What is split tunneling?

----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, September 02, 2003 5:05 PM
Subject: [isalist] Re: Mail filter and anti-virus, please advise!

http://www.ISAserver.org

Hi Kenny,

And don't forget to NEVER allow split tunneling and NEVER allow users to connect modems to their computers. Both these configs allow users to subvert firewall policy.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Kenny Mann [mailto:Kennymann@xxxxxxxxxxx]
Sent: Tuesday, September 02, 2003 10:57 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Mail filter and anti-virus, please advise!

In general (IMO: In all cases) it's a bad idea to rely on a single point, as that will inevitably be your single point of failure. From your emails I gather you are focusing on security in general so...

Many things make up a secure network.

1.) Firewall (ISA, Cisco, IPTables, etc. Even Windows 2000 and XP have TCP/IP filtering built-in, so your client machines can have their own firewalls, just in case).

2.) Software Updates. I say software updates because this affects everything. Your firewall, your OS, and your running software. Windows Update is a good thing to run on a regular basis. If you are worried about an update hosing your machines, once a week run it on your machine, then allow other people to update a couple days later. I believe that ISA 2000 is on SP1.

3.) Antivirus. Having an Exchange addon or mail addon (for whatever mail server you use) is a good idea. Some machines may not be powerful enough to run a real-time virus scanner. Upgrade them, or at least install it and once a week (day?) scan the machine.

4.) When installing Win2K/XP give it an administrator password.
Even if it's something simple/stupid. It may stop a worm that exploits blank admin passwords or mounts the C$ share.

Anything I missed anyone?

>> That's the reason, I didn't see any reason for av on every machine.
>>
>> Wouldn't you agree?

Me being me, I would rather play paranoid. It's very difficult to cover all the holes and to stop someone from getting data in. It's been my experience that people who generally don't know any better accidentally find a way in.. Maybe it's just my luck but...

What if someone sends an attachment that the server can not scan or accidentally allows through? If your AV doesn't catch a virus, but the next day it's added to your definitions, you already have a virus in your network. It is not a fun way to spend a weekend disinfecting computers (unless you have some Nerf toys ;-) and a few friends).

You say that only a couple computers are allowed to have access to floppies and cd-roms, do you mean the drive or disk? Someone could bring a disk from home and show joe blow in the cube next door this cool neat game, which is virus infected. Is it possible for any of them to bring a laptop in and jack it into the network? What if they have a USB drive? FTP access?

</two cents>

Hope this helps!
Kenny Mann