RES: RE: RES: RE: Access Options - Most Secure

  • From: "Tiago de Aviz" <Tiago@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 21 Dec 2004 17:46:42 -0200

Why is that a breach for the internal network? My clients still browse the web 
thru my ISA firewall and their policies are applied.

Isn't this change just a route metric modification? How can it compromise me?

Tiago de Aviz

SoftSell - Curitiba

(41) 340-2363

www.softsell.com.br

This message, including its attachments, is confidential and its content is 
restricted to the recipient of the message. If you have received this message 
in error, please return it to the recipient and delete it from your 
files. Any unauthorized use, replication or dissemination of this 
message or any part of it is expressly prohibited. SoftSell is not responsible 
for the content or the veracity of this information.

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Tuesday, December 21, 2004 17:35
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: RE: Access Options - Most Secure

http://www.ISAserver.org

This is called "split tunneling" and represents a serious security breach for 
your internal network.

If your VPN clients need Internet access, they can (and should) point IE to the 
ISA "Internal" web proxy listener in the VPN connectoid properties in IE.
This way, they get only what your policies allow.
-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 
-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx] 
Sent: Tuesday, December 21, 2004 09:37
To: [ISAserver.org Discussion List]
Subject: [isalist] RES: RE: Access Options - Most Secure

There's a workaround. Here for our developers, I modify the VPN connection so 
the default gateway is not changed to the remote network.

 

Get the properties for the VPN connection, click on the network tab, get the 
TCP/IP properties, click advanced and uncheck the box that says "default 
gateway on remote network blah blah blah".

 

It's only a PIA if the customer has more than one subnet, then you have to 
create routes manually on the client via a batch script after it connects to 
the VPN.

 

Tiago de Aviz

SoftSell - Curitiba

(41) 340-2363

www.softsell.com.br


________________________________

From: Guinn Unger [mailto:mlists@xxxxxxxxxxxxx] 
Sent: Tuesday, December 21, 2004 13:41
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Access Options - Most Secure

 

The big disadvantage that I see from VPN is that it cuts off access to the rest 
of the Internet for the client while connected to the VPN.  No email, no web 
access.  We have developers who may spend hours at a time connected.  Is there 
some way to "harden" the security for RDP?

 

Guinn

 

________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Tuesday, December 21, 2004 3:49 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Access Options - Most Secure

 

Hi Guinn,

 

VPN is the most secure. I don't allow RDP connections into the network directly 
from the Internet. You can RDP inside the authenticated and inspected VPN link, 
but don't directly RDP into your network from an untrusted network.

 

HTH,

 

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

 

________________________________

From: Guinn Unger [mailto:mlists@xxxxxxxxxxxxx] 
Sent: Monday, December 20, 2004 8:27 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Access Options - Most Secure

I don't know if this has been discussed before or not.  I have the opportunity 
to access my corporate network via any of three methods:

 

1.      VPN (standard Windows VPN)
2.      TS
3.      TS through web site (connect to web site and TS through ActiveX control)

 

Is there any inherent difference in the security of any of these methods, or 
are they basically all the same?  I use different ones at different times, but 
it occurred to me that they might not be equally secure.  (I'm going through 
ISA Server in each case.  Can use ISA 2000 or ISA 2004.)

 

TIA.

Guinn Unger
Unger Technologies, Inc.
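
The routing effect behind the split-tunneling exchange above, as an added example that is not part of the original thread: a simplified route-selection model (longest prefix, then lowest metric) run over constructed client route tables for the checked and unchecked "default gateway on remote network" setting. All addresses, metrics and interface labels are assumptions for illustration; the check flags the state where corporate traffic uses the tunnel while Internet traffic leaves through the client's own uplink, and lists corporate subnets that would still need a manual route.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    dest: str    # destination prefix, CIDR
    iface: str   # "lan" = client's own uplink, "vpn" = tunnel (constructed labels)
    metric: int

def pick_route(table, dst):
    """Longest-prefix match; equal prefixes are decided by lowest metric."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in table if ip in ipaddress.ip_network(r.dest)]
    if not hits:
        return None
    return min(hits, key=lambda r: (-ipaddress.ip_network(r.dest).prefixlen, r.metric))

def is_split_tunnel(table, corp_host, internet_host):
    """True when corporate traffic uses the tunnel while Internet traffic does not."""
    corp, inet = pick_route(table, corp_host), pick_route(table, internet_host)
    return bool(corp and inet and corp.iface == "vpn" and inet.iface != "vpn")

def subnets_missing_route(table, corp_subnets):
    """Corporate subnets whose traffic would not enter the tunnel."""
    missing = []
    for net in corp_subnets:
        first_host = str(next(iter(ipaddress.ip_network(net).hosts())))
        route = pick_route(table, first_host)
        if route is None or route.iface != "vpn":
            missing.append(net)
    return missing

# Constructed tables. 203.0.113.10 stands in for the VPN server's public address.
COMMON = [
    Route("192.168.1.0/24", "lan", 20),   # client's home LAN
    Route("203.0.113.10/32", "lan", 20),  # tunnel endpoint, always via the uplink
    Route("10.0.0.0/24", "vpn", 1),       # subnet the VPN address belongs to
]
# Box checked: the tunnel's default route wins on metric.
GATEWAY_ON_REMOTE = COMMON + [Route("0.0.0.0/0", "lan", 30), Route("0.0.0.0/0", "vpn", 1)]
# Box unchecked: the only default route is the client's own uplink.
GATEWAY_LOCAL = COMMON + [Route("0.0.0.0/0", "lan", 20)]

if __name__ == "__main__":
    for name, table in (("checked", GATEWAY_ON_REMOTE), ("unchecked", GATEWAY_LOCAL)):
        print(name, "split tunnel:", is_split_tunnel(table, "10.0.0.5", "198.51.100.7"),
              "| subnets missing a VPN route:",
              subnets_missing_route(table, ["10.0.0.0/24", "10.0.1.0/24"]))
```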

 



