In Juniper's SSL VPN you can implement a route-change monitor and choose to drop the connection in the event of a change. You could also pre-scan the client for the presence of any malware.
On an IPsec connection, I would suppose that you would have to be restrictive in the level of access. If you wanted to protect against such threats, I would set up a VPN zone and have the client tunnel bound to that zone. Then, through policy, allow/disallow access and run a UTM feature like DI on the inter-zone communications. I'm speaking to ScreenOS. I'm sure there's probably some sort of VPN quarantine feature in ASA. In MS, you can do the same in IAS/NPS.

-Andrew

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kevin VPN
Sent: Thursday, January 26, 2012 11:03 PM
To: [email protected]
Subject: Re: [vpn-help] Outlook interrupted

On 01/26/2012 01:45 PM, Jernej Simončič wrote:
> On Thursday, January 26, 2012, 15:58:15, Greene, Teri wrote:
>
>> When connected to a client site through Shrew VPN (2.1.7), my Outlook
>> (MS Office 2010) drops connection and cannot re-establish. I also
>> have trouble connecting to the Internet (IE 8). Are you aware of this
>> issue, and is there anything that can be done about it? I basically
>> have no email when connected to this client. Others within our
>> organization have the same issue.
>
> The VPN tunnel probably overrides your default route, and thus
> prevents you from accessing the LAN. One client has his VPN set up
> this way, I just delete the route after establishing the connection,
> and add a route to just the segment I need.
>

Hi Jernej,

I'm disappointed that deleting the route actually works. I just tried it. I would have thought (hoped!) that Shrew might watch for things messing with the routes and reset them if they change. I'd think that would be a potential way for a trojan to get into an organization - wait for a tunnel to come up, enumerate the remote network, add a non-tunneled route to its C&C server and call home for instructions. Sort of defeats one of the purposes of a full-tunnel VPN. :(

Does anyone know if this route hack can be done with other VPN clients like Cisco or Juniper?

_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help
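A route-change monitor of the kind Andrew describes, as an added example that is not code from Shrew, Juniper or anyone on this list: it assumes Linux `ip route` output and a tunnel interface named tun0 (both assumptions), compares a baseline snapshot taken right after the tunnel came up with a later snapshot, and reports every route that now goes around the tunnel. The two snapshots are constructed; the second mirrors Jernej's delete-the-default-route-and-re-add-one-segment workaround, and any other route added outside the tunnel would be flagged the same way.

```python
# Route-change monitor: diff two `ip route` snapshots taken after a full-tunnel
# VPN came up and report anything that now bypasses the tunnel interface.
import re
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass(frozen=True)
class Route:
    dest: str            # "default" or a prefix such as 10.0.0.0/24
    via: Optional[str]   # next hop, None for directly connected routes
    dev: str             # outgoing interface

# Leading fields of an `ip route` line: "<dest> [via <gw>] dev <if> ..."; other lines are skipped
_ROUTE_RE = re.compile(r"^(?P<dest>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)")

def parse_routes(text: str) -> Set[Route]:
    routes: Set[Route] = set()
    for line in text.splitlines():
        m = _ROUTE_RE.match(line.strip())
        if m:
            routes.add(Route(m["dest"], m["via"], m["dev"]))
    return routes

def check_routes(baseline: str, current: str, tunnel_dev: str) -> List[str]:
    """Return findings; an empty list means the table still matches the baseline."""
    base, cur = parse_routes(baseline), parse_routes(current)
    findings = []
    for r in sorted(cur - base, key=lambda r: r.dest):
        if r.dev != tunnel_dev:            # a new path that goes around the tunnel
            findings.append(f"new non-tunnel route: {r.dest} dev {r.dev}")
    for r in sorted(base - cur, key=lambda r: r.dest):
        if r.dev == tunnel_dev:            # a tunnel route was deleted
            findings.append(f"tunnel route removed: {r.dest} dev {r.dev}")
    if not any(r.dest == "default" and r.dev == tunnel_dev for r in cur):
        findings.append(f"default route no longer goes through {tunnel_dev}")
    return findings

# Constructed snapshots (tun0 = tunnel, eth0 = LAN): the baseline right after the
# tunnel came up, then the table after the default route was deleted and one segment re-added.
BASELINE = """default dev tun0 scope link
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
203.0.113.10 via 10.0.0.1 dev eth0"""
TAMPERED = """default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
203.0.113.10 via 10.0.0.1 dev eth0
192.168.50.0/24 dev tun0"""

if __name__ == "__main__":
    for finding in check_routes(BASELINE, TAMPERED, "tun0"):
        print(finding)   # a client could tear the tunnel down on the first finding
```

A real client would re-read the table on a timer or on netlink route events and compare against the baseline each time; the comparison logic is the same.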
