Re: Secure workgroups!

From: Not-My-Real-Name (someone_at_micros0ft.com)
Date: 10/19/04


Date: Tue, 19 Oct 2004 16:32:27 -0300


"Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
news:%23bYd1lftEHA.4040@TK2MSFTNGP09.phx.gbl...
> "Vanilla" VPN clients and RRAS vs. dedicated hardware solutions... I
> understand there's lots of debate here. How, in your mind, are they
> "best"?
> I challenge the assumption that they're more secure simply because they're
> hardware based.

There sure is a lot of debate.

Throughput would be one weakness in a server-based product (PCI bus
limitations, etc.). Wire-speed (Gig) capable solutions on hardware-based
platforms are very mature now. I don't believe RRAS/ISA can even come
close to Netscreen's or Nokia's advanced products.

Uptime would be another. How many reboots have most of us had to do for
service pack hotfixes relating to security risks on
Microsoft OSes in the last year? I've had 3rd-party hardware-based
gateways that have been up (and, other than checking logs, untouched) for 1+
years. They just run. To be fair, in a managed, fault-tolerant server
environment downtime isn't an issue: you take one server out of the pool,
upgrade it, put it back in, and move on. However, there are costs associated with
the extra man hours for after-hours/Sunday changes. It usually takes
people to manage these hotfixes (even with SMS pushing them out). That's
something you may not have to worry about with a hardware-based solution.

>Given the way that L2TP+IPsec inserts itself into the IP
> stack in Windows, the mere presence of RRAS closes down the attack vectors
> that could be exploited on an otherwise unpatched server.

True, it shields them, at least from the WAN; is your LAN as safe? Someone
has to be able to admin these boxes, so there's an opening there (that goes
for any product, though). Assuming you can get an exemption from patching
these boxes from, say, internal audit, then you have a point; however, that may
not be fine for some shops.

> Non-VPN traffic is
> simply dropped at the IP layer and never delivered to higher protocols or
> applications. Traffic inside the VPN tunnel will get delivered, of course;
> if you're using ISA Server on your RRAS computer, all that traffic can be
> passed through ISA Server's application-layer inspection engines. Again, I
> believe the evidence speaks for the quality and usefulness of the product:
> none of the networks I've built nor Microsoft's has been hacked through
> the
> VPN. I can't speak for others, of course.
>

So you don't patch these boxes, ever? I have no doubt they are safe once
running; however, RRAS is reliant on other Microsoft services to function
properly in a domain, right? What happens if these aren't available?
I attended a 3-day security seminar on ISA, and I wasn't that impressed with it.
For small shops it might be a good thing; I'm not sure if I'd recommend it
for larger environments, though.

> Wireless through VPN... remember that in this approach it isn't just the
> authentication that goes through the VPN, it's all the traffic that the
> client generates after authentication, too. *Everything* the client does
> will pass through the VPN server. And in the large networks I'm familiar
> with, the clients are busy pretty much all day long. I suspect that 15,000
> clients all chatting over individually-encrypted sessions at 54mbps is
> going
> to bog down when forced through three gig-Ethernet devices.
>

Chatting doesn't necessarily equal saturating. 6 Gig of bandwidth is a lot
of bandwidth. Most of the time clients pull more than they push anyhow. I
guessed 3 high-end boxes; without a traffic study, network topology diagram,
centralized versus decentralized backbones, etc., it's just that, a guess.
There are products, however, that can step up to the plate for bandwidth-
intensive environments.

> Microsoft and Cisco and protocols... Cisco has been encouraging customers
> to
> move away from LEAP and toward EAP/PEAP. And we are working together to
> develop an interoperable version of PEAP, called PEAP version 2, that will
> work with both of our current implementations.
>

Glad to hear that; the proof is in the pudding, and we're certainly watching.
These two companies certainly have the lion's share of their respective
markets. I think if this works out it will be a good thing, personally.


