How hackable is a VPN on an SBS 2003 R2 system, how do you set yours up and do you feel that is the best possible?

A client has an SBS 2003 R2 network (the server has 2 NICs and is connected to the web via a cable modem and a Linksys BEFSX4). He had a QuickBooks 'expert' in recently pitching how he will need to move to QuickBooks Enterprise soon, or start with a different QB database, because their lists are getting too long and the file too big.

Users at this client use either RWW, when they have desktops to connect to, or, for those with only laptops, the VPN built into SBS. The QuickBooks folder is on the SBS server (the only server they have) and has restricted permissions to just a few employees.

There's password complexity enabled: length, mixed case, expires every 3 months, etc. Lockout occurs after 5 failed attempts, etc.

Anyway, I got a note from my client saying the person mentioned that she had a couple of clients that had their systems hacked into through their VPNs, and when she heard we had a VPN with potential access to the accounting files, she suggested we touch base with our IT dept. to make sure that we had adequate firewall/security etc. to protect things. Can you please verify and summarize where we are with protecting the integrity of the server from outside 'hacking'.

I always say that if it's networked, it's potentially accessible/hackable. I'd be curious how you would answer, how you set up your networks for remote access, and whether you feel it's as unhackable as possible, or what you could do to make it more hacker-proof and why you aren't doing those extra things (costs? usability/complexity?).

Thank you!

babaganooshAsked:
bhnmiCommented:
The encryption on the tunnel itself is, for all intents and purposes, near unbreakable. The point of failure would come from a compromised user account (someone giving their password away, intentionally or not). The QB rep is smoking the good stuff.
0

NeilParbrookCommented:
The bloke's on crack. People saving passwords or writing them down is the normal problem.

He's just trying to make some money; get him to back it up.
0
chikenheadCommented:
The fact that you are using a file server as your firewall is a serious security risk. Microsoft is in the business of selling stuff, and they love to push their Security and Acceleration Server.

Think of it this way: the VPN is running on Windows.... How secure do you consider Windows to be in general?

The real problem is that an SBS server has much more surface area to attack than a dedicated box running Linux, and is susceptible to many more types of attack.
0
bhnmiCommented:
chickenhead:

SBS is not that bad! A dedicated Linux box for VPN? How many SMBs can afford to have someone come in and manage a Linux system for them? Might as well just get a PIX for your firewall if you want to go that route. And anyway, we are talking about VPN tunnels being hacked, not the security risks of the OS.
0
chikenheadCommented:
I don't think he's on crack; I think you guys are a little naive as to how easy it is to compromise a system, especially one that users are saving files to and that requires constant patching to maintain any semblance of security.

0
chikenheadCommented:
Most of the ones I've seen run Linux.

For example, the WatchGuard Firebox can be had for less than $2000.

0
chikenheadCommented:
All the Cisco products run Linux.
0
bhnmiCommented:
No they don't! They run IOS.
0
NeilParbrookCommented:
That was not the question.  

It was how hackable is a VPN?

All we are saying is that if username and password policies are good then the VPN should be OK. We never said that the system was completely bulletproof, but that was not the question.
0
bhnmiCommented:
NeilParbrook,
Exactly, I got pulled off topic.
0
chikenheadCommented:
You're right, I'm thinking of their home line of products (Linksys)....

The point is, the more subsystems you have, the more surface area you have for attack...

Windows is littered with vulnerabilities that can be exploited.... New ones are found every month... All it takes is one script kiddie to get to your computer before a patch comes out and they own you.

Never once will they need to guess a password to accomplish this. Don't profess to be an expert on security if you think that dictionary attacks are the main method of entry into a network these days.
0
NeilParbrookCommented:
I will tell you a story, though, and it will make you think.

I went to a new client yesterday to discuss their IT support.

On investigating the network I found their main file server (just an XP box) in the DMZ of their firewall. When I asked what the hell was going on, I was told that the last guy set it up so the client could access the machine from the internet!!!!

Now that guy was on crack!

The bottom line is you can argue the merits of this and that till the end of time, but something is better than nothing.
0
bhnmiCommented:
Password complexity on the edge devices and listening services will thwart any dictionary attack. I have logs full of attempts on my edge devices and FTP servers. No dictionary attack can break a password with symbols, numbers and caps.

And as far as me being an Expert, I am. You don't need to start making veiled insults.

You drag the whole thread off topic to bash a Windows platform used by companies that don't want to spend money on all kinds of stuff. And if you follow best practices you greatly reduce the chances of being compromised.


0
chikenheadCommented:
You are missing the point: the EDGE device in this case is not just an edge device, it is a file server. File servers are open to many more types of attack than a typical edge device, therefore you have to worry about a lot more than just dictionary attacks, which he has already put a strong password policy in place to prevent....

Although your current security settings should be reviewed. I would make sure that you have renamed your domain admin account and that it is not allowed to be accessed through the VPN. Otherwise, with your current settings it is possible for someone to launch a denial-of-service attack simply by performing a dictionary attack against your network. After about ten minutes they could lock out all of your accounts. Typically you are either going to use strong passwords or account lockout, but not both at the same time.
0
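Added example, not code from the thread or from any of its posters: a small Python model of the lockout policy the question describes (lockout after 5 failed attempts) run against the two attack patterns the comment above contrasts. A dictionary attack on a single account trips the lockout almost immediately and keeps the legitimate user out, which is the denial-of-service the comment warns about; a password spray (one guess per account per round, rounds spaced wider than the observation window) never reaches the per-account threshold, so it is only visible to a detection that counts distinct accounts per source rather than failures per account. Account names, passwords, IP addresses, timestamps and the wordlist are all constructed, and the 30-minute observation window and lockout duration are assumed values (the question states only the threshold).

```python
"""Lockout policy vs. dictionary attack vs. password spray (constructed data).

Added example; all accounts, passwords, IPs, timestamps and words are made up."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

START = datetime(2008, 6, 2, 9, 0, 0)   # constructed timestamp
THRESHOLD = 5                           # "lockout after 5 failed attempts" (from the question)
WINDOW = timedelta(minutes=30)          # assumed "reset lockout counter after" value
LOCKOUT = timedelta(minutes=30)         # assumed "account lockout duration" value

# Constructed wordlist: every entry passes Windows complexity (3 of 4 character
# classes) yet is exactly what a sprayer tries first.
WORDLIST = ["Password1", "Welcome1", "Summer2008", "Spring2008",
            "Company1", "Letmein1", "Changeme1", "Qwerty123"]


class Directory:
    """Minimal model of a domain applying its lockout policy to VPN logons."""

    def __init__(self, accounts, threshold=THRESHOLD, window=WINDOW, lockout=LOCKOUT):
        self.accounts = dict(accounts)          # user -> password (constructed)
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = defaultdict(deque)      # user -> timestamps of recent failures
        self.locked_until = {}                  # user -> datetime the lock expires
        self.log = []                           # (time, source_ip, user, outcome)

    def authenticate(self, user, password, now, source):
        """Return True on success; record every outcome the way an auth log would."""
        if user not in self.accounts:
            self.log.append((now, source, user, "no_such_user"))
            return False
        if user in self.locked_until and now < self.locked_until[user]:
            self.log.append((now, source, user, "locked"))   # right password fails here too
            return False
        if self.accounts[user] == password:
            self.failures[user].clear()
            self.log.append((now, source, user, "success"))
            return True
        recent = self.failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window:     # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.threshold:
            self.locked_until[user] = now + self.lockout
            recent.clear()
            self.log.append((now, source, user, "lockout"))
        else:
            self.log.append((now, source, user, "bad_password"))
        return False


def dictionary_attack(directory, user, wordlist, start, source="203.0.113.7"):
    """Hammer one account with the whole list, one guess per second.
    Returns (password_found_or_None, guesses_made)."""
    now = start
    for n, word in enumerate(wordlist, 1):
        if directory.authenticate(user, word, now, source):
            return word, n
        now += timedelta(seconds=1)
    return None, len(wordlist)


def password_spray(directory, users, wordlist, start, source="203.0.113.7"):
    """One guess per account per round; wait out the observation window between
    rounds so no account ever accumulates `threshold` failures. Returns {user: password}."""
    now, found = start, {}
    for word in wordlist:
        for user in users:
            if directory.authenticate(user, word, now, source):
                found[user] = word
            now += timedelta(seconds=1)
        now += directory.window + timedelta(seconds=1)
    return found


def count_outcome(log, outcome):
    return sum(1 for _, _, _, o in log if o == outcome)


def suspicious_sources(log, min_accounts=3):
    """Detection side: a source failing against many distinct accounts is spraying,
    whatever the per-account lockout counters say."""
    seen = defaultdict(set)
    for _, source, user, outcome in log:
        if outcome in ("bad_password", "lockout", "locked"):
            seen[source].add(user)
    return sorted(s for s, users in seen.items() if len(users) >= min_accounts)


def make_directory():
    # Constructed accounts; bob's password passes complexity but is on the list.
    return Directory({"alice": "Tr!cky-Pass42", "bob": "Summer2008", "carol": "zq9$Lm!2pW"})


def demo():
    """Run both attacks against fresh directories and summarise the effects."""
    d1 = make_directory()
    cracked, guesses = dictionary_attack(d1, "alice", WORDLIST, START)
    # Alice herself, with the correct password, 20 seconds into the attack:
    alice_ok = d1.authenticate("alice", "Tr!cky-Pass42", START + timedelta(seconds=20), "198.51.100.5")
    d2 = make_directory()
    sprayed = password_spray(d2, ["alice", "bob", "carol"], WORDLIST, START)
    return {"dict_cracked": cracked, "dict_guesses": guesses,
            "dict_lockouts": count_outcome(d1.log, "lockout"),
            "legit_user_locked_out": not alice_ok,
            "spray_found": sprayed,
            "spray_lockouts": count_outcome(d2.log, "lockout"),
            "spray_flagged": suspicious_sources(d2.log)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script and the summary shows the trade-off in numbers: the dictionary attack cracks nothing, locks the account on the fifth guess and turns away the real user, while the spray causes no lockouts at all and still recovers one password that the complexity policy accepted. The per-source distinct-account count in `suspicious_sources` is the check worth running over a real VPN or domain controller log, because per-account lockout counters never fire on a spray.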
bhnmiCommented:
Where does he say he is using the server as the router/firewall?
0
babaganooshAuthor Commented:
"Strong passwords or account lockout, but not both at the same time"??? Really!? Interesting.

Using the SBS as the firewall: no. It does have a firewall built in (this is standard), rudimentary, yes, but it has the Linksys in front of that.
0
naughtonCommented:
Guys,

Focus, and answer the question:

Does anyone know of a situation where an SBS R2 box VPN was compromised?

0