Firewall Wizards mailing list archives

RE: Radius access from provider to internal MS ISA Server


From: "Ben Nagy" <ben () iagu net>
Date: Sun, 7 Jul 2002 10:45:34 +0200

Most of the VPN client software I have seen allows you to check a box
which drops all unsecured traffic when the client is active. That gets
you most of the way.

With Win2K you could use company laptops and a security policy with the
correct, unalterable, configuration of the dialup/VPN connector. 

Both situations work OK until you have a user who is actively trying to
bypass the policy - you can't effectively secure a box if someone has
unsupervised physical access to it.[1]

With virii and trojans, though, you also need to worry about
non-concurrent threats - so you now need to worry about any home user
that ever connects to the Internet and also sometimes connects to the
company VPN.

Basically, it's a major problem with trust boundaries, and almost nobody
worries about it. This is well known among the security community, but
the benefits of VPNs are pretty huge, so people implement them anyway. 

Cheers,

[1] Yes, OK, I know I'm lying, but it's accurate for the 99.9th
percentile. 8)
--
Ben Nagy
Network Security Specialist
Mb: TBA  PGP Key ID: 0x1A86E304 
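The "drop all unsecured traffic" option Ben describes, and Ron's question about forcing all communication out via the VPN, come down to what the client's routing table looks like while the tunnel is up. The following is an added example (not code from either poster): a small audit of a Windows-style `route print` table that reports which destinations would still leave the machine outside the tunnel. The two route tables, the adapter addresses (10.8.0.6 for the virtual adapter, 192.168.1.10 for the home NIC) and the VPN server address 203.0.113.5 are constructed for illustration.

```python
"""Audit a Windows-style route table for paths that bypass a VPN tunnel.

Hypothetical helper written for this thread, not part of any product.
Input is `route print` text in the Win2K-era layout:
destination, netmask, gateway, interface, metric.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    interface: str   # address of the adapter this route uses
    metric: int


def parse_route_print(text: str) -> list:
    """Extract routes from `route print` output; header/footer lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # headers, "Default Gateway:", blanks
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.IPv4Network((dest, mask), strict=False)
            routes.append(Route(net, gateway, iface, int(metric)))
        except ValueError:
            continue                      # five tokens but not a route line
    return routes


def audit_bypass_paths(routes, vpn_iface, physical_iface, vpn_server):
    """Return (kind, destination) pairs for traffic that does not enter the tunnel.

    kind "default": the preferred default route exits the physical adapter
                    (classic split tunnelling).
    kind "bypass":  a more specific route still exits the physical adapter,
                    e.g. the home LAN subnet.
    """
    server = ipaddress.IPv4Address(vpn_server)
    findings = []
    defaults = [r for r in routes if r.network.prefixlen == 0]
    if not defaults:
        findings.append(("no-default", None))
    else:
        best = min(defaults, key=lambda r: r.metric)   # lowest metric wins
        if best.interface != vpn_iface:
            findings.append(("default", str(best.network)))
    for r in routes:
        if r.interface != physical_iface or r.network.prefixlen == 0:
            continue                      # tunnel/loopback, or judged above
        if r.network.prefixlen == 32 and server in r.network:
            continue                      # host route that carries the tunnel itself
        if r.network.is_multicast or r.network.is_reserved:
            continue                      # 224.0.0.0/4 and 255.255.255.255
        findings.append(("bypass", str(r.network)))
    return findings


def is_full_tunnel(findings) -> bool:
    """True when the default route goes through the VPN adapter."""
    return not any(kind in ("default", "no-default") for kind, _ in findings)


# Constructed sample: client with "use default gateway on remote network".
FULL_TUNNEL_TABLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.8.0.1        10.8.0.6       1
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10      20
         10.8.0.0    255.255.255.0         10.8.0.6        10.8.0.6       1
         10.8.0.6  255.255.255.255        127.0.0.1       127.0.0.1       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.10    192.168.1.10      20
     192.168.1.10  255.255.255.255        127.0.0.1       127.0.0.1      20
      203.0.113.5  255.255.255.255      192.168.1.1    192.168.1.10      20
        224.0.0.0        240.0.0.0     192.168.1.10    192.168.1.10      20
  255.255.255.255  255.255.255.255     192.168.1.10    192.168.1.10       1
Default Gateway:          10.8.0.1
"""

# Constructed sample: same client, but only 10.0.0.0/8 is routed into the tunnel.
SPLIT_TUNNEL_TABLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10      20
         10.0.0.0        255.0.0.0         10.8.0.1        10.8.0.6       1
         10.8.0.0    255.255.255.0         10.8.0.6        10.8.0.6       1
         10.8.0.6  255.255.255.255        127.0.0.1       127.0.0.1       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.10    192.168.1.10      20
     192.168.1.10  255.255.255.255        127.0.0.1       127.0.0.1      20
      203.0.113.5  255.255.255.255      192.168.1.1    192.168.1.10      20
        224.0.0.0        240.0.0.0     192.168.1.10    192.168.1.10      20
  255.255.255.255  255.255.255.255     192.168.1.10    192.168.1.10       1
Default Gateway:       192.168.1.1
"""

VPN_IFACE, PHYSICAL_IFACE, VPN_SERVER = "10.8.0.6", "192.168.1.10", "203.0.113.5"


def audit_table(text: str):
    return audit_bypass_paths(parse_route_print(text), VPN_IFACE, PHYSICAL_IFACE, VPN_SERVER)


if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL_TABLE), ("split", SPLIT_TUNNEL_TABLE)):
        found = audit_table(table)
        print(name, "full tunnel:", is_full_tunnel(found), found)
```

Note that even the full-tunnel table still reports the home LAN subnet as reachable outside the tunnel: the routing table alone cannot express "drop all unsecured traffic", which is why that option is implemented as a filter in the client rather than as routes, and why a route audit is a necessary but not sufficient check.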


-----Original Message-----
From: R. DuFresne [mailto:dufresne () sysinfo com] 
[...]
My question on VPN tunnels in particular is: how many force 
all communication out via the VPN, restricting access via 
other potential internet'able pathways?  The reason I ask is, 
it seems one of the issues with especially home users 
accessing work servers would be pushing a security policy 
through the VPN, preventing such things as viruses and trojans 
and other malicious activity from gaining a foothold and 
running up the trusted tunnel into the workplace while the 
home user is connected to work systems and servers.

How do others push their security policies to their home 
users in these scenarios in a concurrent manner?  Is it 
possible?  Or is this just an open trust scenario?


Thanks,

Ron DuFresne

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
