Solved

security with VPN

Posted on 2003-02-23
Last Modified: 2013-11-29
I have successfully configured several VPN connections between my LAN and those of some of my clients using Vigor ADSL routers. I have used DES-MD5 so the data is encrypted, so I am relatively happy with the tunnelling using L2TP, but my question is concerning the security of data on the networks using the default firewall settings. At present it seems that NAT is the only thing protecting the workstations. There is a default filter in the firewall settings that blocks TCP/IP/UDP on ports 137-139 and 53. I have also changed the default port for remote access of the router, and the VPN connections are between fixed stated IP addresses.

How can I ascertain whether the security settings are secure, or what can I do to further improve security?

Question by:ramick
7 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 8003817
There are lots of things you can do, but the question is, how much value do they add, and how much value is the data you want to protect? You don't want to spend $50K to protect $1K worth of data, but you can certainly justify spending $50K to protect business loss of $50M if a network gets compromised.
You can be reasonably assured that you have taken prudent measures for the data you have, if the routers contain a stateful packet inspection engine (LinkSys does, D-Links does, I don't know about the Vigor). If you want to go one step further, look into an intrusion detection package that would alert you to potential intrusions, then you can adjust the ports that are blocked.
Network Ice (formerly BlackIce Defender) from ISS is a relatively good product:
http://www.iss.net

Just remember that security is a process, not a one-time implementation. You have to continually evaluate and adjust to the changing climate.

Author Comment

by:ramick
ID: 8004619
Thanks for that lrmoore. There is a 'Keep State' and 'Source Route' box under the default filter sets that I mentioned in the question, but they are not checked. Should I not be blocking other unused ports? I only access the networks for remote control of machines.
LVL 1

Expert Comment

by:Beerman
ID: 8005715
If you mean blocking from the internet to the LAN, then block all ports unless you have a web server, etc. If you mean blocking ports from the LAN to the internet, or across the VPN, then that depends on your company and its users. If you have users that use Kazaa, IRC, etc., or abuse the internet, then yes, block outgoing. If you want to be the most secure, then yes, block outgoing except the bare minimum.
LVL 79

Expert Comment

by:lrmoore
ID: 8006225
I would enable Keep State, but not Source Route. Which model Vigor do you have?


Author Comment

by:ramick
ID: 8007231
I use the Vigor 2600 ADSL modem/router. Only concerned about access from the internet to the LANs. Users only have internet access; no mail, web or FTP servers or other services used.
LVL 79

Accepted Solution

by:
lrmoore earned 400 total points
ID: 8008271
The built-in firewall on the 2600 should do you fine. If you want that extra measure of verification that it is doing the job, then a host-based intrusion detection such as BlackIce will be a very low-cost addition.
If you don't have any internal web or mail servers, and you are using NAT, then essentially all inbound traffic that is not a direct response from an internal client is already blocked.
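The following is an added illustration, not code from the thread or from DrayTek: a small model of what the accepted answer and the 'Keep State' discussion describe. It combines the question's default port filter (TCP/UDP 137-139 and 53) with a connection table that only admits inbound packets which are replies to flows a LAN client opened, and lets you compare that with a router doing nothing but port filtering. The LAN prefix and the packets are constructed sample data.

```python
from dataclasses import dataclass

LAN_NET = "192.168.1."                  # constructed private LAN prefix (assumption)
BLOCKED_PORTS = {53, 137, 138, 139}     # the default filter set named in the question


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class RouterFirewall:
    """Models the router's inbound decision: port filter first, then state table."""

    def __init__(self, keep_state: bool = True):
        # keep_state=True models NAT/'Keep State': the router remembers flows the
        # LAN opened and only delivers inbound packets that match one of them.
        self.keep_state = keep_state
        self.table = set()  # (proto, lan_ip, lan_port, remote_ip, remote_port)

    def _is_lan(self, ip: str) -> bool:
        return ip.startswith(LAN_NET)

    def check(self, pkt: Packet) -> str:
        if self._is_lan(pkt.src) and not self._is_lan(pkt.dst):
            if self.keep_state:   # record the outbound flow so its reply is recognised
                self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound from the internet: the static filter is applied regardless of state.
        if pkt.dport in BLOCKED_PORTS:
            return "drop:filter"
        if not self.keep_state:
            return "allow:stateless"      # nothing but the port filter stands in the way
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "allow:reply"          # direct response to an internal client
        return "drop:unsolicited"         # no internal client asked for this


def run_sample(keep_state: bool = True) -> list:
    """Constructed packet sequence: a LAN client browses, then two unsolicited inbound packets."""
    fw = RouterFirewall(keep_state)
    sample = [
        Packet("tcp", "192.168.1.10", 40001, "203.0.113.5", 80),    # client opens web session
        Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 40001),    # server's reply
        Packet("tcp", "198.51.100.9", 3333, "192.168.1.10", 139),   # unsolicited NetBIOS packet
        Packet("tcp", "198.51.100.9", 3333, "192.168.1.10", 5900),  # unsolicited, unfiltered port
    ]
    return [fw.check(p) for p in sample]
```

Running `run_sample(True)` and `run_sample(False)` side by side shows why the last packet is dropped only when the router tracks state: the static filter covers just the listed ports, whereas NAT/Keep State drops everything the LAN did not ask for.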

Author Comment

by:ramick
ID: 8015152
Thanks. Reassuring. Will keep an eye on things though.