Hi Jim,

But if it costs a lot, it must be better, or at least it feels better. That's what Freud said. ;-)

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Sunday, October 24, 2004 5:15 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA server and secure VPN clients

http://www.ISAserver.org

Ask a rookie question, ...etc...

Again; you should look into the Connection Manager; it offers you the means to lock the VPN client down as tight or as loose as you choose.

BTW, preventing user Bob from accessing his Trojan/virus/haxor site while connected to VPN does not prevent him spreading it to the VPN network. All he has to do is get infected / owned before connection and he could spread the joy to you even through your much vaunted Nortel toy.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Michael Bertelsen [mailto:mbe@xxxxxxxxxxxxx]
Sent: Sunday, October 24, 2004 15:50
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA server and secure VPN clients

http://www.ISAserver.org

How nice of you guys to respond so quickly. I am just sorry that you did not take the time to think about what I wrote instead of simply mistaking me for a rookie. I do realize that many people have a "Microsoft cannot be secure" attitude, but this was in no way what I was getting at. I am an MS Certified consultant, and I have been working with MS products as a professional for over six years.... The point of my previous post was to investigate whether others had thought of and maybe solved (what I find to be) the problem with MS VPN.
I have been searching for a solution for controlling VPN clients after the tunnel has been built. I have spent several hours today digging into CMAK, RRAS policies and ISA firewall rules and add-ins, but have not found a way to make sure that a user does not manually change the routing information on the computer.

Think of this situation: A user downloads and installs a fun little app, and with it a trojan. Later the user opens an MS VPN connection. During the establishment of the locked-down (CMAK) VPN connection the Quarantine scripts will check the routing table, the antivirus, the firewall etc., but the trojan will not be detected. The VPN connection is established successfully. Now at this point what is to stop the trojan process from adding or changing a route entry and thereby effectively sending traffic around the VPN tunnel? (Other than making sure the user is not local admin :-)) This situation will actually enable a hacker to control the client computer and launch an attack through the VPN tunnel.

If you actually do have a way to prevent this scenario, I would very much like to hear it, as I am encountering an increasing number of requests for MS-like VPN functionality that third-party vendors have a hard time offering. A Nortel VPN implementation solves this by continuously monitoring the routing table and closing the VPN tunnel in case of a change in the routing table. I was hoping for a somewhat similar MS solution.

I look forward to a hopefully somewhat more useful answer from you.
Regards,
Michael

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
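Michael's scenario above (a trojan rewriting the routing table after the CMAK quarantine checks have already passed) and the Nortel behaviour he describes (watch the routing table, drop the tunnel on any change), as an added example that is not part of the thread and is not CMAK, RRAS, ISA Server or Nortel code: a Python module that parses the IPv4 "Active Routes" table of Windows `route print` output, keeps the snapshot taken when the tunnel came up, and on a later snapshot reports every route that was added, removed or changed, flagging added routes that leave via an interface other than the tunnel. The `route print` text, the addresses (PPP interface 10.10.8.17, LAN NIC 192.168.1.50, VPN server 203.0.113.10, C2 network 198.51.100.0/24) and the trojan's two `route` commands are all constructed for the example.

```python
"""Route-table tamper detection for a Windows VPN client.

Added example (not CMAK, RRAS or ISA Server code). Snapshot the IPv4 table from
`route print` when the tunnel comes up, snapshot it again later, and report
every route that appeared, vanished or changed. As with the Nortel behaviour
described in the thread, the policy is strict: any change while the tunnel is
up is grounds for disconnecting. All `route print` text below is constructed.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass(frozen=True, order=True)
class Route:
    network: str    # CIDR built from the Destination and Netmask columns
    gateway: str    # next hop ("On-link" on Vista and later)
    interface: str  # IPv4 address of the local interface the route uses
    metric: int


# One row of the Active Routes table: destination, netmask, gateway, interface, metric.
_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Return the rows of the IPv4 'Active Routes' table as a frozenset of Route."""
    routes = set()
    in_table = False
    for line in text.splitlines():
        if line.startswith("Network Destination"):
            in_table = True
            continue
        if in_table and line.startswith(("Default Gateway", "Persistent Routes", "=")):
            break  # XP/2003 print 'Default Gateway:' after the rows; Vista+ print '===='
        m = _ROW.match(line) if in_table else None
        if m:
            dest, mask, gateway, iface, metric = m.groups()
            network = IPv4Network((dest, mask), strict=False)
            routes.add(Route(str(network), gateway, iface, int(metric)))
    return frozenset(routes)


def diff_routes(baseline, current):
    """(added, removed). A changed metric or gateway shows up as one of each."""
    return current - baseline, baseline - current


def bypass_routes(added, tunnel_iface):
    """Added routes that push traffic out an interface other than the tunnel."""
    return frozenset(r for r in added if r.interface != tunnel_iface)


def check_tunnel(baseline_text, current_text, tunnel_iface):
    """Compare two `route print` captures; disconnect on any change at all."""
    baseline = parse_route_print(baseline_text)
    current = parse_route_print(current_text)
    added, removed = diff_routes(baseline, current)
    return {
        "disconnect": bool(added or removed),
        "added": sorted(added),
        "removed": sorted(removed),
        "bypass": sorted(bypass_routes(added, tunnel_iface)),
    }


# Constructed: XP-style `route print` right after a PPTP/L2TP tunnel comes up.
# 10.10.8.17 is the PPP interface, 203.0.113.10 the VPN server's public address,
# 192.168.1.50 the LAN NIC. The tunnel's default route (metric 1) wins over the LAN's.
BASELINE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     21
          0.0.0.0          0.0.0.0       10.10.8.17      10.10.8.17      1
       10.10.8.17  255.255.255.255        127.0.0.1       127.0.0.1     50
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
      192.168.1.0    255.255.255.0     192.168.1.50    192.168.1.50     20
     192.168.1.50  255.255.255.255        127.0.0.1       127.0.0.1     20
     203.0.113.10  255.255.255.255      192.168.1.1    192.168.1.50      1
  255.255.255.255  255.255.255.255     192.168.1.50    192.168.1.50      1
Default Gateway:        10.10.8.17
===========================================================================
Persistent Routes:
  None
"""

# Constructed: the same host after a trojan ran
#   route change 0.0.0.0 mask 0.0.0.0 192.168.1.1 metric 1
#   route add 198.51.100.0 mask 255.255.255.0 192.168.1.1
# so Internet and C2 traffic leave via the LAN NIC while the corporate tunnel stays up.
TAMPERED_ROUTE_PRINT = BASELINE_ROUTE_PRINT.replace(
    "192.168.1.1    192.168.1.50     21",
    "192.168.1.1    192.168.1.50      1",
).replace(
    "Default Gateway:",
    "     198.51.100.0    255.255.255.0      192.168.1.1    192.168.1.50      1\nDefault Gateway:",
)

if __name__ == "__main__":
    result = check_tunnel(BASELINE_ROUTE_PRINT, TAMPERED_ROUTE_PRINT, tunnel_iface="10.10.8.17")
    for r in result["bypass"]:
        print(f"bypass: {r.network} via {r.gateway} on {r.interface} metric {r.metric}")
    print("disconnect tunnel:", result["disconnect"])
```

A live monitor would feed `check_tunnel` the output of `route print` captured when the tunnel came up and again on each poll, and on `disconnect` run `rasdial <entry> /disconnect` to tear the connection down. This is detection after the fact, not prevention: a trojan with local admin rights can add the route and just as easily stop the monitor, which is the point of Michael's own aside about local admin, and as Jim says, a client owned before it connects is a problem the tunnel itself cannot fix.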