Solved

VPN "Best Practices"

Posted on 2004-09-08
506 Views
Last Modified: 2010-10-20
As an IT person, I'm often asked about setting up VPNs with existing hardware.  While I'm aware of certain security risks, I'd really like to discuss with someone the pros and cons of the following setups:

Assume just 2 offices, each behind a NATed firewall with no DMZ:

1. Firewalls(same model at each office) also perform VPN.
2. Internal VPN devices (Cisco VPN router, etc...)
3. ISA to ISA.
4. W2kSever to W2kServer

Basically, my main client has offices in LA and NY and is looking to connect them.  They both simply have 30-50 computers, a couple of DCs and a NATed firewall (Watchguard FireBox X700).  We would like to connect the offices and consolidate the domain, and I would prefer to do it 100% the right way.  I often spout out "best practices", but always like to be reminded of why they are so.  Especially since the computer world changes so rapidly, it's always good to re-verify your feelings before committing to a big project.

Don't need answers specific to my situation.  Not looking for you guys to do my job or anything, just thought I might spark a general conversation about various VPN methodologies that could benefit other people too.

Thanks for all your input.

AdamDrayer
Question by:adamdrayer
3 Comments
 
LVL 9

Expert Comment

by:jdeclue
ID: 12008699


Here are my thoughts, broken down in two parts. Let me know if I am on the right track.

J


VPN:
As far as VPN is concerned, I look at two things. Strength of Encryption and Keys, and then Path to resources.

Strength of VPN, essentially if you are comfortable with the key strength and type of authentication protocols used by a specific setup.

Path to resources is a bigger issue. A straight connection between two routers that allows for restricted IP ranges is most secure. You start running into issues when you have multiple clients connecting from different ranges (such as home users), and when you begin to allow NAT and tunnelling through firewalls directly into a network, where the authentication and setups occur. Given the list of VPN setups you have, I would list them in order of preference as:

VPN Devices, in a DMZ
Firewalls or ISA (they are both firewalls)
W2kServer in a DMZ, and lastly behind a Firewall and in a network.


Connecting Domains:
Anytime you are connecting two AD structures you have a choice between a Single Domain with a Root and Sites, or Multiple Domains with Trusts. Personally I prefer to do a Headquarters scenario, where there is a Single Root and Sites at other locations. I prefer this because it allows for redundancy between locations. Here are a bunch of KBs on Sites.

Here is a whole bunch of information for you. This should get you started on creating a "London" Site for your active directory.


HOW TO: Create and Configure an Active Directory Site in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;318480&Product=win2000

How to Create a Site Link:
http://support.microsoft.com/default.aspx?scid=kb;en-us;316812&Product=win2000

How to configure Windows 2000 Subnets:
http://support.microsoft.com/default.aspx?scid=kb;en-us;269098&Product=win2000

 
LVL 15

Author Comment

by:adamdrayer
ID: 12010668
What makes the VPN better in the DMZ rather than behind the firewall?  What makes separate VPN devices better than using firewalls with VPN capabilities?
 
LVL 9

Accepted Solution

by: jdeclue (earned 500 total points)
ID: 12015841
Remember these are my own opinions.

What makes the VPN better in the DMZ rather than behind the firewall?

When the VPN is behind the firewall, the traffic to set up the connection must pass through the firewall and into the VPN device. This is a potential hazard, as you must open up multiple connections for inbound and outbound connectivity directly through the firewall and into the LAN. In this configuration, if the router is configured to connect directly to a VPN device that does not offer other services (such as web, file and print, etc.), then you are pretty safe. If it has to pass through to a VPN connection on a server or multipurpose device, then there is a greater potential of accessing a service other than VPN and using it to stage an attack against the internal network.

WWW(unprotected)-----(protected)FireWall-----(unprotected)PrivateNetwork

When the VPN is located in a DMZ, you still have the same issue of VPN device vs. server or multipurpose device, but you can still protect the internal network. The connection is made through a firewall and into the VPN device, the traffic goes through the device and has to get through the firewall again to access the internal network. If the VPN is attacked and "owned", it can still be difficult to access the internal network if the inside DMZ connection is not allowing anything but specific VPN connections through.

WWW(unprotected)-----(protected)FireWall(inbound)----VPN-----(protected)FireWall(internalNetwork)-----(unprotected)PrivateNetwork


What makes separate VPN devices better than using firewalls with VPN capabilities?

As stated above, servers and multipurpose devices typically have more functions available than a VPN-only device. This gives those devices a larger "footprint" as far as attacks are concerned. Simply, the more capabilities a device has, the more chances of one of those functions having a vulnerability. A Windows 2000 server is a good example. The server itself has many, many capabilities. If you set up a Windows 2000 server as a web server, just like any other server, you must stay up to date on many patches. These patches fix security vulnerabilities in many components, not just the IIS server. All servers are going to be more susceptible to attacks, by default.

A VPN-only device will be inherently more secure by design. The ability to create a device, strip its operating system of all but essential components and then harden the OS allows for a very small footprint to an attack. These devices have very few services, and require fewer security updates and patches. In addition, there are no concerns of interoperability with multiple services on the box. These machines are designed to do one thing very well, and they typically do.


J


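A concrete form of the second diagram's point that "the inside DMZ connection is not allowing anything but specific VPN connections through", added here as an example that is not from the thread: a constructed iptables-restore policy for a three-legged Linux firewall (the Firebox in the question would express the same policy in its own rule editor). Interface names, addresses, the choice of IPsec and the routed DMZ range are assumptions.

```text
# Constructed example, assumed layout:
#   eth0 = Internet, eth1 = DMZ, eth2 = LAN
#   VPN gateway in DMZ: 198.51.100.10 (routed public range, so no NAT here)
#   local LAN: 10.1.1.0/24    remote LAN: 10.2.1.0/24
#   remote office public IP: 203.0.113.5
#   (assumes a static route for 10.2.1.0/24 via 198.51.100.10 and that
#    the gateway delivers decrypted traffic as plain IP on its DMZ leg)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Outer leg: only IKE (UDP 500), NAT-T (UDP 4500) and ESP,
# only from the peer office, only to the VPN gateway, in both directions.
-A FORWARD -i eth0 -o eth1 -s 203.0.113.5 -d 198.51.100.10 -p udp --dport 500 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -s 203.0.113.5 -d 198.51.100.10 -p udp --dport 4500 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -s 203.0.113.5 -d 198.51.100.10 -p esp -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 198.51.100.10 -d 203.0.113.5 -p udp --dport 500 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 198.51.100.10 -d 203.0.113.5 -p udp --dport 4500 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 198.51.100.10 -d 203.0.113.5 -p esp -j ACCEPT

# Inner leg: only decrypted traffic between the two office LANs.
# Narrow further to the DCs and the ports AD replication needs once known.
-A FORWARD -i eth1 -o eth2 -s 10.2.1.0/24 -d 10.1.1.0/24 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -s 10.1.1.0/24 -d 10.2.1.0/24 -j ACCEPT

# The gateway's own address never reaches the LAN: if the box is "owned",
# its attempts are logged here and then dropped by the FORWARD policy.
-A FORWARD -i eth1 -o eth2 -s 198.51.100.10 -j LOG --log-prefix "vpn-gw-to-lan: "

# Compare: a VPN server inside the LAN needs the same IKE/ESP holes opened
# straight into the LAN segment, with nothing between it and the DCs.
COMMIT
```

The logged "vpn-gw-to-lan:" lines are the detection signal the answer alludes to: the gateway has no legitimate reason to originate traffic toward the LAN, so any such entry is worth an alert.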