[isalist] Re: More ISA VPN questions
- From: Steven Comeau <scomeau@xxxxxxxxxxxxxxxxxx>
- To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 23 Feb 2011 11:00:07 -0500
Thanks Jim, this looks promising. It amazes me how much the words "could" and
"possibly" can be taken as actual fact of impending doom. As I mentioned, they
keep telling me to apply patches to my servers for DNS issues, however, I keep
responding that the patches have been applied, and even send them a copy of the
registry - they can only tell that I have a 2003 Server and am running DNS - no
detection of actual patches already applied.
Again, thank you.
Steve Comeau
Associate Director of IT Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Wednesday, February 23, 2011 10:03 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: More ISA VPN questions
See if
http://blogs.technet.com/b/networking/archive/2008/12/18/third-party-security-scanning-software-reports-weak-ipsec-encryption.aspx
helps.
It's about all the control you have over this behavior AFAICT.
Good luck with your particular band of fuuls.
I'm currently dealing with FISMA auditors that demand screenshots of several
hundred settings on several thousand hosts, rather than a single document that
expresses the results of WMI queries for the same configuration settings.
Not only do they not know what they're talking about, they require Tier-1
techniques to validate their ignorance...
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Steven Comeau
Sent: Tuesday, February 22, 2011 7:44 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: More ISA VPN questions
Jim, thanks for the "feedback"....
Yes, they are Id10t'5, but that doesn't mean they won't stick to their guns and
make my life miserable by higher ups that trust them more than me (I mean, they
ARE paying for this service - it just HAS to be right). I did use PPTP, but
they claimed it was too "insecure" (which I think THEY really are since they
don't really know what they're talking about). Anyway, their claim is now "The
ISAKMP endpoint allows short key lengths or insecure encryption algorithms to
be negotiated. This could allow remote attackers to compromise the
confidentiality and integrity of the data by decrypting and modifying
individual ESP or AH packets." Their suggestion is to "Modify the ISAKMP
settings to only allow secure encryption algorithms to be negotiated." Now
normally, they've given good suggestions by turning off recursion on my DNS
servers, giving the right MS bulletins on patches (which they never seem to detect
that I've done), but on this one, I'm not sure myself what to do. The only
thing I could think of was to set the Advanced settings in RRAS dial ups to
Maximum Strength Encryption for the Data Encryption. Not sure if I could force
ISAKMP settings to specific secure encryption algorithms.
If this keeps up, I'll just give them a set of unused Public IPs and see what
they come up with for their tests.... I'm sure someday they'll come to believe
Al Gore invented algorithms since the names are so close. @set soapbox=off
Steve Comeau
Associate Director of IT Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Tuesday, February 22, 2011 10:00 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: More ISA VPN questions
<skweeeeeeeeee>
As with many of them, your PCI auditors are 1d10t'5. There is nothing about
PCI that has anything at all to do with controlling or encryption of network
traffic.
Exactly what aspect of ISAKMP are they claiming to be "vulnerable" and what is
the basis for this claim?
Perhaps, it's http://isc.sans.edu/diary.html?storyid=852 (guessing here)?
If so, and you can't get an exception, then you can go back to PPTP or deploy
TMG and use SSTP or deploy UAG and use DirectAccess.
As you may have noticed, you can't simultaneously disable ISAKMP and deploy
IPsec.
Jim
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Steven Comeau
Sent: Tuesday, February 22, 2011 6:44 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: More ISA VPN questions
Tap, tap, tap... is this thing on?
Steve Comeau
Associate Director of IT Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Steven Comeau
Sent: Friday, February 18, 2011 4:38 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] More ISA VPN questions
Let's see if someone can answer this one... I have ISA2006 running at all my
sites.
I have to pass PCI compliance. One of the things being brought up now is that
I am running a vulnerable ISAKMP service (I'm using L2TP/IPsec for my
site-to-site VPNs and for the clients). How do I turn off the less secure
encryption protocols?
Steve Comeau
Associate Director of IT Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com
*** This message contains confidential information and is
intended only for the individual named. If you are not the
named addressee, you should not disseminate, distribute or
copy this e-mail. Please notify the sender immediately by
e-mail if you have received this e-mail by mistake and delete
this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be
intercepted, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses. The sender therefore does not
accept liability for any errors or omissions in the contents of
this message, which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version.
Rutgers University - DIA
83 Rockafeller Road
Piscataway, NJ 08854
www.scarletknights.com ***
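The finding quoted in this thread ("the ISAKMP endpoint allows short key lengths or insecure encryption algorithms to be negotiated") is produced by a scanner that offers the IKE responder a list of phase-1 transforms and reports on the one it accepts, which is the same thing ike-scan does. The following Python is an added example, not code from any of the list posts, from Microsoft or from a scanner vendor: it builds such an SA payload byte-for-byte per RFC 2408 sections 3.4-3.6 (attribute numbers from RFC 2409 Appendix A), parses the payload the other side returns, and grades the transform. The probe and reply bytes are constructed here, not captured from a real ISA server, and the weak/strong thresholds (single DES, MD5, AES under 128 bits, MODP groups under 2048 bits) are this example's own and stricter than a 2011 PCI scanner would have applied.

```python
import struct

# IKEv1 phase-1 attribute classes and values (RFC 2409 Appendix A).
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP, ATTR_KEYLEN = 1, 2, 3, 4, 14
ENC_NAMES = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
HASH_NAMES = {1: "MD5", 2: "SHA1"}
GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}   # MODP group sizes in bits
IPSEC_DOI = SIT_IDENTITY_ONLY = PROTO_ISAKMP = KEY_IKE = 1


def build_sa_payload(transforms):
    """SA payload with one ISAKMP proposal carrying `transforms` (a list of
    {attr_class: value} dicts), laid out per RFC 2408 sections 3.4-3.6."""
    blobs = []
    for num, attrs in enumerate(transforms, start=1):
        # Fixed-size 'TV' attributes: class with the high bit set, then a 2-byte value.
        body = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in attrs.items())
        nxt = 3 if num < len(transforms) else 0      # 3 = another Transform follows
        # Transform header: next, reserved, length, transform#, transform-id, reserved2
        blobs.append(struct.pack("!BBHBBH", nxt, 0, 8 + len(body), num, KEY_IKE, 0) + body)
    tbytes = b"".join(blobs)
    # Proposal header: next, reserved, length, proposal#, protocol, SPI size, #transforms
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(tbytes), 1, PROTO_ISAKMP, 0, len(transforms)) + tbytes
    # SA header: next, reserved, length, DOI, Situation
    return struct.pack("!BBHII", 0, 0, 12 + len(proposal), IPSEC_DOI, SIT_IDENTITY_ONLY) + proposal


def parse_attributes(data):
    """Decode TV and TLV attributes into {attr_class: int value}."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        atype, val = struct.unpack_from("!HH", data, off)
        if atype & 0x8000:                           # TV: `val` is the value itself
            attrs[atype & 0x7FFF] = val
            off += 4
        else:                                        # TLV: `val` is the value length
            attrs[atype] = int.from_bytes(data[off + 4:off + 4 + val], "big")
            off += 4 + val
    return attrs


def parse_sa_payload(data):
    """Every ISAKMP phase-1 transform in an SA payload, as an attribute dict."""
    _, _, sa_len, doi, _ = struct.unpack_from("!BBHII", data, 0)
    if doi != IPSEC_DOI:
        raise ValueError("unexpected DOI %d" % doi)
    transforms, off = [], 12
    while off < sa_len:
        _, _, p_len, _, proto, spi_size, n_trans = struct.unpack_from("!BBHBBBB", data, off)
        if proto != PROTO_ISAKMP:
            raise ValueError("not an ISAKMP proposal (protocol %d)" % proto)
        t_off = off + 8 + spi_size
        for _ in range(n_trans):
            _, _, t_len, _, _, _ = struct.unpack_from("!BBHBBH", data, t_off)
            transforms.append(parse_attributes(data[t_off + 8:t_off + t_len]))
            t_off += t_len
        off += p_len
    return transforms


def describe(attrs):
    """Short human-readable name for a transform, e.g. 'DES-CBC / MD5 / DH group 1'."""
    enc = ENC_NAMES.get(attrs.get(ATTR_ENC), "enc=%s" % attrs.get(ATTR_ENC))
    if ATTR_KEYLEN in attrs:
        enc += "-%d" % attrs[ATTR_KEYLEN]
    hsh = HASH_NAMES.get(attrs.get(ATTR_HASH), "hash=%s" % attrs.get(ATTR_HASH))
    return "%s / %s / DH group %s" % (enc, hsh, attrs.get(ATTR_GROUP))


def grade_transform(attrs):
    """Reasons a transform counts as weak. Thresholds are this example's own:
    single DES, MD5, AES under 128 bits and MODP groups under 2048 bits."""
    reasons, enc = [], attrs.get(ATTR_ENC)
    if enc == 1:
        reasons.append("single DES (56-bit key)")
    if enc == 7 and attrs.get(ATTR_KEYLEN, 0) < 128:
        reasons.append("AES key length %s < 128" % attrs.get(ATTR_KEYLEN))
    if attrs.get(ATTR_HASH) == 1:
        reasons.append("MD5 PRF/hash")
    group = attrs.get(ATTR_GROUP)
    if group is not None and GROUP_BITS.get(group, 0) < 2048:
        reasons.append("DH group %d (%d-bit MODP)" % (group, GROUP_BITS.get(group, 0)))
    return reasons


def audit(sa_payload):
    """[(description, weak_reasons)] for each transform in an SA payload."""
    return [(describe(t), grade_transform(t)) for t in parse_sa_payload(sa_payload)]


# Constructed sample data, not captured from any real endpoint: three transforms
# a scanner might offer, and the single transform a permissive responder might
# send back (an IKEv1 responder's SA payload carries only the accepted one).
PROBE_TRANSFORMS = [
    {ATTR_ENC: 7, ATTR_KEYLEN: 128, ATTR_HASH: 2, ATTR_AUTH: 1, ATTR_GROUP: 14},
    {ATTR_ENC: 5, ATTR_HASH: 2, ATTR_AUTH: 1, ATTR_GROUP: 2},
    {ATTR_ENC: 1, ATTR_HASH: 1, ATTR_AUTH: 1, ATTR_GROUP: 1},
]
PROBE = build_sa_payload(PROBE_TRANSFORMS)
REPLY = build_sa_payload([PROBE_TRANSFORMS[2]])
```

Running `audit(REPLY)` on the constructed reply yields one entry, "DES-CBC / MD5 / DH group 1", with three weak reasons; that is exactly the evidence behind a "short key lengths or insecure encryption algorithms" finding, and it depends entirely on which transform the responder picks, not on whether the scanner sent weak ones. To verify a fix rather than argue about it, capture the responder's own SA payload (UDP/500, the first reply in main or aggressive mode) and feed it to `audit`; if the accepted transform grades clean for every probe ordering, the finding is a false positive for the tested configuration.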