babaganoosh asked:

How hackable is a VPN on an SBS 2003 R2 system, how do you set yours up and do you feel that is the best possible?

A client has an SBS2003 R2 network (server has 2 NICs, and is connected to the web via a cable modem and Linksys befsx4). He had a QuickBooks 'expert' in recently pitching how he will need to move to QuickBooks Enterprise soon, or start with a different QB database because their lists are getting too long and the file too big.

Users at this client use either RWW when they have desktops to connect to or, for those with only laptops, use the VPN built into SBS. The QuickBooks folder is on the SBS server (the only server they have) and has restricted permissions to just a few employees.

There's password complexity enabled - length, mixed case, expires every 3 months, etc. Lockout occurs after 5 failed attempts, etc.

Anyway, I got a note from my client saying the person mentioned that she had a couple of clients that had their systems hacked into through their VPNs and when she heard we had a VPN with potential access to the accounting files suggested we touch base with our IT dept. to make sure that we had adequate firewall/security etc. to protect things. Can you please verify and summarize where we are with protecting the integrity of the server from outside 'hacking'.

I always say that if it's networked, it's potentially accessible / hackable.  I'd be curious how you would answer, how you set your networks for remote access and if you feel it's as unhackable as possible or what you could do to make it more hacker proof and why you aren't doing those extra things (costs? usability / complexity?)

Thank you!

bhnmi

chickenhead:

SBS is not that bad! A dedicated Linux box for VPN? How many SMBs can afford to have someone come in and manage a Linux system for them? Might as well just get a PIX for your firewall if you want to go that route. And anyway we are talking about VPN tunnels being hacked, not the security risks of the OS.

I don't think he's on crack; I think you guys are a little naive as to how easy it is to compromise a system. Especially one that users are saving files to, and that requires constant patching to maintain any semblance of security.

Most of the ones I've seen run Linux.

For example, the WatchGuard Firebox can be had for less than $2000.

All the Cisco products run Linux.
No they don't! They run on IOS.

That was not the question.

It was how hackable is a VPN?

All we are saying is that if username and password policies are good then the VPN should be OK. We never said that the system was completely bulletproof, but that was not the question.

NeilParbrook,
Exactly, I got pulled off topic.

You're right, I'm thinking of their home line of product (Linksys) ....

The point is the more subsystems you have, the more surface area you have for attack...

Windows is littered with vulnerabilities that can be exploited.... New ones are found every month... All it takes is one script kiddie to get to your computer before a patch comes out and they own you.

Never once will they need to guess a password to accomplish this. Don't profess to be an expert on security if you think that dictionary attacks are the main method of entry into a network these days.

I will tell you a story though and it will make you think.

I went to a new client yesterday to discuss their IT support.

On investigating the network I found their main file server (just an XP box) in the DMZ of their firewall. When I asked what the hell was going on I was told that the last guy set it up so the client can access the machine from the internet!!!!

Now that guy was on crack!

The bottom line is you can argue the merits of this and that till the end of time but something is better than nothing.

Password complexity on the edge devices and listening services will thwart any dictionary attack. I have logs full of attempts on my edge devices and FTP servers. No dictionary attack can break a password with symbols, numbers and caps.

And as far as me being an Expert, I am. You don't need to start making veiled insults.

You drag the whole thread off topic to bash a Windows platform used by companies that don't want to spend money on all kinds of stuff. And if you follow best practices you greatly reduce chances of being compromised.


You are missing the point, the EDGE device in this case is not just an edge device, it is a file server. File servers are open to many more types of attack than a typical edge device, therefore you have to worry about a lot more than just dictionary attacks, which he has already put a strong password policy to prevent against....

Although your current security settings should be reviewed. I would make sure that you have renamed your domain admin account and that it is not allowed to be accessed through the VPN. Otherwise with your current settings it is possible for someone to launch a denial of service attack simply by performing a dictionary attack against your network. After about ten minutes they could lock out all of your accounts. Typically you are either going to use strong passwords or account lockout, but not both at the same time.

Where does he say he is using the server as the router/firewall?

babaganoosh (ASKER):

strong passwords or account lockout, but not both at the same time. ??? Really!?  Interesting

Using the SBS as the firewall - no, it does have a firewall built in (this is standard), rudimentary, yes. But it has the Linksys in front of that.

Guys,

focus, and answer the question:

Does anyone know of a situation where an SBS R2 box VPN was compromised?