Posted by Jarryd on July 19, 2005, 9:44 am
Hi,
I have a Windows Server 2003 machine configured as a VPN server. Access is
restricted to L2TP IPSec using MS-CHAP v2 only and users of the VPN security
group. Is there anything else that I can do to make it more secure? I am
also wondering about getting a hardware VPN. I am using the MS one and it
is working very well, but if a hardware solution is really that much more
secure then I suppose it is worth shelling out a bit more. So what I am
looking for is educated opinions on the matter.
TIA,
Jarryd
Posted by Chris Leiter on July 19, 2005, 8:54 am
Depending on who you ask, this could get sticky.
First of all, there's no such thing as a "hardware" vpn solution. All VPN
devices must use some kind of software to control access to the network.
The question really becomes, do I buy a product that is a dedicated VPN
solution, or do I continue using the product I have.
A couple of questions you might want to ask yourself include:
Is it worth the monetary and administrative cost to set up a new VPN
solution?
Is the product really more secure? How many IOS updates have there been
for it within the last couple of years?
Can it offer Quarantine Services (or something similar) to protect my
internal network? (2K3 can!)
I would say if you've dedicated your win2k3 server to the VPN solution, and
have taken the necessary precautions to secure it (i.e. disabling any
unnecessary services and keeping the software up to date), there's no need
to reinvent the wheel.
Products like Firewalls, routers, and VPN concentrators are only as secure
as the administrator who maintains them makes them.
Just my $0.02
Chris Leiter
> Hi,
>
> I have a Windows Server 2003 machine configured as a VPN server. Access
> is restricted to L2TP IPSec using MS-CHAP v2 only and users of the VPN
> security group. Is there anything else that I can do to make it more
> secure. I am also wondering about getting a hardware VPN. I am using the
> MS one and it is working very well, but if a hardware solution is really
> that much more secure then I suppose it is worth shelling out a bit more.
> So what I am looking for is educated opinions on the matter.
>
> TIA,
>
> Jarryd
>
Posted by Steven L Umbach on July 19, 2005, 1:11 pm
I would stay with the Windows 2003 Server if it is working well for you. One
thing it has going for it is you can configure Remote Access Policies for a
fine degree of control over VPN access. One thing I would check is the
input/output filters in Remote Access Policies to make sure that users are
able to access only the ports/protocols/IP addresses you want them to on
your LAN. You can also have different Remote Access Policies based on Windows
groups if need be. --- Steve
> Hi,
>
> I have a Windows Server 2003 machine configured as a VPN server. Access
> is restricted to L2TP IPSec using MS-CHAP v2 only and users of the VPN
> security group. Is there anything else that I can do to make it more
> secure. I am also wondering about getting a hardware VPN. I am using the
> MS one and it is working very well, but if a hardware solution is really
> that much more secure then I suppose it is worth shelling out a bit more.
> So what I am looking for is educated opinions on the matter.
>
> TIA,
>
> Jarryd
>
Posted by S. Pidgorny on July 21, 2005, 9:44 pm
Want more security? Use certificate/smart card authentication instead of
passwords. Otherwise MS L2TP/IPsec implementation is a good choice.
Hardware solutions are only better because they come pre-hardened. Nokia
boxen have hard drives and all that; Cyberguard SG series is stock standard
Linux with smart Web GUI. Checkpoint offers "secure platform", which is also
Linux that installs from a CD on any computer up to specs (256MB RAM, 2
NICs, no extraordinary hardware). Really, there is not much difference
b/ween "hardware" and "software" solutions any more.
And BTW - as the vendors don't have much to offer on top of what MS does,
they all are moving to SSL VPNs that are "flavour of the month" now.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
> Hi,
>
> I have a Windows Server 2003 machine configured as a VPN server. Access is
> restricted to L2TP IPSec using MS-CHAP v2 only and users of the VPN security
> group. Is there anything else that I can do to make it more secure. I am
> also wondering about getting a hardware VPN. I am using the MS one and it
> is working very well, but if a hardware solution is really that much more
> secure then I suppose it is worth shelling out a bit more. So what I am
> looking for is educated opinions on the matter.
>
> TIA,
>
> Jarryd
>
>