
Deny everything. Allow outbound port 80.
Bzzt! You just let in an ActiveX exploit. Or Javascript. Or....
And I have successfully blocked everything other than ActiveX or JavaScript or whatever else.
Allow mail server to 25
Bzzt! You just let in a new Outlook exploit.
It is talking only to your own server. Presumably you already made sure that your Outlook by itself does not do anything funny?
If you need AIM, allow AIM from workstations to oscar.aol.com and whatever the name of the other machine is.
Bzzt! You just let in an AIM exploit. That's assuming that you even *know* what the current name of the other machine is this time around - this laptop has had 6 IP addresses in as many hours. Remember there's a reason why 'talk george@his-box.whatever.dom' isn't as common anymore....
Oscar.aol.com and whatever the name of another .aol.com machine it is are the names associated with services that AIM connects to.
I am failing to see a problem.
Well.. other than you let a box that wants to talk on the VPN get outside access to 3 things that are *KNOWN* vectors of malware which could then attack the VPN side of things, no, there's no problem here.
That's why the policy on that box that wants to talk to the secure network over VPN is to drop all but the traffic to/from the gateway the VPN client connects to on the floor. It is being done. CheckPoint, for example, manages to manage policy on the client not to contradict the policy of the site. Why don't others do it is beyond me.
Alex
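The two policies argued over above (the site's default-deny egress rules and the VPN host's drop-all-but-the-gateway rule), written out as a small default-deny evaluator. This is an added example, not code from the thread; the addresses, host names and the AIM port 5190 are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR the packet must come from
    dst: str      # CIDR it must go to ("0.0.0.0/0" = anywhere)
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    note: str     # why the rule exists


def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.proto == proto and rule.dport == dport)


def decide(policy: list, src: str, dst: str, proto: str, dport: int) -> str:
    """First matching allow rule wins; anything unmatched is denied (default deny)."""
    for rule in policy:
        if matches(rule, src, dst, proto, dport):
            return f"ALLOW ({rule.note})"
    return "DENY"


# Constructed addresses for the example; not real infrastructure.
WORKSTATIONS = "10.0.1.0/24"
MAIL_SERVER = "10.0.0.25/32"
OSCAR_AOL = "192.0.2.10/32"      # stand-in for what oscar.aol.com resolves to
VPN_GATEWAY = "203.0.113.1/32"   # assumed address of the site's VPN gateway
VPN_HOST = "10.0.1.7/32"         # the box that talks to the secure network

# Site egress policy as stated in the thread: deny everything, then allow these.
SITE_POLICY = [
    Rule(WORKSTATIONS, "0.0.0.0/0", "tcp", 80, "outbound web"),
    Rule(MAIL_SERVER, "0.0.0.0/0", "tcp", 25, "mail server to 25"),
    Rule(WORKSTATIONS, OSCAR_AOL, "tcp", 5190, "AIM to oscar.aol.com (port assumed)"),
]

# Policy on the VPN host itself: only the tunnel to the gateway, the rest is dropped,
# so the port-80 allowance of the site policy never applies to this box.
VPN_HOST_POLICY = [
    Rule(VPN_HOST, VPN_GATEWAY, "udp", 500, "IKE to VPN gateway"),
    Rule(VPN_HOST, VPN_GATEWAY, "udp", 4500, "IPsec NAT-T to VPN gateway"),
]

if __name__ == "__main__":
    print(decide(SITE_POLICY, "10.0.1.7", "198.51.100.5", "tcp", 80))      # ALLOW
    print(decide(VPN_HOST_POLICY, "10.0.1.7", "198.51.100.5", "tcp", 80))  # DENY
```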