[isalist] Re: More ISA VPN questions

  • From: Steven Comeau <scomeau@xxxxxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 23 Feb 2011 11:00:07 -0500

Thanks Jim, this looks promising.  It amazes me how much the words "could" and 
"possibly" can be taken as actual fact of impending doom.  As I mentioned, they 
keep telling me to apply patches to my servers for DNS issues; however, I keep 
responding that the patches have been applied, and even send them a copy of the 
registry - they can only tell that I have a 2003 Server and am running DNS - no 
detection of actual patches already applied.

Again, thank you.

Steve Comeau
Associate Director of IT  Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com






From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Wednesday, February 23, 2011 10:03 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: More ISA VPN questions

See if http://blogs.technet.com/b/networking/archive/2008/12/18/third-party-security-scanning-software-reports-weak-ipsec-encryption.aspx helps.
It's about all the control you have over this behavior AFAICT.

Good luck with your particular band of fuuls.
I'm currently dealing with FISMA auditors that demand screenshots of several 
hundred settings on several thousand hosts, rather than a single document that 
expresses the results of WMI queries for the same configuration settings.
Not only do they not know what they're talking about, they require Tier-1 
techniques to validate their ignorance...


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Tuesday, February 22, 2011 7:44 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: More ISA VPN questions

Jim, thanks for the "feedback"....


Yes, they are Id10t'5, but that doesn't mean they won't stick to their guns and 
make my life miserable by higher ups that trust them more than me (I mean, they 
ARE paying for this service - it just HAS to be right).  I did use PPTP, but 
they claimed it was too "insecure" (which I think THEY really are since they 
don't really know what they're talking about).  Anyway, their claim is now "The 
ISAKMP endpoint allows short key lengths or insecure encryption algorithms to 
be negotiated. This could allow remote attackers to compromise the 
confidentiality and integrity of the data by decrypting and modifying 
individual ESP or AH packets."  Their suggestion is to "Modify the ISAKMP 
settings to only allow secure encryption algorithms to be negotiated."  Now 
normally, they've given good suggestions by turning off recursion on my DNS 
servers, giving right MS bulletins on patches (which they never seem to detect 
that I've done), but on this one, I'm not sure myself what to do.  The only 
thing I could think of was to set the Advanced settings in RRAS dial ups to 
Maximum Strength Encryption for the Data Encryption.  Not sure if I could force 
ISAKMP settings to specific secure encryption algorithms.



If this keeps up, I'll just give them a set of unused Public IPs and see what 
they come up with for their tests....  I'm sure someday they'll come to believe 
Al Gore invented algorithms since the names are so close.  @set soapbox=off

Steve Comeau




From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Tuesday, February 22, 2011 10:00 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: More ISA VPN questions

<skweeeeeeeeee>

As with many of them, your PCI auditors are 1d10t'5.  There is nothing about 
PCI that has anything at all to do with controlling or encryption of network 
traffic.
Exactly what aspect of ISAKMP are they claiming to be "vulnerable" and what is 
the basis for this claim?
Perhaps, it's http://isc.sans.edu/diary.html?storyid=852 (guessing here)?
If so, and you can't get an exception, then you can go back to PPTP or deploy 
TMG and use SSTP or deploy UAG and use DirectAccess.
As you may have noticed, you can't simultaneously disable ISAKMP and deploy 
IPsec.

Jim

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Tuesday, February 22, 2011 6:44 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: More ISA VPN questions

Tap, tap, tap... is this thing on?

Steve Comeau




From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Friday, February 18, 2011 4:38 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] More ISA VPN questions

Let's see if someone can answer this one...  I have ISA2006 running at all my 
sites.

I have to pass PCI compliancy.  One of the things being brought up now is that 
I am running a vulnerable ISAKMP service (I use L2TP/IPSec for my 
site-to-site VPNs and for the clients).  How do I turn off the less secure 
encryption protocols?

Steve Comeau
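As an added illustration that is not part of the thread or of ISA/RRAS, here is the kind of check a defender would run over an IKE phase 1 (ISAKMP) proposal list to reproduce the finding quoted above ("short key lengths or insecure encryption algorithms") and answer the original question of which proposals must go; the baseline thresholds and the sample offer list are constructed assumptions, not values from the auditor or from ISA 2006.

```python
"""Policy check over an IKE (ISAKMP phase 1) proposal list.
Added example for this thread, not ISA/RRAS code; the baseline thresholds
and the sample offer list below are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class IkeProposal:
    encryption: str  # cipher name, e.g. "DES", "3DES", "AES"
    key_bits: int    # key length the cipher actually provides
    integrity: str   # hash/PRF, e.g. "MD5", "SHA1", "SHA256"
    dh_group: int    # Diffie-Hellman group number

# Assumed compliance baseline (adjust to the auditor's written requirement).
MIN_KEY_BITS = 128
ALLOWED_ENCRYPTION = {"AES"}
ALLOWED_INTEGRITY = {"SHA1", "SHA256"}
MIN_DH_GROUP = 2

def weaknesses(p: IkeProposal) -> list[str]:
    """Reasons a single proposal fails the baseline; empty list means it passes."""
    reasons = []
    if p.encryption not in ALLOWED_ENCRYPTION:
        reasons.append(f"encryption {p.encryption} not allowed")
    if p.key_bits < MIN_KEY_BITS:
        reasons.append(f"key length {p.key_bits} < {MIN_KEY_BITS}")
    if p.integrity not in ALLOWED_INTEGRITY:
        reasons.append(f"integrity {p.integrity} not allowed")
    if p.dh_group < MIN_DH_GROUP:
        reasons.append(f"DH group {p.dh_group} < {MIN_DH_GROUP}")
    return reasons

def audit(proposals: list[IkeProposal]) -> dict[IkeProposal, list[str]]:
    """Findings per proposal. A responder accepts whichever of its configured
    proposals a peer offers, so the weakest configured entry sets the floor."""
    return {p: weaknesses(p) for p in proposals}

def compliant(proposals: list[IkeProposal]) -> bool:
    """The endpoint passes only when every configured proposal passes."""
    return all(not reasons for reasons in audit(proposals).values())

# Constructed sample offer list shaped like the auditor's finding.
SAMPLE_OFFERS = [
    IkeProposal("AES", 256, "SHA1", 2),
    IkeProposal("3DES", 168, "SHA1", 2),
    IkeProposal("DES", 56, "MD5", 1),
]
```

Removing the proposals that `audit` flags, rather than adding a stronger one alongside them, is what turns the scanner result from "weak algorithms negotiable" into a pass.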





***  This message contains confidential information and is
intended only for the individual named. If you are not the
named addressee, you should not disseminate, distribute or
copy this e-mail. Please notify the sender immediately by
e-mail if you have received this e-mail by mistake and delete
this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be
intercepted, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses.  The sender therefore does not
accept liability for any errors or omissions in the contents of
this message, which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version.
Rutgers University - DIA
83 Rockafeller Road
Piscataway, NJ 08854
www.scarletknights.com ***
