[THIN] Re: A question from my security guys about exposure

  • From: Evan Mann <emann@xxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Thu, 10 Oct 2002 08:29:28 -0400

By default MS PPTP connections have a box checked for "Use default gateway
on remote network" under TCP/IP properties/Advanced, which forces ALL TCP/IP
traffic to go through the VPN once you establish the connection.  Unchecking
it obviously passes only TCP/IP traffic bound for equipment on the other side
of the VPN through the VPN.

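The checkbox Evan describes is stored per connection in the Windows RAS phonebook (rasphone.pbk), so it can be audited rather than clicked through one dialog at a time. The script below is an added example for this thread, not code posted by anyone on the list. It assumes the INI-style phonebook layout in which each [section] is one connection and the line IpPrioritizeRemote=1 is where "Use default gateway on remote network" is saved; the phonebook path is an assumption that varies between Windows versions, so pass your own. The sample phonebook is constructed. Note that this only tells you which entries are full-tunnel; a split-tunnel entry still leaves a back-doored PC reachable from the Internet and routed into the LAN at the same time, which is the exposure Paul is asking about.

```python
"""Audit a Windows RAS phonebook (rasphone.pbk) for full-tunnel VPN entries.

Added example for this thread, not code from any poster. Assumes the
INI-style rasphone.pbk layout: each [section] is one dial-up/VPN
connection, and "IpPrioritizeRemote=1" is where the "Use default gateway
on remote network" checkbox is stored. DEFAULT_PBK is an assumption;
the location differs between Windows versions.
"""
import sys
from pathlib import Path

# Per-user phonebook location (assumption; adjust for your Windows version).
DEFAULT_PBK = Path.home() / "AppData/Roaming/Microsoft/Network/Connections/Pbk/rasphone.pbk"

# Constructed sample phonebook: one entry that routes all traffic over the
# VPN, one split-tunnel entry, and one that omits the key entirely.
SAMPLE_PBK = """\
[Corp PPTP]
Encoding=1
Device=WAN Miniport (PPTP)
IpPrioritizeRemote=1
IpAddress=0.0.0.0

[Lab PPTP split]
Encoding=1
Device=WAN Miniport (PPTP)
IpPrioritizeRemote=0
IpAddress=0.0.0.0

[Old entry]
Encoding=1
Device=WAN Miniport (PPTP)
"""


def parse_pbk(text):
    """Parse INI-like phonebook text into {section: {key: value}}.

    Hand-rolled so keys keep their case and odd values are kept as-is;
    if a key repeats within a section, the last occurrence wins.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[current][key.strip()] = value.strip()
    return entries


def classify_entries(text):
    """Map each entry name to 'full-tunnel', 'split-tunnel' or 'unknown'."""
    result = {}
    for name, keys in parse_pbk(text).items():
        flag = keys.get("IpPrioritizeRemote")
        if flag is None:
            result[name] = "unknown"
        elif flag == "1":
            result[name] = "full-tunnel"
        else:
            result[name] = "split-tunnel"
    return result


def full_tunnel_entries(text):
    """Sorted names of entries that will take the remote default gateway."""
    return sorted(n for n, c in classify_entries(text).items() if c == "full-tunnel")


def load_pbk(path):
    """Read a phonebook, handling a UTF-16 BOM if present (encoding is an assumption)."""
    data = path.read_bytes()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def main(argv):
    path = Path(argv[1]) if len(argv) > 1 else DEFAULT_PBK
    if path.exists():
        text = load_pbk(path)
    else:
        print(f"{path} not found; using constructed sample", file=sys.stderr)
        text = SAMPLE_PBK
    for name, kind in classify_entries(text).items():
        print(f"{kind:12s} {name}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the path to a user's rasphone.pbk; entries reported as full-tunnel are the ones that will pull every packet from that machine, including whatever a back door on it generates, through your network once the VPN is up.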
-----Original Message-----
From: Roger Riggins [mailto:Roger@xxxxxxxxxxxx]
Sent: Wednesday, October 09, 2002 5:45 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: A question from my security guys about exposure



Some VPN clients disallow internet activity outside of the VPN once
established. I think even MS PPTP does that.

It'll be tough to prevent the scenario you describe unless you protect
every single device that will be used to access your network. Even then,
it's all a 'best effort' attempt.

Roger Riggins, A+ MCSE CCNA CCA
ACES Systems Engineer
* 319-352-1234
* roger@xxxxxxxxxxxx

-----Original Message-----
From: Rowlandson, John [mailto:John.Rowlandson@xxxxxxxxxxxxx]
Sent: Wednesday, October 09, 2002 8:17 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: A question from my security guys about exposure




I use CSG 1.1 in a DMZ with STA etc etc..

We are in the process of a company-wide ethical attack....

I'm waiting to see what they come up with as I have left a hole for them
to find...

If they don't find my deliberate hole (1494/tcp NAT'd to a box) then I'll
rethink the "attack"

But it should show the strength of CSG 1.1

Roly

-----Original Message-----
From: Stansel, Paul [mailto:Paul.Stansel@xxxxxxxxxxxxx]
Sent: Wednesday, 9 October 2002 10:34 PM
To: 'citrixse@xxxxxxxxxxxxxxx'; 'thin@xxxxxxxxxxxxx'
Subject: [THIN] A question from my security guys about exposure



Setup: MF XPe, NFuse 1.7 with CSG, no SSL Relay configured.  Most users only
have access to published apps, though some have desktops.  We are using a
mix of ICA web clients and full PN clients, though will be moving to 99% web
clients.

Scenario: We have an at-home worker who has a PC that is directly connected
to the Internet through a cable-modem or DSL (take your pick).  The worker
has a VPN connection to our network.  Their PC at home has been back-doored.
Now when the worker connects through the VPN, they are opening a connection
to our network for whoever back-doored them.

Now change the scenario, such that instead of a VPN connection, the worker
is connecting to us via a Citrix connection over the web.  Their PC still
has the back-door on it.  What is the equivalent exposure under this
scenario?  Can the person that controls the back-door hijack the Citrix
session somehow or gain access to the resources on the network while the
connection is active?  I am guessing the exposure is not as great since that
workstation isn't truly a node on the network as it would be under a VPN
solution, but I am curious as to what other risks may exist and how we can
safeguard against them if they exist.

Thanks,
Paul
**********************************************
This weeks sponsor 99Point9.com
99Point9 helps solve your unresolved technical
server-based questions, issues and incidents.
http://www.99point9.com
***********************************************

For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link.

http://thethin.net/citrixlist.cfm