RE: ISA server and secure VPN clients

  • From: "Steve Moffat" <steve@xxxxxxxxxx>
  • To: "ISA Mailing List" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 24 Oct 2004 18:59:23 -0300

I concur, basic secure domain policy should always be applied to vpn
clients.

Steve
 

-----Original Message-----
From: Ara.A [mailto:ara@xxxxxxxxxx] 
Sent: Sunday, October 24, 2004 6:51 PM
To: ISA Mailing List
Subject: [isalist] RE: ISA server and secure VPN clients

http://www.ISAserver.org


http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/sitetositevpn.mspx
http://www.rainfinity.com/products/ds_rainconnect_isa.html

> -----Original Message-----
> From: Michael Bertelsen [mailto:mbe@xxxxxxxxxxxxx]
> Sent: October 24, 2004 6:50 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA server and secure VPN clients
> 
> http://www.ISAserver.org
> 
> How nice of you guys to respond so quickly. I am just sorry that you 
> did not take the time to think on what I wrote instead of simply 
> mistaking me for a rookie.
> 
> I do realize that many people have a "Microsoft cannot be secure"
> attitude, but this was in no way what I was getting at.
> I am a MS Certified consultant, and I have been working with MS 
> products as a professional for over six years....
> 
> The point of my previous post was to investigate whether others had 
> thought of and maybe solved (what I find to be) the problem with MS VPN.
> I have been searching for a solution for controlling VPN clients after 
> the tunnel has been built.
> I have spent several hours today digging into CMAK, RRAS policies 
> and ISA firewall rules and add-ins, but have not found a way to make 
> sure that a user does not manually change the routing information on
> the computer.
> 
> Think of this situation:
> 
> A user downloads and installs a fun little app, and with it a trojan.
> Later the user opens a MS VPN connection.
> During the establishing of the locked down (CMAK) VPN connection the 
> Quarantine scripts will check the routing table, the antivirus, the 
> firewall etc., but the trojan will not be detected.
> The VPN connection is established successfully.
> 
> Now at this point what is to stop the trojan process from adding or 
> changing a route entry and thereby effectively sending traffic around 
> the VPN tunnel? (Other than making sure the user is not local admin 
> :-)) This situation will actually enable a hacker to control the 
> client computer and launch an attack through the VPN tunnel.
> 
> If you actually do have a way to prevent this scenario, I would very 
> much like to hear it, as I am encountering an increasing number of 
> requests for MS-like VPN functionality that third party vendors have 
> a hard time offering.
> 
> A Nortel VPN implementation solves this by continuously monitoring the 
> routing table and closing the VPN tunnel in case of a change in the
> routing table.
> I was hoping for a somewhat similar MS solution.
> 
> I look forward to a hopefully somewhat more useful answer from you.
> 
> Regards,
> 
> Michael
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com Leading 
> Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org Windows 
> Security Resource Site: http://www.windowsecurity.com/ Network 
> Security Library: http://www.secinf.net/ Windows 2000/NT Fax 
> Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> ara@xxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx





This E-Mail is confidential. It is not intended to be read, copied, disclosed 
or used by any person other than the recipient named above.

Unauthorised use, disclosure, or copying is strictly prohibited and may be 
unlawful. Optimum IT Solutions Ltd disclaims any liability for any action taken 
in connection of this E-Mail. The comments or statements expressed in this 
E-Mail are not necessarily those of Optimum IT Solutions Ltd or its 
subsidiaries or affiliates.
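The Nortel behaviour Michael describes (keep the routing table under observation while the tunnel is up and hang up the moment it changes) can be prototyped on the client with a small watchdog. The script below is an added example for this thread, not code from the list, from Microsoft or from Nortel; it assumes a Windows client where `route print -4` lists the IPv4 table and `rasdial <entry> /disconnect` hangs up a RAS/VPN entry, and the two routing-table snapshots it ships with are constructed for illustration. It also generalises slightly beyond the post: any added, removed or re-metriced route triggers the hang-up, not only a change to the route covering the corporate subnet.

```python
"""Route-table watchdog for a VPN client (added example, not from the original thread).

Snapshot the IPv4 routing table when the tunnel comes up, re-read it at an
interval, and disconnect the RAS entry as soon as a route is added, removed
or changed. Parsing targets the "Active Routes" rows of Windows `route print -4`.
"""
import re
import subprocess
import time

# Constructed sample: "Active Routes" rows as printed by `route print -4`
# right after the tunnel to the corporate 10.10.0.0/16 network is up.
BASELINE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
        10.10.0.0      255.255.0.0        10.10.5.1       10.10.5.17     26
"""

# Constructed sample: the same table after some process inserted a lower-metric
# route that sends corporate traffic out through the local gateway, around the tunnel.
TAMPERED = BASELINE + (
    "        10.10.0.0      255.255.0.0      192.168.1.1    192.168.1.50      1\n")

# One route row: destination, netmask, gateway ("On-link" allowed), interface, metric.
ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(table_text):
    """Return the set of (dest, mask, gateway, interface, metric) tuples in the table.

    The metric is kept on purpose: a duplicate route that only differs by metric
    still changes which path the stack picks, so it must count as a change.
    """
    return frozenset(m.groups() for m in map(ROW.match, table_text.splitlines()) if m)


def route_changes(baseline_text, current_text):
    """Diff two snapshots; returns sorted lists of added and removed route tuples."""
    before, after = parse_routes(baseline_text), parse_routes(current_text)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def current_route_table():
    """Read the live IPv4 table (Windows only; assumed command and flags)."""
    return subprocess.run(["route", "print", "-4"],
                          capture_output=True, text=True, check=True).stdout


def disconnect_vpn(entry_name):
    """Hang up the named RAS/VPN phonebook entry with the built-in rasdial client."""
    subprocess.run(["rasdial", entry_name, "/disconnect"], check=False)


def watch(entry_name, interval=2.0, read_table=current_route_table, hangup=disconnect_vpn):
    """Poll the table until it differs from the baseline, then hang up.

    read_table/hangup are injectable so the logic can be exercised without a
    real tunnel; returns the detected change set so the caller can log it.
    """
    baseline = read_table()
    while True:
        time.sleep(interval)
        changes = route_changes(baseline, read_table())
        if changes["added"] or changes["removed"]:
            hangup(entry_name)  # close the tunnel before traffic can leak around it
            return changes


if __name__ == "__main__":
    # Offline demonstration on the constructed snapshots: no tunnel is touched.
    print(route_changes(BASELINE, TAMPERED))
    # Live use on the client (assumed entry name): watch("Corp VPN")
```

The watchdog only detects tampering; it cannot defend itself. A trojan running with local administrator rights can kill the process or re-add the route after reconnecting, which is why the "user is not local admin" point in the post is the precondition for anything like this to hold, and why the hang-up event should also be logged and forwarded to the server side so the quarantine check does not silently readmit a client that keeps tripping it.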
