Thanks Jim, this looks promising. It amazes me how much the words "could" and "possibly" can be taken as actual fact of impending doom. As I mentioned, they keep telling me to apply patches to my servers for DNS issues; however, I keep responding that the patches have been applied, and even send them a copy of the registry. They can only tell that I have a 2003 Server and am running DNS, with no detection of actual patches already applied. Again, thank you.

Steve Comeau
Associate Director of IT
Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Wednesday, February 23, 2011 10:03 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: More ISA VPN questions

See if http://blogs.technet.com/b/networking/archive/2008/12/18/third-party-security-scanning-software-reports-weak-ipsec-encryption.aspx helps. It's about all the control you have over this behavior AFAICT.

Good luck with your particular band of fuuls. I'm currently dealing with FISMA auditors that demand screenshots of several hundred settings on several thousand hosts, rather than a single document that expresses the results of WMI queries for the same configuration settings. Not only do they not know what they're talking about, they require Tier-1 techniques to validate their ignorance...

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steven Comeau
Sent: Tuesday, February 22, 2011 7:44 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: More ISA VPN questions

Jim, thanks for the "feedback".... Yes, they are Id10t'5, but that doesn't mean they won't stick to their guns and make my life miserable via higher-ups that trust them more than me (I mean, they ARE paying for this service; it just HAS to be right).

I did use PPTP, but they claimed it was too "insecure" (which I think THEY really are, since they don't really know what they're talking about). Anyway, their claim is now: "The ISAKMP endpoint allows short key lengths or insecure encryption algorithms to be negotiated. This could allow remote attackers to compromise the confidentiality and integrity of the data by decrypting and modifying individual ESP or AH packets." Their suggestion is to "Modify the ISAKMP settings to only allow secure encryption algorithms to be negotiated."

Now normally they've given good suggestions, such as turning off recursion on my DNS servers and giving the right MS bulletins on patches (which they never seem to detect that I've done), but on this one I'm not sure myself what to do. The only thing I could think of was to set the Advanced settings in RRAS dial-ups to Maximum Strength Encryption for the Data Encryption. Not sure if I could force ISAKMP settings to specific secure encryption algorithms. If this keeps up, I'll just give them a set of unused Public IPs and see what they come up with for their tests.... I'm sure someday they'll come to believe Al Gore invented algorithms since the names are so close.

@set soapbox=off

Steve Comeau
Associate Director of IT
Rutgers Athletics

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Tuesday, February 22, 2011 10:00 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: More ISA VPN questions

<skweeeeeeeeee>

As with many of them, your PCI auditors are 1d10t'5. There is nothing about PCI that has anything at all to do with controlling or encryption of network traffic. Exactly what aspect of ISAKMP are they claiming to be "vulnerable" and what is the basis for this claim?

Perhaps it's http://isc.sans.edu/diary.html?storyid=852 (guessing here)? If so, and you can't get an exception, then you can go back to PPTP or deploy TMG and use SSTP or deploy UAG and use DirectAccess. As you may have noticed, you can't simultaneously disable ISAKMP and deploy IPsec.

Jim

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steven Comeau
Sent: Tuesday, February 22, 2011 6:44 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: More ISA VPN questions

Tap, tap, tap... is this thing on?

Steve Comeau
Associate Director of IT
Rutgers Athletics

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steven Comeau
Sent: Friday, February 18, 2011 4:38 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] More ISA VPN questions

Let's see if someone can answer this one... I have ISA2006 running at all my sites. I have to pass PCI compliancy. One of the things being brought up now is that I am running a vulnerable ISAKMP service (I'm using L2TP/IPSec for my site-to-site VPNs and for the clients). How do I turn off the less secure encryption protocols?

Steve Comeau
Associate Director of IT
Rutgers Athletics

*** This message contains confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Rutgers University - DIA 83 Rockafeller Road Piscataway, NJ 08854 www.scarletknights.com ***
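The scanner finding quoted in the thread ("short key lengths or insecure encryption algorithms" can be negotiated) comes down to which IKE phase-1 transforms the responder is willing to accept. The following is an added example, not code from the thread, ISA Server or any scanner: it models an IKE responder choosing among initiator proposals under a permissive and a restricted policy, so you can see why a scanner that offers DES/MD5 first "wins" against a permissive responder and fails against a restricted one. The transform names, policy thresholds and proposal list are constructed for illustration.

```python
"""Added example: model IKE/ISAKMP phase-1 proposal selection under two
responder policies. Not ISA Server code; the transforms, thresholds and
the scanner-style proposal list below are constructed for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Transform:
    enc: str        # encryption algorithm name
    key_bits: int   # encryption key length in bits
    hash: str       # integrity / PRF algorithm
    dh_group: int   # Diffie-Hellman group number


@dataclass(frozen=True)
class Policy:
    allowed_enc: FrozenSet[str]
    min_key_bits: int
    allowed_hash: FrozenSet[str]
    min_dh_group: int


# A permissive responder: accepts anything the stack historically offered.
PERMISSIVE = Policy(frozenset({"DES", "3DES", "AES"}), 56, frozenset({"MD5", "SHA1"}), 1)
# A restricted responder: AES-128+ with SHA-family integrity and DH group >= 2
# (illustrative thresholds, not a recommendation for any particular product).
RESTRICTED = Policy(frozenset({"AES"}), 128, frozenset({"SHA1", "SHA256"}), 2)

# Constructed list in the order a weak-cipher scanner might offer it: weakest first,
# because an IKEv1 responder picks the first initiator proposal it can accept.
SCANNER_PROPOSALS: List[Transform] = [
    Transform("DES", 56, "MD5", 1),
    Transform("3DES", 168, "SHA1", 2),
    Transform("AES", 128, "SHA1", 2),
    Transform("AES", 256, "SHA1", 14),
]


def acceptable(t: Transform, p: Policy) -> bool:
    """True if the transform meets every threshold of the responder policy."""
    return (t.enc in p.allowed_enc and t.key_bits >= p.min_key_bits
            and t.hash in p.allowed_hash and t.dh_group >= p.min_dh_group)


def select_transform(proposals: List[Transform], p: Policy) -> Optional[Transform]:
    """Responder selection: first acceptable proposal in initiator order, else None."""
    return next((t for t in proposals if acceptable(t, p)), None)


def weak_transforms_accepted(p: Policy) -> List[Transform]:
    """Transforms the given policy would negotiate that the restricted one rejects."""
    return [t for t in SCANNER_PROPOSALS if acceptable(t, p) and not acceptable(t, RESTRICTED)]
```

Run `select_transform(SCANNER_PROPOSALS, PERMISSIVE)` and `select_transform(SCANNER_PROPOSALS, RESTRICTED)` side by side: the permissive responder settles on DES/MD5/group 1, exactly what the finding describes, while the restricted responder skips to AES-128 and refuses the DES-only probe outright.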