  • #2079322

    Cisco “VPN” v. Windows 2000 VPN ?

    by ghurley ·

    My client has two offices, linked over the Internet by a “VPN” implemented on Cisco equipment (Catalyst 2900 routers). I’m not an expert on VPNs, but it seems the setup (configured by a third party) is very different from my idea of a VPN, and is quite awkward to use and to maintain.

    My idea of a VPN for this application is Microsoft’s Windows 2000 router-to-router VPN, which I understand can provide effectively a network layer router connection between two private subnets, allowing more or less any IP traffic to pass freely between them (constrained only by the permissions configured on the hosts). In particular, any IP address on either Intranet subnet could be accessed from any host on the network, via ordinary network layer communications (e.g. ARP, ICMP, routing protocols, etc). I understand the transport across the Internet would employ encrypted packets, having characteristics (port number, etc) of “VPN traffic” between the two tunnel end-points, and not exhibiting (to the public Internet) any indication of what they really are.

    In contrast, the facility installed using the Cisco equipment seems to require you to (1) identify the specific hosts on the remote network which will communicate with each other via the VPN; (2) assign “external” IP addresses to these (using addresses from a publicly-registered IP subnet); and then (3) set up and maintain Network Address Translation to map between the internal host IP addresses and these external (public) addresses. Adding extra hosts requires skilled maintenance work on the Cisco equipment, to add the new NAT mappings. If you want to use names (rather than IP addresses), you have to provide distinct name resolution services (DNS, WINS, LMHOSTS, or whatever) in each subnet.

    If you can shed any light on my confusion, I would be very grateful. My inclination is to replace the present setup with a Windows 2000 VPN?

    • #3750404

      Cisco “VPN” v. Windows 2000 VPN ?

      by erikdr ·

      In reply to Cisco “VPN” v. Windows 2000 VPN ?

      Well, the Cisco setup as described might be complex to maintain, but has its own pros and cons versus W2K VPN.
      The main thing you seem to omit from your description of a _good_ (secure) W2K VPN is a complete firewall, which might also include a NAT table. Also in general it is *not* a good idea to have a VPN set up in such a way that by default ‘any IP address on either Intranet subnet, could be accessed from any host on the network, via ordinary network layer communications (e.g. ARP, ICMP, routing protocols, etc).’ This is letting the fox into the chicken shed so to say – when one small thing on your VPN (or firewall) is corrupted the enemy can reach ANYthing in your organisation.

      So do make a detailed comparison between:
      a) the W2K VPN, with a firewall (ISA Server?) and with detailed filters telling which traffic will be let through and which is blocked by default.
      b) the Cisco setup, with maybe some new technology like access integrated with Active Directory (Cisco is working on this).

      Make sure the levels of security are the same. This might involve some non-MS stuff in the pipeline, ISA Server is a great step ahead but still needs 3rd party plugins for certain secure functions.
      In this comparison, take a few business cases where the setup needs maintenance, and compare whether Cisco is the more cumbersome or W2K. *Then* decide, based on facts instead of feelings…

      Hope this helps,

      / The Netherlands
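
An added example, not part of the thread or of either poster's setup, that models erikdr's option (a) in Python: a tunnel filter that denies by default and permits only listed flows, alongside a check that flags the any-to-any rule the original poster describes. The office subnets, host addresses, ports and rules are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample subnets for the two offices (not from the thread).
OFFICE_A = ip_network("10.1.0.0/24")
OFFICE_B = ip_network("10.2.0.0/24")

@dataclass(frozen=True)
class Rule:
    """One permit entry of a tunnel filter; anything unmatched is denied."""
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # destination port, None = any port

def matches(rule: Rule, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))

def permitted(rules: List[Rule], src: str, dst: str, proto: str,
              dport: Optional[int] = None) -> bool:
    """Default deny: a flow crosses the tunnel only if some rule permits it."""
    return any(matches(r, src, dst, proto, dport) for r in rules)

def over_permissive(rules: List[Rule]) -> List[Rule]:
    """Flag rules that open a whole office subnet to another on any protocol
    and port: the any-to-any posture erikdr argues against."""
    offices = (OFFICE_A, OFFICE_B)
    return [r for r in rules
            if r.proto == "any" and r.dport is None
            and any(ip_network(r.src).supernet_of(o) for o in offices)
            and any(ip_network(r.dst).supernet_of(o) for o in offices)]

# Constructed rule sets for the comparison (rules are one-directional).
ANY_TO_ANY = [Rule("10.1.0.0/24", "10.2.0.0/24", "any", None)]
LEAST_PRIVILEGE = [
    Rule("10.1.0.0/24", "10.2.0.10/32", "tcp", 445),   # file server share only
    Rule("10.1.0.0/24", "10.2.0.53/32", "udp", 53),    # remote DNS only
    Rule("10.1.0.0/24", "10.2.0.0/24", "icmp", None),  # ping for troubleshooting
]

if __name__ == "__main__":
    flow = ("10.1.0.20", "10.2.0.77", "tcp", 3389)  # host that should stay unreachable
    print("any-to-any permits RDP:", permitted(ANY_TO_ANY, *flow))            # True
    print("least-privilege permits RDP:", permitted(LEAST_PRIVILEGE, *flow))  # False
    print("over-permissive rules:", over_permissive(ANY_TO_ANY))
```

Because the filter is one-directional, return traffic from office B to office A is not covered by these rules; a real deployment needs either stateful tracking or explicit reverse rules.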

    • #3750018

      Cisco “VPN” v. Windows 2000 VPN ?

      by ghurley ·

      In reply to Cisco “VPN” v. Windows 2000 VPN ?

      This question was closed by the author