IIS Server Security - Question On Internet Access While Logged In As VPN Client


Author Question On Internet Access While Logged In As VPN Client
JIMB

2004-01-24, 2:02 am

Question On Internet Access While Logged In As VPN Client

We have MSESKSB SERVER w\Firewall.

My question is, can the VPN (outside!) (WAN,) clients
while logged in to the Server & going through our
Firewall, be able to access the internet through another
port on the Firewall or from their own systems without
jeopardizing & opening up the virtual & private connection
to the outside internet world?

I know there is a switch we can set on the VPN advanced
TCP/IP properties to allow this. However, I also know that
this "opens" & defeats the reason for the Virtual &
Private Connection.

Can this be done safely? If so, how?

As Always, I Look Forward To Hearing Your Advice. Jim B.


Karl Levinson [x y] mvp

2004-01-25, 11:34 pm


"JIMB" <anonymous@discussions.microsoft.com> wrote in message
news:317501c3e28b$d838d2c0$a101280a@phx.gbl...

> My question is, can the VPN (outside!) (WAN,) clients
> while logged in to the Server & going through our
> Firewall, be able to access the internet through another
> port on the Firewall or from their own systems without
> jeopardizing & opening up the virtual & private connection



Yes, if you wish, you can enable split tunneling. It increases the risk.
Why not just let them go out to the Internet through the VPN connection?
[This does tend to prevent people from getting to other computers or servers
if any that they may have on their home network.]

> I know there is a switch we can set on the VPN advanced
> TCP/IP properties to allow this. However, I also know that
> this "opens" & defeats the reason for the Virtual &
> Private Connection.



Not exactly... the main concern I believe is that an attacker can remotely
control and/or compromise the home computer, and from there get into your
network through the VPN connection with no authentication. This happened to
Microsoft a few years back in a very public hack that resulted in the
compromise of pre-release alpha software or source code.

> Can this be done safely? If so, how?



It increases the risk. I don't know of any special way to make this safer.
Installing firewall, antivirus and all patches on the home computer,
filtering the TCP/IP ports and protocols that are permitted to come through
the VPN connection, and using software such as www.sygate.com [their remote
access policy solution] or the Windows 2003 Server Quarantine Server feature
to check for antivirus, firewall and missing patches are all ways that you
might make the VPN connection somewhat safer, whether or not you choose to
enable split tunneling. Some antivirus software like NAV and/or McAfee may
also have ways of handling remote and VPN users.
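
An added example, not part of the original thread: a small audit that reads a Windows RAS phonebook (`rasphone.pbk`) and reports which VPN entries have split tunneling enabled. It assumes the "use default gateway on remote network" switch is stored per entry as `IpPrioritizeRemote` (and `Ipv6PrioritizeRemote` on later Windows versions), with 0 meaning split tunneling; the sample phonebook and host names are constructed.

```python
# Added example: audit a Windows RAS phonebook (rasphone.pbk) for split tunneling.
# Assumption: "Use default gateway on remote network" is stored per entry as
# IpPrioritizeRemote (1 = all traffic goes via the VPN, 0 = split tunneling).

SAMPLE_PBK = """\
[Office VPN]
Encoding=1
Type=2
IpPrioritizeRemote=1
MEDIA=rastapi
DEVICE=vpn
PhoneNumber=vpn.example.test

[Branch VPN]
Encoding=1
Type=2
IpPrioritizeRemote=0
MEDIA=rastapi
DEVICE=vpn
PhoneNumber=branch.example.test
"""  # constructed sample, not taken from a real system

KEYS = ("IpPrioritizeRemote", "Ipv6PrioritizeRemote")


def parse_pbk(text):
    """Return {entry: {key: first_value}}. Phonebooks repeat keys such as
    DEVICE inside one entry, so configparser's strict mode is not usable."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = entries.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), value.strip())
    return entries


def audit_split_tunnel(text):
    """Map each entry to 'split', 'forced' or 'unknown' (setting absent)."""
    result = {}
    for name, settings in parse_pbk(text).items():
        values = [settings[k] for k in KEYS if k in settings]
        if not values:
            result[name] = "unknown"
        else:
            result[name] = "split" if "0" in values else "forced"
    return result
```

Calling `audit_split_tunnel()` on the text of a collected phonebook file gives one verdict per VPN entry; entries reported as `split` are the ones that can reach the Internet directly while connected.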




Copyright 2003 - 2008 webservertalk.com