VPN and authentication/securities


Guest

What are the other major precautions in deploying VPN (to better protect a
company's network), other than:
- limiting authentication to certain Domain account to log onto the Network.
- tight control of VPN server logon password, of course
- firewall?

BTW, someone said to me the "finger-print" (such as mac address of the
network card) of the machine connecting to the vpn server (via an ISP) could
be traced. I do not agree. I think the IP address the vpn server is
communicating to could be traced (when things go wrong), the phone no. calling
to the ISP might also be traceable, but not the mac address. Am I right?
 
ykffc said:
What are the other major precautions in deploying VPN (to better protect a
company's network), other than:
- limiting authentication to certain Domain account to log onto the Network.

Yes.

- tight control of VPN server logon password, of course
Yes

- firewall?

Meaningless. VPN is "local" traffic. It does not go "through" a firewall.
The VPN Tunnel may terminate at a Firewall or it may use VPN Pass-Through on
the Firewall to get to a VPN Server behind the Firewall,...but do *not*
confuse the VPN Tunnel with the VPN Traffic, they are two different things.

A VPN Client, once connected, is effectively the same as any machine
plugged into an Ethernet port on one of your hubs or switches.

Now you could have VPN Clients be on a special subnet and use a LAN Router
with ACLs between them and the LAN to do some amount of filtering, but if in
the process you wreck their "accessibility" they need to do their jobs then
what good is that?
BTW, someone said to me the "finger-print" (such as mac address of the
network card) of the machine connecting to the vpn server (via an ISP) could
be traced. I do not agree. I think the IP address the vpn server is
communicating to could be traced (when things go wrong), the phone no. calling
to the ISP might also be traceable, but not the mac address. Am I right?

Never heard of that,..it sounds like "babble", but even if true,..who
cares?, it is meaningless. It is like worrying about someone knowing what
color hair you have if you go out in public even if you wear a hat because
some might stick out from the hat,...when the truth is,...who cares what
color your hair is?

As far as the VPN IP#, I could do that with a simple port scanner, I don't
need you to connect to it first for anything. As far as the ISP's phone
number?,...they advertise them!....I'd just go to their web site and look up
their dialin numbers or just call their voice line and ask them what the
numbers are.
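The "VPN Clients on a special subnet with ACLs" arrangement from the reply above, as an added example that is not code from the thread: a first-match ACL on the router between the VPN subnet and the LAN, evaluated over constructed flow records, plus a check for the accessibility trade-off the reply warns about. The subnets, hosts, ports and flow records are assumptions, not anything from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# Constructed addressing (assumption, not from the thread): VPN clients land on
# 10.8.0.0/24 and the LAN is 192.168.10.0/24.
VPN_SUBNET = ipaddress.ip_network("10.8.0.0/24")
LAN = ipaddress.ip_network("192.168.10.0/24")

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    dst: ipaddress.IPv4Network  # destination network
    proto: str                  # "tcp", "udp" or "any"
    dport: Optional[int]        # None matches any port

# First-match ACL on the router between the VPN subnet and the LAN.
ACL = [
    Rule("allow", ipaddress.ip_network("192.168.10.5/32"), "udp", 53),    # DNS
    Rule("allow", ipaddress.ip_network("192.168.10.10/32"), "tcp", 445),  # file server
    Rule("allow", ipaddress.ip_network("192.168.10.20/32"), "tcp", 443),  # intranet web
    Rule("deny", LAN, "any", None),                                       # rest of the LAN
]

def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'allow' or 'deny' for one flow from a VPN client into the LAN."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in VPN_SUBNET:
        raise ValueError(f"{src} is not a VPN client address")
    for r in ACL:
        if dst_ip in r.dst and r.proto in ("any", proto) and r.dport in (None, dport):
            return r.action
    return "deny"  # implicit deny when nothing matches

def blocked_needs(flows, needed):
    """Flows users need for their jobs that the ACL blocks: the
    'wreck their accessibility' trade-off from the reply."""
    return [f for f in flows if f in needed and evaluate(*f) == "deny"]

# Constructed flow records (src, dst, proto, dport) from the VPN subnet.
FLOWS = [
    ("10.8.0.12", "192.168.10.5", "udp", 53),
    ("10.8.0.12", "192.168.10.10", "tcp", 445),
    ("10.8.0.12", "192.168.10.30", "tcp", 3389),  # RDP to a workstation, not needed
    ("10.8.0.12", "192.168.10.20", "tcp", 443),
    ("10.8.0.13", "192.168.10.40", "tcp", 1433),  # database the users do need
]
NEEDED = {FLOWS[0], FLOWS[1], FLOWS[3], FLOWS[4]}
if __name__ == "__main__":
    print({f: evaluate(*f) for f in FLOWS}, blocked_needs(FLOWS, NEEDED))
```

A non-empty result from `blocked_needs` is the signal that the ACL is cutting off something the users actually need and should be revisited rather than left in place.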
 
Phillip Windell said:
need you to connect to it first for anything. As far as the ISP's phone
number?,...they advertise them!....I'd just go to their web site and look up
their dialin numbers or just call their voice line and ask them what the
numbers are.

....and what good would their phone numbers do me?....nothing at all,...I
don't have a dialup account with them, therefore I can't use them,...and
none of that matters at all anyway since I don't need their phone number to
create a VPN connection to your VPN Server anyway.
 
Thanks for the advice, Phil. I am not sure if I expressed my last question
correctly.

Someone said the "finger-print" of the machine connecting to the vpn server.
I mean when something goes wrong, and if the dirty job is done by Mr. Badman.
People could track down that Badman has connected to the server because the ISP
knows Badman connects to the ISP with Badman's phone no. xxxx, or if Badman
connects to the ISP via a broadband service, the equipment of Badman has
a certain mac address. This is what someone said.

Is the above comment of someone right?
 
ykffc said:
People could track down Badman has connected to the server because the ISP
knows Badman connects to the ISP with Badman's phone no. xxxx, or if Badman
connects to the ISP via a broadband service, the equipment of Badman has

Maybe. I'm not sure. The best one to ask would be someone that actually
works at an ISP who would be willing to be "honest" about what can be done
and not be trying to "impress" you with their abilities which may be
exaggerated.
 
In theory that is correct: each and every network card has a unique
"fingerprint" that could be tracked. This "fingerprint" is called a MAC
address.
 
ewtaylor2001 said:
In theory that is correct: each and every network card has a unique
"fingerprint" that could be tracked. This "fingerprint" is called a MAC
address.

Many NICs have programmable MACs - so do many NAT devices. I can
change the MAC on every computer in my office and the Linksys BEFSR41
NAT router too - changing it used to allow me to hop subnets when I used
Road Runner residential service.
 
True though you are not actually changing the MAC address as much as masking
it. The MAC address is actually burned into the interface.
 