Solved

Windows VPN

Posted on 2004-04-13
2
355 Views
Last Modified: 2013-11-16
Hello, I want to know what the best practices are for setting up a VPN.

I will be using CheckPoint NG Feature Pack 3 and Safaware Safe at Home Pro Devices.

If there was a checklist of things that are essential for adequate security/ best practices to be obtained, what would they be?  

Thanks
0
Comment
Question by:sublimation
2 Comments
 
LVL 23

Accepted Solution

by:
Tim Holman earned 500 total points
ID: 10816191
The most secure VPN would use:

AES-256 encryption, SHA-1 hash, plus certificates at both ends for authentication.

In practice, many organisations do not have and do not want the extra burden of certificate servers, so the best you could get that is workable would be AES-256, SHA-1 and pre-shared secrets that are KEPT SECRET FOREVER (not written down!).

Also, ensure phase 1 and phase 2 timeouts are set to 14400 seconds (4 hours) throughout.  This means that keys can only be cracked by only supercomputers / arrays within this 4 hour timeout before data is sniffed.  Attackers would have to crack the keys every time they timed out henceforth.

I usually go by what the CESG have to say - www.cesg.co.uk.

Does this help ?

Also make sure ONLY RELEVANT services can pass through the tunnel - eg HTTP, HTTPS.  A lot of people just setup VPNs to encrypt everything between the two networks, but this is not necessary and opens up the risk of 'back infection' by the remote network should it become infected by a virus.
0
 
LVL 4

Author Comment

by:sublimation
ID: 10821808
Thanks
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco ASA 5505 NAT question 8 107
Exchange OWA - failed logins and brute force monitor 7 225
VPN client software 7 44
Unblock a website in Cisco ASA 3 74
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…
Need to grow your business through quality cloud solutions? With everything required to build a cloud platform and solution, you may feel like the distance between you and the cloud is quite long. Help is here. Spend some time learning about the Con…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now