From: c0ncept (c0nceptHUSHMAIL.COM)
Date: Fri Mar 30 2001 - 16:22:13 CST


    The routing table is checked first, and if there is no route to a specified
    destination, the packet is sent to the default gateway.
    If your work has multiple subnets, then you could add each subnet to your
    routing table manually. Depending on your network topology, you may be able
    to use route summarization... for example, if your work has 172.16.1.0/24,
    172.16.2.0/24, ..., 172.16.5.0/24, then you can specify a route to
    172.16.0.0/16 through the remote router.
    There's no reason to route all internet traffic through the remote end of
    the VPN. Remember, any packet you send across the VPN not destined for your
    remote site will be routed across the WAN again, to its final destination,
    and its reply will be routed twice. Leaving that box unchecked will
    increase the traffic over your WAN link by a factor of two.

            -- c0ncept

    [demo]

            Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-1999 Microsoft Corp.

    C:\>route print
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2 ...00 c0 f0 15 bc 44 ...... Intel DC21041 PCI Ethernet Adapter
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
              0.0.0.0 0.0.0.0 x.x.x.x 192.168.1.3 1
            127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
          192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 1
          192.168.1.3 255.255.255.255 127.0.0.1 127.0.0.1 1
        192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 1
      x.x.x.x 255.255.255.192 x.x.x.x 192.168.1.3 1
      x.x.x.x 255.255.255.255 127.0.0.1 127.0.0.1 1
      x.x.x.255 255.255.255.255 x.x.x.x 192.168.1.3 1
            224.0.0.0 224.0.0.0 192.168.1.3 192.168.1.3 1
      255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 1
    Default Gateway: d.d.d.d
    ===========================================================================
    Persistent Routes:
      None

    C:\>route add 172.16.0.0 MASK 255.255.255.0 192.168.1.1 METRIC 1 IF 2
    C:\>route print
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2 ...00 c0 f0 15 bc 44 ...... Intel DC21041 PCI Ethernet Adapter
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
              0.0.0.0 0.0.0.0 x.x.x.x 192.168.1.3 1
            127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
           172.16.0.0 255.255.255.0 192.168.1.1 192.168.1.3 1
          192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 1
          192.168.1.3 255.255.255.255 127.0.0.1 127.0.0.1 1
        192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 1
      x.x.x.x 255.255.255.192 x.x.x.x 192.168.1.3 1
      x.x.x.x 255.255.255.255 127.0.0.1 127.0.0.1 1
      x.x.x.255 255.255.255.255 x.x.x.x 192.168.1.3 1
            224.0.0.0 224.0.0.0 192.168.1.3 192.168.1.3 1
      255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 1
    Default Gateway: d.d.d.d
    ===========================================================================
    Persistent Routes:
      None
    [/demo]
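The two points made above (the table is searched for the most specific match before falling back to the default gateway, and a set of remote /24s can be summarized into one static route) are easy to check with a few lines of Python. The example below is added here and is not part of c0ncept's post; it uses only the standard-library ipaddress module, and the routing table it builds is constructed to mirror the `route print` output above (the `d.d.d.d` default gateway is the post's own placeholder). It also computes the smallest prefix that covers the five example subnets, which is narrower than the /16 the post proposes.

```python
import ipaddress

# Constructed routing table in the spirit of the `route print` output above:
# (destination prefix, gateway). "0.0.0.0/0" is the default route.
ROUTES = [
    ("0.0.0.0/0", "d.d.d.d"),            # default gateway (placeholder from the post)
    ("192.168.1.0/24", "192.168.1.3"),   # local LAN, directly connected
    ("172.16.0.0/21", "192.168.1.1"),    # summary route for the remote subnets
]


def summary_route(subnets):
    """Return the smallest single prefix that covers every subnet in `subnets`."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    summary = nets[0]
    # Widen the prefix one bit at a time until every subnet falls inside it.
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: the most specific matching route wins; the
    default route (prefix length 0) matches everything and is the fallback."""
    dst = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    return best_gw


def windows_route_add(net, gateway, metric=1):
    """Render a summary prefix as the `route add` command used in the demo."""
    return f"route add {net.network_address} MASK {net.netmask} {gateway} METRIC {metric}"


if __name__ == "__main__":
    remote = ["172.16.%d.0/24" % i for i in range(1, 6)]
    summary = summary_route(remote)
    print(windows_route_add(summary, "192.168.1.1"))
    for host in ("172.16.3.7", "192.168.1.50", "8.8.8.8", "172.16.9.1"):
        print(host, "->", lookup(host))
```

Note that 172.16.0.0/16, as in the post, would also work, but it sends every 172.16.x.x destination through the VPN; the /21 computed here covers only 172.16.0.0 to 172.16.7.255, so a host such as 172.16.9.1 falls through to the default gateway exactly as the first sentence of the post describes.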
    -----Original Message-----
    From: Focus on Microsoft Mailing List
    [mailto:FOCUS-MSSECURITYFOCUS.COM]On Behalf Of Nathan Reynolds
    Sent: Friday, March 30, 2001 6:28 AM
    To: FOCUS-MSSECURITYFOCUS.COM
    Subject: Re: VPN endpoint security

    Also-

    I would say significantly more than 50% of us have multi-subnetted networks
    at work. Unchecking the "use default gateway on remote network" isn't
    really a valid option.

    -----Original Message-----
    From: pen test [mailto:pentestlistHOTMAIL.COM]
    Sent: Thursday, March 29, 2001 7:10 AM
    To: FOCUS-MSSECURITYFOCUS.COM
    Subject: Re: VPN endpoint security

    Here's what I saw some time ago.

    When I connect to the VPN my AOL Instant Messenger will sign off and then
    sign back on; the same thing happens when I log out of the VPN. This shows that
    my traffic is routing through the VPN. If I uncheck "use remote default
    gateway" then this does not happen, so the traffic is going out like normal.
    BUT if I don't use the company's gateway I have to use a hosts file to resolve
    anything, so it's more of a pain than anything. Your computer will still
    respond to scans, pings and whatever, since the VPN connection is on top of
    your normal connection. Your IP from your ISP is still valid. You
    essentially have 2 IPs not a real and a virtual. Hey, you can be found twice
    by attackers.

    >From: Jason Lewis <jlewisJASONLEWIS.NET>
    >Reply-To: jlewisjasonlewis.net
    >To: FOCUS-MSSECURITYFOCUS.COM
    >Subject: Re: [FOCUS-MS] VPN endpoint security
    >Date: Tue, 27 Mar 2001 19:32:10 -0500
    >
    >Maybe I wasn't clear. My machine acts like it is on the network where
    >the VPN server is. Traceroute works like I am sitting next to the
    >server.
    >
    >My question was related to the IP that my ISP gives me. Is that IP
    >still responding to port scans, attacks, whatever.
    >
    >When I connect to the VPN server, it assigns me an IP for the network
    >the VPN server is connected to.
    >
    >jas
    >http://www.rivalpath.com
    >
    >
    >
    >-----Original Message-----
    >From: Byron Kennedy [mailto:byronmarkettools.com]
    >Sent: Tuesday, March 27, 2001 7:18 PM
    >To: 'jlewisjasonlewis.net'; FOCUS-MSSECURITYFOCUS.COM
    >Subject: RE: VPN endpoint security
    >
    >
    >i think running a simple traceroute would also confirm this for you.
    >
    >-----Original Message-----
    >From: Jason Lewis [mailto:jlewisJASONLEWIS.NET]
    >Sent: Tuesday, March 27, 2001 2:18 PM
    >To: FOCUS-MSSECURITYFOCUS.COM
    >Subject: Re: VPN endpoint security
    >
    >
    >This brings up something I have been thinking about but haven't tested.
    >
    >It appears that when I connect my Win2K Pro laptop to my Win2K server
    >via VPN, all my traffic is routed through the VPN. Does this mean that
    >my machine no longer responds to requests via the IP that I am assigned
    >when I get on the internet? All my traffic is routed over the IP that
    >the VPN server has given me.
    >
    >Maybe I need to go port scan my machine......
    >
    >To answer the original question, I have been recommending ZoneAlarm.
    >
    >jas
    >http://www.rivalpath.com
    >
    >
    >-----Original Message-----
    >From: Focus on Microsoft Mailing List
    >[mailto:FOCUS-MSSECURITYFOCUS.COM]On Behalf Of Richard Bartlett
    >Sent: Tuesday, March 27, 2001 2:23 AM
    >To: FOCUS-MSSECURITYFOCUS.COM
    >Subject: Re: VPN endpoint security
    >
    >
    >Byron,
    >
    >For protecting VPN users using Windows 2000/NT4 I recommend using
    >Network ICE ICEpac Security Suite. This gives you a central console
    >that manages all our VPN or remote users who are running BlackICE
    >Agents, and they don't even know it's there (or they don't have to).
    >It's fairly easy to setup and can be combined with BlackICE Sentry to
    >watch your entire subnet.
    >
    >Heartily recommend it.
    >
    >Richard Bartlett
    >Hacker Immunity Ltd
    >
    >-----Original Message-----
    >From: Focus on Microsoft Mailing List
    >[mailto:FOCUS-MSSECURITYFOCUS.COM]On Behalf Of Byron Kennedy
    >Sent: 26 March 2001 21:09
    >To: FOCUS-MSSECURITYFOCUS.COM
    >Subject: VPN endpoint security
    >
    >
    >Just curious what others are doing out there to secure corporate IPSec
    >VPN endpoints (dial-up, broadband, etc.)? Looking for an easy to
    >administer solution for Wintel clients using primarily Win2000 and
    >NT4.0. Concerns are policy administration and ease of use. What about
    >ZoneAlarm Pro? Other?
    >
    >Thx! Byron
    >
    >
    >
    >Byron Kennedy
    >Markettools, Inc.
    >*******************************************
    >www.markettools.com
    >www.ztelligence.com
    >www.zoomerang.com
    >MarketTools is the premier applications services provider of Web-based
    >corporate solutions including market research and feedback services.
    >The company helps businesses of all sizes gather the critical
    >information they need to make key business decisions. MarketTools'
    >research and feedback applications are the first phase of its global
    >relationship intelligence network that will link companies with their
    >customers, employees, vendors and shareholders. MarketTools is a
    >privately held company headquartered in Mill Valley, CA.
