
On Mon, 27 Jan 2003 16:00:51 EST, alex@yuriev.com said:
> It is very easy.
> Deny everything. Allow outbound port 80

Bzzt! You just let in an ActiveX exploit. Or JavaScript. Or....

> Allow mail server to 25

Bzzt! You just let in a new Outlook exploit.

> If you need AIM, allow AIM from workstations to oscar.aol.com and whatever the name of the other machine.

Bzzt! You just let in an AIM exploit. That's assuming that you even *know* what the current name of the other machine is this time around - this laptop has had 6 IP addresses in as many hours. Remember there's a reason why 'talk george@his-box.whatever.dom' isn't as common anymore....

> I am failing to see a problem.

Well.. other than you let a box that wants to talk on the VPN get outside access to 3 things that are *KNOWN* vectors of malware which could then attack the VPN side of things, no, there's no problem here.