focusen
asked on
2003 server vpn
I set up Routing and Remote Access for users to VPN to my Windows 2003 server. They are using the Windows VPN client. I was wondering what the security risks are?
The 3 concerns I usually have are:
1) The Windows VPN, or any software VPN (1 exception: www.hamachi.cc), requires you to open/forward a port. This is a security risk to some degree. A hardware VPN using a VPN-capable router eliminates this risk.
2) You, or more importantly the user, need to realize there is a wide open door between the client computer and the server; thus you have effectively brought what may be an unknown and possibly infected computer into your office. Anything that user does or connects to their computer could have an impact on your network.
3) There is also the concern that the remote user may be connected to other network devices or inappropriately surfing the net at the same time the tunnel is connected, increasing the risk to your network. The Windows VPN client has protection for this, enabled by default, called "Use default gateway on remote network", on the advanced TCP/IP properties of the virtual adapter. Ensure this is checked to block the user from local access to other networks such as the internet.
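An added example, not part of the original answer: a small Python audit that reads a client's RAS phonebook file (rasphone.pbk) and lists the entries where "Use default gateway on remote network" is not enforced. It relies on that checkbox being stored as `IpPrioritizeRemote=1` in the phonebook; the sample phonebook text and the function names are constructed for illustration.

```python
"""Audit a Windows RAS phonebook (rasphone.pbk) for split-tunnel VPN entries."""
import sys

# Constructed sample phonebook text (not taken from a real machine).
SAMPLE_PBK = """\
[Office VPN]
Encoding=1
IpPrioritizeRemote=1
MEDIA=rastapi
DEVICE=vpn

[Branch VPN]
Encoding=1
IpPrioritizeRemote=0
MEDIA=rastapi
DEVICE=vpn

[Legacy Dialup]
Encoding=1
"""

def parse_phonebook(text):
    """Return {entry_name: {key: first_value}}; the format repeats keys such
    as MEDIA/DEVICE, which is why configparser is not used here."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = entries.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), value.strip())
    return entries

def split_tunnel_entries(text):
    """Entries whose IpPrioritizeRemote is not 1, i.e. the remote default
    gateway is off, or the key is absent and must be checked by hand."""
    findings = []
    for name, keys in parse_phonebook(text).items():
        value = keys.get("IpPrioritizeRemote")
        if value != "1":
            findings.append((name, "missing" if value is None else value))
    return findings

if __name__ == "__main__":
    # Pass the path to a rasphone.pbk file, or run with no argument for the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_PBK
    for name, value in split_tunnel_entries(text):
        print(f"{name}: IpPrioritizeRemote={value} (default gateway not forced through VPN)")
```

The location of rasphone.pbk differs between Windows versions and between per-user and all-users connections, so the path is left to the caller.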
Hi,
Do you have a firewall sitting between your VPN server and the internet? If not, then you need to put one in there. Basically, firewalls block all traffic except what is allowed. ISA2004 + Windows 2003 would be a good combination. There are lots of other products as well providing hardware solutions. You can use the VPN quarantine feature.
regards,
prem.
One of them is packet sniffing. You can secure it with OpenVPN; it's a secure VPN connection.
2- Use IPsec with your RAS.
Best regards
Thanks focusen,
--Rob
If this VPN is used for users to log in from remote sites, I think they - being non-security-conscious bozos - are the biggest risk. Second would be a poorly/erroneously configured VPN device.
Two-factor authentication helps, but this guy doesn't think that does much good.
http://www.schneier.com/blog/archives/2005/03/the_failure_of.html