Firewall Wizards mailing list archives
RE: Radius access from provider to internal MS ISA Server
From: "Ben Nagy" <ben () iagu net>
Date: Sun, 7 Jul 2002 10:45:34 +0200
Most of the VPN client software I have seen allows you to check a box which drops all unsecured traffic when the client is active. That gets you most of the way. With Win2K you could use company laptops and a security policy with the correct, unalterable, configuration of the dialup/VPN connector.

Both situations work OK until you have a user who is actively trying to bypass the policy - you can't effectively secure a box if someone has unsupervised physical access to it.[1]

With viruses and trojans, though, you also need to worry about non-concurrent threats - so you now need to worry about any home user that ever connects to the Internet and also sometimes connects to the company VPN.

Basically, it's a major problem with trust boundaries, and almost nobody worries about it. This is well known among the security community, but the benefits of VPNs are pretty huge, so people implement them anyway.

Cheers,

[1] Yes, OK, I know I'm lying, but it's accurate for the 99.9th percentile. 8)

--
Ben Nagy
Network Security Specialist
Mb: TBA
PGP Key ID: 0x1A86E304

-----Original Message-----
From: R. DuFresne [mailto:dufresne () sysinfo com]
[...]
My question on VPN tunnels in particular is: how many force all communication out via the VPN, restricting access via other potential internet'able pathways?

The reason I ask is, it seems one of the issues with especially home users accessing work servers would be pushing a security policy through the VPN, preventing such things as viruses and trojans and other malicious activity from gaining a foothold and running up the trusted tunnel into the workplace while the home user is connected to work systems and servers.

How do others push their security policies to their home users in these scenarios in a concurrent manner? Is it possible? Or is this just an open trust scenario?

Thanks,

Ron DuFresne