RE: Teminal in through ISA - Security

  • From: David Dellanno <david@xxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 31 Jul 2001 21:36:24 -0400

        Doesn't sound insulting at all, but the Microsoft VPN client provides
a secure password based on NTLM... then the password would be encrypted when
the VPN establishes network connectivity.  If you do have a mixed network
environment, the best practice would recommend to authenticate using basic
clear text authentication, then I agree your password would be hanging out
like a sore thumb and obtainable.

-----Original Message-----
From: Shayne Lebrun [mailto:slebrun@xxxxxxxxxxx]
Sent: Tuesday, July 31, 2001 2:52 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Teminal in through ISA - Security


http://www.ISAserver.org


See, that sounds a bit funny, when you think about it.  This is going to
sound insulting, perhaps, but it isn't intended to be.

It's a risk to have port 3389 open, password protected, and spawning a
128 bit encrypted datastream.  But it's OK to have port 2323 (or
whatever port Windows' integral VPN server listens to) open, password
protected, and spawning a 128 bit encrypted datastream.

This does make a few assumptions, such as you're not using certificates
on your VPN client side, but does hold true, to some extent.

Now, that having been said, for completeness' sake, VPN is a good extra
layer.  But if your password is 'password' I can get into your VPN
server easily enough. :-)

-----Original Message-----
From: David V. Dellanno [mailto:david@xxxxxxxxxxxxxxx]
Sent: Tuesday, July 31, 2001 2:39 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Teminal in through ISA - Security


JMO......I would find it a risk to have an open door to your firewall,
meaning having port 3389 open at your firewall.  What I would feel much
more comfortable with would be VPN first, then allow you to use TS on the
internal side.

Again, JMO

Dave

-----Original Message-----
From: Andrews, Bryan (COX-Atlanta) [mailto:Bryan.Andrews@xxxxxxx]
Sent: Tuesday, July 31, 2001 12:27 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Teminal in through ISA - Security


Changed the subject... Anyone have any thoughts on terminal sessions
coming in through ISA? And associated risks?

Thanks.


-----Original Message-----
From: Bryan Andrews [mailto:bandrews@xxxxxxxxxxxxxxxxxx]
Sent: Sunday, July 29, 2001 5:46 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN from behind another firewall...?

Well, to get around this problem, I published a workstation terminal to
the internet.

Works great from behind the other firewall... now how much of a security
risk might this be? Are the user/pass encrypted when logging in?

-----Original Message-----
From: Nóri [mailto:nori@xxxxxxx]
Sent: Saturday, July 28, 2001 9:02 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN from behind another firewall...?


I've had this happen when GRE is not allowed back to the client.

Users are behind a Netopia router that supports basic packet filtering
and it doesn't allow GRE back to the client.

Regards,

Arnor

-----Original Message-----
From: Bryan Andrews [mailto:bandrews@xxxxxxxxxxxxxxxxxx]
Sent: 27 July 2001 22:05
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN from behind another firewall...?


No takers on this? :|

-----Original Message-----
From: Andrews, Bryan (COX-Atlanta) [mailto:Bryan.Andrews@xxxxxxx]
Sent: Friday, July 27, 2001 8:15 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN from behind another firewall...?


BTW it seems to connect then does verifying user and password then craps
out with a 721 error (something about ppp not supported).

It is a default client setup except I have the 'include domain' checked
so I can input my domain name and I unchecked require encryption just in
case.

Thanks.

-----Original Message-----
From: Bryan Andrews [mailto:bandrews@xxxxxxxxxxxxxxxxxx]
Sent: Friday, July 27, 2001 7:34 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] VPN from behind another firewall...?

I am trying to create a vpn connection to my isa network from a client
inside another network (behind a pix firewall).

The isa server seems to allow a vpn to standard internet clients...

Any thoughts on this?

Thanks...

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
bryan.andrews@xxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')


