VPN Windows 2000


cptkirkh

I inherited a network that uses Windows 2000 Server for the VPN. The server
has two NICs, one for the external and the other for the internal. Did
this device really need to have two NICs? Isn't that a little
dangerous placing a Windows box outside of the firewall? Can't
I just tell my PIX to port over VPN to that particular box and use one
NIC with the internal IP address? If so, what ports do I need to port
over? Thanks for your help.
 
cptkirkh said:
I inherited a network that uses Windows 2000 Server for the VPN. The server
has two NICs, one for the external and the other for the internal. Did
this device really need to have two NICs? Isn't that a little
dangerous placing a Windows box outside of the firewall?

I'd have no problem with this as long as the server is properly locked down
and patched.

Can't I just tell my PIX to port over VPN to that particular box
and use one NIC with the internal IP address?
If so, what ports do I need to port over?

If it's just a PPTP VPN server so other Windows boxes can connect from the
outside world, you can use just the internal NIC and forward port 1723. If
you're using L2TP or IPSec tunnels, you'll probably have the best luck
leaving the second NIC with a public address.

....kurt
 
I am with you 100%. I never, and I mean NEVER, allow a server to be outside of
a firewall. Net protocol (FTP, HTTP, SMTP, etc.) servers reside in a firewall
protected DMZ and communicate with SQL servers, etc. within the intranet
through very controlled limits.

I have personally used port forwarding for PPTP (port 1723) to access my
office remotely for years and have never had problems. Moreover, I would not
feel comfortable with anything less, since my client data is of a sensitive
nature.

cheers,
James
 
Just to throw my 2 cents in here, PPTP is not nearly as secure as
L2TP/IPSec. So you've got to choose your devil: a lesser encryption on the
data stream or a publicly available server. I'm not saying one is better or
worse than the other, just that both have their risks. Sometimes it's not
possible to use PPTP; sometimes the other end is not a Windows client and
just doesn't support it. Sometimes IPSec may be a security requirement of
the other party (or of medical or governmental data). In any case, a locked
down MS RRAS server isn't generally any less secure than any other server
(even Cisco PIX has had security flaws).

....kurt
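
For the "which ports" question in kurt's first reply and the PPTP-versus-L2TP/IPSec trade-off in his second, here is what the PIX side of the single-NIC design looks like. This is an added example, not configuration from anyone in the thread; the addresses (203.0.113.10 as a spare public IP on the PIX outside subnet, 192.168.1.10 as the RRAS server's internal address) and the access-list name outside_in are placeholders, and the syntax is PIX 6.x. The point the thread leaves out: "forward port 1723" is only half of PPTP. The data channel is GRE (IP protocol 47), which has no port numbers and so cannot be handled by a TCP port-level static; you need a full one-to-one static and an explicit GRE permit (PIX 6.3 can also open GRE dynamically with `fixup protocol pptp 1723`, but the explicit rule works on any 6.x release). L2TP/IPSec needs UDP 500 (IKE), ESP (IP protocol 50) and, for NAT-T, UDP 4500.

```cisco
! Added example (hypothetical addresses), PIX 6.x syntax.
! One-to-one static so protocols without ports (GRE, ESP) can reach the server.
! A port-level static such as
!   static (inside,outside) tcp interface 1723 192.168.1.10 1723 netmask 255.255.255.255
! would carry the PPTP control channel but NOT GRE, so the tunnel would never come up.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! --- PPTP (kurt's first reply): TCP 1723 control channel + GRE data channel ---
access-list outside_in permit tcp any host 203.0.113.10 eq 1723
access-list outside_in permit gre any host 203.0.113.10

! --- L2TP/IPSec (kurt's second reply): IKE, ESP, and NAT-T ---
! Only needed if the server runs L2TP/IPSec instead of (or as well as) PPTP.
access-list outside_in permit udp any host 203.0.113.10 eq 500
access-list outside_in permit esp any host 203.0.113.10
access-list outside_in permit udp any host 203.0.113.10 eq 4500

! Nothing else from the outside reaches the server; the implicit deny covers it.
access-group outside_in in interface outside
```

After applying a new or changed static, run `clear xlate` so stale translations do not mask the change, then `show access-list outside_in` while a client connects: the hit counts on the 1723 and GRE lines should both climb. If only the TCP line increments, GRE is being dropped somewhere upstream (a common failure with PPTP behind NAT). The caveat behind kurt's "best luck leaving the second NIC with a public address" is that ESP through a NAT requires NAT-T support on both ends, which stock Windows 2000 did not ship with, so the L2TP/IPSec rules above only help a patched server or one whose static is a true one-to-one mapping. And if the existing dual-NIC box stays, verify that RRAS is not routing ordinary (non-VPN) traffic between the public NIC and the internal LAN, because a dual-homed host with IP forwarding enabled is a path around the PIX, not a host behind it.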
 