RE: ISA newbie with remote administration questions

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 9 Apr 2005 18:41:10 -0400

Hah!  I just checked, and SurfControl has it blocked by default, it's in
the "Proxies & Peer-to-Peer" category.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Saturday, April 09, 2005 11:30
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA newbie with remoteadministrationquestions

http://www.ISAserver.org

Hi Steve,

FWIW, I also consider it a big issue. Gotomypc is a great security issue
and I always block their site at companies who aren't using least priv
for firewall policy (which is all companies that I've worked with,
unfortunately). 


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Steve Thamasett [mailto:steve.thamasett@xxxxxxx] 
Sent: Friday, April 08, 2005 2:49 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA newbie with remoteadministrationquestions

Raj,

I never said that you would be "more prone to attack" if you outsourced
to a third party.  I said that *my* issues with services like this are
1) you can't audit the inbound connections because they are technically
outbound connections from the firewall point of view, and 2) you are
releasing control of your overall network security to a company who is
*not* a Managed Security Provider (MSP) in the manner that you describe
in your last post.

I've worked with plenty of MSPs and for the most part they are extremely
good at what they do (indeed they have to be for the $$$ they charge),
but this is not the same thing.  The question you need to ask is, "What
is my legal recourse *if* my network is compromised as a result of a
breach at gotomypc?".

Some companies may not consider this a big issue and I'm sure that there
are a lot of people who are happily using this service (or they wouldn't
still be in business), but I'm not prepared to stake my clients' security
posture on *any* bridging service.


Steve T.

-----Original Message-----
From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx] 
Sent: Friday, April 08, 2005 3:06 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA newbie with remoteadministrationquestions

Steve,
FYI, we outsource our entire firewall and EPR hosting to a third party
and pay millions of dollars a year. Trust me, security compromise is a
very generic statement, and can happen at any level. Just because you
are outsourcing to a third party doesn't mean the 3rd party is careless
in terms of security and you are more prone to attack. Certainly we
don't outsource because it's cheap, rather it's a lot more expensive.
Rather they have a more dedicated data security infrastructure because
that is their business. Although we have in house Cisco gurus, we still
outsource that service. So don't consider just because you are using a
third party you are prone to a compromise. Companies who do such
business have what is called a written security and controls procedure,
which will be followed meticulously in case of a security breach. They
won't sit and watch while their clients are being hacked.


HTH.
Regards,
Raj Periyasamy
Systems Administrator
MCSE(Messaging), CCNA


-----Original Message-----
From: Steve Thamasett [mailto:steve.thamasett@xxxxxxx]
Sent: Friday, April 08, 2005 2:53 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA newbie with remote administrationquestions

I don't want to speak for Jim, but my issue with gotomypc is the fact
that you are now effectively outsourcing the security of your network to
a third party.  If the broker server is compromised, then your ISA box
as well as any other security mechanism that you may have implemented
for your network is nullified.

Example:
User A on my network initiates a connection to the broker server,
doesn't tell anyone,  and leaves for vacation. Sometime while he/she is
gone, gotomypc is compromised (it can happen, I'm not saying it's
_going_ to happen, but please just roll with the story).  Bad guy uses
the outstanding connection from User A to gain control of that PC and by
proxy has access to my internal network without my knowledge because
this is never seen as an inbound request to my firewall.

Another issue I have with a service like this is that I cannot
control/audit the remote connections coming into my network as I can
with a VPN or even a dialup solution.  This can cause regulatory issues
depending on your line of business, at least in the States.


My 2 cents,

Steve T.

-----Original Message-----
From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx]
Sent: Friday, April 08, 2005 2:26 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA newbie with remote administrationquestions

I don't understand. The requests from the gotomypc will still pass
through an ISA packet filter in "Outbound" direction, and is talking SSL
to a secure server. All connections are initiated by the host running
the gotomypc. How is this any different from a regular PC in the network
sending out connections to any other Internet site? How is it a security
hole? The client initiates a request through the ISA, and ISA opens the
port for the client and serves the connection. Authentication is
controlled at every level of Gotomypc. Be more specific with your
comments.....They are rather vague...

HTH.
Regards,
Raj Periyasamy
Systems Administrator
MCSE(Messaging), CCNA



-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Friday, April 08, 2005 2:07 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA newbie with remote administration questions

Yep - this is what we need; a process running on the firewall that's
asking a remote, unknown (to the firewall) service if there's anyone
asking for a connection.
..that's my definition of secure; yup-yup...

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx]
Sent: Friday, April 08, 2005 10:59
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA newbie with remote administration questions

Just been reading this thread, and the first impression I got is no one
knows how exactly gotomypc client/server components integrate and work.
Unlike a published service through ISA firewall, gotomypc does not wait
to listen for incoming requests, rather gotomypc "pings" a pre-registered
secure broker Server to check if any secure authenticated sessions are
awaiting to be serviced. In my opinion, this is as secure or more secure
than having RDP enabled in an Internet facing host. Read this article for
detailed info. By the way Gotomypc is a company owned by Citrix, I don't
think Citrix would market an insecure product, considering the
reputation Citrix has earnt worldwide.

https://www.gotomypc.com/downloads/pdf/m/GoToMyPC_Personal_Overview.pdf 


HTH.
Regards,
Raj Periyasamy
Systems Administrator
MCSE(Messaging), CCNA


-----Original Message-----
From: Greg Mulholland [mailto:greg@xxxxxxxxxxxxxx]
Sent: Friday, April 08, 2005 4:50 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA newbie with remote administration questions

Ok then, mine too 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Friday, April 08, 2005 11:40 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA newbie with remote administration questions

mee2 


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Thursday, April 07, 2005 8:33 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA newbie with remote administration questions

..and me.
Bear in mind that every networking application you add to (and make
available from) your firewall increases the attack surface.
HTTP applications have proven (regardless of author) to be the best
attractor of 'Net meanies.
Get rid of that applet-like toy...

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx]
Sent: Thursday, April 07, 2005 4:30 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA newbie with remote administration questions

And me

S 

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Thursday, April 07, 2005 7:50 PM
To: ISA Mailing List
Subject: [isalist] RE: ISA newbie with remote administration questions

While it may expand your knowledge, it will decrease your security...
RDP is more secure, and easier to control as a separate protocol/port
than bundling different services within a single protocol like HTTP.
You also won't have to screw around with combined filters/rules (you
said Win2k, but did not specify ISA2k, but I'm assuming that is what you
meant) or proxy settings.

So while this does not specifically answer your question, it does give
you a better, faster, more secure alternative.  Personally, I would
never even consider putting GMPC on my ISA server for remote admin when
TS is a far better way to go- but that's me.

t

------
*Secure your infrastructure*
Microsoft Ninjitsu: Securely Deploying MS Technologies security training
delivered by Timothy Mullen.
Registration now open for Blackhat Seattle 2005:
http://www.blackhat.com/html/training-seattle-05/train-bh-sea-05-tm.html



----- Original Message -----
From: "Jeffry Nimeroff" <jeffry.nimeroff@xxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, April 07, 2005 3:16 PM
Subject: [isalist] RE: ISA newbie with remote administration questions


> Personal choice.  I am not a big fan of Remote Desktop.
>
> Also, I always like to participate in exercises that expand my
> knowledge, and figuring out why the ISA box itself doesn't have the
> same privileges (in terms of outbound connectivity) as the other boxes
> behind it is just such an exercise.  I have already test installed
> GMPC on two other machines at my client.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com Leading 
> Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org Windows 
> Security Resource Site: http://www.windowsecurity.com/ Network 
> Security Library: http://www.secinf.net/ Windows 2000/NT Fax
> Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> thor@xxxxxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
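
Added example, not part of the original thread: the thread's concern is that a brokered remote-access client only ever appears as outbound traffic that polls a broker, so one way to regain some audit visibility is to look for that polling pattern in outbound proxy logs. The log layout, the sample lines, the thresholds and the function names below are constructed for illustration; only the gotomypc.com domain comes from the thread.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: domain suffixes of brokered remote-access services to watch.
WATCHED_SUFFIXES = ("gotomypc.com",)

# Constructed sample in a made-up "timestamp client method host:port" layout.
SAMPLE_LOG = """\
2005-04-08T09:12:04 10.0.0.40 CONNECT www.gotomypc.com:443
2005-04-08T13:47:51 10.0.0.40 CONNECT www.gotomypc.com:443
2005-04-08T22:00:00 10.0.0.23 CONNECT www.gotomypc.com:443
2005-04-08T22:00:05 10.0.0.51 CONNECT www.example.org:443
2005-04-08T22:00:15 10.0.0.23 CONNECT www.gotomypc.com:443
2005-04-08T22:00:20 10.0.0.51 CONNECT www.example.org:443
2005-04-08T22:00:30 10.0.0.23 CONNECT www.gotomypc.com:443
2005-04-08T22:00:35 10.0.0.51 CONNECT www.example.org:443
truncated line
2005-04-08T22:00:45 10.0.0.23 CONNECT www.gotomypc.com:443
2005-04-08T22:00:50 10.0.0.51 CONNECT www.example.org:443
2005-04-08T22:01:00 10.0.0.23 CONNECT www.gotomypc.com:443
2005-04-08T22:01:05 10.0.0.51 CONNECT www.example.org:443
2005-04-08T22:01:15 10.0.0.23 CONNECT www.gotomypc.com:443
"""


def parse_line(line):
    """Return (timestamp, client_ip, host) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        stamp = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    host = parts[3].rsplit(":", 1)[0].lower()
    return stamp, parts[1], host


def is_watched(host, suffixes=WATCHED_SUFFIXES):
    """Match the domain itself or any subdomain, not look-alike names."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_polling_clients(log_text, min_hits=5, max_jitter=0.2):
    """Flag internal clients that contact a watched broker at regular intervals.

    A client is flagged when it has at least min_hits requests and the
    spread of the gaps between them is small relative to the average gap.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        record = parse_line(line)
        if record and is_watched(record[2]):
            hits[record[1]].append(record[0])

    findings = {}
    for client, stamps in hits.items():
        if len(stamps) < max(min_hits, 3):
            continue  # occasional visits, e.g. someone browsing the site
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        average = mean(gaps)
        if average > 0 and pstdev(gaps) / average <= max_jitter:
            findings[client] = {
                "hits": len(stamps),
                "interval_s": average,
                "first": stamps[0],
                "last": stamps[-1],
            }
    return findings


if __name__ == "__main__":
    for client, info in find_polling_clients(SAMPLE_LOG).items():
        print(client, info["hits"], "requests every", info["interval_s"], "s")
```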