[isalist] Re: Microsoft Security Bulletin MS07-049 - Important: Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (937986)

  • From: Jagathese Gnana <Jagathese@xxxxxxxxxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Fri, 24 Aug 2007 16:12:25 +0200

Thanks a million for the info.


From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
Sent: Friday, August 24, 2007 3:25 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Microsoft Security Bulletin MS07-049 - Important:
Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of
Privilege (937986)

No, not *only* two options... there's always other things one could do...

Publishing would not necessarily expose servers to the Internet; rules could
limit access to the source network on the other end. What we really need is
a better idea of what services you need from the ISA protected network. Is
the goal to get "full internal access" of the ISA protected network? You
said that you attempted to change the network relationship to ROUTE from
NAT; is that to say that the internal IP range is a reachable, routable
network? And why tunnel to the Fortigate box when you have ISA? Why not
just VPN into ISA as others have said? Using VPN network rules would be far
more secure than an IPSec tunnel where a full stack would be available
between the two networks. But if you like the added security of an IPSec
tunnel between the branches, then yes, you could simply VPN inside the IPSec
tunnel to ISA and not worry about publishing scenarios (as it relates to the
branch office).

It all depends on what your topology is like: is the ISA box reachable on
the network, or is it "private" behind the Fortigate box? If private, you
could indeed use a ROUTE relationship and access rules to accomplish what
you want. Need more infoz ;)

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jagathese Gnana
Sent: Friday, August 24, 2007 12:28 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Microsoft Security Bulletin MS07-049 - Important:
Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of
Privilege (937986)

Hi,

Thanks for your reply first of all.

Basically, does it mean that I have only 2 options?

1) Publishing the servers.
2) VPN into the ISA box through the IPSEC tunnel.

In the first option the internal fileservers would be public, which I would
prefer if nothing works out.

Secondly, from your mail below, are you saying to tunnel into the ISA box
through the hardware firewall? If so, do I have to create a tunnel
between the ISA server and the firewall at my office, or do I have to
configure the remote (branch) router to terminate at the ISA box after
passing through the hardware firewall?

Could you please elaborate on this for me?

Eagerly waiting for a response.


From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
Sent: Thursday, August 23, 2007 9:36 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Microsoft Security Bulletin MS07-049 - Important:
Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of
Privilege (937986)

If the IPSec tunnel terminates in front of ISA, then the traffic hitting the
external interface of ISA from the remote location is "external" traffic to
ISA. You'll have to create publishing rules to allow that traffic into the
internal network, unless you VPN into the ISA box through the IPSec tunnel.

t

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Aman Bedi
Sent: Thursday, August 23, 2007 12:15 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Microsoft Security Bulletin MS07-049 - Important:
Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of
Privilege (937986)

Why not have VPN with ISA instead of the router?


From: Jagathese Gnana [mailto:Jagathese@xxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, August 23, 2007 2:21 PM
To: tshinder@xxxxxxxxxxx; isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Microsoft Security Bulletin MS07-049 - Important:
Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of
Privilege (937986)

Dear Thomas,

My name is Jags. I would like to have your expert advice and guidance to
overcome the problem I am facing.

Scenario:

1) I am trying to set up ISA Server 2004 with a hardware firewall
(Fortigate). The hardware firewall is connected to the internet, and the
internal interface of the hardware firewall and the external interface of
the ISA server are on the same network.

2) We have a branch office connected to us using IPSEC tunneling to get
connected to the internal network. The tunnel is between the branch office
router and our office router.

3) With the introduction of the ISA server at our end (head office) between
the hardware firewall and the internal network, we have a situation wherein
the IPSEC tunnel from the branch terminates in front of the ISA server,
which obviously means the branch office cannot communicate with the internal
network unless something is worked out.

4) I have tried changing the network relationship between the internal and
external interface of the ISA server from NAT to Route to achieve some
results, as a result of which the internal web proxy clients of the ISA
server cannot connect to the internet.

5) I have gone through your notes having 3 chapters at ISASERVER.ORG,
which provide a solution wherein I can create a new network between the
perimeter network and the internal and keep a route relationship, but it
really doesn't work.

I would like to have your suggestion on whether there is a way of getting
the packets from the IPSEC tunnel clients to the internal network of the ISA
server, or whether publishing the assets of the firm is the only option.

Eagerly waiting for your response.


From: Thomas W Shinder [mailto:] 
Sent: Tuesday, August 14, 2007 8:04 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Microsoft Security Bulletin MS07-049 - Important:
Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of
Privilege (937986)

This is why we don't put firewalls in VMs:

Microsoft Security Bulletin MS07-049 - Important: Vulnerability in Virtual
PC and Virtual Server Could Allow Elevation of Privilege (937986):
http://www.microsoft.com/technet/security/Bulletin/ms07-049.mspx
