To VPN or not to VPN


Michael Culley

I was talking to a customer about setting up remote desktop connection on his machine at work so that he could connect from home or
so I could connect for support reasons. Someone else got in his ear (damn I hate it when they do that :-) about running it over a
VPN to stop people hacking into it. I'm sure it would be more secure to use a VPN but is there really any need? Is there a problem
with the security of remote desktop connection? I don't really want to set up a vpn if it is not necessary because of the extra
hassle involved. I know of some large companies that use rdp without a vpn so it can't be that bad.

Thanks,
Michael Culley
 
in message
: I was talking to a customer about setting up remote desktop connection on his machine at work so that he could connect from home or
: so I could connect for support reasons. Someone else got in his ear (damn I hate it when they do that :-) about running it over a
: VPN to stop people hacking into it. I'm sure it would be more secure to use a VPN but is there really any need? Is there a problem
: with the security of remote desktop connection? I don't really want to set up a vpn if it is not necessary because of the extra
: hassle involved. I know of some large companies that use rdp without a vpn so it can't be that bad.

Something you might want to hear... A VPN is not secure by itself.
Something you might not want to hear... The workstation should have secure
and then use a VPN to connect to the corporate network.

You can never have enough security, money or sex [replace sex with love, if
not male], not necessarily in that order. (O:=
All of them work best the more layers you have!

HTH...

--
Roland Hall
 
I know a lot of companies that allow RDP to some servers that do not require
VPN. The RDP stack handles encryption so there is some level of protection
in the protocol itself. To implement a VPN solution just for RDP is
somewhat overkill unless there is a bigger need for the VPN setup.

HTH
Ozone
Michael Culley said:
I was talking to a customer about setting up remote desktop connection on
his machine at work so that he could connect from home or
so I could connect for support reasons. Someone else got in his ear (damn
I hate it when they do that :-) about running it over a
VPN to stop people hacking into it. I'm sure it would be more secure to
use a VPN but is there really any need? Is there a problem
with the security of remote desktop connection? I don't really want to set
up a vpn if it is not necessary because of the extra
 
Not that simple . . .

Sure one can leave the channel exposed. That's no
different than surfing the net with a simple Web Browser.
Of course you access your Bank or shopping vendor about
your banking over the exposed HTTP session don't you ;-]
I hope not !! If you don't tell the Browser to establish
a SSL session the Bank or store does. While you may have
faith in your local network and IT staff not to be
capturing your transactions do you know the entire pathway
to the remote server system? As an example where I work
our conference rooms are fully monitored; anyone connected
within them accessing the I-net is tracked (everything!!)
so unless you had a SSL or VPN connection anything going
across would be caught. My company did this so people
would not surf sex or other sites un-monitored as well as
catch corp spying.

Hopefully I've opened our eyes a bit. In today's world
trust can't be assumed as it once was.

The two big questions are:
- What is the value of this data if the wrong person gets
their hands on it?

- Is the server's data exposed to unknown users and can
they leave something on by system as well. That's the
other side of the coin I didn't get into here.

It may not be an important point here if what this server holds
is of no great value. But that's what the customer needs
to decide and the risks that come with their choice.

Frankly, all the static (Broadband)Internet setups I do
always use a NAT firewall and the unit has VPN services
available if needed. I won't set someone up otherwise.

-----Original Message-----
I was talking to a customer about setting up remote
desktop connection on his machine at work so that he could
connect from home or
so I could connect for support reasons. Someone else got
in his ear (damn I hate it when they do that :-) about
running it over a
VPN to stop people hacking into it. I'm sure it would be
more secure to use a VPN but is there really any need? Is
there a problem
with the security of remote desktop connection? I don't
really want to set up a vpn if it is not necessary because
of the extra
hassle involved. I know of some large companies that use
rdp without a vpn so it can't be that bad.
 
The original RDP is not well encrypted. It's almost as
easy to break as WEP. W2k & XP introduced a newer version
which I understand is harder. The real issue is if the
system can be accessed so someone could gain control.
VPNs give you better control.
 
Dan said:
Sure one can leave the channel exposed. That's no
different than surfing the net with a simple Web Browser.
Of course you access your Bank or shopping vendor about
your banking over the exposed HTTP session don't you ;-]
I hope not !! If you don't tell the Browser to establish
a SSL session the Bank or store does.

RDP has encryption but the question is, is it as good as a VPN, or is it good enough for the required task. In this case the RDP server
is Win2k Server but I guess this would apply to WinXP Pro as well because I set it up for some people on XP also.
 