
security with VPN

I have successfully configured several VPN connections between my LAN and those of some of my clients using Vigor ADSL routers. I have used DES-MD5 so the data is encrypted, so I am relatively happy with the tunnelling using L2TP, but my question is concerning the security of data on the networks using the default firewall settings. At present it seems that NAT is the only thing protecting the workstations. There is a default filter in the firewall settings that blocks TCP/UDP on ports 137-139 and 53. I have also changed the default port for remote access of the router, and the VPN connections are between fixed stated IP addresses.

How can I ascertain whether the security settings are secure, or what can I do to further improve security?

 
Asked by: ramick
 
lrmoore Commented:
There are lots of things you can do, but the question is, how much value do they add, and how much value is the data you want to protect? You don't want to spend $50K to protect $1K worth of data, but you can certainly justify spending $50K to protect business loss of $50M if a network gets compromised.
You can be reasonably assured that you have taken prudent measures for the data you have, if the routers contain a stateful packet inspection engine (LinkSys does, D-Links does, I don't know about the Vigor). If you want to go one step further, look into an intrusion detection package that would alert you to potential intrusions, then you can adjust the ports that are blocked.
Network Ice (formerly BlackIce Defender) from ISS is a relatively good product:
http://www.iss.net

Just remember that security is a process, not a one-time implementation. You have to continually evaluate and adjust to the changing climate.
 
ramick (Author) Commented:
Thanks for that, lrmoore. There is a 'Keep State' and 'Source Route' box under the default filter sets that I mentioned in the question, but they are not checked. Should I not be blocking other unused ports? I only access the networks for remote control of machines.
 
Beerman Commented:
If you mean blocking from the Internet to the LAN, then block all ports unless you have a web server, etc. If you mean blocking ports from the LAN to the Internet, or across the VPN, then that depends on your company and its users. If you have users that use Kazaa, IRC, etc., or abuse the Internet, then yes, block outgoing. If you want to be the most secure, then yes, block outgoing except the bare minimum.
 
lrmoore Commented:
I would enable Keep State, but not Source Route. Which model Vigor do you have?

 
ramick (Author) Commented:
I use the Vigor 2600 ADSL modem/router. Only concerned about access from the Internet to the LANs. Users only have Internet access; no mail, web or FTP servers or other services used.
 
lrmoore Commented:
The built in firewall on the 2600 should do you fine. If you want that extra measure of verification that it is doing the job, then a host-based intrusion detection such as BlackIce will be a very low-cost addition.
If you don't have any internal web or mail servers, and you are using NAT, then essentially all inbound traffic that is not a direct response from an internal client is already blocked.
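The point made in this answer (and in the earlier remarks about stateful inspection and blocking inbound ports) can be checked against a small model. The following Python is an added illustration, not code from the thread, the Vigor 2600 firmware or DrayTek: it models a port-preserving NAT with the default filter from the question (TCP/UDP 137-139 and 53 dropped from the WAN) and an optional "Keep State" check. The addresses and packets are constructed sample data, and the way "Keep State" is modelled (refusing a fresh inbound TCP SYN that happens to land on an existing translation) is a simplifying assumption about what the option does, not a statement of the router's actual implementation.

```python
"""Model of a NAT router with a default port filter and optional stateful inspection.

Added illustration only. Addresses are from the IETF documentation ranges and the
"Keep State" semantics are an assumption about the feature, not DrayTek's code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample addresses (documentation ranges, not real hosts)
PUBLIC_IP = "203.0.113.10"      # router's WAN address
LAN_HOST = "192.168.1.20"       # a workstation behind NAT

# The default filter named in the question: drop TCP/UDP 137-139 and 53 from the WAN
DEFAULT_FILTER_PORTS = {137, 138, 139, 53}


@dataclass(frozen=True)
class Packet:
    iface: str        # "lan" (from a workstation) or "wan" (from the Internet)
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str = ""   # TCP flags as letters, e.g. "S", "SA", "A"; "" for UDP


class NatRouter:
    """Port-preserving NAT plus the default filter, with optional 'Keep State'."""

    def __init__(self, keep_state: bool,
                 published: Optional[Dict[Tuple[str, int], Tuple[str, int]]] = None):
        self.keep_state = keep_state
        # (proto, public_port) -> (lan_ip, lan_port) for services deliberately exposed
        self.published = published or {}
        # NAT table: (proto, remote_ip, remote_port, public_port) -> (lan_ip, lan_port)
        self.nat: Dict[Tuple[str, str, int, int], Tuple[str, int]] = {}

    def handle(self, pkt: Packet) -> str:
        if pkt.iface == "lan":
            # Outbound: record the translation so the reply can be mapped back
            key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_port)
            self.nat[key] = (pkt.src_ip, pkt.src_port)
            return "forward"

        # Inbound from the Internet: static filter is evaluated first
        if pkt.dst_port in DEFAULT_FILTER_PORTS:
            return "drop:default-filter"

        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.nat:
            # Assumed 'Keep State' behaviour: a new SYN is not a reply to a
            # connection the LAN opened, so it is refused even though the
            # translation exists. Without state tracking it is simply forwarded.
            if self.keep_state and pkt.proto == "tcp" and pkt.flags == "S":
                return "drop:state-mismatch"
            return "forward:reply"

        if (pkt.proto, pkt.dst_port) in self.published:
            return "forward:published"

        # No translation and nothing published: NAT alone blocks it
        return "drop:no-translation"


def run_scenario(keep_state: bool) -> List[str]:
    """Replay a constructed packet sequence and return the router's decisions."""
    router = NatRouter(keep_state=keep_state)
    server = "198.51.100.7"
    scanner = "198.51.100.99"
    packets = [
        Packet("lan", "tcp", LAN_HOST, 51000, server, 443, "S"),    # workstation opens HTTPS
        Packet("wan", "tcp", server, 443, PUBLIC_IP, 51000, "SA"),  # server's SYN-ACK reply
        Packet("wan", "tcp", scanner, 40000, PUBLIC_IP, 445, "S"),  # unsolicited SMB probe
        Packet("wan", "udp", server, 53, PUBLIC_IP, 53),            # hits the default filter
        Packet("wan", "tcp", server, 443, PUBLIC_IP, 51000, "S"),   # new SYN into the mapping
    ]
    return [router.handle(p) for p in packets]


if __name__ == "__main__":
    for ks in (True, False):
        print(f"keep_state={ks}:", run_scenario(ks))
```

Run both ways, the only decision that changes is the last packet: with "Keep State" off, anything that matches an existing translation is forwarded regardless of TCP flags; with it on, the router also requires the packet to fit the connection it expects. Everything else in the trace is already dropped by NAT (no translation, nothing published) or by the default filter, which is the situation lrmoore describes for a LAN with no servers.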
 
ramick (Author) Commented:
Thanks. Reassuring. Will keep an eye on things though.