RES: RE: RES: RE: RES: RE: Access Options - Most Secure

  • From: "Tiago de Aviz" <Tiago@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 21 Dec 2004 18:40:22 -0200

OK, I've seen the article about split tunnelling on ISAserver.org and I'm 
convinced ;)

Although the risks are reduced because we and our customers are behind ISA 
firewalls, I'll unconfigure everyone here.

Thanks for the clarification and pardon the ignorance ;)

Peace!

Tiago de Aviz

SoftSell - Curitiba

(41) 340-2363

www.softsell.com.br

This message, including its attachments, is confidential and its content is 
restricted to the recipient of the message. If you have received this message 
by mistake, please return it to the recipient and delete it from your 
files. Any unauthorized use, replication or dissemination of this 
message or any part of it is expressly prohibited. SoftSell is not responsible 
for the content or the accuracy of this information.


-----Original Message-----
From: Quillman Shawn (RBNA/CSA1) * [mailto:Shawn.Quillman@xxxxxxxxxxxx] 
Sent: Tuesday, December 21, 2004 18:10
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: RE: RES: RE: Access Options - Most Secure

http://www.ISAserver.org


We had a beautiful example of that once where a consultant was connected to the 
LAN here and dialed into his office at the same time for mail.  I'll be damned 
if Melissa didn't find her way into our network....


-----
Robert Bosch Corporation
Technical Systems Analyst (RBNA/CSA1)
38000 Hills Tech Drive - Farmington Hills, MI 48331 - USA
phone: 1 (248) 553-1164    fax: 1 (248) 848-6969
shawn.quillman@xxxxxxxxxxxx
http://www.bosch.us

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Tuesday, December 21, 2004 3:01 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: RE: RES: RE: Access Options - Most Secure


The short story is that you just lost control over the VPN client's ability to 
reach non-local-subnet content.
Once this happens, their connection effectively provides a bridge between the 
Internet and your internal network.
Bad Ju-Ju if I ever saw it...

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx] 
Sent: Tuesday, December 21, 2004 11:47
To: [ISAserver.org Discussion List]
Subject: [isalist] RES: RE: RES: RE: Access Options - Most Secure


Why is that a breach for the internal network? My clients still browse the web 
through my ISA firewall and their policies are applied.

Isn't this change just a route metric modification? How can it compromise me?

Tiago de Aviz

SoftSell - Curitiba

(41) 340-2363

www.softsell.com.br


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Tuesday, December 21, 2004 17:35
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: RE: Access Options - Most Secure


This is called "split tunneling" and represents a serious security breach for 
your internal network.

If your VPN clients need Internet access, they can (and should) point IE to the 
ISA "Internal" web proxy listener in the VPN connectoid properties in IE.
This way, they get only what your policies allow.
-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 
-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx] 
Sent: Tuesday, December 21, 2004 09:37
To: [ISAserver.org Discussion List]
Subject: [isalist] RES: RE: Access Options - Most Secure



There's a workaround. Here for our developers, I modify the VPN connection so 
the default gateway is not changed to the remote network.

 

Get the properties for the VPN connection, click on the network tab, get the 
TCP/IP properties, click advanced and uncheck the box that says "default 
gateway on remote network blah blah blah"

 

It's only a PIA if the customer has more than one subnet, then you have to 
create routes manually on the client via a batch script after it connects to 
the VPN.

 

Tiago de Aviz

SoftSell - Curitiba

(41) 340-2363

www.softsell.com.br


________________________________

From: Guinn Unger [mailto:mlists@xxxxxxxxxxxxx] 
Sent: Tuesday, December 21, 2004 13:41
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Access Options - Most Secure

 


The big disadvantage that I see from VPN is that it cuts off access to the rest 
of the Internet for the client while connected to the VPN.  No email, no web 
access.  We have developers who may spend hours at a time connected.  Is there 
some way to "harden" the security for RDP?

 

Guinn

 

________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Tuesday, December 21, 2004 3:49 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Access Options - Most Secure

 


Hi Guinn,

 

VPN is the most secure. I don't allow RDP connections into the network directly 
from the Internet. You can RDP inside the authenticated and inspected VPN link, 
but don't directly RDP into your network from an untrusted network.

 

HTH,

 

Tom
http://www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

 

________________________________

From: Guinn Unger [mailto:mlists@xxxxxxxxxxxxx] 
Sent: Monday, December 20, 2004 8:27 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Access Options - Most Secure


I don't know if this has been discussed before or not.  I have the opportunity 
to access my corporate network via any of three methods:

 

1.      VPN (standard Windows VPN) 
2.      TS 
3.      TS through web site (connect to web site and TS through ActiveX control) 

 

Is there any inherent difference in the security of any of these methods, or 
are they basically all the same?  I use different ones at different times, but 
it occurred to me that they might not be equally secure.  (I'm going through 
ISA Server in each case.  Can use ISA 2000 or ISA 2004.)

 

TIA.

Guinn Unger
Unger Technologies, Inc.
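
The split-tunneling condition discussed in the replies above can be checked from a client's routing table. The following is an added example, not code from any poster in this thread: it parses `route print`-style rows and reports whether the preferred default route leaves through the VPN adapter. The route tables and the addresses 10.8.0.50 (VPN adapter) and 192.168.1.20 (home LAN adapter) are constructed assumptions.

```python
import ipaddress

# Constructed `route print` excerpts (IPv4 active routes), not from the thread.
# 10.8.0.50 is a hypothetical address assigned to the VPN adapter,
# 192.168.1.20 a hypothetical home LAN adapter.
SPLIT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20      20
         10.8.0.0      255.255.0.0        10.8.0.50       10.8.0.50       1
      192.168.1.0    255.255.255.0     192.168.1.20    192.168.1.20      20
"""
FULL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20      21
          0.0.0.0          0.0.0.0        10.8.0.50       10.8.0.50       1
         10.8.0.0      255.255.0.0        10.8.0.50       10.8.0.50       1
      192.168.1.0    255.255.255.0     192.168.1.20    192.168.1.20      20
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from route rows."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5:
            continue  # header line or unrelated output
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[1]}")
            routes.append((net, f[2], ipaddress.ip_address(f[3]), int(f[4])))
        except ValueError:
            continue  # malformed row
    return routes

def split_tunnel_status(text, vpn_ip):
    """Classify a table as 'no-vpn', 'no-default', 'split-tunnel' or 'full-tunnel'."""
    vpn = ipaddress.ip_address(vpn_ip)
    routes = parse_routes(text)
    if not any(iface == vpn for _, _, iface, _ in routes):
        return "no-vpn"  # no route bound to the VPN adapter
    defaults = [r for r in routes if r[0].prefixlen == 0]
    if not defaults:
        return "no-default"
    best = min(defaults, key=lambda r: r[3])  # lowest metric is preferred
    return "full-tunnel" if best[2] == vpn else "split-tunnel"
```

A "split-tunnel" result means Internet-bound traffic bypasses the VPN while routes into the remote network are still active, which is the bridge condition described in the thread.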

 



------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.
