RE: ISA server and secure VPN clients

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 22 Oct 2004 08:16:24 -0700

Hi Tom,

YaDamnSkippy!

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Friday, October 22, 2004 06:44
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA server and secure VPN clients

http://www.ISAserver.org

Hi Jim,

This makes me think I need to include a section in the VPN chapter in
the book:

"Why the world isn't flat and other Microsoft VPN client/server
misconceptions"

Thanks! 


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Friday, October 22, 2004 8:20 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA server and secure VPN clients

http://www.ISAserver.org

Hi Michael,
Inline...


  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
 
 
-----Original Message-----
From: Michael Bertelsen [mailto:mbe@xxxxxxxxxxxxx] 
Sent: Friday, October 22, 2004 6:50 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA server and secure VPN clients

http://www.ISAserver.org

Hi

Up until the release of ISA Server 2004, the use of Microsoft VPN Clients
was thought of as only being semi-secure, since you have no way of
blocking the use of split tunneling.
[[Jim]] This is pure, unadulterated BS; take a look at the Connection
Mangler components; you can (and should) disable the user's ability to
change the "use default gateway..." setting in the connectoid.

From the Client, you were always able to access the local LAN as well as
any subnet entered into the routing table, when the VPN tunnel was
active.
[[Jim]] I'll stipulate that allowing a connection to any network other
than the VPN connection is potentially hazardous to the remote network,
but the real danger is in allowing the VPN client to access non-local
networks.  Even the MS VPN client doesn't allow this by default.
Take a read here:
http://www.microsoft.com/windows2000/en/server/help/sag_CMAKtopnode.htm?id=1634
..and here:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_CMAKtopnode.asp
and here:
http://www.microsoft.com/technet/community/columns/cableguy/cg0901.mspx
..and here:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/DNSBG_RAC_OVERVIEW.asp

..aw, hell; just start here:
http://search.microsoft.com/search/results.aspx?st=b&na=88&View=en-us&qu=%22connection+manager%22

With VPN Quarantining for RRAS on Windows Server 2003 you were able to
test several things on the client before establishing the tunnel, but
as soon as the VPN tunnel was established you could easily change the
routing table, and thereby effectively use split tunneling.
[[Jim]] Again, see my response to point #1

Also, using RRAS policies you can severely lock down the VPN tunnel
itself.

Does anybody know if this problem has been solved with the release of
ISA Server 2004?
I have a hard time seeing how a secure ISA VPN gateway can rectify the
insecure vpn client.
The only thing I see as a possible solution is if, i.e., Windows XP SP2
supports an advanced setup, and you set a Quarantine policy to only
allow clients running Windows XP SP2.
[[Jim]] Neither ISA nor RRAS (which actually handles the VPN
connections) controls the client configuration, and neither has
any way to observe it after the connection is created.
See my response to point #1

I look forward to your thoughts on this !

Mike
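As an added illustration of the "use default gateway on remote network" connectoid setting Jim refers to (example code written here, not from this thread, from Microsoft, or from CMAK): an audit that parses a constructed rasphone.pbk phonebook and flags entries that leave split tunneling possible. It assumes the phonebook key IpPrioritizeRemote carries that checkbox state (1 = all traffic via the tunnel, 0 = split tunneling).

```python
"""Audit Windows RAS phonebook (rasphone.pbk) entries for split tunneling.

A phonebook is an INI-style file with one [section] per VPN/dial-up entry.
Assumption: the key IpPrioritizeRemote mirrors the connectoid checkbox
"Use default gateway on remote network": 1 = all traffic goes through the
tunnel, 0 = split tunneling (only remote subnets route via the tunnel).
"""
import configparser
from typing import Dict, List

# Constructed sample phonebook: one locked-down entry, one split-tunnel
# entry, and one entry that never states the setting at all.
SAMPLE_PBK = """\
[Corp VPN]
MEDIA=rastapi
Device=WAN Miniport (PPTP)
IpPrioritizeRemote=1

[Home Lab]
MEDIA=rastapi
Device=WAN Miniport (L2TP)
IpPrioritizeRemote=0

[Legacy Dialup]
MEDIA=serial
"""


def parse_phonebook(text: str) -> Dict[str, Dict[str, str]]:
    """Parse phonebook text into {entry_name: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case so IpPrioritizeRemote matches
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def split_tunnel_entries(text: str) -> List[str]:
    """Return entry names where the remote default gateway is not enforced.

    Entries with no explicit IpPrioritizeRemote are reported as well: their
    behaviour depends on the OS default rather than on a stated policy, so
    the audit treats them as unverified.
    """
    flagged = []
    for name, keys in parse_phonebook(text).items():
        if keys.get("IpPrioritizeRemote") != "1":
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for entry in split_tunnel_entries(SAMPLE_PBK):
        print(f"split tunneling possible: {entry}")
```

Run against a real phonebook by reading the file's contents into `split_tunnel_entries`; only entries with an explicit `IpPrioritizeRemote=1` pass.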

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.
