Experience is the best teacher. Especially when it's somebody else's experience.
I'm about to embark on a virtual private network (VPN) construction project, and I'm not eager to learn from my own mistakes. So two weeks ago, I posted this Microsoft Challenge: My small (10 users) network accesses the Internet through a 1-Mbps DSL line and Microsoft's Proxy Server. Where do I go from here? What kind of mistakes am I likely to make? Help me avoid the pitfalls and get my VPN running smoothly, securely, and as quickly as possible.
I had faith that TechRepublic members could help me sort out my VPN options, and that faith was rewarded. I received a dozen well-thought-out suggestions that add up to a great checklist. Not surprisingly, the vote was split on which OS to use. Some say go with Windows 2000 to take advantage of its integration with Active Directory and its support for Layer 2 Tunneling Protocol (L2TP) using Internet Protocol Security (IPSec). Others say stick with Windows NT and keep Win2K at arm's length until the bugs are shaken out. And still others suggested I just throw a Linux box between the network and the world.
From the trenches…
Collectively, you've made your share of VPN slip-ups. I enjoyed this true confession from trichard: "I've said ‘DUH!’ one too many times because I forgot the 128-bit security upgrade patch from MS... don't miss this often overlooked step."
In a detailed response, Inspectorclave assembled a dynamite checklist:
Make sure you have TCP/IP configured to enable PPTP filtering. This will prevent outside access to your internal network through VPN.
Add the Point-to-Point Tunneling Protocol to your list of protocols.
Create a dialup networking connection configured for your VPN.
Make sure that your proxy server has the applicable ports configured for inbound and outbound traffic.
My favorite responses, though, were chronicles from the front lines, based on first-hand experience.
Skiptheb in Andover, MA, just finished setting up a VPN at an Internet startup using Win2K and a 1.1-Mbps DSL connection. He writes, "I chose not to use the proxy server from Microsoft. Instead, I went with a NetScreen firewall for better control of the ports and also to use mapped IPs to my servers. The VPN works great (once I got the subnet details right from my ISP—they seemed new to this too). I have been wanting to install a VPN solution now for two years. It took me this long to find a firm that was on-board with the cost justification."
Skip may be done, but brdall is smack in the middle of implementation right now. "We tried the NT PPTP solution and rejected it," he says. "It's slow (fat protocol) and not always reliable. We're switching to the Cisco PIX with IPSec clients. Somewhat expensive and not real easy to set up on the host end, but faster, and actually the client setup is much easier."
To round out the package, I received an assortment of interesting third-party hardware and software recommendations:
"I would definitely upgrade to Win2K first, purchase Check Point's VPN software," says jeff. "You'll save a few headaches, although you will spend a few more IT dollars up front."
If you are going to be growing, be careful not to paint yourself into a corner, says jcomes. "I'd highly suggest using a hardware VPN. We've used one from Nortel and it works very well; you can even use the MS VPN Client with Windows 2000/98."
Separate endorsements for Lucent's Pipeline routers (formerly made by Ascend) come from mouim and a TechRepublic member known only as Clocks. The former says, "A DSL Pipeline router with built-in VPN capabilities and firewall protection can easily be purchased for under $1,000, which is even less than a scaled down server."
michael_moore argues in favor of "some kind of secure router/firewall with VPN enabled. Cisco works better than Win2K and the client is free. Good luck, this is definitely a learning experience."
Thanks for all the input. I feel much more confident about the next phase of the operation.
Here's Ed's new Challenge
Many of you suggested that the most important part of configuring a firewall or proxy server is to block undesirable incoming and outgoing ports and allow the ones you need. Okay, I'll buy that. In my continuing quest to build a truly private VPN, I need to configure Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports. But I'm having trouble finding an authoritative source of information on port numbers and their purposes. Can you point me (and your fellow TechRepublic members) to a good source of information? If so, click here to tackle this week's Microsoft Challenge.
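Both Inspectorclave's checklist item about proxy ports and this week's Challenge come down to the same question: which ports does a VPN gateway have to let through, and how do you deny everything else? The script below is an added example written for this page; it is not code from the column or from any of the members quoted. It assumes the "Linux box between the network and the world" option, with that box running iptables and terminating the VPN itself (if the VPN server sits behind it, you would also need DNAT rules, which are not shown). The interface name and the dry-run approach are illustrative choices. The port numbers are the standard ones: PPTP uses TCP 1723 for its control channel and GRE (IP protocol 47) for the tunnel; L2TP/IPsec uses UDP 500 for IKE, UDP 4500 for NAT traversal, ESP (IP protocol 50) for the tunnel, and UDP 1701 for L2TP, which should only ever be accepted when it arrived inside IPsec. The functions print the iptables commands rather than running them, so you can read the rule set before piping it to sh.

```shell
#!/bin/sh
# Added example (not from the original column): a default-deny rule set for a
# Linux gateway that admits only VPN traffic from the Internet side, the same
# effect NT's "PPTP filtering" checkbox aims for. Prints commands; does not
# apply them. Interface name below is an assumption for this example.

WAN_IF="${WAN_IF:-eth0}"   # assumed Internet-facing interface

# vpn_rules TYPE: print the INPUT rules that admit one VPN type from the WAN.
vpn_rules() {
    case "$1" in
        pptp)
            # PPTP: control channel on TCP 1723, tunnel data in GRE (protocol 47).
            echo "iptables -A INPUT -i $WAN_IF -p tcp --dport 1723 -m conntrack --ctstate NEW -j ACCEPT"
            echo "iptables -A INPUT -i $WAN_IF -p gre -j ACCEPT"
            ;;
        l2tp-ipsec)
            # L2TP/IPsec: IKE on UDP 500, NAT-T on UDP 4500, ESP (protocol 50).
            # L2TP's own port (UDP 1701) is accepted only if the packet was
            # decapsulated from an IPsec SA, never as plaintext from the WAN.
            echo "iptables -A INPUT -i $WAN_IF -p udp --dport 500 -j ACCEPT"
            echo "iptables -A INPUT -i $WAN_IF -p udp --dport 4500 -j ACCEPT"
            echo "iptables -A INPUT -i $WAN_IF -p esp -j ACCEPT"
            echo "iptables -A INPUT -i $WAN_IF -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT"
            ;;
        *)
            echo "unknown VPN type: $1 (use pptp or l2tp-ipsec)" >&2
            return 1
            ;;
    esac
}

# gateway_ruleset TYPE: full rule set. Order matters: default policy DROP,
# loopback and already-established flows first, then the VPN holes, then a
# logging rule so blocked WAN traffic shows up in the syslog.
gateway_ruleset() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    vpn_rules "$1" || return 1
    echo "iptables -A INPUT -i $WAN_IF -j LOG --log-prefix \"vpn-gw drop: \""
}

# Usage: sh vpn-gw.sh pptp            (review the output)
#        sh vpn-gw.sh l2tp-ipsec | sh (apply it, as root, once you trust it)
if [ -n "$1" ]; then
    gateway_ruleset "$1"
fi
```

Everything not explicitly opened here is dropped and logged, which is the "block the undesirable, allow the needed" policy several members recommended. If you keep the Microsoft proxy on the inside, the same two or three ports are what it needs opened inbound; outbound web traffic from the LAN never touches this WAN-facing INPUT chain.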