
ISA and VPN

Discussion in 'Windows Server System' started by Sue, 2005/02/19.

Thread Status:
Not open for further replies.
  1. 2005/02/19
    Sue

    Sue Inactive Thread Starter

    Joined:
    2002/04/12
    Messages:
    284
    Likes Received:
    0
    On a Windows 2000 SP4 server, with ISA in firewall mode only. How secure is VPN? Some of our staff need to connect to a SQL database from off campus and I want to ensure that it will not open up holes in the firewall. Is there additional hardware or software I should purchase?

    Thanks

    Sue
  2. 2005/02/20
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    It depends on the type of VPN you are using. IPSec VPNs are generally more secure than PPTP and L2TP. Most VPNs are good at encrypting the data so that it is very difficult to read. However, a common weakness is the authentication system. While it is difficult for those not using the tunnel to read the data passing through it, it is relatively easy to create a tunnel by pretending you are someone with the rights to do so.

    Therefore the main task is to prevent people who are not authorised to connect to the VPN from obtaining the information they need to set up a tunnel. This is the main weakness of PPTP and L2TP; they tend to have weak authentication key exchanges at the initial setup stage of the tunnel creation. A good IPSec system will use something like a two-way Diffie-Hellman key exchange to ensure that the key exchange is difficult to snoop.

    Secure passwords (upper and lower case with numbers, and longer than 7 characters) are essential. Changing passwords regularly would be a good idea too. Also, it is worth looking at restricting the IP addresses of those who are connecting in, if you can. This can be trivial for site-to-site VPN tunnels, but difficult for single-user access, where home users have a different IP each time they connect.

    VPN systems that use their own client software add a little more security, although it is not usually that difficult to get hold of the software if someone is determined.

    In my experience the most secure and easy-to-set-up VPNs come with dedicated hardware such as VPN gateways and firewalls. However, this does come at a cost, and can cost thousands if you have a lot of people connecting in.

    Another advantage of a hardware VPN gateway is that they often have good control of where a user can go once they connect in via VPN. You can set up rules that say, "VPN users can only use these services on these computers". Such rules are provided by other systems too and I would recommend using them where they are available. It is too easy to set up a VPN tunnel that allows anyone accessing it full access to the remote network.

    There are Linux systems that provide open source IPSec implementations, but I would only recommend them if you are familiar with securing Linux.

    Another consideration is where you put the VPN gateway. Most people put it behind the firewall. However, there are good arguments for putting the gateway alongside the firewall, so that you don't have to put a hole in the firewall for the VPN traffic to pass to the gateway. The downside of that is that you then have to secure both the firewall and the VPN gateway. However, if the gateway is only offering the VPN service this can be straightforward.

    The VPN systems built into Windows XP and 2000 are cheap (as they are free with the OS) and easy to use. However, they are L2TP and PPTP based and therefore not as good as an IPSec VPN. If you use them you should monitor them regularly and often to ensure they are not being hijacked, and enforce a strict secure password policy.

    Windows Server systems do allow more secure VPN setups. However, you should read the documentation carefully to ensure you are setting up a secure IPSec VPN and not the default PPTP system if you require the added security.

    Lastly, if it is a single service or piece of information that is being provided, Secure Sockets Layer (SSL) VPNs are an option. They are definitely in vogue at the moment. This page contains a lot of information on these and a comparison with more traditional IPSec systems.
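Two of the recommendations in the reply above (restrict the source addresses of VPN users where you can, and monitor the VPN regularly for signs that an account is being hijacked) can be checked mechanically from the connection log. The following is an added example, not code from the original thread or from ISA/RRAS: it runs over constructed logon records in a made-up format (the real ISA and RRAS log layouts differ) and raises an alert when an account connects from an address outside its allow-list, when one account holds sessions from two different addresses at once, or when a single source produces a burst of failed authentications. The allow-list, the usernames and the addresses are all assumptions chosen for the illustration.

```python
"""Added example: a small monitor for VPN logon records.

The log format and the allow-list below are constructed for this example;
they are not the ISA Server or RRAS log layout.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical per-user source allow-list. A site-to-site peer has a fixed
# address, so it gets a single /32; a roaming user gets the range their
# ISP hands out, which is the best one can usually do for home users.
ALLOWED_SOURCES = {
    "branch-router": ["203.0.113.7/32"],
    "alice": ["198.51.100.0/24"],
    "bob": ["198.51.100.0/24", "192.0.2.0/24"],
}

# Constructed sample records: date, time, account, source IP, result.
SAMPLE_LOG = """\
2005-02-19 08:01:10 branch-router 203.0.113.7 CONNECT
2005-02-19 08:05:42 alice 198.51.100.23 CONNECT
2005-02-19 08:06:01 alice 198.51.100.23 DISCONNECT
2005-02-19 09:10:00 bob 192.0.2.44 CONNECT
2005-02-19 09:12:30 bob 203.0.113.99 CONNECT
2005-02-19 09:20:00 mallory 203.0.113.250 FAIL
2005-02-19 09:20:05 mallory 203.0.113.250 FAIL
2005-02-19 09:20:09 mallory 203.0.113.250 FAIL
2005-02-19 09:20:14 mallory 203.0.113.250 FAIL
2005-02-19 09:20:20 mallory 203.0.113.250 FAIL
2005-02-19 09:20:26 mallory 203.0.113.250 FAIL
"""

FAIL_THRESHOLD = 5         # failed authentications from one source ...
FAIL_WINDOW_SECONDS = 60   # ... within this many seconds raises an alert


def parse_line(line):
    """Split one constructed record into a dict with typed fields."""
    date, time, user, ip, result = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "user": user,
        "ip": ip_address(ip),
        "result": result,
    }


def source_allowed(user, ip):
    """True if `ip` falls inside one of the networks permitted for `user`."""
    nets = ALLOWED_SOURCES.get(user)
    if nets is None:
        return False          # unknown account: nothing is permitted
    ip = ip_address(ip)
    return any(ip in ip_network(n) for n in nets)


def analyse(log_text):
    """Return a list of (alert_type, user, source_ip) tuples."""
    alerts = []
    active = defaultdict(set)     # user -> source IPs with an open session
    failures = defaultdict(list)  # source IP -> timestamps of recent failures
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        user, ip, ts = rec["user"], rec["ip"], rec["ts"]
        if rec["result"] == "FAIL":
            recent = [t for t in failures[ip]
                      if (ts - t).total_seconds() <= FAIL_WINDOW_SECONDS]
            recent.append(ts)
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("auth-burst", user, str(ip)))
                recent = []   # one alert per burst, then start counting again
            failures[ip] = recent
        elif rec["result"] == "CONNECT":
            if not source_allowed(user, ip):
                alerts.append(("source-not-allowed", user, str(ip)))
            if active[user] and ip not in active[user]:
                alerts.append(("concurrent-session", user, str(ip)))
            active[user].add(ip)
        elif rec["result"] == "DISCONNECT":
            active[user].discard(ip)
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```

On the sample records this reports bob connecting from an address outside his allow-list while his earlier session is still open, and a burst of five failed authentications from one source against the "mallory" account. The per-user allow-list is the part that needs the most care in practice: for staff connecting from home the range has to be wide enough to cover their ISP's address pool, which is exactly the limitation the reply points out.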
