Re: ISA firewall problem?



Jim Magee wrote:
> Steve Foster [SBS MVP] wrote:
>> Jim Magee wrote:
>>
>>> - Double-click on Network Connections
>>> - Right-click on your VPN Connection
>>> - Click on Properties
>>> - Click on Networking
>>> - Highlight Internet Protocol (TCP/IP)
>>> - Click on Properties
>>> - Click on Advanced
>>> - Uncheck use default gateway on remote network
>>
>> Not a good idea, since this allows the remote machine to be a back-door
>> into your network. This should only be used if you're absolutely certain
>> of the security of the remote machine.
>>
> I'm not disagreeing with you, but I would like you to explain further
> how this is any more of a security threat. My understanding is that it
> only affects the outbound traffic of the remote machine. If the security
> of the remote machine is compromised, access to the internal network via
> the VPN is at risk regardless of the gateway setting, no? Again, I'm not
> disagreeing with you. I'm just looking for clarification. I usually use
> this setting when connecting to some of my clients that have a slower
> link than my cable internet connection.

In split-tunnel mode, it's possible for the remote machine to act as if it were a router. Information can flow to/from the internet, and can then in turn flow to/from your LAN, and vice versa.

Without the split tunnel, there can be no flow to/from the internet (other than through SBS and controlled by ISA).

It probably won't be long before someone writes a trojan that attacks VPN connections, and possibly makes the required changes to permit split-tunnelling anyway. With RWW, there's less need for VPN, and that's probably the way to go where possible.

--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.
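An added audit script (not from the thread or either poster) for the setting under discussion: it parses a Windows RAS phonebook and lists the VPN entries on which "Use default gateway on remote network" is unchecked, i.e. the split-tunnel entries an administrator would want to know about. It assumes the phonebook stores that checkbox per entry as `IpPrioritizeRemote=1` (checked) or `IpPrioritizeRemote=0` (unchecked), and that the per-user file is `%APPDATA%\Microsoft\Network\Connections\Pbk\rasphone.pbk`; the sample phonebook text is constructed.

```python
"""Find VPN phonebook entries configured for split tunnelling.

Assumptions (not stated in the thread): rasphone.pbk is an INI-style file
with one [Entry Name] section per connection, and the checkbox "Use default
gateway on remote network" is saved as IpPrioritizeRemote=1 (checked, all
traffic goes through the VPN) or IpPrioritizeRemote=0 (unchecked, split
tunnel: internet traffic leaves via the remote machine's own gateway).
"""
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^(?P<key>[^=\s]+)=(?P<value>.*)$")


def parse_pbk(text):
    """Return {entry_name: {key: value}} for an INI-style phonebook.
    A later duplicate key overwrites an earlier one (the MEDIA/DEVICE
    sub-blocks reuse names such as Type=); IpPrioritizeRemote occurs once."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment
        m = SECTION_RE.match(line)
        if m:
            current = entries.setdefault(m.group("name"), {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group("key")] = m.group("value").strip()
    return entries


def split_tunnel_entries(text):
    """Names of entries whose internet traffic bypasses the VPN (sorted)."""
    return sorted(name for name, keys in parse_pbk(text).items()
                  if keys.get("IpPrioritizeRemote") == "0")


# Constructed sample: one full-tunnel entry and one split-tunnel entry.
SAMPLE_PBK = """\
[Office VPN]
Encoding=1
Type=2
IpPrioritizeRemote=1
MEDIA=rastapi
Port=VPN2-0
DEVICE=vpn

[Client VPN]
Encoding=1
Type=2
IpPrioritizeRemote=0
MEDIA=rastapi
Port=VPN2-1
DEVICE=vpn
"""

if __name__ == "__main__":
    for name in split_tunnel_entries(SAMPLE_PBK):
        print(f"split tunnel enabled: {name}")  # prints: Client VPN
```

To audit a real machine, read the phonebook file named in the lead-in and pass its contents to `split_tunnel_entries` in place of `SAMPLE_PBK`.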