Ok, I've seen the article about split tunnelling on ISAserver.org and I'm convinced ;) Although the risks are reduced because we and our customers are behind ISA firewalls, I'll unconfigure everyone here. Thanks for the clarification and pardon the ignorance ;)

Peace!

Tiago de Aviz
SoftSell - Curitiba
(41) 340-2363
www.softsell.com.br

This message, including its attachments, is confidential and its content is restricted to the addressee of the message. If you have received this message in error, please return it to the recipient and delete it from your files. Any unauthorized use, replication or dissemination of this message or any part of it is expressly prohibited. SoftSell is not responsible for the content or the accuracy of this information.

-----Original Message-----
From: Quillman Shawn (RBNA/CSA1) * [mailto:Shawn.Quillman@xxxxxxxxxxxx]
Sent: Tuesday, December 21, 2004 18:10
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: RE: RES: RE: Access Options - Most Secure

http://www.ISAserver.org

We had a beautiful example of that once where a consultant was connected to the LAN here and dialed into his office at the same time for mail. I'll be damned if Melissa didn't find her way into our network....

-----
Robert Bosch Corporation
Technical Systems Analyst (RBNA/CSA1)
38000 Hills Tech Drive - Farmington Hills, MI 48331 - USA
phone: 1 (248) 553-1164
fax: 1 (248) 848-6969
shawn.quillman@xxxxxxxxxxxx
http://www.bosch.us

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Tuesday, December 21, 2004 3:01 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: RE: RES: RE: Access Options - Most Secure

http://www.ISAserver.org

The short story is that you just lost control over the VPN client's ability to reach non-local-subnet content. Once this happens, their connection effectively provides a bridge between the Internet and your internal network. Bad Ju-Ju if I ever saw it...
-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
Sent: Tuesday, December 21, 2004 11:47
To: [ISAserver.org Discussion List]
Subject: [isalist] RES: RE: RES: RE: Access Options - Most Secure

http://www.ISAserver.org

Why is that a breach for the internal network? My clients still browse the web through my ISA firewall and their policies are applied. Isn't this change just a route metric modification? How can it compromise me?

Tiago de Aviz
SoftSell - Curitiba
(41) 340-2363
www.softsell.com.br

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Tuesday, December 21, 2004 17:35
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: RE: Access Options - Most Secure

http://www.ISAserver.org

This is called "split tunneling" and represents a serious security breach for your internal network. If your VPN clients need Internet access, they can (and should) point IE to the ISA "Internal" web proxy listener in the VPN connectoid properties in IE. This way, they get only what your policies allow.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
Sent: Tuesday, December 21, 2004 09:37
To: [ISAserver.org Discussion List]
Subject: [isalist] RES: RE: Access Options - Most Secure

http://www.ISAserver.org

There's a workaround. Here for our developers, I modify the VPN connection so the default gateway is not changed to the remote network. Get the properties for the VPN connection, click on the network tab, get the TCP/IP properties, click Advanced and uncheck the box that says "default gateway on remote network blah blah blah". It's only a PIA if the customer has more than one subnet; then you have to create routes manually on the client via a batch script after it connects to the VPN.

Tiago de Aviz
SoftSell - Curitiba
(41) 340-2363
www.softsell.com.br

________________________________
From: Guinn Unger [mailto:mlists@xxxxxxxxxxxxx]
Sent: Tuesday, December 21, 2004 13:41
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Access Options - Most Secure

http://www.ISAserver.org

The big disadvantage that I see from VPN is that it cuts off access to the rest of the Internet for the client while connected to the VPN. No email, no web access. We have developers who may spend hours at a time connected. Is there some way to "harden" the security for RDP?
Guinn

________________________________
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tuesday, December 21, 2004 3:49 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Access Options - Most Secure

http://www.ISAserver.org

Hi Guinn,

VPN is the most secure. I don't allow RDP connections into the network directly from the Internet. You can RDP inside the authenticated and inspected VPN link, but don't directly RDP into your network from an untrusted network.

HTH,
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

________________________________
From: Guinn Unger [mailto:mlists@xxxxxxxxxxxxx]
Sent: Monday, December 20, 2004 8:27 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Access Options - Most Secure

http://www.ISAserver.org

I don't know if this has been discussed before or not. I have the opportunity to access my corporate network via any of three methods:

1. VPN (standard Windows VPN)
2. TS
3. TS through web site (connect to web site and TS through ActiveX control)

Is there any inherent difference in the security of any of these methods, or are they basically all the same? I use different ones at different times, but it occurred to me that they might not be equally secure. (I'm going through ISA Server in each case. Can use ISA 2000 or ISA 2004.)

TIA.

Guinn Unger
Unger Technologies, Inc.
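The thread's split-tunneling point (unchecking "Use default gateway on remote network" leaves the client with a default route outside the tunnel, so it bridges the Internet and the internal network) can be audited on current Windows clients. This is an added example, not code from the thread or from ISAserver.org; it assumes the VpnClient module (Get-VpnConnection / Set-VpnConnection, Windows 8 / Server 2012 and later), whose SplitTunneling property is the modern equivalent of that checkbox, and that the VPN interface alias matches the connection name.

```powershell
# Added example: audit Windows VPN connections for split tunneling and,
# with -Enforce, rewrite them to full-tunnel mode so Internet traffic also
# passes the corporate firewall / web proxy policy while connected.
# Assumes the VpnClient module; SplitTunneling = $true corresponds to the
# old "Use default gateway on remote network" box being unchecked.
param(
    [switch]$Enforce   # set to rewrite offending profiles to full tunnel
)

# Per-user profiles and machine-wide (all-user) profiles are stored separately.
$sets = @(
    @{ AllUser = $false; Conns = @(Get-VpnConnection -ErrorAction SilentlyContinue) },
    @{ AllUser = $true;  Conns = @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue) }
)

foreach ($set in $sets) {
    foreach ($vpn in $set.Conns) {
        if ($vpn.SplitTunneling) {
            Write-Warning ("VPN '{0}' to {1}: split tunneling ENABLED, Internet traffic " +
                "bypasses the tunnel while the corporate network is reachable." -f
                $vpn.Name, $vpn.ServerAddress)
            if ($Enforce) {
                # Full tunnel: the remote network becomes the default gateway again.
                Set-VpnConnection -Name $vpn.Name -SplitTunneling $false `
                    -AllUserConnection:$set.AllUser
                Write-Host "  -> '$($vpn.Name)' set to full tunnel"
            }
        } else {
            Write-Host ("VPN '{0}' to {1}: full tunnel (OK)" -f $vpn.Name, $vpn.ServerAddress)
        }
    }
}

# Runtime check, independent of the stored profile: while a connection is up,
# the lowest-metric IPv4 default route (0.0.0.0/0) should sit on the VPN
# interface, not on the physical adapter. Assumes InterfaceAlias == connection name.
$connected = $sets.Conns | Where-Object ConnectionStatus -eq 'Connected'
foreach ($vpn in $connected) {
    $via = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
           Sort-Object RouteMetric, InterfaceMetric |
           Select-Object -First 1 -ExpandProperty InterfaceAlias
    if ($via -ne $vpn.Name) {
        Write-Warning "'$($vpn.Name)' is connected but the default route uses '$via': traffic is split."
    } else {
        Write-Host "Default route goes via '$via' (OK)"
    }
}
```

Run it as the user who owns the VPN profile (elevated for all-user profiles); the route check only reports while a connection is actually up.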
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.