RE: ISA server and secure VPN clients

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 24 Oct 2004 19:29:33 -0500

Hi Jim,

But if it costs a lot, it must be better, or at least it feels better.
That's what Freud said. ;-)


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Sunday, October 24, 2004 5:15 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA server and secure VPN clients

http://www.ISAserver.org

Ask a rookie question, ...etc...

Again; you should look into the Connection Manager; it offers you the
means to lock the VPN client down as tight or as loose as you choose.

BTW, preventing user Bob from accessing his Trojan/virus/haxor site
while connected to VPN does not prevent him spreading it to the VPN
network.
All he has to do is get infected / owned before connection and he could
spread the joy to you even through your much vaunted Nortel toy.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 
-----Original Message-----
From: Michael Bertelsen [mailto:mbe@xxxxxxxxxxxxx] 
Sent: Sunday, October 24, 2004 15:50
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA server and secure VPN clients

http://www.ISAserver.org

How nice of you guys to respond so quickly. I am just sorry that you did
not take the time to think about what I wrote instead of simply mistaking
me for a rookie.

I do realize that many people have a "Microsoft cannot be secure"
attitude, but this was in no way what I was getting at.
I am an MS Certified consultant, and I have been working with MS products
as a professional for over six years....

The point of my previous post was to investigate whether others had
thought of and maybe solved (what I find to be) the problem with MS VPN.
I have been searching for a solution for controlling VPN clients after
the tunnel has been built.
I have spent several hours today digging into CMAK, RRAS policies and
ISA firewall rules and add-ins, but have not found a way to make sure
that a user does not manually change the routing information on the
computer.

Think of this situation:

A user downloads and installs a fun little app, and with it a trojan.
Later the user opens an MS VPN connection.
During the establishing of the locked down (CMAK) VPN connection the
Quarantine scripts will check the routing table, the antivirus, the
firewall etc, but the trojan will not be detected.
The VPN connection is established successfully.

Now at this point what is stopping the trojan process from adding or
changing a route entry and thereby effectively sending traffic around
the VPN tunnel? (Other than making sure the user is not local admin :-))
This situation will actually enable a hacker to control the client
computer and launch an attack through the VPN tunnel.

If you actually do have a way to prevent this scenario, I would very
much like to hear it, as I am encountering an increasing number of
requests for MS-like VPN functionality that third party vendors have a
hard time offering.

A Nortel VPN implementation solves this by continuously monitoring the
routing table and closing the VPN tunnel in case of a change in the
routing table.
I was hoping for a somewhat similar MS solution.

I look forward to a hopefully somewhat more useful answer from you.

Regards,

Michael
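As an added illustration of the client-side watchdog Michael describes (not code from this thread, from Microsoft, or from Nortel): a PowerShell script that snapshots the IPv4 routing table once the RAS/VPN connection is up, polls for changes, and tears the connection down with rasdial if any route is added, removed or altered. The connection name, the poll interval and the presence of the NetTCPIP module (Get-NetRoute, Windows 8 / Server 2012 and later) are assumptions.

```powershell
# Added example: routing-table watchdog for a RAS/VPN connection.
# Assumes Get-NetRoute (NetTCPIP module) and rasdial.exe are available;
# 'CorpVPN' is a placeholder for the CMAK/RAS phonebook entry name.
param(
    [string]$ConnectionName = 'CorpVPN',
    [int]$PollSeconds = 5
)

function Get-RouteSnapshot {
    # Normalise each route to a "prefix|nexthop|ifindex|metric" string and sort,
    # so two snapshots can be compared by value with Compare-Object.
    Get-NetRoute -AddressFamily IPv4 -ErrorAction Stop |
        ForEach-Object {
            '{0}|{1}|{2}|{3}' -f $_.DestinationPrefix, $_.NextHop,
                                  $_.InterfaceIndex, $_.RouteMetric
        } |
        Sort-Object
}

function Test-Connected {
    # rasdial.exe with no arguments lists active connections; the entry name
    # appears in that output only while the tunnel is up.
    [bool]((& rasdial.exe) -match [regex]::Escape($ConnectionName))
}

if (-not (Test-Connected)) {
    Write-Error "'$ConnectionName' is not connected; nothing to watch."
    return
}

# Baseline is taken after the tunnel is established, so it already contains
# the routes the VPN itself pushed down.
$baseline = Get-RouteSnapshot
Write-Host ("Baseline: {0} routes. Polling every {1}s." -f $baseline.Count, $PollSeconds)

while (Test-Connected) {
    Start-Sleep -Seconds $PollSeconds
    $current = Get-RouteSnapshot
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current
    if ($diff) {
        # Log each change (=> added, <= removed) and drop the tunnel,
        # mirroring the behaviour Michael attributes to the Nortel client.
        $diff | ForEach-Object { Write-Warning ("{0} {1}" -f $_.SideIndicator, $_.InputObject) }
        & rasdial.exe $ConnectionName /disconnect
        Write-Warning "Routing table changed; '$ConnectionName' disconnected."
        break
    }
}
```

This only narrows the window Michael describes: it runs in the logged-on user's context, so a process with local administrator rights can still stop it or alter the table between polls, which is why his point about not making the user a local admin still applies.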

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.

