Re: FTP access via ISA(proxy)
From: Phillip Windell (_at_.)
Date: 07/28/04
- Next message: cianci: "controlling web access"
- Previous message: David: "Re: Firewall client"
- In reply to: David Barnes: "Re: FTP access via ISA(proxy)"
- Next in thread: David Barnes: "Re: FTP access via ISA(proxy)"
- Reply: David Barnes: "Re: FTP access via ISA(proxy)"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 28 Jul 2004 13:54:47 -0500
"David Barnes" <david@nospam-bitsolve.com> wrote in message
news:5yRNc.10191$j94.102439092@news-text.cableinet.net...
> Firstly, I don't want the clients to have a default gateway.
> Remember we have to be talking 'defence in depth' these days! and having a
> DG allows trojan software et-al to 'call home'. If it has to traverse the
> proxy, at least we have the opportunity to log, monitor and prevent it.
> I have absolutely NO valid reason for the clients to need IP routed access
> to the internet.
I agree perfectly. The Default Gateway is only required to run clients as
"SecureNAT Clients" and the SecureNAT Service is the least "in depth" of the
ISA services. That doesn't make it "bad",...it is just a matter of what
someone's requirements might be.
> What we don't want:
> Real (or any other) streaming media
> instant messenger of any sort
> local apps able to communicate with hosts on the internet.
I agree perfectly again. Here's a good link on the Instant Messengers.
[Those are underscores, not spaces between the words]
How to Block Dangerous Instant Messengers Using ISA Server
http://www.isaserver.org/tutorials/How_to_Block_Dangerous_Instant_Messengers_Using_ISA_Server.html
> As far as I understand the 'firewall client' allows the client to open and
> close external ports on the ISA firewall and to map connection to/from the
> internet for local applications.
> Err.. DEFINITELY NOT something we want.
Totally disagree. The Firewall Client will prevent and deny any connection
from any Application making any calls to Winsock (destined for the Internet)
unless the particular type of communication is *explicitly* allowed.
That is assuming some foolish Admin doesn't create some kind of "allow
everything" rule,...in which case that is their fault and not ISA's.
The Firewall Client will *even* prevent such applications from taking a
different route out to the Internet should, for some reason, the Default
Gateway on the Client provide a "new" way out to the Internet. This is
because it operates as an LSP (Layered Service Provider) and intercepts
calls as soon as they are passed to Winsock, which is long before they ever
get far enough down the TCP/IP stack for the Default Gateway to have effect.
-- Phillip Windell [MCP, MVP, CCNA] www.wandtv.com
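The posture the thread argues for (no default gateway on proxy-only clients, and the Firewall Client's LSP sitting in the Winsock catalog so calls are caught before routing is consulted) can be audited from the client itself. The following is an added example, not code from the original post or from ISA Server. It assumes a Windows 8 / Server 2012 or newer client with the NetTCPIP module, English-language `netsh` output, and that a Winsock catalog entry with a protocol chain length of 0 is a layered provider; the exact catalog description the ISA Firewall Client registers is not stated on the page, so the script reports every layered provider it finds rather than matching a specific name.

```powershell
# Added example (not from the original post or from ISA Server). Assumes a
# Windows 8 / Server 2012 or newer client, the NetTCPIP module, and English
# 'netsh' output. The ISA Firewall Client's own catalog description string is
# not given on the page, so every layered provider is reported, not one name.

function Get-WinsockLayeredProviders {
    # Parse 'netsh winsock show catalog' into one object per catalog entry and
    # keep the layered providers. In WSAPROTOCOL_INFO a protocol chain length of
    # 0 marks a layered protocol (an LSP), 1 a base provider, >1 a chain that
    # has been built on top of an LSP.
    $entries = @()
    $current = @{}
    foreach ($line in (netsh winsock show catalog)) {
        if ($line -match '^\s*(?<key>[^:]+?)\s*:\s*(?<value>.*)$') {
            # Non-greedy key so 'Provider Path: C:\...' splits at the first colon
            $current[$Matches.key] = $Matches.value.Trim()
        }
        elseif ($line.Trim() -eq '' -and $current.Count -gt 0) {
            # Blank line ends one catalog entry
            $entries += [pscustomobject]$current
            $current = @{}
        }
    }
    if ($current.Count -gt 0) { $entries += [pscustomobject]$current }

    $entries |
        Where-Object { $_.PSObject.Properties['Protocol Chain Length'] } |   # skip name-space entries
        Where-Object { [int]$_.'Protocol Chain Length' -eq 0 } |
        Select-Object Description, 'Provider Path', 'Catalog Entry ID'
}

function Test-ClientEgressPosture {
    # Defence-in-depth check from the thread: a proxy-only client should have no
    # default route (nothing can bypass the proxy at the IP layer) and should
    # carry a Winsock LSP (Winsock calls are intercepted before routing matters).
    $defaultRoutes = @(Get-NetRoute -DestinationPrefix '0.0.0.0/0', '::/0' -ErrorAction SilentlyContinue)
    $lsps = @(Get-WinsockLayeredProviders)
    [pscustomobject]@{
        HasDefaultRoute  = $defaultRoutes.Count -gt 0
        DefaultGateways  = $defaultRoutes | ForEach-Object { "$($_.NextHop) via $($_.InterfaceAlias)" }
        HasAnyLsp        = $lsps.Count -gt 0
        LayeredProviders = $lsps | ForEach-Object Description
    }
}

# A client configured the way the thread recommends reports
# HasDefaultRoute = False and HasAnyLsp = True.
Test-ClientEgressPosture | Format-List
```

Run it in an elevated PowerShell on a sample client; `HasDefaultRoute = True` means the SecureNAT path exists and IP-level traffic can leave without the proxy seeing it, and an empty `LayeredProviders` list means nothing is intercepting Winsock calls on that host. Parsing `netsh` text is locale-sensitive, so on non-English systems adjust the field names the script keys on.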