Replace existing VPN

Hi Everyone

I have recently started a new job and I am just looking at the existing infrastructure and listing areas that I think should be changed or improved. There appear to be a few!

The first thing I've noticed is that we are currently using a PPTP VPN connection which is set up on a RAS server. From what I know, PPTP is no longer recommended and is not secure.

We have a ZyXEL ZyWALL 1050 firewall that appears to offer both IPsec and SSL VPN connections. Would it be better to use this as opposed to a software VPN as we currently have?

As far as I can gather there are not a lot of VPN users, and my plan is to only provide VPN accounts to those with company-issued laptops. I think currently people are connecting in with all sorts of different devices, which I guess in itself is not a problem, but as I have doubts about how the VPN is working at the moment I would like to get away from that and just assign VPN accounts to those that need them.

I have set up an OpenVPN server on my home network, so I have done a bit of work on this before, but otherwise I'm a relative newbie.

Asked by Matthew Hinchliffe (IT Engineer)

John (Business Consultant, Owner) commented:
We use hardware IPsec VPNs at all our clients. We use Juniper and Cisco, and there are other products as well.

Site-to-site needs a box at each end and static IP addresses.

Client-to-site needs an application. We use NCP Secure Entry for all our clients and they are very happy with it.

noci (Software Engineer) commented:
PPTP was not recommended from 1998 onwards; from 2010 or so it could be broken in near real time. The PPTP implementation sends the encryption key almost in clear text during setup, and it also aids in enumerating usernames and makes guessing passwords fairly easy.
Moxie Marlinspike had an Amazon-based service that would crack any PPTP in at most 24 hours, for an estimated compute-time cost of around $100 (2010).

Besides that, IPsec on the ZyWALL is actually a solid implementation. It can pass NAT (NAT-T) if needed, and can also run from dynamic IP addresses.
(In that case the dynamic side must initiate any connection.) For client-to-central, look into L2TP; it works like a charm.

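The two answers above leave the asker with a practical first step: find out who is still coming in over PPTP and from which devices before cutting over to IPsec/L2TP on the ZyWALL. The following Python script is an added example, not code from either answer or from any RAS or ZyWALL product; it parses a handful of constructed session lines in a hypothetical `key=value` accounting format (real RAS logs will differ) and reports legacy-tunnel users and sessions from devices that are not on a constructed list of company-issued laptops.

```python
"""Inventory VPN sessions from constructed RAS-style accounting lines.

Flags tunnels still using PPTP and sessions from devices that are not on
the company-issued laptop list, which is the migration plan being discussed.
The log format, hostnames and managed-device list are all constructed for
this example; they are not taken from any real product or site.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines in a hypothetical "key=value" accounting format.
SAMPLE_LOG = """\
2019-03-04T08:12:01Z user=alice tunnel=PPTP src=203.0.113.10 host=LAPTOP-A1
2019-03-04T08:15:44Z user=bob tunnel=PPTP src=198.51.100.7 host=bobs-iphone
2019-03-04T09:02:10Z user=carol tunnel=L2TP/IPsec src=203.0.113.55 host=LAPTOP-C3
2019-03-04T09:30:00Z user=dave tunnel=PPTP src=192.0.2.9 host=home-pc
2019-03-04T10:11:11Z user=alice tunnel=SSL src=203.0.113.10 host=LAPTOP-A1
"""

# Constructed list of company-issued laptops, as their hostnames appear in the log.
MANAGED_HOSTS = {"LAPTOP-A1", "LAPTOP-C3"}

# Tunnel types that remain acceptable after the migration; PPTP is deliberately absent.
ACCEPTED_TUNNELS = {"L2TP/IPsec", "IPsec", "SSL"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) tunnel=(?P<tunnel>\S+) "
    r"src=(?P<src>\S+) host=(?P<host>\S+)$"
)


@dataclass(frozen=True)
class Session:
    ts: str
    user: str
    tunnel: str
    src: str
    host: str


def parse_sessions(text: str) -> list[Session]:
    """Parse accounting lines; lines that do not match the expected shape are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sessions.append(Session(**m.groupdict()))
    return sessions


def audit(sessions, managed_hosts=MANAGED_HOSTS, accepted=ACCEPTED_TUNNELS) -> dict:
    """Summarise tunnel usage and list users on legacy tunnels or unmanaged devices."""
    legacy_users = sorted({s.user for s in sessions if s.tunnel not in accepted})
    unmanaged = sorted({(s.user, s.host) for s in sessions if s.host not in managed_hosts})
    tunnel_counts = Counter(s.tunnel for s in sessions)
    return {
        "tunnel_counts": dict(tunnel_counts),
        "legacy_tunnel_users": legacy_users,
        "unmanaged_device_sessions": unmanaged,
    }


if __name__ == "__main__":
    report = audit(parse_sessions(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the constructed sample it reports three PPTP sessions, three users (alice, bob, dave) who still need to be moved to an accepted tunnel, and two sessions from devices that are not company laptops, which is exactly the list the asker needs when deciding who gets an account on the new IPsec/L2TP setup.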
Matthew Hinchliffe (IT Engineer), author, commented:

John (Business Consultant, Owner) commented:
You are very welcome and I was happy to help.