Re: Windows 2003 server and VPN: Security(?)



Hi Mark,

I don't think it is a problem of punching a few holes in the firewall
(actually you would usually need a few).
The main problem with VPN is how to make sure that remote computers are safe.

E.g. how do you know that a remote computer that is trying to connect to VPN
is not infected with a virus? Once connected over the VPN it will infect
the whole network (actually I saw this in a few real environments).
How do you know that the remote computer is well protected and that there is not
some 3rd party (unknown attacker) using your PC at home to VPN into the
corporate network?

These would usually be the main concerns. Most of these can be solved by VPN
quarantine where you can check if the computer is patched, updated, has
antivirus running, etc.

The best thing to do is to ask your administrator what he sees as the
biggest threat and maybe we can give you more information that you can take
to your administrator.

--
Mike
Microsoft MVP - Windows Security

"Mark" <mark@xxxxxxxxxxxxxxx> wrote in message
news:OuhVLaoAGHA.2704@xxxxxxxxxxxxxxxxxxxxxxx
> Hi, at work we would like to move towards remote access to employees via a
> VPN.
>
> Now, our admin seems reluctant citing security as an issue which is fair
> enough.
>
> Given that our employees are on static IP addresses external and our
> network is behind a firewall surely we could punch a single hole in the
> firewall and give access to *only* that IP address? Once through the
> firewall, the user would still have the Windows 2003 security so we would
> have at least two levels of security.
>
> How safe is setting up a VPN network under Windows 2003?
>
> TIA
> Marcus
>
>

