sunday, March 16, 2008 9:05 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Endpoint IPSEC with DHCP assigned address.
        
        

        You know Tom,

         

        I am fully apprised of the security implications. I am also aware that 
the user already has an always-on connection provided by a Red Creek Ravlin 
device.  The fact is that the Ravlin has long since passed its end of life and 
needs to be replaced.  I wanted to do this with a solution that is integrated 
into ISA rather than some other "black box" solution. That way specific 
policies and monitoring could be applied to the traffic. 

         

        I guess I could just tell the Chairman to kiss off but .....

         

        While many people may be unaware of security, I am not one of those. 
There is nothing "naïve" about the security setup that currently exists, nor 
would there be in the new configuration. The network on the remote site is 
completely understood. It's hardwired to the person's home office.  If there is 
a physical break I'll know.

         

        I actually was asking a technical question. Other systems out there 
allow IPSEC tunnels with DHCP endpoints (including the Ravlin); I was asking 
whether ISA could support such a configuration. A detailed technical response 
would have been nice.  A rant about the efficacy of the configuration is, as 
usual, unwelcome.

         

        It's really a shame that, with the knowledge you possess on ISA, you 
had to turn this question into a personal attack.

         

        Bill

         

         

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
        Sent: Sunday, March 16, 2008 12:25 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Endpoint IPSEC with DHCP assigned address.

         

        You have to be kidding? Right?

         

        Don't you take responsibility for the security of your business?

         

        If you can't provide at least 10 valid security reasons for not 
honoring this request, you might want to consider Wally Thor's truck driving 
school as an alternate line of business. You put yourself in harm's way with 
this type of naïve security configuration, and if you have any assets, I'm sure 
an atty would love to take them from you for allowing this type of config.

         

        Be responsible and aware.

         

        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of William T. Holmes
        Sent: Saturday, March 15, 2008 8:24 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Endpoint IPSEC with DHCP assigned address.

         

        The person in question wants an always-on connection from their home.

         

        Bill

         

        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: Saturday, March 15, 2008 5:55 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Endpoint IPSEC with DHCP assigned address.

         

        An IPSec tunnel will need to know both ends' IPs in order to set up the 
tunnel, match rules, and route properly...

         

        What's wrong with an old-fashioned VPN from his/her computer?  And can 
the router not act as a VPN client?

         

        t

         

        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of William T. Holmes
        Sent: Saturday, March 15, 2008 2:30 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Endpoint IPSEC with DHCP assigned address.

         

        Hi,

         

        Can anyone give me a pointer on this one?

        
        Thanks

         

        Bill

         

        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of William Holmes
        Sent: Friday, March 14, 2008 12:54 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Endpoint IPSEC with DHCP assigned address.

         

        Hi,

         

        I would like to deploy a router in one of our executives' homes. The 
router I have can be configured with IPSEC tunneling. I am only interested in 
having the IPSEC tunnel start up from the endpoint, not from the ISA 2004 
server. Is there a document on setting this up?  I looked at 
http://www.isaserver.org/articles/2004isadlink.html but that indicates I need a 
fixed IP address at each end of the tunnel.  Can this same thing be 
accomplished with a dynamic IP address on the endpoint, so long as I don't wish 
to establish the tunnel from the ISA server's side?

         

        Thanks

        
        Bill
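The pattern Bill asks about at the start of the thread (the fixed-address office gateway only answers, and the home router with a DHCP address is the only side that ever initiates) is shown below as an added example in strongSwan's ipsec.conf syntax. It is not ISA 2004 configuration and not anything posted in the thread, which does not settle whether ISA 2004 supports it; the addresses, identities, subnets and secret are made up for illustration.

```ini
# /etc/ipsec.conf on the OFFICE gateway (fixed public address, responder only).
# All addresses, identities and subnets below are assumptions for this example.
conn home-office
    keyexchange=ikev2           # IKEv2 lets the responder choose the PSK by peer identity;
                                # IKEv1 main mode with a PSK needs the peer's address up front
    left=203.0.113.10           # office gateway, fixed address
    leftsubnet=10.0.0.0/24      # only this office network is reachable through the tunnel
    leftid=@office.example.com
    right=%any                  # home router's address is unknown (DHCP from the ISP) ...
    rightid=@home.example.com   # ... so the peer is matched by its IKE identity instead
    rightsubnet=192.168.50.0/24 # only the home office LAN may use the tunnel
    authby=secret
    auto=add                    # load the policy at start-up but never initiate

# /etc/ipsec.conf on the HOME router (DHCP address, always the initiator).
conn office
    keyexchange=ikev2
    left=%defaultroute          # whatever address the ISP handed out on the uplink
    leftsubnet=192.168.50.0/24
    leftid=@home.example.com
    right=203.0.113.10
    rightsubnet=10.0.0.0/24
    rightid=@office.example.com
    authby=secret
    auto=start                  # bring the tunnel up at boot ("always on")
    dpddelay=30s                # dead peer detection ...
    dpdaction=restart           # ... re-initiates after a lease change or ISP outage

# /etc/ipsec.secrets on BOTH sides (same line; made-up secret, use a long random one)
# @office.example.com @home.example.com : PSK "replace-with-a-long-random-secret"
```

The responder never needs the home side's address: it only needs an identity it can verify when the initiator shows up, which is why `right=%any` plus `rightid` works where a fixed-IP-to-fixed-IP article does not. Note that `leftsubnet`/`rightsubnet` only narrow the IPsec policy; which hosts and ports the home LAN may actually reach still has to be enforced by the firewall rules on the office gateway, which is the access-control point Tom and Thor are pressing in the thread.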
