RE: ISA server and secure VPN clients

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 24 Oct 2004 19:27:28 -0500

Hi Michael,

But if you properly configure Access Policy, what is the issue?

Since users access only the content they require, and the ISA firewall
performs stateful application layer inspection on the connections, then
what's the difference between a VPN connection and any other remote
access connection through publishing? 

You're not giving them full access to everything? That's not what the ISA
firewall is all about. It's about access control.

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Michael Bertelsen [mailto:mbe@xxxxxxxxxxxxx] 
Sent: Sunday, October 24, 2004 5:50 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA server and secure VPN clients


How nice of you guys to respond so quickly. I am just sorry that you did
not take the time to think on what I wrote instead of simply mistaking me
for a rookie.

I do realize that many people have a "Microsoft cannot be secure"
attitude, but this was in no way what I was getting at.
I am an MS Certified consultant, and I have been working with MS products
as a professional for over six years....

The point of my previous post was to investigate whether others had
thought of and maybe solved (what I find to be) the problem with MS VPN.
I have been searching for a solution for controlling VPN clients after
the tunnel has been built.
I have spent several hours today digging into CMAK, RRAS policies and
ISA firewall rules and add-ins, but have not found a way to make sure
that a user does not manually change the routing information on the
computer.

Think of this situation:

A user downloads and installs a fun little app, and with it a trojan.
Later the user opens an MS VPN connection.
While the locked-down (CMAK) VPN connection is being established, the
Quarantine scripts will check the routing table, the antivirus, the
firewall etc., but the trojan will not be detected.
The VPN connection is established successfully.

Now at this point what is to stop the trojan process from adding or
changing a route entry and thereby effectively sending traffic around the
VPN tunnel? (Other than making sure the user is not local admin :-))
This situation will actually enable a hacker to control the client
computer and launch an attack through the VPN tunnel.

If you actually do have a way to prevent this scenario, I would very
much like to hear it, as I am encountering an increasing number of
requests for MS-like VPN functionality that third party vendors have a
hard time offering.

A Nortel VPN implementation solves this by continuously monitoring the
routing table and closing the VPN tunnel in case of a change in the
routing table.
I was hoping for a somewhat similar MS solution.

I look forward to a hopefully somewhat more useful answer from you.

Regards,

Michael
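As an added illustration of the behaviour Michael describes for the Nortel client (this is editor-supplied example code, not something from the thread or from Microsoft): a PowerShell watchdog that snapshots the IPv4 routing table once the VPN is up, polls it, and disconnects the RAS entry as soon as a route is added or removed. It assumes the VPN phonebook entry is called CorpVPN (a placeholder name), that the NetTCPIP module providing Get-NetRoute is available (Windows 8 / Server 2012 and later), and that rasdial.exe can be used to list and drop connections.

```powershell
# Added example, not from the mailing-list thread or any vendor:
# watch the IPv4 routing table while a RAS/VPN entry is connected and
# tear the connection down if the table changes after the baseline.
# Assumptions: the entry name below is a placeholder; Get-NetRoute
# (NetTCPIP module) and rasdial.exe exist on the client.
param(
    [string]$EntryName = 'CorpVPN',   # assumed/placeholder RAS entry name
    [int]$PollSeconds = 2
)

function Get-RouteSnapshot {
    # One canonical string per route so two tables can be compared cheaply.
    Get-NetRoute -AddressFamily IPv4 -ErrorAction Stop |
        ForEach-Object {
            '{0}|{1}|{2}|{3}' -f $_.DestinationPrefix, $_.NextHop,
                                  $_.InterfaceIndex, $_.RouteMetric
        } |
        Sort-Object
}

function Test-VpnConnected {
    # rasdial.exe with no arguments lists the currently connected entries;
    # -match on that output yields a non-empty result only if ours is listed.
    [bool]((& rasdial.exe) -match [regex]::Escape($EntryName))
}

if (-not (Test-VpnConnected)) {
    Write-Warning "VPN entry '$EntryName' is not connected; nothing to guard."
    return
}

# Baseline is taken after the tunnel is up, so it already contains the
# routes the VPN itself installed.
$baseline = Get-RouteSnapshot
Write-Host "Baseline: $($baseline.Count) IPv4 routes. Monitoring '$EntryName'..."

while (Test-VpnConnected) {
    Start-Sleep -Seconds $PollSeconds
    $current = Get-RouteSnapshot
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current
    if ($diff) {
        # Log what changed, then drop the tunnel rather than let traffic
        # leave around it.
        foreach ($d in $diff) {
            $tag = if ($d.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            Write-Warning "$tag route: $($d.InputObject)"
        }
        & rasdial.exe $EntryName /disconnect | Out-Null
        Write-Warning "Routing table changed; VPN entry '$EntryName' disconnected."
        break
    }
}
```

Two caveats a deployment would have to address: any legitimate route change (a DHCP renewal on the LAN adapter, a new interface coming up) also trips the watchdog, so the comparison may need to be narrowed to the default route and the VPN's own prefixes; and, exactly as Michael notes, a process running with local administrator rights can simply stop the monitor, so it only adds value for non-admin users or when run as a service the user cannot control.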
