Trihimbulus
IPSec VPN help needed- how does this work?

Ok, well at my company we are using a hardware firewall (Smoothwall Express 2.0- fix6, with the VPN IPSec3.1.1 pack).

I successfully configured my firewall with the VPN IPSec mod- and a client (my laptop- a test road-warrior) using SSHSentinel as the IPSec client for the laptop. Successfully made the connection with shared secret etc... I just have a couple questions- I am a complete newbie to VPN's and need some guidance.

- Here at work we are an Active Directory Integrated domain (Win2003 and 2k servers)

1) Now that I can successfully connect to the firewall from the laptop using SSHSentinel, what do I need to do next on my domain (internal) side to allow for individual users to authenticate and access pre-determined resources via the VPN tunnel?
Since the Firewall is the VPN endpoint, I guess I do not need to configure a Routing and remote access server. I want to allow only pre-determined users (which will be mobile users and a couple at-home users) to:
a.) Access their User Folders
b.) Remote Desktop Connection to their individual work computer

2) I want to make these connections as SECURE as possible- Is a shared secret enough security for the client (SSHSentinel) to authenticate to the firewall?

3) I gave this a test run from my house and successfully connected to the domain. Since I know the IP addresses of my domain, I tried accessing a file server's shares and was successful (and was prompted for username and password before it let me) as logging in as the admin. Is this how the users will be doing it? I need a push in the right direction here!!!


I want to keep security in mind as I am setting this up, and very much appreciate any and all help.


Les Moore

Looks like you're definitely on the right track. You've already noted that users can accomplish both 1a and 1b.
Regarding #2, yes, it is secure. The shared secret is only used as a hash to establish the encrypted tunnel. Assuming that you are using 3DES or AES encryption level, then all traffic between the client and the LAN is encrypted within this tunnel, so it is very secure.
#3 - yep, that's exactly how I would expect it to work, with the security of the AD domain username/password protecting individual hosts within the LAN. If you use a VPN client that allows you to start the tunnel session before logging in to the computer, then you can log in just like you're on the local LAN and only be authenticated once. I don't know that the SSH Sentinel can do that. I do know that the Cisco VPN client can, but you probably can't use that client with the Smoothwall.

Nice job!
pseudocyber

2) I want to make these connections as SECURE as possible- Is a shared secret enough security for the client (SSHSentinel) to authenticate to the firewall?

It depends. It's "ok" ... but you could do more. It depends on how much you want to spend on a better solution, or what the risk is like and what is the value of the risk being realized. We use two factor authentication - something you have, and something you know. With your shared secret - if someone loses their laptop, the secret goes with it. A third party could find the laptop and use the VPN to connect to the last connection they did without being prompted to identify themselves - since the laptop has the shared secret. Whereas, if they had a SecurID token - this token changes every 60 seconds and requires the user to enter a PIN also. So, it's something they have and something they know. You could get fancier and make it three factor with biometrics - so it could be have, know, and something they ARE - (finger scan, iris scan, type writing analysis, etc).

So, as lr mentioned, your encryption is good (3DES or AES), but your authentication is a little weak.
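Added example (not part of the thread, and not Smoothwall or SSH Sentinel code) illustrating the point above: an IKEv1 pre-shared-key exchange proves only that the peer holds the key, so a laptop carrying the PSK authenticates whoever has it, whereas a PIN plus a 60-second time-based code requires something known and something held. The PSK, token seed and PIN values are constructed placeholders, and HMAC-SHA1 is assumed as the IKE prf.

```python
import hashlib
import hmac
import struct

# Constructed placeholders, not real credentials.
PSK = b"example-shared-secret"     # stored on the laptop and on the firewall
TOKEN_SEED = b"example-token-seed" # burned into the hardware token
PIN_HASH = hashlib.sha256(b"4321").digest()

def ikev1_psk_skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """IKEv1 PSK mode: SKEYID = prf(PSK, Ni | Nr) (RFC 2409 section 5.4).
    prf assumed to be HMAC-SHA1 here."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()

def psk_gateway_accepts(peer_psk: bytes, gateway_psk: bytes, ni: bytes, nr: bytes) -> bool:
    """Gateway accepts any peer whose derived SKEYID matches its own.
    Only possession of the secret is checked; nothing identifies the user."""
    return hmac.compare_digest(ikev1_psk_skeyid(peer_psk, ni, nr),
                               ikev1_psk_skeyid(gateway_psk, ni, nr))

def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Time-based one-time code (RFC 6238 construction) with a 60-second step,
    standing in for the token that changes every 60 seconds."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def two_factor_accepts(seed: bytes, pin_hash: bytes, pin: str, code: str, now: int) -> bool:
    """Something you know (PIN) AND something you have (current token code)."""
    pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), pin_hash)
    code_ok = hmac.compare_digest(totp(seed, now), code)
    return pin_ok and code_ok

def lost_laptop_scenario(now: int) -> dict:
    """Compare both schemes when a third party holds the laptop (and its PSK)
    but does not know the user's PIN."""
    ni, nr = b"nonce-initiator", b"nonce-responder"
    return {
        "psk_only": psk_gateway_accepts(PSK, PSK, ni, nr),
        "two_factor_without_pin": two_factor_accepts(TOKEN_SEED, PIN_HASH, "0000",
                                                     totp(TOKEN_SEED, now), now),
    }
```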

ASKER

Great posts so far! So now where I am at is I have established that secure tunnel to both endpoints. Now I need user Authentication, which I have learned requires help from a Routing and Remote Access Server on my LAN.

Ok, so once the IPSec tunnel is established between the client and the firewall endpoints, I am going to need to forward some ports to my RRAS. Here at my company we use Outlook Web Access over HTTPS which means we are port forwarding ports 25, 80, and 443 to the exchange server.

1) What traffic do I forward to my Routing and Remote Access server? As I mentioned, this will provide for the Authentication part of this process. I am guessing once Authenticated into the domain, they will be able to access only what I have set permissions on (making a VPN Users Group and assigning permissions to objects that they may r/w/x)

This is where I am lost... I am almost there...
Ok I think I get it- so now that I have created an IPSec tunnel between remote workstation and the firewall (endpoint), I should set up a PPTP connection inside this tunnel. This will provide for Authentication and added security. Is this correct???
ASKER CERTIFIED SOLUTION
Les Moore