Firewall Wizards
mailing list archives
RE: Radius access from provider to internal MS ISA Server
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Sat, 6 Jul 2002 02:55:53 -0400 (EDT)
On Fri, 5 Jul 2002, Ben Nagy wrote:
[SNIP]
> So, this sounds like you're doing some sort of PPTP/L2TP/L2F type thing
> with the actual layer-2 dialup stuff. Normally that stuff comes in on a
> private link; I've seen it most when it's aggregated into a single
> frame-relay link from the ISP concerned.
>
> That has big advantages, in your situation, in that users cannot access
> the Internet directly and also concurrently access your internal
> network. (I don't need to go into why that's a good thing, I presume..)
>
> The only reason I type all this out is that the bit you mention later
> about the engineers claiming that the firewall offers enough protection
> raised a doubt in my mind as to whether the forwarded connections really
> were getting tunneled or whether it was just some strange authentication-
> only forwarding scheme, which wouldn't appear to have much value. If the
> users can directly access the Internet from the ISP they're connected
> to, then IMO you're really wasting your time and you should just use the
> VPN gateway to do all your auth - it's stronger, better, faster and all
> that jazz.
My question on VPN tunnels in particular is: how many force all
communication out via the VPN, restricting access via other potential
Internet-capable pathways? The reason I ask is that one of the issues,
especially with home users accessing work servers, seems to be pushing a
security policy through the VPN, preventing such things as viruses,
trojans and other malicious activity from gaining a foothold and running
up the trusted tunnel into the workplace while the home user is connected
to work systems and servers.

How do others push their security policies to their home users in these
scenarios in a concurrent manner? Is it possible? Or is this just an
open trust scenario?
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards