Re: ISA firewall problem?
- From: "SuperGumby [SBS MVP]" <not@xxxxxxxxxxx>
- Date: Sat, 23 Apr 2005 14:11:52 +1000
But through a non-split tunnel the blackhat can't connect to his proxy while
it is connected to your VPN. The proxy still exists, but is useless.
A basic security axiom is not to split tunnel. It's not an SBS issue, but the
target market for SBS is more likely to split tunnel than other, larger,
markets.
If you can avoid split tunneling you should.
"Jim Magee" <yanxandnix@xxxxxxxxxxxxxxxxx> wrote in message
news:mRiae.10997$V02.2298@xxxxxxxxxxx
> Thanks for the clarification SuperGumby. My point was that if the remote
> machine was compromised while not on the VPN, and a proxy was installed as
> you put it, the network would still be at risk once the user connected to
> the VPN. The VPN would not shut down the proxy on the remote machine.
> The only advantage I see is that you can set policies to prohibit certain
> sites and protocols, such as P2P networks. However, there is nothing to
> stop the user from disconnecting from the VPN or changing the gateway
> themselves. I service accounts where we might have 50+ VPN users
> connected at 1 time. I certainly wouldn't want all of their internet
> traffic funneling through the corporate LAN. I guess there are pros and
> cons to doing it both ways. Thanks again.
>
>
> SuperGumby [SBS MVP] wrote:
>> Let's imagine that the remote machine is compromised in a way which puts
>> a 'proxy' on the machine. Not a HTTP proxy but something which can be
>> connected to remotely and used to pass commands further. (DOS Trojan?)
>>
>> If you allow split tunnelling an attacker can connect to the proxy and
>> issue commands to cause activity through the VPN.
>> It is more unlikely (but not impossible) that this occur through a
>> non-split tunnel.
>>
>> Me, I split tunnels regularly. My users are less fortunate, mostly.
>>
>> "Jim Magee" <yanxandnix@xxxxxxxxxxxxxxxxx> wrote in message
>> news:_5iae.2523$RP1.1808@xxxxxxxxxxx
>>
>>>Steve Foster [SBS MVP] wrote:
>>>
>>>>Jim Magee wrote:
>>>>
>>>>
>>>>>- Double-click on Network Connections
>>>>>- Right-click on your VPN Connection
>>>>>- Click on Properties
>>>>>- Click on Networking
>>>>>- Highlight Internet Protocol (TCP/IP)
>>>>>- Click on Properties
>>>>>- Click on Advanced
>>>>>- Uncheck use default gateway on remote network
>>>>
>>>>
>>>>Not a good idea, since this allows the remote machine to be a back-door
>>>>into your network. This should only be used if you're absolutely certain
>>>>of the security of the remote machine.
>>>>
>>>
>>>I'm not disagreeing with you, but I would like you to explain further how
>>>this is any more of a security threat. My understanding is that it only
>>>affects the outbound traffic of the remote machine. If the security of
>>>the remote machine is compromised, access to the internal network via the
>>>VPN is at risk regardless of the gateway setting, no? Again, I'm not
>>>disagreeing with you. I'm just looking for clarification. I usually use
>>>this setting when connecting to some of my clients that have a slower
>>>link than my cable internet connection.
>>
>>
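To audit the "use default gateway on remote network" setting the thread argues over, here is an added PowerShell example (not from any poster; it assumes Windows 8 / Server 2012 or later with the VpnClient module, where that checkbox is exposed as the SplitTunneling property, and that a connected VPN's interface alias equals its connection name):

```powershell
# Added example, not from the thread. Assumes Windows 8 / Server 2012 or later,
# where the VpnClient module exposes the "use default gateway on remote network"
# checkbox as the SplitTunneling property of each VPN phonebook entry.
# Run elevated to see all-user connections; add -Remediate to switch split
# tunneling off on every entry that has it enabled.
param(
    [switch]$Remediate
)

$scopes = @(
    @{ Label = 'current user'; Params = @{} },
    @{ Label = 'all users';    Params = @{ AllUserConnection = $true } }
)

foreach ($scope in $scopes) {
    $p = $scope.Params
    $vpns = @(Get-VpnConnection @p -ErrorAction SilentlyContinue)
    foreach ($vpn in $vpns) {
        if ($vpn.SplitTunneling) {
            # This is the state produced by unchecking "use default gateway on remote network".
            Write-Warning ("[{0}] '{1}' -> {2}: split tunneling ENABLED" -f $scope.Label, $vpn.Name, $vpn.ServerAddress)
            if ($Remediate) {
                Set-VpnConnection @p -Name $vpn.Name -SplitTunneling $false
                Write-Output ("[{0}] '{1}': split tunneling disabled" -f $scope.Label, $vpn.Name)
            }
        } else {
            Write-Output ("[{0}] '{1}' -> {2}: all traffic routed through tunnel" -f $scope.Label, $vpn.Name, $vpn.ServerAddress)
        }

        # Live check for a connected tunnel: with split tunneling off, an IPv4 default
        # route must exist on the VPN interface (assumption: the RAS interface alias
        # equals the connection name, as it does for dial-up/VPN adapters).
        if ($vpn.ConnectionStatus -eq 'Connected') {
            $viaVpn = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                Where-Object { $_.InterfaceAlias -eq $vpn.Name }
            if ($viaVpn) {
                Write-Output ("[{0}] '{1}' is connected and owns a default route" -f $scope.Label, $vpn.Name)
            } else {
                Write-Warning ("[{0}] '{1}' is connected but the default route stays on the local adapter" -f $scope.Label, $vpn.Name)
            }
        }
    }
}
```

The phonebook check catches entries configured for split tunneling; the route check catches a tunnel that is up while traffic still leaves through the local adapter.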