Replace existing VPN

Matthew Hinchliffe
Hi Everyone

I have recently started a new job and I am just looking at the existing infrastructure and listing areas that I think should be changed or improved. There appear to be a few!!

The first thing I've noticed is that we are currently using a PPTP VPN connection which is set up on a RAS server. From what I know, PPTP is no longer recommended and is not secure.

We have a ZyXEL ZyWALL 1050 firewall that appears to offer both IPsec and SSL VPN connections. Would it be better to use this as opposed to a software VPN as we currently have?

As far as I can gather there are not a lot of VPN users, and my plan is to only provide VPN accounts to those with company-issued laptops. I think currently people are connecting in with all sorts of different devices, which I guess in itself is not a problem, but as I have doubts about how the VPN is working at the moment I would like to get away from that and just assign VPN accounts to those that need them.

I have set up an OpenVPN server on my home network, so I have done a bit of work on this before, but otherwise I'm a relative newbie.

Thanks
Matthew
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
We use Hardware IPsec VPN at all our clients. We use Juniper and Cisco and there are other products as well.

Site to Site needs a box at each end and static IP addresses.

Client to Site needs an application. We use NCP Secure Entry for all our clients and they are very happy with it. www.ncp-e.com
Software Engineer
Distinguished Expert 2018
Commented:
PPTP was not recommended from 1998 onwards; from 2010-ish it could be broken in near real time, and the PPTP implementation sends the encryption key almost in clear text during setup. It also aids in enumerating usernames and makes guessing passwords fairly easy.
Moxie Marlinspike had an Amazon-based service that would crack any PPTP in max 24 hrs for an estimated compute-time cost of $100-ish (2010).

Besides that, IPsec on ZyWALL is actually a solid implementation. It can pass NAT (NAT-T) if needed, and also run from dynamic IP addresses.
(In that case the dynamic side must initiate any connection.) For Client to Central, look into L2TP; it works like a charm.
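As an added, defender-side illustration (not code from this thread or from ZyXEL): after moving clients off PPTP, you want to confirm nobody is still falling back to it. This Python snippet classifies flows in constructed firewall log lines as PPTP (TCP/1723 control plus GRE data), IPsec/IKE (UDP/500, UDP/4500 NAT-T as mentioned above) or L2TP (UDP/1701) and reports sources still using PPTP. The log format, addresses and helper names are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (generic syslog-style text,
# not real ZyWALL output); addresses are documentation ranges.
SAMPLE_LOGS = """\
2024-03-01T08:01:12 fw allow proto=tcp src=203.0.113.10 dst=198.51.100.5 dport=1723
2024-03-01T08:01:13 fw allow proto=gre src=203.0.113.10 dst=198.51.100.5
2024-03-01T08:05:40 fw allow proto=udp src=203.0.113.22 dst=198.51.100.5 dport=500
2024-03-01T08:05:41 fw allow proto=udp src=203.0.113.22 dst=198.51.100.5 dport=4500
2024-03-01T08:06:02 fw allow proto=udp src=203.0.113.22 dst=198.51.100.5 dport=1701
2024-03-01T08:12:55 fw allow proto=tcp src=192.0.2.77 dst=198.51.100.5 dport=1723
"""

# dport is optional because GRE (IP protocol 47) has no ports.
LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
    r"(?: dport=(?P<dport>\d+))?"
)

def classify(proto, dport):
    """Map a single flow to the VPN technology it most likely belongs to."""
    proto = proto.lower()
    if proto == "tcp" and dport == 1723:
        return "pptp-control"          # PPTP control channel
    if proto == "gre":
        return "pptp-data"             # PPTP tunnels payload inside GRE
    if proto == "udp" and dport in (500, 4500):
        return "ipsec-ike"             # IKE; 4500 is NAT-T (IPsec over UDP)
    if proto == "udp" and dport == 1701:
        return "l2tp"                  # L2TP, normally protected by IPsec
    return None

def find_legacy_pptp(log_text):
    """Return {src_ip: set(flow kinds)} for every source still using PPTP."""
    by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        dport = int(m["dport"]) if m["dport"] else None
        kind = classify(m["proto"], dport)
        if kind:
            by_src[m["src"]].add(kind)
    return {src: kinds for src, kinds in by_src.items()
            if kinds & {"pptp-control", "pptp-data"}}

if __name__ == "__main__":
    for src, kinds in find_legacy_pptp(SAMPLE_LOGS).items():
        print(f"{src}: still using PPTP ({', '.join(sorted(kinds))})")
```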
Matthew Hinchliffe, IT Engineer (Author)
Commented:
Thanks
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
You are very welcome and I was happy to help.
