
Tuesday, June 23, 2009

firewall-wizards Digest, Vol 38, Issue 12

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: VPN and XP Firewall GPO settings (Victor Williams)
2. Re: VPN and XP Firewall GPO settings (Paul Hutchings)
3. Re: firewall-wizards Digest, Vol 38, Issue 11 (rjdriscoll@comcast.net)
4. Re: VPN and XP Firewall GPO settings (Victor Williams)
5. Re: Cisco AnyConnect Remote Access to L2L tunnels (Todd Simons)


----------------------------------------------------------------------

Message: 1
Date: Mon, 22 Jun 2009 11:01:00 -0500
From: Victor Williams <bwilliam13@windstream.net>
Subject: Re: [fw-wiz] VPN and XP Firewall GPO settings
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <20090622110100.B8O1X.320762.root@ispmxfep10-z01>
Content-Type: text/plain; charset=utf-8

We have our GPOs set to have the firewall on, with the only exception being that TCP ports 139 and 445 can be accessed by our domain controllers. Would a setup like this not work?

All of our VPN clients work with the Microsoft XP firewall turned on without issue. We use the Cisco IPSec client as well as the AnyConnect VPN client. No issues with either.

The XP firewall by default allows any outgoing traffic, and no incoming unless you so specify. I'm not sure why it would be blocking your outgoing VPN traffic originating from your workstations. If it is, you should be able to make an exception related to the actual VPN executable allowing it outgoing access, and leave the firewall on all the time, regardless of what network it's connected to.


---- Paul Hutchings <paul@spamcop.net> wrote:
> Folks hoping for a little input here:
>
> We have a Juniper SSL VPN that has Network Connect functionality. We
> have our Group Policies configured so that when onsite XP firewall is
> disabled, when offsite XP firewall is enabled.
>
> It seems what's happening when people use the Network Connect
> functionality of the VPN is that XP is detecting that it has
> connectivity to the LAN and the domain controllers/DNS boxes and is
> switching from the "Standard Profile" to the "Domain Profile" and
> dropping the firewall, which is of course unacceptable (I accept it's
> behaving by design so it's not really a criticism of Microsoft).
>
> What do people do to work around this kind of issue? I guess a group
> policy for laptops that enables the firewall even when on the domain
> is one option, and I've opened a case with JTAC in case I'm missing
> something on the SA config.
>
> Thanks.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

------------------------------

Message: 2
Date: Mon, 22 Jun 2009 17:19:18 +0100
From: Paul Hutchings <paul@spamcop.net>
Subject: Re: [fw-wiz] VPN and XP Firewall GPO settings
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <7CF3B01A-31CF-417E-9B95-7888843B98B4@spamcop.net>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

Sorry, I may have explained badly so just to clarify:

Our default GPO is set to enable the XP Firewall when the laptops are
on "Standard Profile" and disable it when using "Domain
Profile" (going from "netsh firewall show currentprofile").

What seems to happen is: the laptop is using public Wi-Fi, so it's on
"Standard Profile" and the firewall is enabled.

User connects using Network Connect.

XP does a GPUpdate and because it can reach the domain controllers
seems to assume "Oh I'm on the domain" and switches to Domain Profile
and switches off the firewall on the client.

I could configure a GPO just for laptops that keeps the firewall on
regardless, but I'm trying to ascertain whether what I'm seeing is
normal or not?

Also what (if any) mitigation does disabling split tunnelling so the
VPN client can't see/be seen even on the local subnet have?

Cheers,
Paul

On 22 Jun 2009, at 17:01, Victor Williams wrote:

> We have our GPO's set to have the firewall on, with the only
> exception being tcp port 139 and 445 can be accessed by our domain
> controllers. Would a setup like this not work?
>
> All of our VPN clients work with the Microsoft XP firewall turned
> on without issue. We use the Cisco IPSec client as well as the
> AnyConnect VPN client. No issues with either.
>
> The XP firewall by default allows any outgoing traffic, and no
> incoming unless you so specify. I'm not sure why it would be
> blocking your outgoing VPN traffic originating from your
> workstations. If it is, you should be able to make an exception
> related to the actual VPN executable allowing it outgoing access,
> and leave the firewall on all the time, regardless of what network
> it's connected to.
>


------------------------------

Message: 3
Date: Mon, 22 Jun 2009 19:42:19 +0000 (UTC)
From: rjdriscoll@comcast.net
Subject: Re: [fw-wiz] firewall-wizards Digest, Vol 38, Issue 11
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <2099987133.7784611245699739542.JavaMail.root@sz0127a.emeryville.ca.mail.comcast.net>
Content-Type: text/plain; charset="utf-8"

Are you allowing split tunneling? I have worked at companies that have disabled split tunneling, which in effect turned off routing except through the VPN server. We then would check for things like current AV defs and patch compliance.


----- Original Message -----
From: firewall-wizards-request@listserv.icsalabs.com
To: firewall-wizards@listserv.icsalabs.com
Sent: Monday, June 22, 2009 9:00:03 AM GMT -08:00 US/Canada Pacific
Subject: firewall-wizards Digest, Vol 38, Issue 11


Message: 1
Date: Sat, 20 Jun 2009 18:30:49 +0100
From: Paul Hutchings <paul@spamcop.net>
Subject: [fw-wiz] VPN and XP Firewall GPO settings
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <DF4421BD-AB92-4055-A5D4-370E73D13981@spamcop.net>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

Folks hoping for a little input here:

We have a Juniper SSL VPN that has Network Connect functionality. We
have our Group Policies configured so that when onsite XP firewall is
disabled, when offsite XP firewall is enabled.

It seems what's happening when people use the Network Connect
functionality of the VPN is that XP is detecting that it has
connectivity to the LAN and the domain controllers/DNS boxes and is
switching from the "Standard Profile" to the "Domain Profile" and
dropping the firewall, which is of course unacceptable (I accept it's
behaving by design so it's not really a criticism of Microsoft).

What do people do to work around this kind of issue? I guess a group
policy for laptops that enables the firewall even when on the domain
is one option, and I've opened a case with JTAC in case I'm missing
something on the SA config.

Thanks.


------------------------------

Message: 4
Date: Mon, 22 Jun 2009 13:16:50 -0500
From: Victor Williams <bwilliam13@windstream.net>
Subject: Re: [fw-wiz] VPN and XP Firewall GPO settings
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <20090622131650.6I9GE.323782.root@ispmxfep10-z01>
Content-Type: text/plain; charset=utf-8

Isn't the catch-all to just leave it on all the time? What is the value of not having it on if the laptop is connected to your immediate network?

I leave ours on all the time. We don't allow workstations/laptops to share files or printers...all that is handled on our servers. So, it works well for us. Again, what is the value of turning the firewall off when the laptop enters your network?


---- Paul Hutchings <paul@spamcop.net> wrote:
> Sorry, I may have explained badly so just to clarify:
>
> Our default GPO is set to enable the XP Firewall when the laptops are
> on "Standard Profile" and disable it when using "Domain
> Profile" (going from "netsh firewall show currentprofile").
>
> What seems to happen is laptop is using public wi-fi, so it's on
> "Standard Profile", firewall is enabled.
>
> User connects using Network Connect.
>
> XP does a GPUpdate and because it can reach the domain controllers
> seems to assume "Oh I'm on the domain" and switches to Domain Profile
> and switches off the firewall on the client.
>
> I could configure a GPO just for laptops that keeps the firewall on
> regardless, but I'm trying to ascertain whether what I'm seeing is
> normal or not?
>
> Also what (if any) mitigation does disabling split tunnelling so the
> VPN client can't see/be seen even on the local subnet have?
>
> Cheers,
> Paul

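An added example, not from the thread or from any of its posters, that turns the advice above into a check a domain admin can run against an export of the XP SP2 firewall policy keys. The registry paths are the real ones the XP SP2 firewall Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall; the sample export, the domain controller addresses and the port names are constructed assumptions. It flags a Domain profile with the firewall off (the state a VPN-connected laptop on public Wi-Fi lands in once it can reach the domain controllers) and 139/445 exceptions whose scope is "*" or "LocalSubnet" rather than the domain controllers, then emits a corrected export with the firewall on in both profiles and every exception scoped to the DCs.

```python
"""Audit a Windows XP SP2 firewall policy export for the two problems in the
thread: the firewall switched off in the Domain profile, and TCP 139/445
exceptions open to any source instead of to the domain controllers only."""
import re

# Policy root the XP SP2 firewall Group Policy writes to (real key); each
# profile has an EnableFirewall DWORD and a GloballyOpenPorts\List subkey
# whose values look like "port:proto:scope:enabled|disabled:name".
ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"
PROFILES = ("DomainProfile", "StandardProfile")

# Constructed sample export (an assumption, not a real GPO): firewall off on
# the domain, 139/445 open to "*", and a LocalSubnet exception off the domain.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:*:enabled:NetBIOS Session"
"445:TCP"="445:TCP:*:enabled:SMB"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubnet:enabled:NetBIOS Session"
"445:TCP"="445:TCP:10.0.0.5,192.168.1.0/24:enabled:SMB"
"""

# Assumed domain controller addresses: the only hosts that need 139/445.
DC_ADDRESSES = ("10.0.0.5", "10.0.0.6")

REG_VALUE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg(text):
    """Minimal .reg parser: {key path: {value name: int or str}}."""
    data, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            data.setdefault(section, {})
            continue
        m = REG_VALUE.match(line)
        if m and section is not None:
            name, dword, string = m.groups()
            data[section][name] = int(dword, 16) if dword is not None else string
    return data


def parse_port_entry(value):
    """'445:TCP:10.0.0.5,10.0.0.6:enabled:SMB' -> dict of its fields."""
    port, proto, scope, state, name = value.split(":", 4)
    return {"port": int(port), "proto": proto, "scope": scope,
            "enabled": state == "enabled", "name": name}


def audit(reg_text, dc_addresses):
    """Return a list of findings; empty means the policy is safe to leave on
    everywhere, whichever profile Windows decides the laptop is in."""
    policy = parse_reg(reg_text)
    allowed = set(dc_addresses)
    findings = []
    for prof in PROFILES:
        base = f"{ROOT}\\{prof}"
        state = policy.get(base, {}).get("EnableFirewall")
        if state != 1:
            findings.append(f"{prof}: EnableFirewall={state!r}; the firewall must "
                            "be on in both profiles, because a VPN-connected laptop "
                            "that can reach the DCs is placed in the Domain profile")
        for value in policy.get(f"{base}\\GloballyOpenPorts\\List", {}).values():
            e = parse_port_entry(value)
            if not e["enabled"]:
                continue
            if e["scope"] in ("*", "LocalSubnet"):
                # On public Wi-Fi the local subnet is the hostile network.
                findings.append(f"{prof}: {e['port']}/{e['proto']} open to "
                                f"{e['scope']}; scope it to the domain controllers")
            else:
                extra = set(e["scope"].split(",")) - allowed
                if extra:
                    findings.append(f"{prof}: {e['port']}/{e['proto']} also open to "
                                    f"{','.join(sorted(extra))}, which are not DCs")
    return findings


def harden(reg_text, dc_addresses):
    """Emit a corrected export: firewall on in both profiles and every port
    exception rescoped to the DC addresses (the setup Victor describes)."""
    policy = parse_reg(reg_text)
    scope = ",".join(dc_addresses)
    out = ["Windows Registry Editor Version 5.00", ""]
    for prof in PROFILES:
        base = f"{ROOT}\\{prof}"
        out += [f"[{base}]", '"EnableFirewall"=dword:00000001', ""]
        ports = policy.get(f"{base}\\GloballyOpenPorts\\List", {})
        if ports:
            out.append(f"[{base}\\GloballyOpenPorts\\List]")
            for name, value in ports.items():
                e = parse_port_entry(value)
                out.append(f'"{name}"="{e["port"]}:{e["proto"]}:{scope}:enabled:{e["name"]}"')
            out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG, DC_ADDRESSES):
        print("FINDING:", finding)
    print(harden(SAMPLE_REG, DC_ADDRESSES))
```

Run as-is it prints five findings for the sample and then the corrected export. On a client, "netsh firewall show currentprofile" (as Paul used) and "netsh firewall show state" show which profile and which exceptions are actually in effect. Apply the corrected keys through the GPO rather than by importing the .reg file locally, since the next policy refresh would overwrite a local import.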
------------------------------

Message: 5
Date: Mon, 22 Jun 2009 20:52:44 -0400
From: "Todd Simons" <tsimons@delphi-tech.com>
Subject: Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <6BEB7C2F4C712045AA210FC242934F75077B19E4@NJ-EXCHANGE1.AD.dti>
Keywords: disclaimer
Content-Type: text/plain; charset="us-ascii"

Adding the dynamic NAT on the outside interface fixed it! Thanks!

From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of
Eric Gearhart
Sent: Friday, June 19, 2009 7:13 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Cisco AnyConnect Remote Access to L2L tunnels

On Sun, Jun 14, 2009 at 7:41 AM, Todd Simons <tsimons@delphi-tech.com> wrote:

Eric-

At this point I have this working via hairpinning; my only problem at
this point is that RemoteAccess VPNs (which are a global VPN setup)
can't browse the internet or use external hosts that are not part of my
sites.

~Todd


Todd,

Sorry about the confusion... glad to hear you have things working.

Re: the remote access clients' Internet access... you can use split
tunnels to have clients connect but only your tunnel subnets are routed
over their tunnel connection... regular internet access would go through
the clients' ISP, not over the tunnel. Is that an option?

If that's not an option, I think that you would have to set up dynamic
NAT on your outside interface and set up NAT exceptions for your internal
subnets for the RA clients to have regular Internet but still hit the
tunnel correctly... Cisco sees remote VPN clients as incoming through
the outside interface (which is annoying... I wish they'd just set up a
virtual tunnel interface on the ASA like they do on their router VPN
tunnels....)

I haven't set this up, though, so I'm shooting in the dark a bit on this
one... I have split tunnels set up for my work ASA VPN and it works quite
well.

--
Eric
http://nixwizard.net



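An added example, not from the thread or from Cisco, that checks a pre-8.3 ASA configuration (the NAT syntax current when this was written) for the three things Eric lists and the fix Todd reports: hairpinning permitted with "same-security-traffic permit intra-interface", dynamic NAT on the outside interface covering the client pool, and a NAT exemption for inside-to-pool traffic; or else a split-tunnel policy, which keeps Internet traffic off the tunnel so none of the three is needed. The configuration text, pool, subnets, interface and object names are constructed assumptions.

```python
"""Lint a pre-8.3 Cisco ASA configuration for the remote-access VPN case above:
a full-tunnel client enters and leaves on the outside interface, so it needs
intra-interface hairpinning, dynamic NAT on outside for Internet-bound
traffic and NAT exemption toward the inside subnets. A split tunnel sidesteps
all three because the client's Internet traffic never enters the ASA."""
import ipaddress
import re

# Constructed sample (pre-8.3 NAT syntax); addresses, pool and object names
# are assumptions. This is the state before Todd's fix: hairpin permitted and
# inside traffic exempted, but nothing translates the client pool when it
# heads back out of the outside interface toward the Internet.
BROKEN_CONFIG = """\
same-security-traffic permit intra-interface
ip local pool RA-POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
group-policy RA-GP attributes
 split-tunnel-policy tunnelall
"""

# Todd's fix: dynamic NAT on the outside interface for the VPN pool.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "global (outside) 1 interface\n",
    "nat (outside) 1 10.99.0.0 255.255.255.0\nglobal (outside) 1 interface\n")

# Eric's alternative: split tunnelling, so only 192.168.10.0/24 rides the tunnel.
SPLIT_CONFIG = BROKEN_CONFIG.replace(
    " split-tunnel-policy tunnelall\n",
    " split-tunnel-policy tunnelspecified\n split-tunnel-network-list value SPLIT\n"
) + "access-list SPLIT standard permit 192.168.10.0 255.255.255.0\n"


def _net(ip, mask):
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def pool_network(config):
    """Network of the 'ip local pool' the remote-access clients draw from."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+) mask (\S+)", config, re.M)
    return _net(m.group(1), m.group(3)) if m else None


def lint(config):
    """Return the problems that would stop full-tunnel clients reaching both
    the inside subnets and the Internet; an empty list means both paths work."""
    pool = pool_network(config)
    if pool is None:
        return ["no 'ip local pool' for remote-access clients"]
    if (re.search(r"^\s*split-tunnel-policy tunnelspecified$", config, re.M)
            and re.search(r"^\s*split-tunnel-network-list value \S+", config, re.M)):
        return []  # Internet traffic uses the client's ISP; nothing to hairpin
    problems = []
    if not re.search(r"^same-security-traffic permit intra-interface$", config, re.M):
        problems.append("missing 'same-security-traffic permit intra-interface': "
                        "traffic may not re-exit the interface it arrived on")
    # Dynamic NAT for the pool on outside, tied to a global (outside) entry.
    global_ids = set(re.findall(r"^global \(outside\) (\d+) ", config, re.M))
    if not any(pool.subnet_of(_net(ip, mask)) and nat_id in global_ids
               for nat_id, ip, mask in
               re.findall(r"^nat \(outside\) (\d+) (\S+) (\S+)", config, re.M)):
        problems.append(f"no 'nat (outside) <id> {pool.network_address} {pool.netmask}' "
                        "with a matching 'global (outside) <id>': clients cannot "
                        "reach the Internet through the tunnel")
    # NAT exemption so inside <-> pool traffic keeps its real addresses.
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    acl = re.escape(m.group(1)) if m else None
    exempt = m and any(
        pool.subnet_of(_net(dst, dmask)) for _src, _smask, dst, dmask in re.findall(
            rf"^access-list {acl} extended permit ip (\S+) (\S+) (\S+) (\S+)", config, re.M))
    if not exempt:
        problems.append("no 'nat (inside) 0 access-list ...' exempting inside-to-pool "
                        "traffic: replies to clients would be translated")
    return problems


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG),
                       ("split", SPLIT_CONFIG)):
        print(label, lint(cfg) or "OK")
```

Running it reports one problem for the broken config (the missing "nat (outside)" rule) and OK for the fixed and split-tunnel versions. The trade-off is the one raised earlier in this digest: split tunnelling restores the client's Internet access by leaving it directly on whatever local network it sits on, which is exactly the exposure the XP firewall discussion is about.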
------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 38, Issue 12
************************************************
