How can I secure VPN connections

Hi,

You know that remote users of the VPN use their own PCs, which may have security issues.

I need to make VPN connections to our LAN as secure as I can. How is that possible?

Regards,

yasserd asked:
lrmoore commented:
Use Cisco ASA 5500 series Firewall/VPN with SSL VPN and Cisco Secure Desktop.
http://www.cisco.com/en/US/docs/security/csd/csd311/csd_for_asa/configuration/guide/CSDJntro.html
0
 
nathana21 commented:
You can also use a PIX firewall. It's a smaller and cheaper solution, if you don't need as much as the ASA provides.
0
 
lrmoore commented:
The ASA is the next-generation PIX and the PIX line will be going away. The ASA is a much better value for less money than a PIX.
0
 
nathana21 commented:
OK, I'm only familiar with the PIX line. So that's a better choice.
0
 
lrmoore commented:
Smaller PIX 501/506 will not support the SSL VPN or CSD.
Small ASA 5505 will.
0
 
nathana21 commented:
Yes, I was agreeing with you, in case I wasn't clear. I just learned something new. TY
0
 
CoccoBill commented:
Cisco schmisco. You need to set up secure authentication for the VPN connections, preferably smart card/certificate-based authentication, one-time passwords or other forms of two-factor authentication. Make sure the authentication and data connections use adequate encryption, and in case of PIN/password use, enforce strong passwords, preferably passphrases. Enforce password changes at regular intervals; 90 or 180 days should be adequate. Make sure local LAN access on the clients is blocked, so that the connecting machines will not act as a bridge between your corporate LAN and other networks. Limit the allowed network ports to those required; do not allow unlimited access. Make sure all connections are logged, and that the logs contain all relevant information to create an audit trail, that is, at the bare minimum access times, usernames, source IPs etc. Also recommended would be the use of network quarantine methods (e.g. Cisco NAP), which block access until predetermined criteria are met by the client, such as up-to-date AV, installed hotfixes etc.
0
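The controls listed above (two-factor authentication, no local LAN bridging, only the required ports, an audit trail with time, user and source IP, and a posture check before admission) are easy to state and easy to let drift. One way to keep them honest, independent of which concentrator or firewall enforces them, is to audit the VPN logs against a written policy. The following is an added example, not code from this thread or from any Cisco product: the key=value log format, the field names (`event`, `user`, `src`, `auth`, `split_tunnel`, `posture`, `dport`) and the policy values are all constructed assumptions to be mapped onto your own device's syslog output.

```python
"""Audit VPN session and flow logs against an access policy.

Added example, not part of the original thread. Log format, field names
and policy values are assumptions; adapt them to your concentrator's syslog.
"""
import re

# Constructed sample log lines (syslog-style key=value records), not real data.
SAMPLE_LOG = """\
2008-03-11T08:01:12Z event=session_start user=alice src=203.0.113.7 auth=cert+otp split_tunnel=no posture=pass
2008-03-11T08:01:40Z event=flow user=alice src=203.0.113.7 dst=10.10.0.25 proto=tcp dport=443
2008-03-11T08:02:05Z event=flow user=alice src=203.0.113.7 dst=10.10.0.25 proto=tcp dport=3389
2008-03-11T08:03:00Z event=session_start user=bob src=198.51.100.9 auth=password split_tunnel=yes posture=fail
2008-03-11T08:03:30Z event=flow user=bob src=198.51.100.9 dst=10.10.0.40 proto=tcp dport=445
event=session_start user=carol auth=cert+otp split_tunnel=no posture=pass
"""

# Assumed policy: only two-factor / certificate logins, no split tunnelling,
# posture check must pass, and only HTTPS and SSH are reachable over the VPN.
POLICY = {
    "allowed_auth": {"cert", "cert+otp", "otp"},
    "allowed_ports": {("tcp", 443), ("tcp", 22)},
    "require_no_split_tunnel": True,
    "require_posture_pass": True,
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value record into a dict; a leading bare token (no '=')
    is treated as the timestamp and stored under 'ts'."""
    fields = dict(KV_RE.findall(line))
    head = line.split(" ", 1)[0]
    if "=" not in head:
        fields["ts"] = head
    return fields


def audit(log_text, policy=POLICY):
    """Return a list of (user, finding_code, detail) tuples for every
    record that violates the policy or is unusable as an audit trail."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        user = rec.get("user", "<unknown>")
        event = rec.get("event")

        if event == "session_start":
            # Audit trail: every session must carry time, user and source IP.
            missing = [f for f in ("ts", "user", "src") if f not in rec]
            if missing:
                findings.append((user, "audit_incomplete", "missing " + ",".join(missing)))
            # Authentication strength: password-only logins are flagged.
            if rec.get("auth") not in policy["allowed_auth"]:
                findings.append((user, "weak_auth", rec.get("auth", "none")))
            # Local LAN access / split tunnelling turns the client into a bridge.
            if policy["require_no_split_tunnel"] and rec.get("split_tunnel") != "no":
                findings.append((user, "local_lan_bridge", "split tunnelling enabled"))
            # Quarantine: client should not have been admitted with a failed posture.
            if policy["require_posture_pass"] and rec.get("posture") != "pass":
                findings.append((user, "posture_fail", rec.get("posture", "unknown")))

        elif event == "flow":
            # Least access: only the ports the policy lists may be reached.
            try:
                key = (rec.get("proto"), int(rec.get("dport", "-1")))
            except ValueError:
                key = (rec.get("proto"), -1)
            if key not in policy["allowed_ports"]:
                detail = "%s:%s/%s" % (rec.get("dst"), rec.get("dport"), rec.get("proto"))
                findings.append((user, "port_not_allowed", detail))
    return findings


if __name__ == "__main__":
    for user, code, detail in audit(SAMPLE_LOG):
        print("%-8s %-18s %s" % (user, code, detail))
```

Run against the constructed sample, the script flags alice's RDP attempt, every one of bob's weaknesses (password-only login, split tunnelling, failed posture check, SMB to an internal host) and carol's session record, which lacks a timestamp and source IP and so cannot serve as an audit trail. Feed it real syslog exports on a schedule and the findings become the evidence that the policy is actually enforced rather than merely written down.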
 
yasserd (author) commented:
Hi,

Thank you all.

What if the solution we are using is a Cisco VPN 3000 Concentrator? What are the options for maximum security?

CoccoBill, how can I implement the rules you stated? Is there any product that does so?

Regards,
0
 
lrmoore commented:
The VPN 3000 Concentrator is a dead product and Cisco will not be releasing new updates or features.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_eol_notice0900aecd805cd5a0.html
It does support SSL VPN and CSD, but only in the latest software, which is itself end-of-lifed.

For maximum security, you need a current, supported technology that can change with the security environment.
Dollar for dollar, the ASA is the Cisco product of choice for VPN support.

The Cisco ASA/SSL VPN and Secure Desktop can enforce the (good) rules that CoccoBill outlines. You can enforce antivirus and endpoint firewall rules, you can enforce password security, and there are multiple ways to identify endpoints before letting them in, even if the user has the password. You can even use an on-screen keyboard to prevent keyloggers from seeing the password entry. You can even force a keylogger check on the PC before allowing the VPN session. You can clean the PC of all temp files, cookies and other debris after closing the VPN session.
The rest of it is all policy driven, with acceptable use policies and end user education.

0
 
yasserd (author) commented:
Thank you all.

Thank you lrmoore for your very helpful information.

Regards,
0