vpn woes

From: Michael van Zwieten (MvanZwieten@flcities.com)
Date: 12/12/01

From: Michael van Zwieten <MvanZwieten@flcities.com>
To: focus-ms@securityfocus.com
Date: Wed, 12 Dec 2001 15:34:12 -0500

Hi all,

Being relatively new to the world of VPN and knowing how scary it can be to
have "always-on" DSL & Cable users on the other end connecting in, I was
wondering if anyone has any good ideas on what other "free or cheap" options
are out there to have some sort of secondary method of authentication that
isn't easily duplicated by a hacker... I'd like not only to use domain
authentication, but perhaps a secondary method of using certificates or
other various programs to provide a secondary means of authentication. I'd
like to see that even if a hacker got someone's domain\username & password,
that they still wouldn't be able to get in unless they have one other
component, somewhere on the VPN users' machines...

I'm using NT4 domain authentication, through a Win2k RRAS/VPN server (with
1-way trusts to NT)... and have a Win2k certificate server at my disposal to
issue any certificates if I need to. The only unfortunate thing with this
whole situation is that I'm not able to use Win2k domain authentication in
addition to using L2TP & certificates, and have to kind of circumvent this
all in order to continue using NT4...

Can anyone suggest anything solid to make me sleep better at night? I dream
of hackers installing keylogging trojans on our remote users' machines... a
recurring nightmare! :)

Take care,
Michael J. van Zwieten, MCSE
IS Department
(407) 835-3471 x162
Florida League of Cities
Orlando, Florida
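The property Michael is asking for, that a stolen domain username and password is not enough on its own because a second component has to be present on the enrolled machine, can be shown in a small two-factor check. The example below is added here and is not part of the original post or of any Microsoft product; a per-machine HMAC key stands in for the private key of a client certificate so that it runs with the Python standard library alone, and the account name, password and scenarios are constructed. The point it demonstrates is the same as with L2TP/IPsec machine certificates: the password check and the proof-of-possession check are independent, both must pass, and a fresh challenge per attempt means a captured response cannot be replayed.

```python
"""Two-factor login check: a password the user knows plus a key that lives only
on the enrolled machine. Added example, not from the original post; the
machine key stands in for a client certificate's private key so the code runs
with the standard library only."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000

# Server-side account store, filled by enroll(). Constructed sample data only.
ACCOUNTS: dict[str, dict[str, bytes]] = {}


def enroll(username: str, password: str) -> bytes:
    """Store a salted password hash and generate the machine key.
    The returned key is provisioned onto the user's PC once, out of band,
    the way a certificate would be; the server keeps its own copy."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    machine_key = secrets.token_bytes(32)
    ACCOUNTS[username] = {"salt": salt, "pw_hash": pw_hash, "machine_key": machine_key}
    return machine_key


def new_challenge() -> bytes:
    """Fresh random nonce per login attempt, so a sniffed response cannot be replayed."""
    return secrets.token_bytes(32)


def client_prove_possession(machine_key: bytes, challenge: bytes) -> bytes:
    """Runs on the user's machine: proves the key is present without sending it."""
    return hmac.new(machine_key, challenge, "sha256").digest()


def authenticate(username: str, password: str, challenge: bytes, response: bytes) -> bool:
    """Accept only if BOTH factors check out. Both checks always run, so neither
    the result nor the timing tells an attacker which factor was wrong."""
    account = ACCOUNTS.get(username)
    if account is None:
        # Burn the same password-hashing work for unknown names to blunt
        # account enumeration by timing.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
        return False
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), account["salt"], PBKDF2_ROUNDS),
        account["pw_hash"],
    )
    expected = hmac.new(account["machine_key"], challenge, "sha256").digest()
    key_ok = hmac.compare_digest(expected, response)
    return pw_ok and key_ok


def demo() -> dict[str, bool]:
    """Walk through the scenarios from the post with constructed credentials."""
    user, password = "NTDOMAIN\\mvanzwieten", "correct horse battery staple"
    key = enroll(user, password)
    results: dict[str, bool] = {}

    # 1. Legitimate user logging in from the enrolled machine.
    c = new_challenge()
    results["legit"] = authenticate(user, password, c, client_prove_possession(key, c))

    # 2. A keylogger stole the password; the attacker's own PC has no machine key.
    c = new_challenge()
    results["stolen_password_only"] = authenticate(user, password, c, secrets.token_bytes(32))

    # 3. The attacker copied the key but does not know the password.
    c = new_challenge()
    results["key_only"] = authenticate(user, "Password1", c, client_prove_possession(key, c))

    # 4. The attacker replays a response captured from an earlier session.
    old_c = new_challenge()
    old_response = client_prove_possession(key, old_c)
    results["replay"] = authenticate(user, password, new_challenge(), old_response)

    # 5. Account name that was never enrolled.
    c = new_challenge()
    results["unknown_user"] = authenticate("NTDOMAIN\\nobody", password, c, secrets.token_bytes(32))
    return results


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:22s} -> {'ACCEPTED' if accepted else 'rejected'}")
```

Only the first scenario is accepted. The caveat the post itself raises still applies: a trojan with full control of the remote PC could use the machine key (or a certificate's private key) while the user is logged on, so the second factor protects against credential theft, not against a compromised endpoint; a key stored in hardware or a token that cannot be exported narrows that further.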