Site to Site VPN while keeping ISA in the Mix

re:Site to Site VPN while keeping ISA in the Mix

TrackBack — Wed, 03 Aug 2005 00:57:00 GMT

Site to Site VPN while keeping ISA in the Mixooeess

re:Site to Site VPN while keeping ISA in the Mix

TrackBack — Fri, 22 Jul 2005 05:18:00 GMT

Site to Site VPN while keeping ISA in the Mixooeess

re:Site to Site VPN while keeping ISA in the Mix

TrackBack — Thu, 19 May 2005 02:36:00 GMT

^_~,pretty good!csharpsseeoo

re:Site to Site VPN while keeping ISA in the Mix

TrackBack — Fri, 15 Apr 2005 22:10:00 GMT

^_^,Pretty Good!

re: Site to Site VPN while keeping ISA in the Mix

Javier — Sat, 11 Dec 2004 15:23:00 GMT

Hi Tony!

Good to hear from you, its been a while since we "talked". I have to agree with most of your comments. However, I must point out that this like any other solution depends on how you configure it. In my routers I can block all inbound and outbound traffic (except for the VPN) and I control the remote and main LANs. I'm actually more worried (like you mentioned) about the VPN per se.

A much better (secure) approach would be to put the VPN endpoint in front of ISA and publish the necessary ports (i.e. Terminal Services) and don't forward them on the router. This way the VPN tunnel only has access to what they need instead of the whole lan.

I will take a look at your site (sent you an email).

re: Site to Site VPN while keeping ISA in the Mix

Javier — Fri, 10 Dec 2004 23:14:00 GMT

Hello Javier,

Good to see you blogging, and as I'm looking at this post while I'm setting up a portal page of SBS MVP RSS feeds, I felt I should offer my opinion that although your solution should work, I would not recommend it... simply because I feel it violates one of the cardinal rules of firewalling, that you should never permit alternative paths into the corporate LAN.

This and other alternate entrypoints like unsecured or improperly secured WAPs, travelling/guest laptops which connect directly into the network are variations on the "infection by floppy" problems of the 1980's. It's very costly to implement safeguards if you believe in the traditional "trusted zone" firewall principle but make a mistake allowing an exploit through in some way and VPNs can be a highway into the LAN.

On this subject, I'm also actually very negative about traditional VPNs in general. If anyone is interested in <why> VPNs are a major danger to your network, what the alternatives are and specifically what I believe is the best solution (the application gateway), you can view a presentation I gave earlier this year by either going to the winsug.org site and looking for my presentation or going to my website at www.su-networking.com and becoming a registered user (no fee) for this and other whitepapers I've written.

Yours,
Tony Su