VPN

  • Thread starter: Mark Lewis

Mark Lewis

I have a permanent internet connection at the office and at home and am
wondering what security issues I have to take for a VPN?

I've set up the VPN connection and have tested it and it works OK.

I'm obviously using the Microsoft Client Firewall; is my connection secure
enough with this? Can I improve it? Any other advice appreciated.

What other options do I have?

Regards

Mark
 
VPNs themselves are pretty secure, with an IPsec tunnel or L2TP being more secure than
PPTP. To make it more secure, try to configure your firewall/internet appliance to
accept VPN traffic from your home public IP address only. That would be the single
best thing you could do to secure it. You will need a static IP address to do that. Also
make sure that you use strong passwords, as a VPN is a backdoor into a network. In
particular, administrator passwords need to be complex, and yes, you can write them down
somewhere, assuming you have no malicious users at your home. You did not describe
your setup much, but if you are using RRAS VPN then edit the profile in the remote
access policy to accept only MS-CHAP v2 authentication and only strongest
authentication. --- Steve
 
Hi Steven

> VPNs themselves are pretty secure

I am getting close to putting in a VPN here. I want to give 10 or so users
access to our local LAN from home. I am not worried about the VPN being
hacked; I am more worried as to what will be on the user's home machine. Say
he picks up a Trojan at home, what will prevent it from infecting the rest of
my internal LAN? I must have missed something here since other companies
allow VPNs all the time.

Bob
 
I'd look into a third party solution - I sound like a broken record, I know,
but SonicWalls handle this very well. And the global client will, when
activated, prevent any non-VPN traffic on that computer. Make sure everyone
has good antivirus software, and that your server(s) are running good AV
software as well.
 
Hi Bob.

That is something to be very concerned with. Ideally the users would be using
company-supplied computers, logging on as regular users, in which case you could
control what is installed on them, including virus protection [all emails must be
scanned also], critical updates, and a personal firewall. If they are going to
use their personal home computers, the risk rises quite a bit due to the fact that
the risk of infection will be much higher. That does not mean that it cannot be
done. The usual precautions such as quality virus protection, prompt patch
management, minimum needed share permissions, firewall logging/alerts, and
effective passwords will go a long way to protect your network. You also will
want to use your VPN device or server to manage where VPN users can go. In W2K
RRAS, for instance, you can edit the profile for the remote access policy to filter
packets for the VPN connection to manage traffic to and from your LAN. It may
also make sense to create user accounts for just using the VPN if they are using
domain accounts where remote access can be controlled via account properties.
You could then create a group for the VPN users and give that group the explicit
user right "Deny access to this computer from the network" on computers you do
not want them to access as an extra precaution. Password policy for your LAN
computers is very important - particularly any administrator accounts, domain or
local. Trojans often run a short dictionary attack against administrator
accounts to take advantage of built-in administrative shares. --- Steve
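
Steve's last point, Trojans running a short dictionary attack against administrator accounts, can be watched for in logon records coming from VPN clients. The check below is an added example and not part of any post in this thread; the VPN address pool 10.8.0.0/24, the CSV log layout, the account names and the threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions (hypothetical, not from the thread): VPN clients get addresses from
# 10.8.0.0/24 and logon results are exported as "time,source,account,result" lines.
VPN_POOL = ip_network("10.8.0.0/24")
ADMIN_NAMES = {"administrator", "admin"}
WINDOW = timedelta(seconds=60)
THRESHOLD = 5  # failed administrator logons inside one WINDOW

# Constructed sample data, not real logs.
SAMPLE_LOG = """\
2004-03-01T21:14:02,10.8.0.12,bob,success
2004-03-01T21:15:10,10.8.0.12,Administrator,failure
2004-03-01T21:15:11,10.8.0.12,Administrator,failure
2004-03-01T21:15:12,10.8.0.12,Administrator,failure
2004-03-01T21:15:13,10.8.0.12,admin,failure
2004-03-01T21:15:14,10.8.0.12,Administrator,failure
2004-03-01T21:00:00,10.8.0.30,Administrator,failure
2004-03-01T21:10:00,10.8.0.30,Administrator,failure
2004-03-01T21:20:00,10.8.0.30,Administrator,failure
2004-03-01T21:30:00,10.8.0.30,Administrator,failure
2004-03-01T21:40:00,10.8.0.30,Administrator,failure
"""

def flag_vpn_guessing(log_text):
    """Return {vpn_client_ip: most failures in any WINDOW} for clients at or over THRESHOLD."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, src, account, result = parts
        if result != "failure" or account.lower() not in ADMIN_NAMES:
            continue
        if ip_address(src) in VPN_POOL:
            failures[src].append(datetime.fromisoformat(ts))
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = worst = 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:  # keep the span at most WINDOW long
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= THRESHOLD:
            flagged[src] = worst
    return flagged
```

Calling `flag_vpn_guessing(SAMPLE_LOG)` flags 10.8.0.12, which fails five administrator logons in four seconds, and leaves 10.8.0.30 alone because its five failures are ten minutes apart.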
 