
IPSec VPN help needed- how does this work?

Ok, well at my company we are using a hardware firewall (Smoothwall Express 2.0- fix6, with the VPN IPSec3.1.1 pack).

I successfully configured my firewall with the VPN IPSec mod- and a client (my laptop- a test road-warrior) using SSHSentinel as the IPSec client for the laptop. Successfully made the connection with shared secret etc... I just have a couple questions- I am a complete newbie to VPNs and need some guidance.

- Here at work we are an Active Directory Integrated domain (Win2003 and 2k servers)

1) Now that I can successfully connect to the firewall from the laptop using SSHSentinel, what do I need to do next on my domain (internal) side to allow for individual users to authenticate and access pre-determined resources via the VPN tunnel?
Since the Firewall is the VPN endpoint, I guess I do not need to configure a Routing and remote access server. I want to allow only pre-determined users (which will be mobile users and a couple at-home users) to:
a.) Access their User Folders
b.) Remote Desktop Connection to their individual work computer

2) I want to make these connections as SECURE as possible- Is a shared secret enough security for the client (SSHSentinel) to authenticate to the firewall?

3) I gave this a test run from my house and successfully connected to the domain. Since I know the IP addresses of my domain, I tried accessing a file server's shares and was successful (and was prompted for username and password before it let me) logging in as the admin. Is this how the users will be doing it? I need a push in the right direction here!!!


I want to keep security in mind as I am setting this up, and very much appreciate any and all help.


Asked by Trihimbulus

lrmoore commented:
Looks like you're definitely on the right track. You've already noted that users can accomplish both 1a and 1b.
Regarding #2, yes, it is secure. The shared secret is only used as a hash to establish the encrypted tunnel. Assuming that you are using 3DES or AES encryption level, then all traffic between the client and the LAN is encrypted within this tunnel, so it is very secure.
#3 - yep, that's exactly how I would expect it to work, with the security of the AD domain username/password protecting individual hosts within the LAN. If you use a VPN client that allows you to start the tunnel session before logging in to the computer, then you can log in just like you're on the local LAN and only be authenticated once. I don't know that the SSH Sentinel can do that. I do know that the Cisco VPN client can, but you probably can't use that client with the Smoothwall.

Nice job!
pseudocyber commented:
2) I want to make these connections as SECURE as possible- Is a shared secret enough security for the client (SSHSentinel) to authenticate to the firewall?

It depends. It's "ok" ... but you could do more. It depends on how much you want to spend on a better solution, or what the risk is like and what is the value of the risk being realized. We use two-factor authentication - something you have, and something you know. With your shared secret - if someone loses their laptop, the secret goes with it. A third party could find the laptop and use the VPN to connect to the last connection they did without being prompted to identify themselves - since the laptop has the shared secret. Whereas, if they had a SecurID token - this token changes every 60 seconds and requires the user to enter a PIN also. So, it's something they have and something they know. You could get fancier and make it three-factor with biometrics - so it could be have, know, and something they ARE - (finger scan, iris scan, typewriting analysis, etc).

So, as lr mentioned, your encryption is good (3DES or AES), but your authentication is a little weak.
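The post above contrasts a shared secret that lives on the laptop with a token that changes every 60 seconds plus a PIN. As an added illustration (not code from the thread or from Smoothwall), the Python below models the gateway-side check for that second scheme using an RFC 6238-style time-based code; the token seed, PIN and timestamps are constructed values.

```python
import hashlib
import hmac
import struct
import time

# Constructed values for this illustration only (not from the thread).
TOKEN_SECRET = b"constructed-token-seed-for-demo"  # seeded into the token: "something you have"
USER_PIN = "4721"                                   # held only in the user's head: "something you know"
STEP_SECONDS = 60                                   # the post describes a code that rotates every 60 s
DIGITS = 6


def token_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Code the token would display for the time window containing unix_time (HMAC-SHA1, RFC 6238 style)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation, as in RFC 4226
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


def verify_two_factor(pin: str, code: str, now: int, skew_windows: int = 1) -> bool:
    """Gateway check: the PIN must match AND the code must belong to the current window (+/- clock skew).

    A laptop that holds only a stale code (or no PIN) fails here, unlike a stored IPsec shared secret,
    which lets whoever holds the laptop connect without proving who they are.
    """
    if not hmac.compare_digest(pin, USER_PIN):
        return False
    for delta in range(-skew_windows, skew_windows + 1):
        expected = token_code(TOKEN_SECRET, now + delta * STEP_SECONDS)
        if hmac.compare_digest(code, expected):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = token_code(TOKEN_SECRET, now)
    print("fresh code + correct PIN:", verify_two_factor(USER_PIN, code, now))            # True
    print("fresh code + wrong PIN:  ", verify_two_factor("0000", code, now))              # False
    print("stale code (3 min later):", verify_two_factor(USER_PIN, code, now + 180))      # False
```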
Trihimbulus (Author) commented:
Great posts so far! So now where I am at is I have established that secure tunnel to both endpoints. Now I need user Authentication, which I have learned requires help from a Routing and Remote Access Server on my LAN.

Ok, so once the IPSec tunnel is established between the client and the firewall endpoints, I am going to need to forward some ports to my RRAS. Here at my company we use Outlook Web Access over HTTPS which means we are port forwarding ports 25, 80, and 443 to the exchange server.

1) What traffic do I forward to my Routing and Remote Access server? As I mentioned, this will provide for the Authentication part of this process. I am guessing once Authenticated into the domain, they will be able to access only what I have set permissions on (making a VPN Users Group and assigning permissions to objects that they may r/w/x)

This is where I am lost... I am almost there...

Trihimbulus (Author) commented:
Ok I think I get it- so now that I have created an IPSec tunnel between remote workstation and the firewall (endpoint), I should set up a PPTP connection inside this tunnel. This will provide for Authentication and added security. Is this correct???

lrmoore commented:
Once you have a tunnel, that's it. You don't need to create yet another pptp connection within that tunnel.

>I tried accessing a file server's shares and was successful (and was prompted for username and password before it let me)
This *is* your authentication and security - the OS of every box that you're trying to touch once you have created the VPN tunnel.

You *could* forward the initial authentication of the VPN tunnel over to Windows using RADIUS, but it won't buy you much. SSH Sentinel is not a "Windows" networking client, and will not carry the credentials over to the other systems that you want to touch. You'll still get prompted for username/password each time.
