Re: VPN
- From: "SuperGumby [SBS MVP]" <not@xxxxxxxxxxx>
- Date: Wed, 18 Jan 2006 08:23:43 +1100
I haven't missed a word you've said, and it is specifically the questions of
open port requirements which I am trying to address.

Most SBS owners are going to have port 443 open for OWA and/or Exchange RPC
over HTTPS. The RDP Proxy (port 4125) is only opened to the specific IP from
which the request comes; it is opened dynamically after SSL authentication.
If VPN is required, additional ports (for either PPTP or IPSec) need to be
opened. RDP via RWW is inherently more secure due to this.

Of course, we can do either/or: close 443 and open 1723 instead, forcing
users to establish a VPN before accessing OWA, in which case only one port
is opened for either scenario. When the CEO of the company is at an airport
and quickly needs to check email, I'd rather have him use HTTPS; any
ability to establish a VPN may be blocked anyway.

In the discussion of NAT appliances you seem to be supporting my arguments,
thank you. YES, most SBS owners and implementers would either terminate the
VPN at a simple VPN-capable NAT appliance or at the SBS which, these days,
commonly does not have ISA installed, in which case traffic control across
the VPN (only allowing certain port traffic) is not implemented. Again, RDP
via RWW is inherently more secure.

Where I support your argument is if a proper firewall is implemented,
correctly. I prefer ISA but have also used devices for this. In this case a
limited VPN can be established, only allowing certain traffic through the
VPN. If not for the HTTPS requirements I could accept this, except for one
consideration: if a novice user configures such a device they are unlikely
to configure it in this manner. I've seen advanced firewall configurations
so full of holes they may as well not exist. In many cases this has been
performed by the MAIN TARGET AUDIENCE for SBS, the DIY SBS owner or the
'Network Administrator' of a small firm, you know, Reg in accounting who
actually knows where the 'any key' is. RDP via RWW is more secure.

You mention driving back through the VPN to control the user's PC. I admit
to some utility here but prefer not to do it. Got a problem with your home
PC? Bring it into the office tomorrow and I'll fix it. It is not an urgent
matter to me because I control, through RDP via RWW, the access. A simple
change to the RDP connection page disallows the ability for remote users to
connect their local drives, which is by default turned off anyway. As long
as their browser works and the ActiveX control can be loaded they have the
access I want. If something is interfering with this I want my hands on the
PC.
"Leythos" <void@xxxxxxxxxxx> wrote in message
news:EJ5zf.18702$PY6.15907@xxxxxxxxxxxxxxxxxxxxxxxxx
> In article <#W$1ZD2GGHA.1396@xxxxxxxxxxxxxxxxxxxx>, not@xxxxxxxxxxx
> says...
>> try accessing an ACT! database over VPN, the user will _most likely_
>> corrupt the database due to slow transfer times.
>>
>> and yes, I recognise that you are an 'advanced' user, able to implement
>> restricted VPN in the manner you describe, but the great majority of
>> (even
>> advanced) firewalls I've seen allow fully unrestricted access to the LAN.
>> You and I can recognise this, Joe Bloggs doesn't even see the problem.
>>
>> RWW is better for Joe's needs.
>
> You missed what I said, I do Remote Desktop or T/S through the VPN, or
> even VNC, so that I don't expose the unneeded ports on the server to the
> internet.
>
> As for being Advanced, anyone that has access to about any firewall
> appliance on the market can do the same - most of them have simple VPN
> client tools or even support a PPTP connection terminating at the
> firewall. Firewall rules are also another simple thing, if it doesn't
> have the port/service you need, you just add one and then limit the rule
> to the firewall group/users and then the internal node. If you think
> that locking down inbound connections is an Advanced function then I
> feel a little sorry for you - just consider all the exposure your SSL
> connection has if you don't lock it down with a firewall, or what if the
> admin doesn't enforce strong passwords or that they be changed every XX
> days....
>
> Many people don't have this setup because they are given the impression
> that using Dual NICs will save them in all cases. Even worse, using a
> cheap NAT appliance will save them..... Forgive the rant, but all MS has
> done is make it easier for non-security minded people to set up a remote
> connection and then expose more than needed when perfectly working
> solutions already existed.
>
> RWW is just a cheap/simple way to get into the network doing what we've
> been doing for years with simple VPN solutions - the Remote Desktop
> connection is still available to both RWW and VPN users, but the VPN
> user can be terminated and controlled at the firewall appliance BEFORE
> it reaches the server interface. This means that the user has several
> fewer exposure points than using RWW.
>
> The point is that RD over a VPN uses about the same bandwidth as your
> SSL RWW connection, but the VPN can be terminated at the firewall
> instead of exposing unneeded ports on the server to the Internet. Using
> a VPN with file level access would be problematic in the case of normal
> users, which was never suggested by me as a viable means - why is it
> that people always think that VPN means that you're going to access
> files through it - why not just realize that a VPN is just a secure
> connection and that you can also TS/RD using it?
>
> All that RWW does is make it easy for non-technical users to expose
> their servers to more threats. It does not solve any problem that was
> not already solved.
>
> One other benefit of VPN is that if the user has VNC or other remote
> control app on their home/remote PC, I can back channel into it and
> support them from the LAN (even when I'm VPN'd into it from a remote
> location).
>
> How many people do you see in these groups that install SBS2003 on a
> network WITHOUT a firewall - almost all the posters mention a NAT
> Appliance which doesn't do anything in the way of firewalling, only
> routing (NAT). Heck, most NAT Appliances can't tell the difference
> between HTTP and FTP on port 80, don't have the ability to proxy SMTP to
> remove attachments/bogus headers, don't know what SSL is over port 443,
> etc...
>
> RWW doesn't offer any security advantages over VPN for remote desktop,
> it doesn't expose less than VPN, and it's a newer technology path than
> VPN, and it could be exploited by OS issues and weak user controlled
> passwords. When it comes to firewalls, users don't generally have
> permission to change user/password combinations (they are set by an
> admin) and they don't have near the threat exposure that Windows does.
>
> --
>
> spam999free@xxxxxxxxxx
> remove 999 in order to email me
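The exposure pattern the two posters argue over, as an added model (not code from the thread or from SBS/RWW itself): RWW keeps only TCP/443 statically reachable and admits TCP/4125 only from a source IP that has completed the HTTPS logon, for a limited time, while a PPTP VPN keeps TCP/1723 reachable from any source. The port numbers are the ones named in the thread; the class names, the 10-minute grant lifetime and the omission of GRE and the IPsec ports are assumptions of this example.

```python
"""Model of static vs. dynamically granted port exposure (added example,
not the thread's or Microsoft's code). Ports are those named in the thread;
GRANT_SECONDS and the class layout are assumptions for illustration."""
from dataclasses import dataclass, field

RWW_HTTPS = 443        # always open: OWA, RPC over HTTPS, RWW logon page
RWW_RDP_PROXY = 4125   # opened per source IP only after SSL authentication
PPTP_CTRL = 1723       # open to any source whenever a PPTP VPN is offered
GRANT_SECONDS = 600    # assumed lifetime of a dynamic 4125 grant


@dataclass
class RwwEdge:
    """Edge filter in front of an RWW server: 443 static, 4125 per-IP."""
    grants: dict = field(default_factory=dict)   # src_ip -> expiry time

    def https_logon_ok(self, src_ip: str, now: float) -> None:
        """Called once the HTTPS logon succeeds: open 4125 for this IP only."""
        self.grants[src_ip] = now + GRANT_SECONDS

    def admits(self, src_ip: str, port: int, now: float) -> bool:
        if port == RWW_HTTPS:
            return True                          # reachable by anyone
        if port == RWW_RDP_PROXY:
            return self.grants.get(src_ip, 0.0) > now   # authenticated, unexpired
        return False                             # everything else is closed

    def static_ports(self) -> set:
        return {RWW_HTTPS}


class PptpEdge:
    """Edge filter in front of a PPTP VPN endpoint: 1723 static for all."""

    def admits(self, src_ip: str, port: int, now: float) -> bool:
        return port == PPTP_CTRL

    def static_ports(self) -> set:
        return {PPTP_CTRL}


def exposure_report(edge, src_ips, ports, now: float) -> set:
    """Return the (src_ip, port) pairs the edge would currently admit."""
    return {(ip, p) for ip in src_ips for p in ports if edge.admits(ip, p, now)}
```

Running exposure_report for a set of arbitrary source addresses shows the difference the thread is about: the RWW edge admits 4125 only for the address that just authenticated, and only until the grant expires, whereas the PPTP edge admits 1723 from every address at all times.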