Re: firewall-wizards Digest, Vol 38, Issue 11

by Robert Driscoll

Are you allowing split tunneling? I have worked at companies that have disabled split tunneling, which in effect turned off routing except through the VPN server. We then would check for things like current AV defs and patch compliance.


----- Original Message -----
From: firewall-wizards-request@...
To: firewall-wizards@...
Sent: Monday, June 22, 2009 9:00:03 AM GMT -08:00 US/Canada Pacific
Subject: firewall-wizards Digest, Vol 38, Issue 11

Send firewall-wizards mailing list submissions to
        firewall-wizards@...

To subscribe or unsubscribe via the World Wide Web, visit
        https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
        firewall-wizards-request@...

You can reach the person managing the list at
        firewall-wizards-owner@...

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

   1. VPN and XP Firewall GPO settings (Paul Hutchings)


----------------------------------------------------------------------

Message: 1
Date: Sat, 20 Jun 2009 18:30:49 +0100
From: Paul Hutchings <paul@...>
Subject: [fw-wiz] VPN and XP Firewall GPO settings
To: Firewall Wizards Security Mailing List
        <firewall-wizards@...>
Message-ID: <DF4421BD-AB92-4055-A5D4-370E73D13981@...>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

Folks hoping for a little input here:

We have a Juniper SSL VPN that has Network Connect functionality.  We  
have our Group Policies configured so that when onsite XP firewall is  
disabled, when offsite XP firewall is enabled.

It seems what's happening when people use the Network Connect  
functionality of the VPN is that XP is detecting that it has  
connectivity to the LAN and the domain controllers/DNS boxes and is  
switching from the "Standard Profile" to the "Domain Profile" and  
dropping the firewall, which is of course unacceptable (I accept it's  
behaving by design so it's not really a criticism of Microsoft).

What do people do to work around this kind of issue?  I guess a group  
policy for laptops that enables the firewall even when on the domain  
is one option, and I've opened a case with JTAC in case I'm missing  
something on the SA config.

Thanks.


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 38, Issue 11
************************************************
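
Added example, not part of the original thread: a PowerShell check for the condition described in the question above, reporting whether Windows Firewall is enabled in the Domain and Standard profiles. It assumes the XP SP2 registry locations for the firewall's Group Policy and local settings and that PowerShell 2.0 is installed on the laptop.

```powershell
# Added example (PowerShell 2.0 syntax, so it also runs on XP with PowerShell installed).
# Registry locations are the XP SP2 Windows Firewall ones; a Group Policy value,
# when present, takes precedence over the local setting.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Get-EnableFirewall {
    param([string]$Root, [string]$ProfileName)
    $key = Join-Path $Root $ProfileName
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.EnableFirewall
}

function Get-ProfileState {
    param([string]$ProfileName)
    $gpo   = Get-EnableFirewall $policyRoot $ProfileName
    $local = Get-EnableFirewall $localRoot  $ProfileName
    if ($gpo -ne $null)       { $value = $gpo;   $source = 'Group Policy' }
    elseif ($local -ne $null) { $value = $local; $source = 'local setting' }
    else                      { $value = $null;  $source = 'not configured' }
    $state = 'unknown'
    if ($value -eq 1) { $state = 'on' } elseif ($value -eq 0) { $state = 'off' }
    New-Object PSObject -Property @{ Profile = $ProfileName; Firewall = $state; Source = $source }
}

$states = @('DomainProfile', 'StandardProfile') | ForEach-Object { Get-ProfileState $_ }
$states | Format-Table Profile, Firewall, Source -AutoSize

# The case from the thread: firewall off in the Domain Profile means it is dropped
# as soon as the VPN makes the domain controllers reachable.
$domain = $states | Where-Object { $_.Profile -eq 'DomainProfile' }
if ($domain.Firewall -eq 'off') {
    Write-Warning 'Windows Firewall is disabled in the Domain Profile.'
    exit 1
}
```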


Re: firewall-wizards Digest, Vol 38, Issue 11

by Paul Hutchings-2

I have split tunnelling disabled, but being frank my low level  
knowledge of TCP/IP isn't sufficient to know if it's sufficient  
mitigation for lack of a software firewall.

Frustratingly, the Juniper Host Checker comes with a firewall but you  
need admin rights simply to enable/disable that component.

Cheers,
Paul

On 22 Jun 2009, at 20:42, rjdriscoll@... wrote:

> Are you allowing split tunneling? I have worked at companies that  
> have disabled split tunneling, which in effect turned off routing  
> except
> through the VPN server. We then would check for things like current  
> AV def's and patch compliance.

Re: firewall-wizards Digest, Vol 38, Issue 11

by pkc

Paul Hutchings wrote:
> I have split tunnelling disabled, but being frank my low level
> knowledge of TCP/IP isn't sufficient to know if it's sufficient
> mitigation for lack of a software firewall.
>
> Frustratingly, the Juniper Host Checker comes with a firewall but you
> need admin rights simply to enable/disable that component.
>
Hi,

I'm not sure the Juniper Host Checker comes with a firewall. It can
check if there is a firewall running, but the main goal is to check for
some config on the remote host (process running, open port, antivirus
running, etc.).

Did you mean "Network Connect"?
> Cheers,
> Paul
>

