http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/sitetositevpn.mspx
http://www.rainfinity.com/products/ds_rainconnect_isa.html

> -----Original Message-----
> From: Michael Bertelsen [mailto:mbe@xxxxxxxxxxxxx]
> Sent: October 24, 2004 6:50 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA server and secure VPN clients
>
> http://www.ISAserver.org
>
> How nice of you guys to respond so quickly. I am just sorry that you did
> not take the time to think on what I wrote instead of simply mistaking me
> for a rookie.
>
> I do realize that many people have a "Microsoft cannot be secure"
> attitude, but this was in no way what I was getting at.
> I am an MS Certified consultant, and I have been working with MS products
> as a professional for over six years....
>
> The point of my previous post was to investigate whether others had thought
> of and maybe solved (what I find to be) the problem with MS VPN.
> I have been searching for a solution for controlling VPN clients after the
> tunnel has been built.
> I have spent several hours today digging into CMAK, RRAS policies and
> ISA firewall rules and add-ins, but have not found a way to make sure that
> a user does not manually change the routing information on the computer.
>
> Think of this situation:
>
> A user downloads and installs a fun little app, and with it a trojan.
> Later the user opens an MS VPN connection.
> During the establishment of the locked-down (CMAK) VPN connection the
> Quarantine scripts will check the routing table, the antivirus, the
> firewall etc., but the trojan will not be detected.
> The VPN connection is established successfully.
>
> Now at this point what is to stop the trojan process from adding or changing
> a route entry and thereby effectively sending traffic around the VPN
> tunnel? (Other than making sure the user is not local admin :-))
> This situation will actually enable a hacker to control the client
> computer and launch an attack through the VPN tunnel.
>
> If you actually do have a way to prevent this scenario, I would very much
> like to hear it, as I am encountering an increasing number of requests for
> MS-like VPN functionality that third party vendors have a hard time
> offering.
>
> A Nortel VPN implementation solves this by continuously monitoring the routing
> table and closing the VPN tunnel in case of a change in the routing table.
> I was hoping for a somewhat similar MS solution.
>
> I look forward to a hopefully somewhat more useful answer from you.
>
> Regards,
>
> Michael
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> ara@xxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
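The behaviour Michael attributes to the Nortel client (baseline the routing table when the tunnel comes up, tear the tunnel down on any later change) can be reproduced on the client side with a small monitor. The script below is an added example, not code from this thread, from ISA Server, CMAK or any Nortel product. It parses the text of Windows `route print -4`, diffs a later snapshot against the baseline and returns a close decision; the sample table it ships with is constructed, and `snapshot_live()` assumes it is run on a Windows host where `route print -4` is available. Hooking the decision to an actual `rasdial /disconnect` is left to the caller.

```python
"""Routing-table change detector for a Windows VPN client (added example).

Mirrors the policy described in the thread: snapshot the IPv4 routing table
once the tunnel is established, then flag any route that is added, removed
or altered so the connection can be dropped. All sample data is constructed.
"""
import re
import subprocess
from typing import Dict, List, Tuple

RouteKey = Tuple[str, str, str]   # (destination, netmask, interface address)
RouteVal = Tuple[str, int]        # (gateway or "On-link", metric)
RouteTable = Dict[RouteKey, RouteVal]

# One "Active Routes" row of `route print -4`: destination, netmask, gateway
# (an IP or "On-link"), interface IP, metric. Persistent-route rows carry only
# four columns and IPv6 rows use a different syntax, so neither matches.
_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s*$"
)


def parse_route_table(text: str) -> RouteTable:
    """Turn `route print -4` output into a dict keyed by (dest, mask, iface)."""
    table: RouteTable = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            dest, mask, gateway, iface, metric = m.groups()
            table[(dest, mask, iface)] = (gateway, int(metric))
    return table


def diff_routes(baseline: RouteTable, current: RouteTable) -> Dict[str, List[RouteKey]]:
    """Routes added, removed, or altered (gateway/metric) since the baseline."""
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    changed = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}


def tunnel_should_close(baseline: RouteTable, current: RouteTable) -> bool:
    """The thread's policy: any change to the table closes the tunnel."""
    return any(diff_routes(baseline, current).values())


def snapshot_live() -> RouteTable:
    """Read the real table on a Windows host (assumes `route print -4` exists)."""
    out = subprocess.run(["route", "print", "-4"], capture_output=True,
                         text=True, check=True)
    return parse_route_table(out.stdout)


# Constructed `route print -4` output taken right after a tunnel came up:
# 192.168.1.0/24 is the local LAN, 172.16.5.20 the address on the VPN adapter.
BASELINE = """\
===========================================================================
Interface List
 12...00 15 5d 01 02 03 ......Intel(R) PRO/1000 MT Network Connection
 20...........................WAN Miniport (PPTP)
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10     25
          0.0.0.0          0.0.0.0          On-link      172.16.5.20      1
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
      172.16.5.20  255.255.255.255          On-link      172.16.5.20    256
      192.168.1.0    255.255.255.0          On-link     192.168.1.10    281
===========================================================================
Persistent Routes:
  None
"""

# Constructed later snapshot: one extra route has appeared on the LAN adapter.
MODIFIED = BASELINE.replace(
    "        127.0.0.0        255.0.0.0",
    "         10.0.0.0        255.0.0.0      192.168.1.1    192.168.1.10      1\n"
    "        127.0.0.0        255.0.0.0",
)

if __name__ == "__main__":
    base = parse_route_table(BASELINE)
    later = parse_route_table(MODIFIED)
    print(diff_routes(base, later))
    print("close tunnel:", tunnel_should_close(base, later))
```

On a live client the loop would be: `base = snapshot_live()` after the tunnel is established, then `tunnel_should_close(base, snapshot_live())` every few seconds, disconnecting when it returns True. The sorted `(dest, mask, iface)` keys in the report give the operator enough to log which entry moved without trusting anything the changed route says about itself.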