• Status: Solved
  • Priority: Low
  • Security: Public
  • Views: 48
  • Last Modified:

Replace existing VPN

Hi Everyone

I have recently started a new job and I am just looking at the existing infrastructure and listing areas that I think should be changed or improved.  There appears to be a few !!

The first thing I've noticed is that we are currently using a PPTP VPN connection which is set up on a RAS server.  From what I know, PPTP is no longer recommended and is not secure.

We have a Xyxel ZyWALL 1050 firewall that appears to offer both IPSec and SSL VPN connections.  Would it be better to use this as opposed to a software VPN as we currently have ?

As far as I can gather there are not a lot of VPN users, and my plan is to only provide VPN accounts to those with company issued laptops.  I think currently people are connecting in with all sorts of different devices, which I guess in itself is not a problem but as I have doubts about how the VP is working at the moment I would like to get away from that and just assign VPN accounts to those that need them.

I have set up an Open VPN server on my home network, so I have done a bit of work on this before but otherwise I'm a relative newbie.

Thanks
Matthew
0
Matthew Hinchliffe
Asked:
Matthew Hinchliffe
  • 2
2 Solutions
 
JohnBusiness Consultant (Owner)Commented:
We use Hardware IPsec VPN at all our clients. We use Juniper and Cisco and there are other products as well.

Site to Site needs a box at each end and static IP addresses.  

Client to Site needs an application. We use NCP Secure Entry for all our clients and they are very happy with it. www.ncp-e.com
0
 
nociSoftware EngineerCommented:
PPTP was not recommended from 1998 onwards, from 2010-ish it could be near real time broken. and the PPTP implementation  sends the encryption key almost in clear text during setup, and it also aids in enumerating usernames and makes guessing passwords fairly easy.
Moxie Marlinspike had a Amazone based service that would crask any PPTP in max 24 hrs. for the estimated cost of compute time $100,- ish. (2010).

Besides that, IPSEC on Zywall  is actualy a solid implementations. It can pass NAT (NAT-T) is needed, and also run from dynamic IP's adresses.
(In that case the dynamic side must initiate any connection).  For Client to Central Lookinto L2TP works like a charm.
0
 
Matthew HinchliffeIT EngineerAuthor Commented:
Thanks
0
 
JohnBusiness Consultant (Owner)Commented:
You are very welcome and I was happy to help.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now