Re: Secure workgroups!
From: Steve Riley [MSFT] (steriley_at_microsoft.com)
Date: 10/19/04
- Next message: LuckyStrike: "Re: New version of CWShredder version 2.0 (by Intermute)"
- Previous message: Brian Komar: "Re: Certificate Renewal / Smart Cards"
- In reply to: Not-My-Real-Name: "Re: Secure workgroups!"
- Next in thread: Not-My-Real-Name: "Re: Secure workgroups!"
- Reply: Not-My-Real-Name: "Re: Secure workgroups!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 19 Oct 2004 09:34:12 -0700
"Vanilla" VPN clients and RRAS vs. dedicated hardware solutions... I
understand there's lots of debate here. How, in your mind, are they "best"?
I challenge the assumption that they're more secure simply because they're
hardware based. Given the way that L2TP+IPsec inserts itself into the IP
stack in Windows, the mere presence of RRAS closes down the attack vectors
that could be exploited on an otherwise unpatched server. Non-VPN traffic is
simply dropped at the IP layer and never delivered to higher protocols or
applications. Traffic inside the VPN tunnel will get delivered, of course;
if you're using ISA Server on your RRAS computer, all that traffic can be
passed through ISA Server's application-layer inspection engines. Again, I
believe the evidence speaks for the quality and usefulness of the product:
none of the networks I've built, nor Microsoft's, has been hacked through the
VPN. I can't speak for others, of course.
Wireless through VPN... remember that in this approach it isn't just the
authentication that goes through the VPN, it's all the traffic that the
client generates after authentication, too. *Everything* the client does
will pass through the VPN server. And in the large networks I'm familiar
with, the clients are busy pretty much all day long. I suspect that 15,000
clients all chatting over individually-encrypted sessions at 54mbps is going
to bog down when forced through three gig-Ethernet devices.
Microsoft and Cisco and protocols... Cisco has been encouraging customers to
move away from LEAP and toward EAP/PEAP. And we are working together to
develop an interoperable version of PEAP, called PEAP version 2, that will
work with both of our current implementations.
Steve Riley
steriley@microsoft.com
"Not-My-Real-Name" <someone@micros0ft.com> wrote in message
news:e1Y1IFftEHA.2196@TK2MSFTNGP14.phx.gbl...
>
> "Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
> news:uaES7hZtEHA.220@TK2MSFTNGP15.phx.gbl...
>> I don't suspect you and I are going to change each other's views here.
>> But
>> you're mixing threat models when you introduce theft of laptops. That's a
>> different threat than what most people consider when evaluating wireless
>> security.
>
> Oh my mind can be changed, it's going to take a while for Wireless to win
> me
> over.
> My point is IF a laptop is in the mix, that's not mixing threat models,
> it's
> part of the larger threat and HAS to be considered.
>
>>
>> With properly-configured security, both VPN and 802.1x/EAP/PEAP/WPA
> provide
>> the same level of protection. You can steal the laptop, but if you don't
>> possess domain credentials (either what's cached on the laptop or some
> other
>> stolen set) then you aren't going to get very far into the wireless
> network.
>> I've built 802.1x/EAP/PEAP networks for several customers and so far
> they've
>> not been hacked -- and don't think no one has tried.
>>
>
> Excellent, good to hear. When I hear more of this I may reconsider.
>
>> I try to avoid add-ons like VPN clients and such. They hook into the
>> stack
>> often in undocumented ways and there's usually a lag between OS releases
> and
>> updates to VPN clients. The built-in VPN functionality in the OS is
>> perfectly acceptable. We use it here, of course, and again I've built
>> very
>> large networks (80,000 nodes) using Windows VPN clients and RRAS. Does
>> its
>> job very well with minimal intrusion.
>>
>
> That hasn't been my experience.
> I wouldn't necessarily run a vanilla VPN client and certainly wouldn't
> use/recommend RRAS (yes I evaluated it).
> Dedicated hardware based solutions are best IMO.
>
>> One other problem with VPNs for wireless: how many VPN servers do you
>> want
>> to buy? Consider: we've got 30,000 employees (roughly) on campus in
> Redmond.
>> Maybe half of them are using wireless. That's 15,000 nodes, running
>> full-throttle at 11mbps. We'll be upgrading to 802.11g over time. How
>> many
>> VPN servers do you need for 15,000 11mbps sessions? How about for 15,000
>> 54mbps sessions?
>>
>
> How big of a wired infrastructure/network do you need to buy for that much
> data as well?
> I doubt they'd all be "firing" at once anyhow, so your typical peak load
> times would come into play.
> Logons in the morning, then picking up after lunch, tapering off into the
> afternoon, etc.
> I'm guessing 3 well placed, high end VPN/Firewalls would do the trick (Gig
> uplinks of course).
> I believe Netscreens/Nokias do Gig wirespeed.
>
>> You're correct, of course, in mentioning defense in depth. AV/firewall
>> are
>> good, as is disk/file/folder encryption for laptops especially. If I need
> to
>> make a VPN connection, then VPN software is appropriate and useful. But
>> if
> I
>> need to control access to a physical network port, I'd prefer to use a
> suite
>> of protocols that's designed for this purpose, which is what
>> 802.1x/EAP/PEAP/WPA are.
>>
>
> I'm still waiting to see if your company and Cisco can come to terms on
> this.
>
>
>> I guess I trust wireless and wired about the same, if both are properly
>> configured.
>>
>
> I trust wireless less than I trust wired, even properly configured, mainly
> because of the other risks laptops pose.
>
>
>
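The sizing disagreement in this exchange (Steve's "15,000 sessions at 54mbps" worst case versus the reply's "three well placed gig VPN/firewalls" with peak-load behaviour) turns entirely on the concurrency assumptions each side makes. The script below is an added example, not code from either poster; it makes those assumptions explicit parameters so the two positions can be compared on the same footing. The node count (15,000) and radio rates (11 and 54 Mbps) come from the thread; the active fraction, per-client utilisation and the 1 Gbit/s per-gateway forwarding capacity are assumptions chosen for illustration.

```python
"""Back-of-the-envelope sizing of VPN gateways for wireless-through-VPN.

Added example for the thread above; not from the original posts.
Figures from the thread: 15,000 wireless nodes, 11 Mbps (802.11b) and
54 Mbps (802.11g) radios.  Everything else is an illustrative assumption.
"""
import math


def required_gateways(clients, link_mbps, active_fraction, avg_util,
                      gateway_gbps=1.0):
    """Return (aggregate_mbps, gateways_needed).

    clients          number of wireless nodes whose traffic crosses the VPN
    link_mbps        nominal radio rate per client (11 for .11b, 54 for .11g)
    active_fraction  share of clients with an open session at peak (0..1)
    avg_util         fraction of its link rate an active client pushes (0..1)
    gateway_gbps     forwarding capacity of one VPN gateway (assumed 1 Gbit/s)
    """
    if not (0.0 <= active_fraction <= 1.0 and 0.0 <= avg_util <= 1.0):
        raise ValueError("fractions must lie in [0, 1]")
    aggregate_mbps = clients * link_mbps * active_fraction * avg_util
    gateways = math.ceil(aggregate_mbps / (gateway_gbps * 1000.0))
    return aggregate_mbps, gateways


def per_client_budget_mbps(gateways, gateway_gbps, clients):
    """Invert the question: with a fixed gateway pool, how much average
    throughput per client does that pool actually leave room for?"""
    return gateways * gateway_gbps * 1000.0 / clients


def sensitivity_table(clients=15000, gateway_gbps=1.0):
    """Run a few concurrency scenarios and return rows of
    (label, link_mbps, active_fraction, avg_util, aggregate_mbps, gateways)."""
    scenarios = [
        # label,                 link, active, util   (active/util are assumed)
        ("full-throttle .11b",     11, 1.00, 1.00),
        ("full-throttle .11g",     54, 1.00, 1.00),
        ("busy peak .11g",         54, 0.50, 0.10),
        ("office peak .11g",       54, 0.25, 0.02),
    ]
    rows = []
    for label, link, active, util in scenarios:
        agg, n = required_gateways(clients, link, active, util, gateway_gbps)
        rows.append((label, link, active, util, agg, n))
    return rows


if __name__ == "__main__":
    print(f"{'scenario':22} {'link':>5} {'active':>7} {'util':>5} "
          f"{'Mbps':>10} {'gateways':>9}")
    for label, link, active, util, agg, n in sensitivity_table():
        print(f"{label:22} {link:>5} {active:>7.2f} {util:>5.2f} "
              f"{agg:>10.0f} {n:>9}")
    # What three 1 Gbit/s boxes actually buy 15,000 clients, on average:
    print("per-client budget with 3 gig gateways: "
          f"{per_client_budget_mbps(3, 1.0, 15000):.2f} Mbps")
```

The worst case both posters argue about comes out at 810 Gbit/s of aggregate offered load, i.e. hundreds of gigabit gateways, while three gigabit boxes leave roughly 0.2 Mbps of sustained throughput per client. Whether that is adequate is exactly the "typical peak load" question raised in the reply, so the useful exercise is to measure the campus's real active fraction and per-client utilisation rather than to argue from nominal radio rates.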