Kazaa and other peer-peer software on a VPN client

I note that Mark Mancini warns strongly against allowing remote clients to
access a LAN
through VPN if they are running Kazaa ( and presumably any othe type of
peer-peer
software). ( See thread " Remote Login from Home")

1) Not familiar with Kazaa and similar others. What is it that makes it
unadvisable on a VPN
client?

2) Would the same caution hold true for Terminal Services clients running
that software?

Thanks
DHH

Susan
Sun Dec 28 18:54:21 CST 2003

Kazaa is a known respository for viruses, malware
Kazaa says in their EULA that they can use your excess CPU power for
their purposes
Kazaa pokes holes in your firewall and you are now opening up your
network to the security level of who knows what.

Consider Kazaa a cancer or plague and don't let it near your network.

D H Harris wrote:

> I note that Mark Mancini warns strongly against allowing remote clients to
> access a LAN
> through VPN if they are running Kazaa ( and presumably any othe type of
> peer-peer
> software). ( See thread " Remote Login from Home")
>
> 1) Not familiar with Kazaa and similar others. What is it that makes it
> unadvisable on a VPN
> client?
>
> 2) Would the same caution hold true for Terminal Services clients running
> that software?
>
> Thanks
> DHH
>
>

--
http://www.sbslinks.com/really.htm

Javier
Sun Dec 28 19:06:25 CST 2003

What Susan said and...

Be aware that Kazaa is just one of many programs that can put your network
at risk (LiveWire, Morpheous, most Gnutella clients... are also P2P
software). There is also tons of other "bad stuff" that people put in their
systems... such as Spy/Adware that could have some security problems.

I don't think TS would be vulnerable in that sense (unless you are doing VPN
first)... but I might be wrong. The best way is to have no such programs :-)

--
-Javier

<< SBS ROCK!!! >>

"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
wrote in message news:uHgolZazDHA.484@TK2MSFTNGP10.phx.gbl...
> Kazaa is a known respository for viruses, malware
> Kazaa says in their EULA that they can use your excess CPU power for
> their purposes
> Kazaa pokes holes in your firewall and you are now opening up your
> network to the security level of who knows what.
>
> Consider Kazaa a cancer or plague and don't let it near your network.
>
> D H Harris wrote:
>
> > I note that Mark Mancini warns strongly against allowing remote clients
to
> > access a LAN
> > through VPN if they are running Kazaa ( and presumably any othe type of
> > peer-peer
> > software). ( See thread " Remote Login from Home")
> >
> > 1) Not familiar with Kazaa and similar others. What is it that makes it
> > unadvisable on a VPN
> > client?
> >
> > 2) Would the same caution hold true for Terminal Services clients
running
> > that software?
> >
> > Thanks
> > DHH
> >
> >
>
> --
> http://www.sbslinks.com/really.htm
>

D
Sun Dec 28 19:13:22 CST 2003

Well, yeah, but other than THAT is it OK?

:>)

DHH
================================
"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
wrote in message news:uHgolZazDHA.484@TK2MSFTNGP10.phx.gbl...
> Kazaa is a known respository for viruses, malware
> Kazaa says in their EULA that they can use your excess CPU power for
> their purposes
> Kazaa pokes holes in your firewall and you are now opening up your
> network to the security level of who knows what.
>
> Consider Kazaa a cancer or plague and don't let it near your network.
>
> D H Harris wrote:
>
> > I note that Mark Mancini warns strongly against allowing remote clients
to
> > access a LAN
> > through VPN if they are running Kazaa ( and presumably any othe type of
> > peer-peer
> > software). ( See thread " Remote Login from Home")
> >
> > 1) Not familiar with Kazaa and similar others. What is it that makes it
> > unadvisable on a VPN
> > client?
> >
> > 2) Would the same caution hold true for Terminal Services clients
running
> > that software?
> >
> > Thanks
> > DHH
> >
> >
>
> --
> http://www.sbslinks.com/really.htm
>

Chris
Sun Dec 28 19:17:04 CST 2003

Basicly......................it's illegal!!!!

I just can't believe that the people using it aren't downloading copyrighted
material. That's the only way it is legal to use this software......to swap
non copyrighted material.

--
Please visit our new online store. http://store.casnetworkservices.cc
"D H Harris" <dixon@sohelpme.info> wrote in message
news:Ob$BXiazDHA.2408@tk2msftngp13.phx.gbl...
> Well, yeah, but other than THAT is it OK?
>
> :>)
>
> DHH
> ================================
> "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
> wrote in message news:uHgolZazDHA.484@TK2MSFTNGP10.phx.gbl...
> > Kazaa is a known respository for viruses, malware
> > Kazaa says in their EULA that they can use your excess CPU power for
> > their purposes
> > Kazaa pokes holes in your firewall and you are now opening up your
> > network to the security level of who knows what.
> >
> > Consider Kazaa a cancer or plague and don't let it near your network.
> >
> > D H Harris wrote:
> >
> > > I note that Mark Mancini warns strongly against allowing remote
clients
> to
> > > access a LAN
> > > through VPN if they are running Kazaa ( and presumably any othe type
of
> > > peer-peer
> > > software). ( See thread " Remote Login from Home")
> > >
> > > 1) Not familiar with Kazaa and similar others. What is it that makes
it
> > > unadvisable on a VPN
> > > client?
> > >
> > > 2) Would the same caution hold true for Terminal Services clients
> running
> > > that software?
> > >
> > > Thanks
> > > DHH
> > >
> > >
> >
> > --
> > http://www.sbslinks.com/really.htm
> >
>
>

Mark
Sun Dec 28 19:40:42 CST 2003

OK, soapbox time......

With TS, unlike VPN, everything stays on the server and nothing goes client
to server and vice versa. With a VPN, if a client has Kazaa then you just
opened Pandora's box on your network......with TS, everything is secure.

Ok, so are ALL VPNs bad??!?!!? No, there are HIGH end VPNs that inspect
packets and prevent alternative access to the web.....all unlike M$ VPN,
which is what everyone here uses. The boss's computer may be the one that
let's in "the gift" via VPN!

This is why I RANT incessently about TS without VPN. The mapping of the
client drives is just as bad. In lieu of that use Sharepoint to put files
up and then TS in and work on them. Limit your exposure. I don't setup
VPNs unless it is site to site and 3rd party appliance with managed
computers.

Ok, I'm off the soapbox now.....I think I explained it all.

--
Sincerely,
Mark Mancini, CCA, CCNA, Master CIW&CI, CNE 4&5, MCSE+I 4&2000
www.MCSE2000.com
www.AppLauncher.com



"D H Harris" <dixon@sohelpme.info> wrote in message
news:Ovu7vSazDHA.2156@TK2MSFTNGP09.phx.gbl...
> I note that Mark Mancini warns strongly against allowing remote clients to
> access a LAN
> through VPN if they are running Kazaa ( and presumably any othe type of
> peer-peer
> software). ( See thread " Remote Login from Home")
>
> 1) Not familiar with Kazaa and similar others. What is it that makes it
> unadvisable on a VPN
> client?
>
> 2) Would the same caution hold true for Terminal Services clients running
> that software?
>
> Thanks
> DHH
>
>

Susan
Sun Dec 28 20:02:16 CST 2003

Regardless Kazaa with our without VPN/TS is not a good idea period. As
Chris pointed out and my bad for missing.. it puts your firm at risk for
digital piracy.

Mark Mancini wrote:
> OK, soapbox time......
>
> With TS, unlike VPN, everything stays on the server and nothing goes client
> to server and vice versa. With a VPN, if a client has Kazaa then you just
> opened Pandora's box on your network......with TS, everything is secure.
>
> Ok, so are ALL VPNs bad??!?!!? No, there are HIGH end VPNs that inspect
> packets and prevent alternative access to the web.....all unlike M$ VPN,
> which is what everyone here uses. The boss's computer may be the one that
> let's in "the gift" via VPN!
>
> This is why I RANT incessently about TS without VPN. The mapping of the
> client drives is just as bad. In lieu of that use Sharepoint to put files
> up and then TS in and work on them. Limit your exposure. I don't setup
> VPNs unless it is site to site and 3rd party appliance with managed
> computers.
>
> Ok, I'm off the soapbox now.....I think I explained it all.
>

--
http://www.sbslinks.com/really.htm

Kevin
Sun Dec 28 20:47:14 CST 2003

It took me close to 4 hours to purge all remnants of Kazaa that had infected
a single computer. For me, perosnally, the rule is: No Kazaa ... no HotShots
... No AOL ... no WebShots ... No to all of those things that DO NOT belongs
on a business computer system.

BTW, I just encountered WinAmp at a customer site. Anyone have any thoughts
about it? Personally. I want it off ... if only because it may use up
bandwidth.
-kw

"D H Harris" <dixon@sohelpme.info> wrote in message
news:Ovu7vSazDHA.2156@TK2MSFTNGP09.phx.gbl...
> I note that Mark Mancini warns strongly against allowing remote clients to
> access a LAN
> through VPN if they are running Kazaa ( and presumably any othe type of
> peer-peer
> software). ( See thread " Remote Login from Home")
>
> 1) Not familiar with Kazaa and similar others. What is it that makes it
> unadvisable on a VPN
> client?
>
> 2) Would the same caution hold true for Terminal Services clients running
> that software?
>
> Thanks
> DHH
>
>

Javier
Sun Dec 28 21:19:08 CST 2003

> BTW, I just encountered WinAmp at a customer site. Anyone have any
thoughts
> about it? Personally. I want it off ... if only because it may use up
> bandwidth.

I'm very fond of WinAmp... I think is a good product.

AFAIK-> it only uses the internet for downloading album info (just like
Windows Media Player does) and that sort of stuff. It does some reporting of
"statistics" but you can turn that feature off. Also, it is possible to use
it as a streaming audio player (again, like WMP or RealPlayer)... of course
that you can block this by creating the proper rules in ISA.

In any case... you can do almost anything that WinAmp does with WMP (I just
like Winamp better). So, that might just be reason enough for not allowing
it ;-)

--
-Javier

<< SBS ROCK!!! >>

Susan
Mon Dec 29 01:47:26 CST 2003

Downloading Lawsuits' Cost Getting Higher
The recording industry can still bring civil lawsuits
against people who download music illegally, but
Friday's court ruling will make that more expensive
and time-consuming. A federal appeals court said
Internet providers, such as Verizon, EarthLink and
America Online, do not have to turn over the names
of their customers when music companies serve
them with a subpoena.
http://www.siliconvalley.com/mld/siliconvalley/news/editorial/7556691.htm
http://www.wired.com/news/digiwood/0,1412,61714,00.html

Jane Doe ruling limits effect of RIAA legal defeat
http://www.theregister.co.uk/content/6/34645.html

Chris wrote:
> Basicly......................it's illegal!!!!
>
> I just can't believe that the people using it aren't downloading copyrighted
> material. That's the only way it is legal to use this software......to swap
> non copyrighted material.
>

--
http://www.sbslinks.com/really.htm

D
Mon Dec 29 07:24:17 CST 2003

"Ok, I'm off the soapbox now.....I think I explained it all."


You did indeed, Mark...and very clearly.

Thanks

DHH
======================================
"Mark Mancini" <info@NOSPAMmcse2000.com> wrote in message
news:OmY4FzazDHA.3216@TK2MSFTNGP11.phx.gbl...
> OK, soapbox time......
>
> With TS, unlike VPN, everything stays on the server and nothing goes
client
> to server and vice versa. With a VPN, if a client has Kazaa then you just
> opened Pandora's box on your network......with TS, everything is secure.
>
> Ok, so are ALL VPNs bad??!?!!? No, there are HIGH end VPNs that inspect
> packets and prevent alternative access to the web.....all unlike M$ VPN,
> which is what everyone here uses. The boss's computer may be the one that
> let's in "the gift" via VPN!
>
> This is why I RANT incessently about TS without VPN. The mapping of the
> client drives is just as bad. In lieu of that use Sharepoint to put files
> up and then TS in and work on them. Limit your exposure. I don't setup
> VPNs unless it is site to site and 3rd party appliance with managed
> computers.
>
> Ok, I'm off the soapbox now.....I think I explained it all.
>
> --
> Sincerely,
> Mark Mancini, CCA, CCNA, Master CIW&CI, CNE 4&5, MCSE+I 4&2000
> www.MCSE2000.com
> www.AppLauncher.com
>
>
>
> "D H Harris" <dixon@sohelpme.info> wrote in message
> news:Ovu7vSazDHA.2156@TK2MSFTNGP09.phx.gbl...
> > I note that Mark Mancini warns strongly against allowing remote clients
to
> > access a LAN
> > through VPN if they are running Kazaa ( and presumably any othe type of
> > peer-peer
> > software). ( See thread " Remote Login from Home")
> >
> > 1) Not familiar with Kazaa and similar others. What is it that makes it
> > unadvisable on a VPN
> > client?
> >
> > 2) Would the same caution hold true for Terminal Services clients
running
> > that software?
> >
> > Thanks
> > DHH
> >
> >
>
>

Steve
Mon Dec 29 08:02:36 CST 2003

Mark Mancini wrote:

> OK, soapbox time......
>
> With TS, unlike VPN, everything stays on the server and nothing goes
> client to server and vice versa. With a VPN, if a client has Kazaa
> then you just opened Pandora's box on your network......with TS,
> everything is secure.

That rather depends on how things are configured.

>
> Ok, so are ALL VPNs bad??!?!!? No, there are HIGH end VPNs that
> inspect packets and prevent alternative access to the web.....all
> unlike M$ VPN, which is what everyone here uses. The boss's computer
> may be the one that let's in "the gift" via VPN!

Microsoft's VPN implentation does allow you to control what passes over
the VPN tunnel, just like high-end VPNs. By default, MS VPN [in SBS]
does not provide access to the internet through the VPN at all.

--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.

Javier
Mon Dec 29 08:33:14 CST 2003

Hi Steve!

Slightly OT:

Do you know what happened with the VPN checker thingy? I could swear that I
saw somewhere that Win2k3 was going to bring a piece of software that
checked the client computer for current service pack status (and other
stuff) before the VPN link was established. Did I dream that? is just that I
haven't read anything on that subject... and this thread made me wonder.

--
-Javier

<< SBS ROCK!!! >>

"Steve Foster [SBS MVP]" <steve.foster@picamar.co.uk> wrote in message
news:ef$uqRhzDHA.1736@TK2MSFTNGP09.phx.gbl...
> Mark Mancini wrote:
>
> > OK, soapbox time......
> >
> > With TS, unlike VPN, everything stays on the server and nothing goes
> > client to server and vice versa. With a VPN, if a client has Kazaa
> > then you just opened Pandora's box on your network......with TS,
> > everything is secure.
>
> That rather depends on how things are configured.
>
> >
> > Ok, so are ALL VPNs bad??!?!!? No, there are HIGH end VPNs that
> > inspect packets and prevent alternative access to the web.....all
> > unlike M$ VPN, which is what everyone here uses. The boss's computer
> > may be the one that let's in "the gift" via VPN!
>
> Microsoft's VPN implentation does allow you to control what passes over
> the VPN tunnel, just like high-end VPNs. By default, MS VPN [in SBS]
> does not provide access to the internet through the VPN at all.
>
> --
> Steve Foster [SBS MVP]
> ---------------------------------------
> MVPs do not work for Microsoft. Please reply only to the newsgroups.

Susan
Mon Dec 29 09:34:16 CST 2003

Do a search on Network quarantene. It's under the hood.

Javier Gomez wrote:
> Hi Steve!
>
> Slightly OT:
>
> Do you know what happened with the VPN checker thingy? I could swear that I
> saw somewhere that Win2k3 was going to bring a piece of software that
> checked the client computer for current service pack status (and other
> stuff) before the VPN link was established. Did I dream that? is just that I
> haven't read anything on that subject... and this thread made me wonder.
>

--
http://www.sbslinks.com/really.htm

Javier
Mon Dec 29 09:41:56 CST 2003

Thanks Susan... I found it !!!

FYI-

The "Official" name is: Network Access Quarantine Control
http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx

[I will do some reading tonight]

--
-Javier

<< SBS ROCK!!! >>

"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
wrote in message news:%23B5$PFizDHA.2388@TK2MSFTNGP09.phx.gbl...
> Do a search on Network quarantene. It's under the hood.
>
> Javier Gomez wrote:
> > Hi Steve!
> >
> > Slightly OT:
> >
> > Do you know what happened with the VPN checker thingy? I could swear
that I
> > saw somewhere that Win2k3 was going to bring a piece of software that
> > checked the client computer for current service pack status (and other
> > stuff) before the VPN link was established. Did I dream that? is just
that I
> > haven't read anything on that subject... and this thread made me wonder.
> >
>
> --
> http://www.sbslinks.com/really.htm
>

Mark
Mon Dec 29 20:49:49 CST 2003

Steve,
I don't think the level of packet inspection compared to something like
Checkpoint is close - but I could be wrong....my specialty is TS not VPN.
To clarify......with a MS VPN client, the end user can still go to the
Internet through their ISP....other VPNs block ALL other connectivity so
there is no bridge created.

--
Sincerely,
Mark Mancini, CCA, CCNA, Master CIW&CI, CNE 4&5, MCSE+I 4&2000
www.MCSE2000.com
www.AppLauncher.com



"Steve Foster [SBS MVP]" <steve.foster@picamar.co.uk> wrote in message
news:ef$uqRhzDHA.1736@TK2MSFTNGP09.phx.gbl...
> Mark Mancini wrote:
>
> > OK, soapbox time......
> >
> > With TS, unlike VPN, everything stays on the server and nothing goes
> > client to server and vice versa. With a VPN, if a client has Kazaa
> > then you just opened Pandora's box on your network......with TS,
> > everything is secure.
>
> That rather depends on how things are configured.
>
> >
> > Ok, so are ALL VPNs bad??!?!!? No, there are HIGH end VPNs that
> > inspect packets and prevent alternative access to the web.....all
> > unlike M$ VPN, which is what everyone here uses. The boss's computer
> > may be the one that let's in "the gift" via VPN!
>
> Microsoft's VPN implentation does allow you to control what passes over
> the VPN tunnel, just like high-end VPNs. By default, MS VPN [in SBS]
> does not provide access to the internet through the VPN at all.
>
> --
> Steve Foster [SBS MVP]
> ---------------------------------------
> MVPs do not work for Microsoft. Please reply only to the newsgroups.

Steve
Tue Dec 30 05:01:38 CST 2003

Javier Gomez wrote:

> Thanks Susan... I found it !!!
>
> FYI-
>
> The "Official" name is: Network Access Quarantine Control
> http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantin
> e.mspx
>
> [I will do some reading tonight]

It's a pretty cool feature - and you can actually implement similar
functionality for yourself with SBS2000 if required. You have to use
CMAK - the Connection Manager Admin Kit - as the Connection Manager
tools include the ability to set actions to run after a connection is
made, and it's this ability that is leveraged for the quarantine
process. You could write your own code to test a machine for patch
state (eg using HFNetCHkLT) and AV state and disconnect it if it didn't
meet your rules.

--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.

Steve
Thu Jan 01 11:03:36 CST 2004

Mark Mancini wrote:

> Steve,
> I don't think the level of packet inspection compared to
> something like Checkpoint is close - but I could be wrong....my
> specialty is TS not VPN. To clarify......with a MS VPN client, the
> end user can still go to the Internet through their ISP....other VPNs
> block ALL other connectivity so there is no bridge created.

Not by default, they can't. If they modify the VPN connectoid and
untick the use default gateway box, then yes, the "internet connection"
remains active. It's possible to disable this ability if you use the
CMAK.

The reason for this is simply that the MS VPN acts as a full TCP/IP
client. Most other VPN solutions hack into the TCP/IP stack and hook
it, so that VPN requests are rewritten within the stack, whereas with
the MS one the packets are written appropriately to begin with.

The drawback with the MS approach is that turning off the VPN gateway
does create a potential back-door (note that it is only a _potential_
back-door - more config changes are required to make it bridge/route).
On the other hand, since there's no client install required, it's
likely to work with a wider range of ISPs (eg AOL software and
3rd-party VPN clients are highly likely to conflict).

Additionally, if the VPN tunnel is being filtered in ISA/RRAS, the
chances of anything malicious getting anywhere are severely reduced
anyway.

--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.