Re: ISA firewall problem?



Steve Foster [SBS MVP] wrote:
Jim Magee wrote:

Steve Foster [SBS MVP] wrote:
> Jim Magee wrote:
>
>> - Double-click on Network Connections
>> - Right-click on your VPN Connection
>> - Click on Properties
>> - Click on Networking
>> - Highlight Internet Protocol (TCP/IP)
>> - Click on Properties
>> - Click on Advanced
>> - Uncheck use default gateway on remote network
>
>
> Not a good idea, since this allows the remote machine to be a back-door
> into your network. This should only be used if you're absolutely certain
> of the security of the remote machine.
>
I'm not disagreeing with you, but I would like you to explain further how this is any more of a security threat. My understanding is that it only affects the outbound traffic of the remote machine. If the security of the remote machine is compromised, access to the internal network via the VPN is at risk regardless of the gateway setting, no? Again, I'm not disagreeing with you. I'm just looking for clarification. I usually use this setting when connecting to some of my clients that have a slower link than my cable internet connection.


In split-tunnel mode, it's possible for the remote machine to act as if it were a router. Information can flow to/from the internet, and can then in turn flow to/from your LAN, and vice versa.

Without the split tunnel, there can be no flow to/from the internet (other than through SBS and controlled by ISA).
My understanding is that if the remote machine is compromised to the point where it is acting as a router or proxy, this doesn't go away when a single tunnel VPN is invoked. The compromised machine would still be accessible from the internet.

It probably won't be long before someone writes a trojan that attacks VPN connections, and possibly makes the required changes to permit split-tunnelling anyway. With RWW, there's less need for VPN, and that's probably the way to go where possible.

Agreed.
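An added example, not part of this thread: the "Use default gateway on remote network" checkbox discussed above is stored per connection in the Windows rasphone.pbk phonebook, so an administrator can audit which VPN entries on a client have split tunnelling enabled. The script below parses a constructed sample in that INI-style layout; it assumes the stored key is `IpPrioritizeRemote` (1 = all traffic through the tunnel, 0 = split tunnel).

```python
import configparser
from typing import Dict, List

# Constructed sample in the INI-like layout of a Windows rasphone.pbk phonebook.
# Assumption: IpPrioritizeRemote=1 is the stored form of the "Use default
# gateway on remote network" checkbox; 0 means split tunnelling is enabled.
SAMPLE_PBK = """
[Office VPN]
MEDIA=rastapi
Device=WAN Miniport (PPTP)
IpPrioritizeRemote=1
PhoneNumber=vpn.example.net

[Client Site]
MEDIA=rastapi
Device=WAN Miniport (L2TP)
IpPrioritizeRemote=0
PhoneNumber=vpn.client.example
"""


def parse_pbk(text: str) -> Dict[str, Dict[str, str]]:
    """Parse rasphone.pbk-style text into {entry_name: {key: value}}."""
    # strict=False tolerates repeated keys, which real phonebooks can contain.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def split_tunnel_entries(entries: Dict[str, Dict[str, str]]) -> List[str]:
    """Return names of VPN entries that do not send all traffic through the tunnel."""
    flagged = []
    for name, keys in entries.items():
        # A missing key is treated as "use remote gateway" (the Windows default).
        if keys.get("IpPrioritizeRemote", "1").strip() == "0":
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # On a real client, read the per-user or all-users rasphone.pbk instead.
    for entry in split_tunnel_entries(parse_pbk(SAMPLE_PBK)):
        print(f"split tunnelling enabled: {entry}")
```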
