Solved

How can I secure VPN connections

Posted on 2007-10-03
282 Views
Last Modified: 2010-04-11
Hi,

You know that remote users of VPN use their own PCs, which may have security issues.

I need to make VPN connections to our LAN as secure as I can. How is that possible?

Regards,

Question by:yasserd
10 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 1600 total points
ID: 20006889
Use Cisco ASA 5500 series Firewall/VPN with SSL VPN and Cisco Secure Desktop.
http://www.cisco.com/en/US/docs/security/csd/csd311/csd_for_asa/configuration/guide/CSDJntro.html
 
LVL 6

Expert Comment

by:nathana21
ID: 20007050
You can also use a PIX firewall. It's a smaller and cheaper solution if you don't need as much as the ASA provides.
 
LVL 79

Expert Comment

by:lrmoore
ID: 20007094
The ASA is the next-generation PIX and the PIX line will be going away. The ASA is a much better value for less money than a PIX.
 
LVL 6

Expert Comment

by:nathana21
ID: 20007221
OK, I'm only familiar with the PIX line, so that's a better choice.
 
LVL 79

Expert Comment

by:lrmoore
ID: 20007316
Smaller PIX 501/506 will not support the SSL VPN or CSD.
Small ASA 5505 will.
 
LVL 6

Expert Comment

by:nathana21
ID: 20007426
Yes, I was agreeing with you, in case I wasn't clear. I just learned something new. TY
 
LVL 19

Assisted Solution

by:CoccoBill
CoccoBill earned 400 total points
ID: 20020864
Cisco schmisco. You need to set up secure authentication to the VPN connections, preferably smart card/certificate-based, one-time passwords or other forms of two-factor authentication. Make sure the authentication and data connections use adequate encryption, and in case of PIN/password use, enforce strong passwords, preferably passphrases. Enforce password changes at regular intervals; 90 or 180 days should be adequate. Make sure local LAN access on the clients is blocked, so that the connecting machines will not act as a bridge between your corporate LAN and other networks. Limit the allowed network ports to those required; do not allow unlimited access. Make sure all connections are logged, and that the logs contain all relevant information to create an audit trail, that is, at the bare minimum access times, usernames, source IPs, etc. Also recommended would be the use of network quarantine methods (e.g. Cisco NAP), which block access until predetermined criteria are met by the client, such as up-to-date AV, installed hotfixes, etc.
 
LVL 10

Author Comment

by:yasserd
ID: 20029906
Hi,

Thank you all.

What if the solution we are using is a Cisco VPN 3000 Concentrator? What are the options for maximum security?

CoccoBill, how can I implement the rules you stated? Is there any product that does so?

Regards,
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 1600 total points
ID: 20030115
The VPN 3000 concentrator is a dead product and Cisco will not be releasing new updates or features.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_eol_notice0900aecd805cd5a0.html
It does support SSL VPN and CSD, but only in the latest, end-of-lifed software.

For maximum security, you need a current, supported technology that can change with the security environment.
Dollar for dollar, the ASA is the Cisco product of choice for VPN support.

The Cisco ASA/SSL and Secure Desktop can enforce the (good) rules that CoccoBill outlines. You can enforce antivirus and endpoint firewall rules, you can enforce password security, and there are multiple ways to identify endpoints before letting them in, even if the user has the password. You can even use an on-screen keyboard to prevent keyloggers from seeing the password entry. You can even force a keylogger check on the PC before allowing the VPN session. You can clean the PC of all temp files, cookies and other debris after closing the VPN session.
The rest of it is all policy driven, with acceptable use policies and end user education.

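CoccoBill's list of controls (two-factor authentication, password rotation, no local LAN access, a port allow-list, a complete audit trail, and posture-based quarantine) and lrmoore's note that an ASA with Secure Desktop can enforce them describe a policy decision point. The script below is an added example, written for this thread and not code from Cisco, the ASA, or any poster; it models that decision logic in plain Python so the rules can be read and tested in isolation. The policy values (90-day password age, the ports 443 and 3389, the required audit fields) and the three sample connection requests are constructed for illustration; the `ClientPosture` fields stand in for whatever a real posture agent reports.

```python
"""VPN access-policy evaluator and audit-trail builder (illustrative, not a Cisco API)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Policy constants: constructed values for this example, set them to local policy.
MAX_PASSWORD_AGE_DAYS = 90                 # rotation interval from the thread (90 or 180 days)
ALLOWED_PORTS: Set[int] = {443, 3389}      # example allow-list: HTTPS and RDP only
REQUIRED_AUDIT_FIELDS = ("timestamp", "username", "source_ip", "decision")


@dataclass
class ClientPosture:
    """Endpoint health facts as a (hypothetical) posture agent would report them."""
    av_up_to_date: bool
    hotfixes_current: bool
    endpoint_firewall_on: bool


@dataclass
class ConnectionRequest:
    username: str
    source_ip: str
    auth_method: str              # "password", "otp" or "certificate"
    second_factor: bool           # True when a second factor was presented
    password_age_days: int        # only meaningful when auth_method == "password"
    split_tunnel_requested: bool  # client wants local LAN access alongside the VPN
    requested_ports: Set[int]
    posture: ClientPosture


def evaluate(req: ConnectionRequest) -> Tuple[str, List[str]]:
    """Return ("allow" | "quarantine" | "deny", reasons).

    Authentication and network-policy failures are hard denies. A client that
    authenticates correctly but fails the posture check is quarantined (no LAN
    access) until it is remediated, which is the network-quarantine model.
    """
    deny_reasons: List[str] = []
    if req.auth_method == "password" and not req.second_factor:
        deny_reasons.append("password without a second factor")
    if req.auth_method == "password" and req.password_age_days > MAX_PASSWORD_AGE_DAYS:
        deny_reasons.append(f"password older than {MAX_PASSWORD_AGE_DAYS} days")
    if req.split_tunnel_requested:
        deny_reasons.append("local LAN access (split tunnel) requested")
    extra_ports = sorted(req.requested_ports - ALLOWED_PORTS)
    if extra_ports:
        deny_reasons.append(f"ports outside allow-list: {extra_ports}")
    if deny_reasons:
        return "deny", deny_reasons

    posture_reasons: List[str] = []
    if not req.posture.av_up_to_date:
        posture_reasons.append("antivirus signatures out of date")
    if not req.posture.hotfixes_current:
        posture_reasons.append("missing hotfixes")
    if not req.posture.endpoint_firewall_on:
        posture_reasons.append("endpoint firewall disabled")
    if posture_reasons:
        return "quarantine", posture_reasons
    return "allow", []


def audit_record(req: ConnectionRequest, decision: str, reasons: List[str],
                 now: datetime | None = None) -> Dict[str, object]:
    """Build the per-connection audit record: time, user, source IP, outcome, and why."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    return {
        "timestamp": ts,
        "username": req.username,
        "source_ip": req.source_ip,
        "auth_method": req.auth_method,
        "second_factor": req.second_factor,
        "decision": decision,
        "reasons": reasons,
    }


def audit_record_complete(record: Dict[str, object]) -> bool:
    """True when the record carries every field the audit trail needs."""
    return all(record.get(f) not in (None, "") for f in REQUIRED_AUDIT_FIELDS)


if __name__ == "__main__":
    # Constructed sample requests (documentation-range IPs, made-up users).
    samples = [
        ConnectionRequest("alice", "203.0.113.10", "certificate", True, 0, False, {443},
                          ClientPosture(True, True, True)),
        ConnectionRequest("bob", "198.51.100.7", "password", True, 30, False, {443},
                          ClientPosture(False, True, True)),
        ConnectionRequest("carol", "192.0.2.55", "password", False, 200, True, {443, 445},
                          ClientPosture(True, True, True)),
    ]
    for r in samples:
        decision, why = evaluate(r)
        print(json.dumps(audit_record(r, decision, why)))
```

Run as-is to see one JSON audit line per sample: the certificate user is allowed, the user with stale antivirus is quarantined, and the single-factor user with an old password, split tunnelling and SMB in the port list is denied with all four reasons listed. Separating hard denies from quarantine mirrors the thread's advice: weak authentication and bridging are never acceptable, while an out-of-date endpoint is a remediation case.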
 
LVL 10

Author Comment

by:yasserd
ID: 20032853
Thank you all.

Thank you lrmoore for your very helpful information.

Regards,
