Re: Secure workgroups!
From: Steve Riley [MSFT] (steriley_at_microsoft.com)
Date: 10/20/04
- Next message: Brian Tate: "Copy docs from old hard drive"
- Previous message: Lanwench [MVP - Exchange]: "Re: accessing Internet"
- In reply to: Not-My-Real-Name: "Re: Secure workgroups!"
- Next in thread: Not-My-Real-Name: "Re: Secure workgroups!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 20 Oct 2004 11:07:23 -0700
Throughput and high availability... I guess I'd rather build up a farm of
many cheap boxes rather than few expensive boxes. That way, when one fails,
I don't lose such a large percentage of total availability.
RRAS... yes, RRAS relies on AD and (optionally) RADIUS. Pretty much all VPNs
require an authentication server and a directory, though. I guess that if
some shop is having availability problems with those components (their
directory) then their problems are more fundamental than trying to decide
which VPN product to use! :)
ISA Server... true, our target is small and medium businesses. I've deployed
it in some fairly large orgs, too, for specific purposes -- caching, web
publishing, RPC proxying, Exchange OWA publishing -- and it works very well
here, addressing threats (bad HTTP, malformed URLs, etc.) that many other
firewalls can't stop. Again, designed right, it can work in very large
environments. I like to load-balance ISA Server firewall farms with
third-party software from Rainfinity; simpler to manage than using hardware
devices for that purpose.
PEAPv2 interop... I agree.
--Steve
steriley@microsoft.com
"Not-My-Real-Name" <someone@micros0ft.com> wrote in message
news:ee$ufJhtEHA.1404@TK2MSFTNGP11.phx.gbl...
> "Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
> news:%23bYd1lftEHA.4040@TK2MSFTNGP09.phx.gbl...
>> "Vanilla" VPN clients and RRAS vs. dedicated hardware solutions... I
>> understand there's lots of debate here. How, in your mind, are they
>> "best"? I challenge the assumption that they're more secure simply
>> because they're hardware based.
>
> There sure is a lot of debate.
>
> Throughput would be one weakness in a server based product (PCI bus
> limitations, etc.). Wire speed (Gig) capable solutions on hardware based
> solutions are very mature now. I don't believe RRAS/ISA can even come
> close to Netscreen's or Nokia's advanced products.
>
> Uptime would be another. How many reboots have most of us had to do for
> service pack hotfixes relating to security risks on Microsoft OS's in the
> last year? I've had 3rd party hardware based gateways that have been up
> (and other than checking logs) untouched for 1+ years. They just run. To
> be fair, in a managed, fault tolerant server environment down time isn't
> an issue: you take one server out of the pool, upgrade it, put it back in,
> move on. However, there are costs associated with the extra man hours for
> after-hours/Sunday changes. It usually takes people to manage these
> hotfixes (even with SMS pushing them out). That's something you may not
> have to worry about with a hardware based solution.
>
>
>> Given the way that L2TP+IPsec inserts itself into the IP stack in
>> Windows, the mere presence of RRAS closes down the attack vectors that
>> could be exploited on an otherwise unpatched server.
>
> True, it shields them, at least from the WAN; is your LAN as safe?
> Someone has to be able to admin these boxes, so there's an opening there
> (that goes for any product though). Assuming you can get an exemption
> from patching these boxes from, say, internal audit, then you have a
> point; however, that may not be fine for some shops.
>
>> Non-VPN traffic is simply dropped at the IP layer and never delivered to
>> higher protocols or applications. Traffic inside the VPN tunnel will get
>> delivered, of course; if you're using ISA Server on your RRAS computer,
>> all that traffic can be passed through ISA Server's application-layer
>> inspection engines. Again, I believe the evidence speaks for the quality
>> and usefulness of the product: none of the networks I've built nor
>> Microsoft's has been hacked through the VPN. I can't speak for others,
>> of course.
>>
>
> So you don't patch these boxes, ever? I have no doubt they are safe once
> running; however, RRAS is reliant on other Microsoft services to function
> properly in a domain, right? What happens if these aren't available?
> I attended a 3-day security seminar on ISA. I wasn't that impressed with
> it; for small shops it might be a good thing, but I'm not sure if I'd
> recommend it for larger environments.
>
>> Wireless through VPN... remember that in this approach it isn't just the
>> authentication that goes through the VPN, it's all the traffic that the
>> client generates after authentication, too. *Everything* the client does
>> will pass through the VPN server. And in the large networks I'm familiar
>> with, the clients are busy pretty much all day long. I suspect that
>> 15,000 clients all chatting over individually-encrypted sessions at
>> 54mbps is going to bog down when forced through three gig-Ethernet
>> devices.
>>
>
> Chatting doesn't necessarily equal saturating. 6 Gig of bandwidth is a
> lot of bandwidth. Most of the time clients pull more than they push
> anyhow. I guessed 3 high end boxes; without a traffic study, network
> topology diagram, centralized versus decentralized backbones, etc. it's
> just that, a guess. There are products, however, that can step up to the
> plate for bandwidth intensive environments.
>
>> Microsoft and Cisco and protocols... Cisco has been encouraging customers
>> to move away from LEAP and toward EAP/PEAP. And we are working together
>> to develop an interoperable version of PEAP, called PEAP version 2, that
>> will work with both of our current implementations.
>>
>
> Glad to hear that; the proof is in the pudding and we're certainly
> watching. These two companies certainly have the lion's share of their
> respective markets. I think if this works out it will be a good thing,
> personally.
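The point Steve makes in the quoted exchange, that a gateway running L2TP/IPsec only ever accepts IKE and ESP on its outside interface and drops everything else before it reaches any higher protocol, is easy to express as an explicit inbound filter. The following is an added example written for this archive page; it is not code from either poster, from RRAS or from ISA Server, but a small Python model of the two-stage decision such a gateway makes: on the raw WAN interface permit only ESP (IP protocol 50), IKE (UDP/500) and IKE NAT-T (UDP/4500); after IPsec has stripped the ESP header, permit only L2TP (UDP/1701) toward the gateway itself. The protocol and port numbers are the standard IANA assignments; the `Packet` class, the reason strings and the sample packets are constructed for the illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple, Dict, Iterable

# IP protocol numbers and UDP ports used by L2TP/IPsec (IANA assignments).
PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
IKE_PORT, NAT_T_PORT, L2TP_PORT = 500, 4500, 1701


@dataclass(frozen=True)
class Packet:
    """Minimal view of an inbound IP packet (constructed for this example)."""
    src: str
    proto: int
    dst_port: Optional[int] = None
    decapsulated: bool = False  # True once IPsec has removed an ESP header


def classify(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet arriving on the WAN interface.

    Stage 1 (raw WAN traffic): only the IPsec control and data protocols are
    accepted.  Stage 2 (traffic that came out of an ESP tunnel): only L2TP
    may be delivered to the gateway; anything else inside the tunnel is
    unexpected and dropped rather than handed to a higher protocol.
    """
    if pkt.decapsulated:
        if pkt.proto == PROTO_UDP and pkt.dst_port == L2TP_PORT:
            return "permit", "l2tp-inside-ipsec"
        return "drop", "unexpected-inner-protocol"
    if pkt.proto == PROTO_ESP:
        return "permit", "esp"
    if pkt.proto == PROTO_UDP and pkt.dst_port == IKE_PORT:
        return "permit", "ike"
    if pkt.proto == PROTO_UDP and pkt.dst_port == NAT_T_PORT:
        return "permit", "ike-nat-t"
    # Everything else (SMB, RPC, cleartext L2TP, ...) never reaches a listener.
    return "drop", "not-vpn"


def summarize(packets: Iterable[Packet]) -> Dict[str, int]:
    """Count how many packets ended up in each reason bucket."""
    return dict(Counter(classify(p)[1] for p in packets))


# Constructed sample traffic, as it might arrive at the outside interface.
# 203.0.113.0/24 is a documentation prefix, not a real network.
SAMPLE = [
    Packet("203.0.113.5", PROTO_UDP, IKE_PORT),                    # IKE negotiation
    Packet("203.0.113.6", PROTO_UDP, NAT_T_PORT),                  # IKE behind NAT
    Packet("203.0.113.5", PROTO_ESP),                              # encrypted tunnel data
    Packet("203.0.113.5", PROTO_UDP, L2TP_PORT, decapsulated=True),  # L2TP out of the tunnel
    Packet("203.0.113.9", PROTO_TCP, 445),                         # SMB from the Internet
    Packet("203.0.113.9", PROTO_TCP, 135),                         # RPC endpoint mapper
    Packet("203.0.113.9", PROTO_UDP, L2TP_PORT),                   # L2TP *without* IPsec
    Packet("203.0.113.5", PROTO_TCP, 80, decapsulated=True),       # stray inner HTTP
]

if __name__ == "__main__":
    for p in SAMPLE:
        verdict, reason = classify(p)
        print(f"{p.src:<12} proto={p.proto:<3} port={p.dst_port!s:<5} "
              f"inner={p.decapsulated!s:<5} -> {verdict} ({reason})")
    print(summarize(SAMPLE))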