General discussion

  • #2343488

    Securing VPN remote users.

    Locked

    by sselinger ·

    Question of the Day:

    I am wondering what other organizations are doing regarding VPN security issues. I have had a hard time finding resources that talk about securing VPN users. A lot of sites say that VPNs fix security holes but it seems like they just introduce more security issues for remote users.
    Here are the questions I am wondering about:
    1) Who are your remote users? i.e. company owned machines or individual owned machines.
    2) How do you protect against viruses from remote VPN users? Please be very detailed.
    3) How do you install applications on remote users' computers and how do you update and support these applications?
    4) Do you use terminal services such as Windows 2000 or Citrix Metaframe for applications?
    5) How did you determine the server and bandwidth requirements for terminal server connections?
    6) Have you used terminal services through a browser and what were your experiences?
    7) If you use Citrix over Windows 2000 please explain the benefits you have found of Citrix compared to Windows 2000.
    8) URLs of good security resources that talk about securing remote VPN users. I am not looking for sites that say that a VPN fixes all of my security concerns because it does not. In fact VPNs create even more security concerns.
    9) What software are you using for viruses and/or remote user firewall software?

    Here is my plan,

    Have users connect to the corporate network via the VPN. During each logon the McAfee thin client would push out new virus definitions and would report viruses detected. Once this was complete the user could then connect to the terminal server for applications.

    Thanks!

All Comments

    • #3711423

      Securing VPN remote users.

      by michael.picher ·

      In reply to Securing VPN remote users.

      I’ve setup many VPNs for customers and find connections to individual computers to be a lot of overhead.

      The VPNs that work best are typically point to point connections for WAN connectivity. The VPN gets setup with hardware devices and stays setup.

      When you give VPN client software to a user to install on their home computer you never know what they’ll have for equipment, if it’s infected, etc… Also probably only 2 to 5% of the users will be able to get it installed. And then they’ll expect you to fix their home computer when your VPN software or virus software “breaks it”.

      The approach I’m recommending is to install VPN client software on equipment owned by the organization only. This is gear that you can control the configuration and virus protection on.

      If users need access to resources from devices other than company owned resources they should be using Terminal Server or Citrix web clients (again so you don’t have to setup software on an unsupported machine). Make sure that connections are secure and I would recommend using some security token type devices (like those from RSA) for authentication.

      Mike

      • #3711384

        Securing VPN remote users.

        by sselinger ·

        In reply to Securing VPN remote users.

        These are things that I already knew about VPN’s. Please answer the question posted.

    • #3711139

      Securing VPN remote users.

      by turambar386 ·

      In reply to Securing VPN remote users.

      Hey there. I dunno if I can answer all these questions in 1930 chars, but I’ll give it a try…

      1) Employees using either their own or company supplied systems.
      2) We decided to not shoulder the expense and support of anti-virus software. Before employees get VPN access, they must sign an agreement stating that they have current AV software installed and that they maintain it regularly. They are required to tell us the brand and version of the software. This seemed to make sense since many of our employees already had AV software.
      3) out of band on CDs
      4) yes (metaframe), but a subset of VPN users have full IP access to the network.
      5) we didn’t.
      6) no (dial up only)
      7) server resides on NT only
      8)-> http://networkmagazine.com/article/NMG20010518S0006
      http://www.infosecuritymag.com/articles/may01/cover.shtml
      http://www.itworld.com/Sec/2211/CWD010326firewalls/
      9) As I said, we aren’t supplying AV software to remote users. We are using personal firewall software, however, and this is very important. For ourselves, we are using the ‘Secure Client’ feature built into the Checkpoint VPN client. If you are not using a Checkpoint VPN Gateway, that’s no use to you. Symantec’s ‘Desktop Firewall’ software appears to be a good product to fill this need.
      Hope this helps!

    • #3708906

      Securing VPN remote users.

      by bluewizard ·

      In reply to Securing VPN remote users.

      Q.1) Who are your remote users?
      A. Doesn’t matter. You should consider everyone as a hazard and secure yourself accordingly.
      Q.2) How do you protect against viruses?
      A. The same way as anything else. Put good antivirus software on all your servers and keep it up to date.
      Q.3) How do you install applications on remote users' computers?
      A. I wouldn’t do this. I would provide access to centrally held copies of software – see below.
      Q.4) Do you use terminal services?
      A. Yes, Tarantella – see http://www.tarantella.com
      Q.5) How did you determine the server and bandwidth?
      A. This depends on the application. Tarantella runs Adaptive IP which makes very good use of the available bandwidth. I have had very good results from modem connections.
      Q.6) Have you used terminal services through a browser?
      A. That’s what Tarantella does. It works wonderfully well.
      Q.7) If you use Citrix?
      A. I haven’t used Citrix but when I assessed both I found Tarantella to be better than Citrix and much less expensive.
      Q.8) URLs of good security resources.
      A. In some ways VPNs do solve more security problems than they create because you will be configuring the VPN from firewall to firewall and you will be setting the security policy of both ends. See http://www.netscreen.com for example.
      Q.9) What software are you using for viruses and/or remote user firewall software?
      A. We use McAfee office edition but there are others. For firewalls I would use Checkpoint 4.1 at your central site, running of course on its own server. For your remote clients use a hardware firewall like NetScreen (see above). They are faster and cheaper than software for small sites.

    • #3708787

      Securing VPN remote users.

      by stillatit ·

      In reply to Securing VPN remote users.

      1. We connect all of our offices and all remote home users via vpn. Most are company-owned machines, a very few are personal.

      2. All of our machines run Symantec anti-virus. We have a corporate license for all of the company-owned PCs and all personal machines which connect to us. (Pricing is by seat.) The server for the anti-virus software updates all computers at least weekly.

      3. All company-owned machines are configured by our IT department. Personal machines are usually configured by us as well, with a few exceptions. Our help desk supports all applications. When updates are needed, we generally load the update on our server and all users pull a copy. (Depends on what the update is.)

      4. We use Citrix Metaframe for our main applications. We use seamless windows so that users see the application window, with no remote desktop window.

      5. Sizing is generally by seat-of-the-pants. We guesstimate 6K in bandwidth per user, and load up a dual-CPU server with as much memory as it can hold. If things seem to slow down, we will add a server.

      (continued in comment)

      • #3708786

        Securing VPN remote users.

        by stillatit ·

        In reply to Securing VPN remote users.

        (continued)

        6. We have tried services in a browser, but did not like it. Most of our users don’t really know that they are using a terminal server, and we like to keep it that way.

        7. We use Citrix over NT4. The main benefits of Citrix are seamless windows, added stability of connection and superior administrative utilities.

        8. (no spaces or line breaks in any urls)
        http://support.microsoft.com/support/kb/articles/Q255/7/84.ASP

        You can read any sites you want, but the bottom line is that outgoing VPN does not add any security holes, since it is typically not set up to receive connections. Passwords and data between the client and server are typically encrypted, typically with 128-bit encryption. If you are really concerned about it, add a personal firewall on each machine, set to block everything you are worried about. (A virus is much more likely to come in via email, so this is probably overkill, but you must make your own risk tolerance decisions.)

        Good luck.

      • #3420936

        Securing VPN remote users.

        by sselinger ·

        In reply to Securing VPN remote users.

        The question was auto-closed by TechRepublic

    • #3708300

      Securing VPN remote users.

      by estebandelatorre ·

      In reply to Securing VPN remote users.

      1) Who are your remote users?
      Anyone that has correctly installed and configured the VPN client software and IP addresses (usually from the internet, because it is a private communication using a public line. That’s a VPN!)
      2) How do you protect against viruses from remote VPN users?
      Remote/external users log in to your network server or set of servers. Once he is connected, the communication between your server and his PC is safe, so you should keep safe from his PC just as you do against any other private (in your LAN) workstation.
      An antivirus at the server, an e-mail antivirus, etc., etc. There is no possibility to get infected FROM ANY other internet side machine.
      3) How do you install applications on remote users' computers and how do you update and support these applications?
      Applications should be WEB like, client server, or remote control apps. Set up a private internal web site and make an app like those that you can download software from. Make an install downloadable script file and provide enough help online. The users must install the software themselves.
      4) Do you use terminal services such as Windows 2000? YES!!!
      These are the most common and secure methods to move applications say from DOS to WEB like sessions. Printing is Ughhh!!!
      5) How did you determine the server and bandwidth requirements for terminal server connections?
      TRY and TEST. Line BW is not an issue, give 8K per connection, but resources at the server, definitely yes. Again, it all depends on your application, so set up a T2K server and start accessing it. There is so much info to track…

    • #3708291

      Securing VPN remote users.

      by estebandelatorre ·

      In reply to Securing VPN remote users.

      Cont:
      6) Have you used terminal services through a browser and what were your experiences?
      Again, this is the most common configuration, due to the fact that T2K and Citrix were developed to move applications to the web world but not to a web server!
      7) If you use Citrix over Windows 2000 please explain the benefits you have found of Citrix compared to Windows 2000.
      Both are similar applications and both are very good and stable. I preferred W2K. (less money…)
      8) URLs of good security resources that talk about securing remote VPN users
      Define your VPN platform first: Netware, WNT 4.0, W2K, etc. Then start searching about that particular software. I recommend Novell VPN auth server or BorderManager server.
      9) What software are you using for viruses and/or remote user firewall software? BorderManager 3.0 from Netware. It provides Firewall+proxy+VPN in a single box. (You don’t need a firewall for VPN access only)

      Hope it’s useful..

    • #3708243

      Securing VPN remote users.

      by penguinsrule ·

      In reply to Securing VPN remote users.

      Talk to your Cisco reseller – the solutions that Cisco provides are secure, and the best that you can do. You don’t really need to look elsewhere.

    • #3707515

      Securing VPN remote users.

      by juandemarco ·

      In reply to Securing VPN remote users.

      1)Who are your remote users?
      We have both organizations and individuals. We are a health care provider, and so this is a very big issue with us.

      2)How do you protect against viruses from remote VPN users?
      I don’t leave anything to chance. We are running MyCIO on all of the client systems in the company, Group Shield on all of the servers as well as Out Break on the Exchange servers. After this, for all of our remote users we have a Nokia VPN Gateway with Checkpoint and McAfee on it for virus and hacking detection. We also use several different sniffers on each of our servers that we run reports with each week.

      3)How do you install applications on remote users computers and how to you update and support these appliations.
      In all truth, we send out a burned CD-ROM to the remote users. We have very few as we use Internet Explorer for most of our remote usage. There is very little software that we send out. The CD contains a simple setup program that installs the changes using Windiff from MS.

      8) URLs of good security resources that talk about securing remote VPN users. I am not looking for sites that say that a VPN fixes all of my security concerns because it does not. In fact VPNs create even more security concerns.
      Truth be told, I use most of the hacking sites for checking on what could be used to get through the firewalls. Then I plan accordingly. Here is one you may wish to see, using VPNs against you.
      http://www.nocrew.org/software/httptunnel.html
      Here are a few more to check out:
      http://www.cotse.com/security.htm
      http://www.insecure.org/
      http://www.securitywriters.org/

      9) What software are you using for viruses and/or remote user firewall software?
      See question # 2

      Hope this helps you out,
      -Juan De Marco

    • #3708142

      Securing VPN remote users.

      by penguinsrule ·

      In reply to Securing VPN remote users.

      1)Individually owned machines. IT staff
      2) I’ll try to find out for you.
      3)We have a procedure for doing this.
      4) We use Smart Term
      5) We don’t use a terminal server connection.
      6) We’re happy with Smart Term.
      7) Haven’t done this.
      8) http://www.cisco.com (of course) – There’s a WEALTH of information there. Before you reject my answer you need to check out what Cisco has to offer. I know I’m right.
      9) Obvious answer

    • #3717019

      Securing VPN remote users.

      by icrovop ·

      In reply to Securing VPN remote users.

      I have several clients using VPN and TS.

      1: Most of the users are internal users who need access from home or on the road. They use both their own PCs and company owned PCs.
      2: All of the users are required to use and maintain anti-virus software on their computers. All of the servers and or PC’s that they connect to have enterprise Anti-virus software installed. Maintaining your anti-virus software at your servers is the key to good protection.
      3: They have either been installed at the office or they have been given the software and detailed instructions on how to install it. However most users that try and do it themselves need phone support to install it properly.
      4: I have used both TS and PCanywhere in VPN situations. PCanywhere requires a PC for each user coming in. Pcanywhere was used because software they are using is not compatible with TS.
      5: Compaq has a good white-paper to determine hardware requirements. http://www.compaq.com/support/techpubs/whitepapers/207a0996.html. Citrix claims that a Terminal Services connection uses 11K of bandwidth per user.
      6: Yes I have, but it was decided that there were too many downsides to using it. Security being the main issue. A web server is difficult to lock down and keep locked down, due to bugs and holes. However, using a web browser is the more economical way to go, because of licensing requirements. Web-based TS’s reliability can leave a lot to be desired. Especially on disconnect.

      see below for continuation…

      • #3717017

        Securing VPN remote users.

        by icrovop ·

        In reply to Securing VPN remote users.

        7: I have played with Citrix and have found it to be more versatile than Win2k. The main difference is the cost. Citrix is very expensive when only a few users will be connecting. Win2k is more expensive when allowing a lot of users access. Any more than 10-15 users and you should consider Citrix. Win2k TS is licensed on a per seat basis only. This means that a user can not use more than one PC to connect without incurring a charge to your license.

        8: no answer

        9: I am using both Norton Antivirus Enterprise and McAfee for antivirus software. Norton is good, but at the moment I like McAfee better. They seem to get virus updates out faster than Symantec. Checkpoint’s Firewall-1 is a very nice package with both Firewall and excellent VPN built-in.

      • #3420923

        Securing VPN remote users.

        by sselinger ·

        In reply to Securing VPN remote users.

        The question was auto-closed by TechRepublic

    • #3716759

      Securing VPN remote users.

      by estebandelatorre ·

      In reply to Securing VPN remote users.

      1. We connect all of our offices and all remote home users via vpn.
      Most are company-owned machines, a very few are personal.

      2. All of our machines run Trend anti-virus. We have a corporate license for all of the company-owned PCs and all personal machines which connect to us. Automatic update at logon time available!

      3. All company-owned machines are configured by our IT department. Personal machines are usually configured by us as well, with a few exceptions. Our help desk supports all applications. When updates are needed, we generally load the update on our server and all users pull a copy. (Depends on what the update is.)

      4. We use Citrix Metaframe for our main applications.
      We use seamless windows so that users see the application window, with no remote desktop window.

      5. Sizing is generally by seat-of-the-pants. We guesstimate 6K in bandwidth per user, and load up a dual-CPU server with as much memory as it can hold.

    • #3716758

      Securing VPN remote users.

      by estebandelatorre ·

      In reply to Securing VPN remote users.

      cont…

      6) no (dial up only)

      7) server resides on NT only

      8)-> http://networkmagazine.com/article/NMG20010518S0006

      9) As I said, we aren’t supplying AV software to remote users.
      We are using personal firewall software, however, and this is very important. For ourselves, we are using the ‘Secure Client’ feature built into the Checkpoint VPN client. If you are not using a Checkpoint VPN Gateway, that’s no use to you. Symantec’s ‘Desktop Firewall’ software appears to be a good product to fill this need.

      Hope this helps!

    • #3718647

      Securing VPN remote users.

      by nick l ·

      In reply to Securing VPN remote users.

      Have done a number of Remote access installations, here are a few comments.
      (1) Both, however the moment you open it to non corporate equipment you will find it impossible to enforce any policies, e.g. virus protection. Therefore if you can, keep it corporate.
      (2) If you are corporate machines only, then protection is the same as local machines; you can enforce virus protection locally on the machines. If personal, you’re goosed. You can encourage people by providing them with AV and F/W software free for them to use, but will not be able to enforce it. At a network level you will not be able to block such activity. So, the only thing you can do is have very strict firewall rules to ensure that only authorised ports are used. Then ensure that all your app servers have read and execute only everywhere. All servers will need on the fly virus scanning in place. Using Citrix or TS will help as it will reduce the services that are exposed. You can lock the firewalls down so that only Citrix or TS ports are allowed through, even for browsing etc.

      • #3718646

        Securing VPN remote users.

        by nick l ·

        In reply to Securing VPN remote users.

        3) If you go the thin client approach will you need local apps? Or are you planning to do offline processing then only transfer information as and when required. Ref installation of apps, the way I have seen it done most successfully is to issue the users with CDs full of the apps, but restrict licence key distribution or Winstall scripts to activate them. It is a whole world of pain to do this on personal machines. You will be forever trying to support problems caused by their kids trying to make room for the latest games etc. We have done a roll out where we included a remotely possible capability as part of the standard pack of software so that support staff could access the client PC to remotely try and solve problems once the user had dialled in. Trouble is that the users did not like the idea of corporate support staff looking over their home personal machines, so it didn’t really work. Corporate machines are different; you can apply policies and install and repair apps with msi files and GPOs.
        4) We tend to use Citrix because we have a mixture of NT4 and 2000, and didn’t want to have to support two different remote access clients. In general our users prefer Citrix from a usability point of view – not sure why.
        5) It depends totally on what your remote users are doing. You cannot be generic about it. We tried to work on values about things like how long they would be reading the screen as opposed to interfacing etc, but then tried a small user group and the results were basically that people tended to max out their connections whatever they were for about 50% of the time, and then just a small trickle for the rest.

      • #3718645

        Securing VPN remote users.

        by nick l ·

        In reply to Securing VPN remote users.

        6) Awful. Don’t go there! If you combine encryption with your VPN, you immediately slow everything down because you lose all compression. Therefore for remote use you need to be as slick as you can; don’t try and add another application layer, they will rapidly forget any ease of use benefits and curse you for the lack of performance.
        7) see above
        8) Will not repeat those others have already given; the obvious place to start is MS to get an idea of what they offer.
        9) We use Viruscan TC as the default with auto download of definitions. Personal firewall? Depends on the knowledge of the users. BlackICE Defender is install and forget, with centralised reporting and management if required. Cheaper but more techie is ZoneAlarm. Norton is too much aimed at the home market. We tend to use BlackICE as ISS, who bought the company, also do RealSecure network and server probes that we use, and so consolidate the security management.

      • #3420937

        Securing VPN remote users.

        by sselinger ·

        In reply to Securing VPN remote users.

        The question was auto-closed by TechRepublic

    • #3613273

      Securing VPN remote users.

      by gshollingsworth ·

      In reply to Securing VPN remote users.

      1) Doesn’t matter who owns the machines. All machines will abide by the rules or no VPN connection.
      2) We demand the same virus protection as our LAN desktops. Clients check with their assigned server for updates. Clients cannot change any configuration. Manual updating is still available directly with the vendor. Updates are also scheduled.
      3) Company owned machines are initially configured before shipping to final location. Step by step instructions are supplied for non-company owned machines with help desk support. Some VPN clients are also desktop clients; they usually wait until connected to the LAN for updates. Updates are pushed to clients. If connection is very low bandwidth, then CD-ROMs are sent out periodically.
      4) No.
      5) N/A.
      6) No.
      7) N/A.
      8) Search this site, http://www.securityportal.com, http://www.grc.com (follow the Shields Up link), http://www.sans.org/infosecFAQ/homeoffice/homeoffice_list.htm
      9) Virus protection: currently Norton Antivirus. Firewall: ZoneAlarm.

      Have you considered a VPN DMZ? You can use proxies and firewalls. Even with the safeguards in place on the client machines, you may want to isolate them from the LAN clients.

    • #3615969

      Securing VPN remote users.

      by penguinsrule ·

      In reply to Securing VPN remote users.

      If you haven’t spoken to your Cisco reseller about this, then you shouldn’t reject my answers – unless you think you can do all this for free. What makes you think that Cisco isn’t going to be able to provide you a solution to this? You could have been up and running a long time ago.

      • #3615205

        Securing VPN remote users.

        by sselinger ·

        In reply to Securing VPN remote users.

        I have talked to my Cisco reseller and in fact we are using a Cisco PIX as the VPN server. There are many issues regarding VPN, not just the type of VPN server or software that is being used.

    • #3632781

      Securing VPN remote users.

      by evileyejoe ·

      In reply to Securing VPN remote users.

      1. Company owned machines

      2. We use Norton enterprise for our company. All definitions are pushed out to all computers including those on the vpn.

      3. We use a program called Proxy that allows us to connect to their computer as if it was right here. We are able to install software and do support through this program. All of our VPN users are on cable connections so we are able to connect with no problem.

      4. We looked at Citrix a couple of years ago and decided not to go with it. We are about to look into it once again as there have been improvements and the price has dropped since then.

      5. Not tested yet.

      6. Not yet.

      7. Not yet.

      8. Norton for virus. We are currently using Black Ice but we are also looking into HackTracer.

    • #3630722

      Securing VPN remote users.

      by daryl_s ·

      In reply to Securing VPN remote users.

      Won’t claim to be able to answer all your questions, but point you in a direction for an answer to questions 8 and 9. My organisation is in the very early days of considering VPNs, so much will need to happen before I get a full idea of their implementation across an enterprise. At a recent trade show here in Aust. I came across a vendor called WatchGuard. They gave a good demonstration of their product (as well as some facts about VPNs in regard to security that were rather surprising). They cover two main areas, security devices/firewalls for the remote site as well as a management interface for the corporate site (which from the demo they gave, works in a similar type of fashion to the Windows policy editor). I collected most of my information in hard copy from the show, but here is their web address http://www.watchguard.com/

      Hope this helps you out.

      Regards

      Daryl Sheppard
      daryl_s@iprimus.com.au

    • #3635029

      Securing VPN remote users.

      by otura ·

      In reply to Securing VPN remote users.

      Some answers:
      1) Keeping your remote users with company owned machines with strong security policies will allow you to relieve your administrative work and to improve your security.
      2) Any corporate antivirus solution, with an administration tool and automatic distribution of signature files, will fit your problem. E.g. McAfee or Panda provide solutions to this issue.
      3) Application distribution is made through MS W2K integrated installation services. Some mandatory ones can be deployed previously in a LAN environment, in order not to have things like Office 2K installing through a 33.6 kbps modem.
      4) I recommend using them (Windows 2000 ones work fine) only in broadband environments. There is too much bandwidth used for a modem connection.
      5) Windows 2000 QoS and a proper configuration of AD and Sites will help you to manage your bandwidth.
      6) Sorry, no experience in this issue.
      7) Sorry, no real Citrix experience.
      8) http://www.netscreen.com
      9) Panda Antivirus and BlackICE will fit your users' basic needs with a simple interface and configuration.

    • #3618051

      Securing VPN remote users.

      by andrew.ford ·

      In reply to Securing VPN remote users.

      We have several users that connect from home using either a business bought machine or their personal home system. McAfee has an administrative software server called ePolicy Orchestrator. This tool is much better than their previous version. We make our users sign a form that gives us permission to install the anti-virus software. We configured the anti-virus server to send each machine a configuration. Depending on what your configuration is, the desktops contact the anti-virus server to see if there is a new DAT update. If so, the machine will connect to the Internet and download the update. The ePolicy Orchestrator software also inventories all of the machines and it provides charts that tell what machines have the most current update. If the machine does not have the most current DAT, it tells you how many versions back that machine is. You can create several charts. I think it is free with the purchase of your client licenses. You should check this out.

    • #3616842

      Securing VPN remote users.

      by mgalderisi ·

      In reply to Securing VPN remote users.

      For better security with a VPN connection try out RSA Security from RSA Security Inc. This security system uses tokens, which have a six digit passcode that changes every minute. Each remote user must have an enabled token that is synchronized with an RSA server. I was surprised how easy it was to setup and maintain.

      Go to http://www.rsasecurity.com and create an account. They’ll even send you a promotional 2 user package, so you can try it out.

    • #3623564

      Securing VPN remote users.

      by nexed ·

      In reply to Securing VPN remote users.

      1)Both. We don’t care about the machine, we care more about the user behind it.

      2)The user(s) are under signed agreement to maintain the antivirus software (we provide it) and to practice “good computing” methods to avoid viruses. Plus we also apply hotfixes and such on our DMZ and internal network.

      3) The systems that belong to us are a part of the Windows 2000 domain. We deploy software via the software package deployment features in the group policies. As for personal (we don’t own them) systems, we do not distribute or allow any of our applications to be installed. (VPN users have different permissions on the network to prevent data theft and minimize virus/worm infections)

      4) Both.

      5) I used the Windows 2000 Resource Kit tools to help me determine the bandwidth and hardware i needed to provide fast service to our users.

      6) No.

      7) Citrix goes back and is a lot older than Windows 2000’s Terminal Services. There are far more useful features and benefits in it, but only if you are willing to pay the price.

      8) none that are worth looking at.

      9) GFI Mail essentials 2000 for Exchange 2000 and GFI Lan Guard for ISA Server. (www.gfi.com)

    • #3625416

      Securing VPN remote users.

      by cancertech ·

      In reply to Securing VPN remote users.

      We use the Cisco solution for VPN and firewall. Our users all use corporate machines to connect (60% of users are mobile), in addition to site-to-site WAN. AV is McAfee, very manageable now, heavy on the server-side scanning. We use MetaFrame for some proprietary apps only. Updates are done by the user when possible, but for those who are inept we use SMS to take over their machine. Non-corporate entities get data access via a web portal (MS CMS 2001). So just put up a Cisco 7120, then enable McAfee On-Demand and On-Access scanning, then run your Citrix client from the PC/laptop. Update DATs religiously, respond quickly to virus alerts and bug-track your devices (lots of listservs to be on; pick the right ones). BE PROACTIVE as much as possible.

    • #3624848

      Securing VPN remote users.

      by fossil ·

      In reply to Securing VPN remote users.

      1) 90% company owned with NT 4.0 SP5 and 10% "other", mostly Win98SE and Win95. Only NT machines get "full" support.
      2) A KIX script at login checks for Norton AV. We have a site license. If it is not installed, we start an automatic download of WINSTALL to install NAV before the user can go further. No NAV running = no access. Period.
      3) We provide company-created CDs with WINSTALL and the software. For NAV we have separate CDs.
      4) Citrix, if the user wishes, but it isn't required.
      5) Dunno; another area handles that.
      6) No. We distribute the Citrix client on CD (again, with WINSTALL).
      7) W2K is only available as a client and we don't use the terminal services.
      8) None that I'd recommend.
      8') We use Norton AV. We "recommend" users install ZoneAlarm for personal use, but there is no corporate policy.
      Your plan sounds reasonable. Apart from the reliance on Terminal Server exclusively, it's not much different from ours. We provide 5 dual-processor machines for terminal server use and expect no more than 20 users at a time. We stayed away from expanding terminal server use to avoid the cost of hardware and admin. The only terminal server apps are Lotus Notes, PeopleSoft, and some file share and remote print access.
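
Two practices in this thread combine into a login-time gate: fossil's rule that a machine without Norton AV running gets no access (and a company machine without it installed gets the installer pushed first), and the ePolicy Orchestrator report in the first reply that tells you how many DAT versions each machine is behind. The block below is an added example, not a KIX script from either poster or vendor code: the inventory records, the DAT version numbers and the two-versions-behind threshold are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Constructed figures: the newest DAT the AV server holds, and how many
# versions behind a machine may be before it must update before getting on.
CURRENT_DAT = 4175
MAX_VERSIONS_BEHIND = 2      # assumption: a site policy, not a value from the thread


class Decision(Enum):
    ALLOW = "allow"                 # AV running and DAT current enough
    UPDATE_THEN_ALLOW = "update"    # push the new DAT at logon, then let the user on
    INSTALL_FIRST = "install"       # start the installer; no further access yet
    DENY = "deny"                   # no AV running = no access


@dataclass(frozen=True)
class Host:
    name: str
    company_owned: bool
    av_installed: bool
    av_running: bool
    dat_version: Optional[int]      # None when no AV is present


def versions_behind(host: Host, current_dat: int = CURRENT_DAT) -> Optional[int]:
    """How many DAT versions the host trails the server (None if no AV)."""
    if host.dat_version is None:
        return None
    return max(0, current_dat - host.dat_version)


def gate(host: Host, current_dat: int = CURRENT_DAT,
         max_behind: int = MAX_VERSIONS_BEHIND) -> Decision:
    """Decide what the logon script does with this host before granting access."""
    if not host.av_installed:
        # Company machines get the installer pushed; personal machines are
        # refused outright (assumption; the thread only describes company CDs).
        return Decision.INSTALL_FIRST if host.company_owned else Decision.DENY
    if not host.av_running or host.dat_version is None:
        return Decision.DENY
    if versions_behind(host, current_dat) > max_behind:
        return Decision.UPDATE_THEN_ALLOW
    return Decision.ALLOW


def dat_report(hosts: list[Host], current_dat: int = CURRENT_DAT) -> dict[str, list[str]]:
    """ePO-style chart data: hostnames grouped by how far behind they are."""
    buckets: dict[str, list[str]] = {}
    for h in hosts:
        behind = versions_behind(h, current_dat)
        key = "no-av" if behind is None else ("current" if behind == 0 else f"{behind}-behind")
        buckets.setdefault(key, []).append(h.name)
    return {k: sorted(v) for k, v in sorted(buckets.items())}


# Constructed inventory, the kind of data an ePO agent would report back.
FLEET = [
    Host("vp-laptop01", True, True, True, 4175),
    Host("vp-laptop02", True, True, True, 4172),
    Host("home-pc-jane", False, True, False, 4170),
    Host("home-pc-bob", False, False, False, None),
    Host("contractor-nt4", True, False, False, None),
]

if __name__ == "__main__":
    for h in FLEET:
        print(f"{h.name:16} {gate(h).value}")
    print(dat_report(FLEET))
```

The gate deliberately treats "installed but not running" as a hard deny rather than a remediation case, which is the literal reading of fossil's rule; a site that prefers to restart the service instead would add a fifth decision rather than loosen DENY.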

      • #3624162

        Securing VPN remote users.

        by fossil ·

        In reply to Securing VPN remote users.

        I realized that I tried so hard to "stick to the questions" that I forgot to mention a couple of additional items. We use the Nortel VPN client coupled with RSA SecurID for authentication. The company has been using SecurID for at least 6 years (or more) and once it was set up, it's done its job well. The VPN client is a breeze to install, although the self-extracting .exe is 1.9 MB, doesn't fit on a floppy and takes a while to download over dial-up, which is why we try to distribute on a CD whenever possible.

      • #3420952

        Securing VPN remote users.

        by sselinger ·

        In reply to Securing VPN remote users.

        The question was auto-closed by TechRepublic

    • #3609112

      Securing VPN remote users.

      by dcosgrove ·

      In reply to Securing VPN remote users.

      Well, I see you have plenty of answers, so I'll be brief. I am also looking for similar answers and have at this point decided on a solution such as the WatchGuard Firebox. This product acts as a router and a VPN gateway, and there are many options depending on the size of your network. It is worth looking into.

    • #3627577

      Securing VPN remote users.

      by pablob ·

      In reply to Securing VPN remote users.

      Citrix has many benefits over native terminal services from bandwidth economy of the ICA protocol to true colour display, session shadowing, server farms etc. etc. – see the Citrix website for all the marketing stuff.

      The terminal servers should be treated as multi-user workstations and only “client” software loaded onto them e.g. no database, mail server software or the like.

      Use a token based VPN remote authentication, don’t rely on fixed passwords.

      Locate your server farm in its own DMZ and use the firewall to control access to your LAN and your terminal servers. This means remote users can ONLY attach to the terminal servers, e.g. port 1494 for Citrix. Only allow access from the terminal servers to your LAN via the firewall. Viruses will only come from remote users if they are allowed to upload local files to the terminal servers. If they need to do this then make sure each terminal server has client virus checking software installed and that the definition files are up to date.

      To determine server and bandwidth requirements you need to do some benchmarking. For terminal servers the main areas are going to be RAM, then CPU, then disk. RAM is important because you don't want excessive paging, as this will impact user performance. Start with Task Manager and check the memory footprint for a user. For bandwidth don't assume anything; benchmark using a PacketShaper or Sitara or similar device.

    • #3628376

      Securing VPN remote users.

      by wanabedrsean ·

      In reply to Securing VPN remote users.

      We use a hardware VPN with encryption built in for our network; they are the best overall solution. Specifically we use Intel equipment.

      1) VPN users can be either remote users or users on the LAN. Most of the ones I deal with are users on personal machines over the Internet.
      2) What we do is use software like InoculateIT from Computer Associates and run the network install utility through a login script. This one works well because it is relatively light in overhead but thorough. We also update the DAT files through a login script; every time the user logs in it goes out and checks their computer. Very simple to implement.
      3) Again we do all of this through login scripts, but you are sometimes limited in what you can do because of the bandwidth available. A script automation utility, e.g. ScriptLogic, is useful for this also. Or we will make the user aware that something needs to be updated.
      4) I have seen this done but we don't do it often because terminal server apps can be painfully slow over the Internet with a 56k connection, but it works well with cable or DSL.

      • #3628375

        Securing VPN remote users.

        by wanabedrsean ·

        In reply to Securing VPN remote users.

        5) A good principle is 128 MB of RAM for the base operating system services, plus an additional amount per user. This additional amount varies and should be between 16 MB and 20 MB per session. To compute this additional amount, plan on approximately 13 MB for the user's desktop, then add the amount needed to run applications. Note that when more than one user runs a particular application, the code for the application is not duplicated in memory (executable code is shared across instances of an application). Applications that are 16-bit require about 25 percent more memory than 32-bit applications. If users will be running memory-intensive applications, such as a client/server application with a large memory footprint, you need to increase the amount of RAM allocated for each user. Each server needs to have enough physical memory to ensure that the page file is almost never used. The amount of disk space devoted to each server page file must be at least one and one-half times the total amount of physical RAM.

        The amount of processing required per user is dependent on the types of applications being run. This is best determined through trial deployments and monitoring processor time with users connected, and then creating formulas for the amount of processor time; (processor divided by number of test users at minimum acceptable performance, times number of total users) is a formula I worked out.

        Windows-based client computers connecting to Terminal Services should have at least an 80386 microprocessor running at 33 MHz (though a 486/66 is recommended), a 16-bit VGA video card, and the Microsoft TCP/IP stack. The Terminal Services client runs on Windows 2000, Windows for Workgroups 3.11, Windows 95, Windows 98, and Windows NT 3.51 or later. And we like 56 kbps per active user minimum over VPN. But this is a very broad subject.
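
Worked through as code, the sizing rules in the post above (128 MB for the OS, about 13 MB per desktop, application working set on top, 16-bit applications at 25% more, shared executable code counted once per server, page file at 1.5x RAM, processor scaled up from a trial deployment) become a small capacity calculator that also answers the question the post stops short of: how many servers a given user population needs. This is an added example, not the poster's or Microsoft's code; the two application profiles and the 40% processor-time trial figure are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from math import ceil, floor

# Rules of thumb from the post above.
BASE_OS_MB = 128          # operating system services
DESKTOP_MB = 13           # per-user desktop
WIN16_FACTOR = 1.25       # 16-bit apps need about 25% more
PAGEFILE_FACTOR = 1.5     # page file at least 1.5x physical RAM


@dataclass(frozen=True)
class App:
    name: str
    code_mb: float        # executable image: shared, loaded once per server
    per_user_mb: float    # private working set each session adds
    is_16bit: bool = False

    def session_mb(self) -> float:
        return self.per_user_mb * (WIN16_FACTOR if self.is_16bit else 1.0)


def session_total_mb(apps: list[App]) -> float:
    """Memory one more session costs: desktop plus every app's private part."""
    return DESKTOP_MB + sum(a.session_mb() for a in apps)


def ram_required_mb(apps: list[App], users: int) -> float:
    """RAM one server needs to host `users` sessions without paging."""
    shared = sum(a.code_mb for a in apps)          # counted once, not per user
    return BASE_OS_MB + shared + session_total_mb(apps) * users


def pagefile_mb(ram_mb: float) -> int:
    return ceil(ram_mb * PAGEFILE_FACTOR)


def cpus_required(busy_pct: int, test_users: int, total_users: int) -> float:
    """Post's formula: (processor / test users at acceptable performance) * total users.
    busy_pct is the processor time measured in the trial with test_users logged on."""
    return total_users * busy_pct / (100 * test_users)


def servers_required(apps: list[App], total_users: int, ram_per_server_mb: int,
                     cpus_per_server: int, busy_pct: int, test_users: int) -> int:
    """Servers needed when each box is bounded by both its RAM and its CPUs."""
    shared = sum(a.code_mb for a in apps)
    by_ram = floor((ram_per_server_mb - BASE_OS_MB - shared) / session_total_mb(apps))
    by_cpu = (cpus_per_server * 100 * test_users) // busy_pct   # integer math, no rounding drift
    users_per_server = min(by_ram, by_cpu)
    if users_per_server < 1:
        raise ValueError("server too small for even one session")
    return ceil(total_users / users_per_server)


# Constructed application profile (figures are illustrative, not measured).
APPS = [
    App("Lotus Notes client", code_mb=20, per_user_mb=6),
    App("PeopleSoft client (16-bit)", code_mb=8, per_user_mb=5, is_16bit=True),
]

if __name__ == "__main__":
    ram = ram_required_mb(APPS, 20)
    print(f"20 users: {ram:.0f} MB RAM, {pagefile_mb(ram)} MB page file")
    print(f"CPUs for 60 users (trial: 40% busy with 5 users): {cpus_required(40, 5, 60):.1f}")
    print(f"servers for 60 users on 1 GB dual-CPU boxes: {servers_required(APPS, 60, 1024, 2, 40, 5)}")
```

The per-server count has to subtract the OS and shared code before dividing, because those are paid once per box rather than once per user; dividing the fleet-wide RAM total by the size of one server would overstate how many users each box can hold.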

      • #3628374

        Securing VPN remote users.

        by wanabedrsean ·

        In reply to Securing VPN remote users.

        6) Terminal Services for the web works really well and we do use it for remote administration on our LAN. It works well over a 56k connection also if you connect at 44 kbps minimum. It is almost like you're at the machine.
        7) I am not real familiar with the MetaFrame stuff, mostly because it hasn't been available that long for Windows 2000; it was only in beta for some time, at least it was in July or August when I checked last.
        8) I like these: http://www.sans.org/infosecFAQ/encryption/VPN_sec.htm and http://www.networkcomputing.com/1207/1207centerfoldtext.html. Network Computing is a very good informative site; if you haven't ever been there check it out, it has lots of security resources, but the link I gave is more of a case study about a company that implemented a global VPN.
        9) See reply 2 for virus software. We use Intel/Shiva VPN boxes; these make great firewalls also, but don't set them up in bridge mode. The client computer runs client software that connects it to the VPN box and establishes the tunnel; it uses 3DES encryption, which is really the best available, between the client and the firewall. If I were using a web-based terminal connection I would use SSL, either hardware or software, but hardware is much better: no server processor time required for the hardware SSL and you basically plug it in.

      • #3420944

        Securing VPN remote users.

        by sselinger ·

        In reply to Securing VPN remote users.

        The question was auto-closed by TechRepublic

    • #3628363

      Securing VPN remote users.

      by shmaltz ·

      In reply to Securing VPN remote users.

      1. Any machine that's not located on your LAN.
      2. You don't. Since the computer is not located in your place it is not possible to protect against viruses from a remote computer that has VPN access to your LAN. You can however install expensive software on your VPN server (or any other router) that will try to filter the contents of the VPN packets to see if they have any viruses. There is one more way you can make use of VPN and not have a problem with viruses. Please read number 9.
      3. You can put it on an FTP server, a CD-ROM or in a logon script.
      4. Terminal Server or Citrix MetaFrame is the best solution for remote users. If you go with either TS or CMF your questions 2, 3 and 5 have been answered.
      5. I have used Windows 2000 TS over a 14.4 connection. It was slow but I was able to manage. Using it over a 56K connection is almost the same as working locally (except when printing high-resolution papers or large documents).
      6. I use Windows 2k TS over a browser and my experience is excellent. It's very easy to use it that way.
      7. Among others: sound, file copy between session and local PC (it's also possible with Windows 2k TS but requires more than just being connected), and many more; check out Microsoft's web site for more info.
      8. The others have given you great links.

      • #3628362

        Securing VPN remote users.

        by shmaltz ·

        In reply to Securing VPN remote users.

        9. If this were for a user that is going to connect remotely for a long time (more than 2-3 months) I would get them a Syslink DSL/Cable router (if they have cable/DSL; otherwise if it's only a dial-up connection I don't bother with security, since you are not a target). This only helps for the firewall. For viruses, as I mentioned before, you cannot be protected from a remote user using VPN, since you don't know if the McAfee AV is running on the local machine or not. The only way you can make use of VPN and Windows Terminal Server or CMF so you have maximum security:
        On your firewall block access to the RDP port #3389 (for Windows 2k TS; I don't know the port number for ICA which is used in CMF) from all IP addresses.
        Use VPN to log in behind your firewall but not to your LAN (your DMZ, or a zone created just for this, and don't give that zone permissions to log on to your LAN using NetBIOS connections; just open the TS ports from that zone to your TS).
        Now they are connected to your network without local access but with access to the terminal server. Now have them log on to your TS.
        This is the most secure form, since the packets from the TS session itself are encrypted in the VPN packets, and the remote users cannot connect to your LAN using their computer, just the TS session, which makes it secure against viruses. Also anyone that's not connected to your VPN server doesn't have access to your TS.
        You however don't have to use so much security, since TS alone provides some sort of security, unless the data is very sensitive.
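
The zoning pablob and shmaltz describe above (VPN clients land in a DMZ, may reach the terminal servers only on 1494/3389, and only the terminal servers may reach the LAN) can be checked against a concrete rule set rather than argued in prose. The block below is an added example, not something posted in this thread or vendor code: it models a first-match firewall policy in Python with constructed address ranges (10.200.0.0/24 for the VPN pool, 10.10.10.0/24 for the farm, 10.0.0.0/16 for the LAN, 203.0.113.9 as an Internet host) and audits it against the flows the design is supposed to permit and refuse, including the file-upload path pablob identifies as the way a virus would get onto a terminal server. It also shows what a single "convenience" rule added at the top of the chain does to the audit.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed address plan (assumptions, not from the thread).
ANY = ip_network("0.0.0.0/0")
VPN_POOL = ip_network("10.200.0.0/24")    # addresses handed to dialled-in VPN clients
TS_DMZ = ip_network("10.10.10.0/24")      # terminal server farm, its own DMZ
LAN = ip_network("10.0.0.0/16")           # internal LAN behind the farm

RDP = 3389      # Windows 2000 Terminal Services
ICA = 1494      # Citrix MetaFrame
TS_PORTS = frozenset({RDP, ICA})


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    ports: Optional[frozenset[int]]   # None means any destination port
    action: str                       # "allow" or "deny"
    note: str

    def matches(self, src, dst, port: int) -> bool:
        return src in self.src and dst in self.dst and (self.ports is None or port in self.ports)


# First match wins, as on a PIX or an iptables chain. Order is the policy.
POLICY = [
    Rule(VPN_POOL, TS_DMZ, TS_PORTS, "allow", "remote users may reach the farm on TS ports only"),
    Rule(VPN_POOL, LAN, None, "deny", "VPN clients never touch the LAN directly"),
    Rule(TS_DMZ, LAN, None, "allow", "only the terminal servers reach the LAN"),
    Rule(ANY, TS_DMZ, TS_PORTS, "deny", "no TS exposure to anyone outside the tunnel"),
    Rule(ANY, ANY, None, "deny", "default deny"),
]

# The kind of rule that creeps in later "so people can print at home".
BAD_POLICY = [Rule(VPN_POOL, ANY, None, "allow", "convenience: VPN users allowed anywhere")] + POLICY


def evaluate(src: str, dst: str, port: int, policy=POLICY) -> tuple[str, str]:
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if rule.matches(s, d, port):
            return rule.action, rule.note
    return "deny", "implicit deny"     # unreachable with the default rule; kept for safety


# Flows a reviewer would check, with the outcome the zoning in the post requires.
EXPECTED = [
    ("10.200.0.7", "10.10.10.5", RDP, "allow"),    # VPN user -> TS over RDP
    ("10.200.0.7", "10.10.10.5", ICA, "allow"),    # VPN user -> TS over ICA
    ("10.200.0.7", "10.10.10.5", 445, "deny"),     # VPN user pushing files to TS over SMB
    ("10.200.0.7", "10.0.5.20", 139, "deny"),      # VPN user -> LAN NetBIOS
    ("10.10.10.5", "10.0.5.20", 1433, "allow"),    # TS -> LAN database
    ("203.0.113.9", "10.10.10.5", RDP, "deny"),    # Internet host straight at RDP
]


def audit(policy=POLICY, expected=EXPECTED) -> list[tuple]:
    """Return (src, dst, port, wanted, got) for every flow whose verdict is wrong."""
    out = []
    for s, d, p, want in expected:
        got = evaluate(s, d, p, policy)[0]
        if got != want:
            out.append((s, d, p, want, got))
    return out


if __name__ == "__main__":
    for s, d, p, want in EXPECTED:
        action, note = evaluate(s, d, p)
        print(f"{s:>13} -> {d:<12} :{p:<5} {action:5} ({note})")
    print("violations in POLICY:    ", audit())
    print("violations in BAD_POLICY:", audit(BAD_POLICY))
```

The SMB flow is the one worth noticing: it is denied not by any rule that mentions port 445 but by falling through to the default, which is exactly why pablob says file upload to the farm must be a deliberate decision that brings client AV on the terminal servers with it.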

      • #3628359

        Securing VPN remote users.

        by shmaltz ·

        In reply to Securing VPN remote users.

        My point:
        You cannot secure against a virus from a machine that has access to your LAN but you don't have access to it.

      • #3420953

        Securing VPN remote users.

        by sselinger ·

        In reply to Securing VPN remote users.

        The question was auto-closed by TechRepublic

    • #3616587

      Securing VPN remote users.

      by ebob ·

      In reply to Securing VPN remote users.

      1 - Company-owned assets, even at 3rd-party sites. I personally think it's overkill, BUT it makes it easier to manage these connections and systems.
      2 – We have these assets locked down and use SMS to push virus updates, just like “LAN” users. (Again, not my personal preference, but it works.)
      3 – SMS. (…not my personal pref…)
      4 – No. We have a policy of FEAR and do not open these ports.
      5 – We’re not running TS, just C/S, etc. For BW, the first few we guessed at, and learned from there.We also learned from our co. WAN.
      6 – N/A
      7 – N/A
      8 - CERT (www.cert.org) and SANS (www.sans.org). Then from there, I start to drop into the vendors' sites. The vendor site I like best is CCO at Cisco (cco.cisco.com). It gets you past most of the sales hype. And FWIW, I agree 100% that VPN opens up more "concerns". Not necessarily more "holes", but certainly "concerns", i.e., issues which need to be addressed. Issues such as you bring up in your questions.
      9 – McAfee AV, with (shudder) SMS doing the pushes to company assets. We also have Trend running on the email servers.

    • #3550859

      Securing VPN remote users.

      by bhrdwh ·

      In reply to Securing VPN remote users.

      Hi,

      1. Who are Remote Users – machines not located on your LAN

      2) How do you protect against viruses from remote VPN users? - Can't. Since the computer is not located in your place it is not possible to protect against viruses from a remote computer that has VPN access to your LAN. You can however install expensive software on your VPN server that will try to filter the contents of the VPN packets to see if they have any viruses. There is one more way you can make use of VPN and not have a problem with viruses.

      3)How do you install applications on remote users computers and how to you update and support these appliations – You can put it on an FTP server OR logon script.

      4) Do you use TS such as Windows 2000 or Citrix Metaframe for applications? – Citrix Meta Frame 1.8.

      5) How did you determine the server and bandwidth requirements for terminal server connections – I have used Windows 2000 TS over a 14.4 connection. It was slow but I was able to manage. Using it over a 56K connection is almost the same as working locally (except when printing high resolution papers or large documents).

      6) Have you used terminal services through a browser and what were your experiences? – I use Windows 2k TS over a browser and my experience is excellent. It’s very easy to use it that way.

      7) If you use Citrix over Windows 2000 please explain the benefits you have found of Citrix compared to Windows 2000.

      8) VPNs create even more security concerns - Among others: sound, file copy between session and local PC (it's also possible with Windows 2k TS but requires more than just being connected), and many more; check out Microsoft's web site for more info.

      8) What software are you using for virus’s and/or remote user firewall software – McAfee Antivirus & for firewall we have Cisco Pix apart from Microsoft’s ISA 2000 Server.

    • #3567468

      Securing VPN remote users.

      by penguinsrule ·

      In reply to Securing VPN remote users.

      Cisco VPN Security Router 2600

      Have you tried this?

    • #3560074

      Securing VPN remote users.

      by timthetoolman ·

      In reply to Securing VPN remote users.

      1)Who are your remote users? ie. company owned machines or individual owned machines.

      I've worked for two companies where this is relevant. The first allowed any PC to dial in to its modem bank but required CRYPTOCard authentication. The second only allowed company-owned machines to dial in. This couldn't be strictly enforced, though.

      Whatever you decide on, you must assume that at some point someone will try to gain access with a non-company machine with no virus protection on it.

      2)How do you protect against viruses from remote VPN users? Please be very detailed.

      The only way to be sure is to have virus protection installed on every machine in your network. This may well mean purchasing a site license to be cost-effective but will be worth it in the long run. See the "top" 10,000 point question if you don't believe me!

      You can't assume that the PC connecting to your network remotely will have virus protection on it.

      (continued…)

    • #3560073

      Securing VPN remote users.

      by timthetoolman ·

      In reply to Securing VPN remote users.

      3)How do you install applications on remote users computers and how to you update and support these appliations.

      The first company used SMS to do this. At least it tried. It was quite time-consuming and difficult several years ago. I don't know what it's like now. In the end login scripts were used. The second company exclusively used login scripts.

      If you're planning to use Citrix, then application deployment is a non-issue. As you're no doubt aware the applications themselves live on the servers. Citrix has good support for application deployment across servers too, if you're looking at having a farm for load balancing/redundancy.

      4) Do you use terminal services such as Windows 2000 or Citrix Metaframe for applications?

      Citrix is the best choice when the number of users increases and you need to load balance applications over a number of Citrix servers. It is far superior in its administrative ability and there is lots of support for it. Also it has the benefit of having a client for the Mac and Linux (and Solaris) and probably others too.

      (continued…)

    • #3560072

      Securing VPN remote users.

      by timthetoolman ·

      In reply to Securing VPN remote users.

      5) How did you determine the server and bandwidth requirements for terminal server connections.

      If you go down the Citrix path, there is official documentation by them on how much bandwidth to allow per user. I've used it over dial-up (56000 baud) and it's fine, not super fast but very usable. That equates to 5kb/sec or so.

      The thing to watch out for is memory requirements. At 4 MB/user, Citrix servers have to have quite a lot of memory. With memory prices these days, it's not such an issue, though.

      6) Have you used terminal services through a browser and what were your experiences?

      I've used terminal services to do things like control servers remotely. It works well enough.

      But again, my experiences with Citrix are good here. You can embed applications into browsers as ActiveX controls. Or you can launch the application from the browser window.

      You can even publish icons to the desktop that are Citrix applications and seamlessly fire up the application via Citrix (ie. on the server) without the user even realising.

      (continued…)

    • #3560071

      Securing VPN remote users.

      by timthetoolman ·

      In reply to Securing VPN remote users.

      7) If you use Citrix over Windows 2000 please explain the benefits you have found of Citrix compared to Windows 2000.

      I think my points above cover a lot of the benefits of Citrix, and if I were doing an implementation such as yours I would choose Citrix ahead of Terminal Services if there were enough users to warrant it.

      8) URL’s of good security resources that talk about securing remote VPN users. I am not looking for sites that say that a VPN fixes all of my security concerns because it does not. In fact VPNs create even more security concerns.

      Others have covered this so I won't bother.

      9) What software are you using for virus’s and/or remote user firewall software.

      Both companies I worked for used McAfee. It seemed good.

      I hope your implementation turns out well.
      Cheers,
      Tim

    • #3545342

      Securing VPN remote users.

      by sabatogz ·

      In reply to Securing VPN remote users.

      Another good source of information is Thaddeus Fortenberry's book "Windows 2000 Virtual Private Networking". I just finished reading it. The thing I liked most about the book was the many examples he included with both pros and cons. I would recommend you read this book if you are setting up a VPN.

    • #3556255

      Securing VPN remote users.

      by sdraney ·

      In reply to Securing VPN remote users.

      1. All remote users are corporate VP’s on laptops and travel extensively.
      The machines used are corporate owned and we discontinued access to personal machines for security and control reasons.
      2. All systems have the corporate-chosen McAfee virus protection.
      3. We have chosen to have a very tight security system, which means that no user can install software directly onto his or her machine without the Admin password and privileges. Most users don't have access to high-speed lines and since they regularly come in for meetings we simply have them check in their laptop for a "tune-up" during some down-time.
      This also allows us to do a security and policy scan of the system while it's in our custody. If there are problems we will educate the employee and do an update to their "laptop-checkout" skills. No user can be assigned, check out, borrow or use a laptop until they have been given a basic skills course, virus education, dial-up basics, etc. This means we have ourselves covered when a VP calls in saying we didn't get the laptop to dial correctly or gave them a defective machine. They have to sign a carefully worded check-off list.
      4. We do not use Win2k-Citrix because of compatibility problems with some software. I have worked with Citrix/MetaFrame and found them to be good, robust and dependable machines except where issues of the latest software bring out a bug.
      5. Not applicable to our situation.
      8. There are a lot of very good resources but you should look not for VPN in a search but things like "remote-security", "Virtual Network" and "virus" as some of the parameters.
      9. We have used CA, McAfee and Sygate for virus/firewall solutions and we also use a local RADIUS server that ties in to the VPN so we have total control. The RADIUS solution is managed through a Cisco software package on the web.

    • #3575082

      Securing VPN remote users.

      by weoy ·

      In reply to Securing VPN remote users.

      Hi there,

      1. Remote users can be both company-owned machines or individual machines.

      2. Using TM OfficeScan, clients will automatically download the latest scan engine and pattern files when they log on to domain servers via VPN.

      3. Users will need to log on to the server and get whatever applications need to be installed on their machine. Support and upgrades would be done the same way. Any new patches or upgrades are posted on the server to be installed by users (readme files included; idiot-proof).

      4. Yes, Terminal Services and Citrix.

      5. Bandwidth requirements for terminal server connections depend on how bandwidth-intensive the applications are. Running normal MS Office applications on the server with remote users accessing such apps could make do over modem/ISDN connections (that's the minimum only; the higher the better).

      6. Terminal Services through a browser gives you the feeling as if "you're at the remote desktop", similar to pcAnywhere or stuff like that. Speed depends on the connection.

      7. Pretty subjective on this question. The Terminal Services engine came from Citrix and is custom-made for the Windows environment. Applications other than MS could be better used through Citrix compared to Win2K.

      8. Most mentioned by the above experts.

      9. TrendMicro, CheckPoint on Nokia box and NetScreen FW. Both FWs using their proprietary remote VPN SW.

      10. Any logon to the server would initiate the connection to TM OfficeScan to update and initiate a scan session on the user desktop.

      Hope it helps.
      Thanks.
      Nala

    • #3575177

      Securing VPN remote users.

      by maxwell edison ·

      In reply to Securing VPN remote users.

      To prevent problems, you should consider the following router-to-router design issues before you implement router-to-router VPN connections.

      On-demand or persistent connections:

      You must decide whether your router-to-router VPN connections will be on-demand or persistent:

      On-demand demand-dial connections require that the answering router is permanently connected to the Internet. The calling router connects to the Internet by using a dial-up link such as an analog phone line or ISDN. You need to configure a single demand-dial interface at the answering router. You need to configure two demand-dial interfaces at the calling router: one to connect to a local Internet service provider (ISP) and one for the router-to-router VPN connection. Demand-dial router-to-router VPN connections also require an additional host route in the IP routing table of the calling router. For more information, see An on-demand router-to-router VPN.

      Persistent connections require that both routers are connected to the Internet by using permanent WAN connections. You only need to configure a single demand-dial interface at each router. Permanent connections can be initiated and left in a connected state 24 hours a day.

      Restricting the initiation of an on-demand connection:

      To prevent the calling router from making unnecessary connections, you can restrict the calling router from making on-demand router-to-router VPN connections in two ways:

      Demand-dial filtering
      You can use demand-dial filtering to configure either the types of IP traffic that do not cause a demand-dial connection to be made or the types of IP traffic that cause a connection to be made.

      (continued in comments…)

      • #3575175

        Securing VPN remote users.

        by maxwell edison ·

        In reply to Securing VPN remote users.

        .
        .
        Dial-out hours
        You can use dial-out hours to configure the hours that a calling router is either permitted or denied to make a router-to-router VPN connection. For more information, see To configure dial-out hours

        One-way or two-way initiated connections
        You must decide whether your router-to-router VPN connections will be initiated by one router or by both routers:

        With one-way initiated connections, one router is the VPN server and one router is the VPN client. The VPN server accepts the connection and the VPN client initiates the connection. One-way initiated connections are well suited to a permanent connection spoke-and-hub topology where the branch office router is the only router that initiates the connection. One-way initiated connections require that:
        The VPN server (the answering router) is configured as a LAN and WAN router.
        A user account is added for the authentication credentials of the calling router that is accessed and validated by the answering router.
        A demand-dial interface is configured at the answering router with the same name as the user account that is used by the calling router. This demand-dial interface is not used to dial out; therefore it is not configured with the host name or IP address of the calling router or with valid user credentials.
        For more information, see One-way initiated demand-dial connections

        With two-way initiated connections, either router can be the VPN server or the VPN client depending on who is initiating the connection. Both routers must be configured to initiate and accept a VPN connection. You can use two-way initiated connections when the router-to-router VPN connection is not up 24 hours a day and traffic from either router is used to create the on-demand connection. Two-way initiated router-to-router VPN connections require that:
        Both routers are connected to the Internet by using a permanent WAN link.
        Bot

      • #3575174

        Securing VPN remote users.

        by maxwell edison ·

        In reply to Securing VPN remote users.

        .
        .
        Dial-out hours
        You can use dial-out hours to configure the hours that a calling router is either permitted or denied to make a router-to-router VPN connection.

        One-way or two-way initiated connections
        You must decide whether your router-to-router VPN connections will be initiated by one router or by both routers:

        With one-way initiated connections, one router is the VPN server and one router is the VPN client. The VPN server accepts the connection and the VPN client initiates the connection. One-way initiated connections are well suited to a permanent connection spoke-and-hub topology where the branch office router is the only router that initiates the connection. One-way initiated connections require that:
        The VPN server (the answering router) is configured as a LAN and WAN router.
        A user account is added for the authentication credentials of the calling router that is accessed and validated by the answering router.

        A demand-dial interface is configured at the answering router with the same name as the user account that is used by the calling router. This demand-dial interface is not used to dial out; therefore it is not configured with the host name or IP address of the calling router or with valid user credentials.

        With two-way initiated connections, either router can be the VPN server or the VPN client depending on who is initiating the connection. Both routers must be configured to initiate and accept a VPN connection. You can use two-way initiated connections when the router-to-router VPN connection is not up 24 hours a day and traffic from either router is used to create the on-demand connection. Two-way initiated router-to-router VPN connections require that:
        Both routers are connected to the Internet by using a permanent WAN link.
        Both routers are configured as LAN and WAN routers.

        (continued in comments…)

      • #3575171

        Securing VPN remote users.

        by maxwell edison ·

        In reply to Securing VPN remote users.

        .
        .
        User accounts are added for both routers so that the authentication credentials for the calling router are accessed and validated by the answering router. Demand-dial interfaces, with the same name as the user account that is used by the calling router, must be fully configured at both routers, including settings for the host name or IP address of the answering router and user account credentials to authenticate the calling router.

        Number of PPTP or L2TP ports needed:
        The default number of PPTP and L2TP ports is five. For a corporate router in a spoke-and-hub configuration, five ports may not be enough.

        Routing:
        Both routers on a router-to-router VPN connection must have the appropriate routes in their routing tables to forward traffic across the connection. Routes can be static or dynamic. You can add static routes to the routing table either manually or through an auto-static update. You can add dynamic routes to the routing table by adding the VPN connection demand-dial interface to a routing protocol. However, enabling a routing protocol on the VPN connection demand-dial interface is only recommended when the demand-dial interface is permanently connected.

        Note:
        Unlike demand-dial routing by using direct links, you cannot use a default IP route for the VPN demand-dial interface to summarize all the routes of the corporate office. Because the branch office router is connected to the Internet, the default route must be used to summarize all the routes of the Internet and configured to use the interface that connects the router to the Internet.

        (continued in comments…)
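        The routing note above is easy to get wrong on a branch router, so here is an added example (not from the Microsoft article or the poster) that models the branch router's routing table and checks the rule the note states: the default route must point at the Internet interface, and only the corporate-office prefixes go over the VPN demand-dial interface. The interface names, the addresses (taken from documentation ranges) and the table layout are constructed for the example.

```python
"""Longest-prefix lookup for a branch-office VPN router's routing table (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network   # destination network
    interface: str                  # outgoing interface (Internet link, LAN, or demand-dial VPN)
    metric: int = 1


def lookup(table, destination):
    """Return the interface a packet to `destination` leaves on.

    Longest matching prefix wins; on equal prefix length the lower metric wins.
    """
    dst = ipaddress.IPv4Address(destination)
    best = None
    for route in table:
        if dst not in route.prefix:
            continue
        if best is None or (route.prefix.prefixlen, -route.metric) > (best.prefix.prefixlen, -best.metric):
            best = route
    return best.interface if best else None


def check_tunnel_routing(table, internet_iface, vpn_iface, vpn_server_public_ip):
    """Check the note's rule: the VPN server's public address must route out the Internet
    interface, never into the tunnel whose encapsulated packets are addressed to it."""
    via = lookup(table, vpn_server_public_ip)
    if via == vpn_iface:
        return False, (f"{vpn_server_public_ip} is routed into {vpn_iface!r}: the tunnel "
                       "would have to carry its own encapsulated packets")
    if via != internet_iface:
        return False, f"{vpn_server_public_ip} is routed via {via!r}, expected {internet_iface!r}"
    return True, f"tunnel endpoint {vpn_server_public_ip} reachable via {internet_iface!r}"


def n(cidr):
    return ipaddress.IPv4Network(cidr)


# Constructed sample deployment (hypothetical names and documentation-range addresses).
INTERNET = "Internet"          # branch router's permanent WAN link
CORP_VPN = "CorpOffice"        # demand-dial interface for the router-to-router VPN
VPN_SERVER = "198.51.100.10"   # corporate office VPN server, public address

# Correct table: default route summarises the Internet; corporate prefixes are
# specific static (or auto-static) routes over the demand-dial interface.
CORRECT_TABLE = [
    Route(n("0.0.0.0/0"), INTERNET),
    Route(n("10.0.0.0/8"), CORP_VPN),
    Route(n("192.168.20.0/24"), "BranchLAN"),
]

# Wrong table: a default route over the VPN interface, as one would do for a
# direct demand-dial link, sends the tunnel endpoint's own traffic into the tunnel.
WRONG_TABLE = [
    Route(n("0.0.0.0/0"), CORP_VPN),
    Route(n("203.0.113.0/24"), INTERNET),
    Route(n("192.168.20.0/24"), "BranchLAN"),
]


if __name__ == "__main__":
    for label, table in (("correct", CORRECT_TABLE), ("wrong", WRONG_TABLE)):
        ok, why = check_tunnel_routing(table, INTERNET, CORP_VPN, VPN_SERVER)
        print(f"{label:8s} 10.1.2.3 -> {lookup(table, '10.1.2.3')}, "
              f"{VPN_SERVER} -> {lookup(table, VPN_SERVER)}; {'OK' if ok else 'BAD'}: {why}")
```

        With the wrong table the lookup for the VPN server's public address resolves to the demand-dial interface itself, which is exactly the situation the note warns about; the check flags it before the interface is ever dialled.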

      • #3575169

        Securing VPN remote users.

        by maxwell edison ·

        In reply to Securing VPN remote users.

        .
        .
        Single hop across VPN connection
        For the purposes of designing a routed infrastructure, you can consider the router-to-router VPN connection as a single hop regardless of how many routers are crossed when the encapsulated data is sent across the Internet.

        Creating a remote access policy for router-to-router VPN connections:
        By using remote access policies, you can create a policy that requires router-to-router VPN connections to use a specific authentication method and encryption strength.

        For example, you can create a Windows 2000 group called VPN Routers whose members are the user accounts that are used by calling routers when a router-to-router VPN connection is created. Then, you create a policy with two conditions on the policy: the NAS-Port-Type is set to Virtual (VPN) and the Windows-Group is set to VPN Routers. Finally, you configure the profile for the policy to select a specific authentication method and encryption strength.

        You can also use the Tunnel-Type condition to create separate remote access policies for PPTP and L2TP connections. For example, to require a specific authentication method and encryption strength for PPTP connections, set the Tunnel-Type condition to Point-to-Point Tunneling Protocol.

        L2TP over IPSec connections:
        To create L2TP over IPSec router-to-router VPN connections, you must install machine certificates on the VPN client and the VPN server.

        ———————

        Disclaimer: The preceding came from Microsoft article, “Router-To-Router Design Considerations”.

        Maxwell
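        The remote access policy walk-through in the quoted article (conditions on NAS-Port-Type, Windows-Group and Tunnel-Type, then a profile that fixes the authentication method and encryption strength) is shown below as a small evaluator. This is an added example, not Microsoft's or the poster's code: it models the first-matching-policy behaviour of Windows 2000 remote access policies, where the first policy whose conditions all match decides the outcome and a connection that fails that policy's profile is rejected rather than tried against later policies. The attribute names, group names, the sample connection attempts and the way encryption strength is expressed as a bit count are assumptions made for the example.

```python
"""Evaluating remote access policies for router-to-router VPN connections (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    auth_methods: frozenset     # authentication methods the profile permits
    min_encryption_bits: int    # required encryption strength (assumed bit count)


@dataclass(frozen=True)
class Policy:
    name: str
    conditions: dict            # attribute name -> set of acceptable values
    profile: Profile
    grant: bool = True          # remote access permission for matching connections


def conditions_match(policy, conn):
    """All conditions must match. A multi-valued attribute (group membership)
    matches when any of its values is acceptable."""
    for attr, accepted in policy.conditions.items():
        value = conn.get(attr)
        if value is None:
            return False
        values = value if isinstance(value, (set, frozenset)) else {value}
        if not (values & accepted):
            return False
    return True


def evaluate(policies, conn):
    """Return (granted, reason) for a connection attempt described by `conn`."""
    for policy in policies:
        if not conditions_match(policy, conn):
            continue
        if not policy.grant:
            return False, f"{policy.name}: access denied by policy"
        prof = policy.profile
        if conn.get("Auth-Method") not in prof.auth_methods:
            return False, f"{policy.name}: {conn.get('Auth-Method')!r} not an allowed authentication method"
        if conn.get("Encryption-Bits", 0) < prof.min_encryption_bits:
            return False, f"{policy.name}: encryption below {prof.min_encryption_bits} bits"
        return True, f"{policy.name}: accepted"
    # No policy matched: Windows 2000 rejects the attempt.
    return False, "no matching remote access policy"


ROUTER_CONDITIONS = {
    "NAS-Port-Type": {"Virtual (VPN)"},
    "Windows-Groups": {"VPN Routers"},
}

# Separate policies per Tunnel-Type, as the article suggests. The L2TP policy's
# strength requirement stands in for the IPSec settings (assumption for the example).
POLICIES = [
    Policy("VPN routers over PPTP",
           {**ROUTER_CONDITIONS, "Tunnel-Type": {"PPTP"}},
           Profile(frozenset({"MS-CHAP v2"}), 128)),
    Policy("VPN routers over L2TP/IPSec",
           {**ROUTER_CONDITIONS, "Tunnel-Type": {"L2TP"}},
           Profile(frozenset({"MS-CHAP v2", "EAP-TLS"}), 128)),
]

# Constructed connection attempt by a branch-office calling router.
BRANCH_ROUTER = {
    "NAS-Port-Type": "Virtual (VPN)",
    "Windows-Groups": {"VPN Routers", "Domain Users"},
    "Tunnel-Type": "PPTP",
    "Auth-Method": "MS-CHAP v2",
    "Encryption-Bits": 128,
}


if __name__ == "__main__":
    attempts = {
        "branch router, PPTP, MS-CHAP v2, 128-bit": BRANCH_ROUTER,
        "same router, MS-CHAP v1": {**BRANCH_ROUTER, "Auth-Method": "MS-CHAP v1"},
        "same router, 40-bit encryption": {**BRANCH_ROUTER, "Encryption-Bits": 40},
        "dial-up port, same account": {**BRANCH_ROUTER, "NAS-Port-Type": "Async"},
        "ordinary user account over VPN": {**BRANCH_ROUTER, "Windows-Groups": {"Employees"}},
    }
    for label, conn in attempts.items():
        print(f"{label:40s} -> {evaluate(POLICIES, conn)}")
```

        The evaluator separates the two failure modes a practitioner needs to tell apart when a calling router cannot connect: an attempt that matches no policy at all (wrong port type or the account is not in the VPN Routers group) versus one that matched a policy but failed its profile (weaker authentication method or encryption than the profile demands).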

      • #3575168

        Securing VPN remote users.

        by maxwell edison ·

        In reply to Securing VPN remote users.

        .
        .
        The following link:

        http://www.cisco.com/warp/public/779/largeent/design/vpn.html

        is to “Virtual Private Network Design”, by Cisco Systems

        (REMOVE SPACES from the pasted URL)

        Best of luck and have a GREAT 2002!

        Maxwell

      • #3420950

        Securing VPN remote users.

        by sselinger ·

        In reply to Securing VPN remote users.

        The question was auto-closed by TechRepublic

    • #3451038

      Securing VPN remote users.

      by bspinney ·

      In reply to Securing VPN remote users.

      A security strategy should start with a clear statement of the business objectives. From these objectives solutions will evolve.

      VPN will answer some business objectives but is certainly not a cure-all for remote network security issues. Windows Terminal Server and Citrix are also excellent solutions for accomplishing certain specific security objectives. These same solutions will prove disastrous in other cases.

      I would strongly counsel viewing your security strategy as a whole. It is also important not to rely on any one specific area for security. For example, do not attempt to provide all of the security in the network.

      I hope this is helpful.

    • #3420922

      Securing VPN remote users.

      by sselinger ·

      In reply to Securing VPN remote users.

      This question was auto closed due to inactivity
