Re: PPTP or L2TP/IPSec?
- From: "Larry Struckmeyer [SBS-MVP]" <lstruckmeyer@xxxxxxxxxxxxxxx>
- Date: Tue, 27 Jan 2009 08:40:04 -0500
Hi Al:
Very complicated subject with no simple answer. Security is always a cost benefit ratio, measured in either time, money, aggro, or all of the above. I think your distrust of the SBS RWW is misplaced, and recommend it over VPN, but that is your call and your comfort level, as all of this discussion really.
MS ISA is a true software firewall, and one of the best. It gets a bum rap for living on the DC, as it does in SBS, and some will argue that it is less secure as a result. But if you do keep a strong pass phrase policy in place, and change them frequently, you are unlikely to be compromised. Manche$ter 3 Tottenh@m 2 Hurrah! is a strong pass phrase.
Beyond this, there are edge devices that will require incoming users to enter a (hopefully) second set of credentials before being offered a logon by your server, and there are token devices that require that you enter a second set of credentials at the RWW page before gaining access. Watchguard, Cisco, SonicWall and others offer the first, and http://www.scorpionsoft.com/ offers the second, specifically for the SBS space.
Regarding "attack of the password": given enough time and effort, any one device can be breached, or the financial institutions, the defense departments, etc. would not have such a difficult job. All you can hope for is to make it so difficult as to require the bad guys to look elsewhere. Frankly, I am not sure that the bad guys are specifically targeting "joe the plumber" or "larry the IT wiz" sites, so much as the drive-by scanners who do it because they can, hoping to find sites with "administrator" and pw = "admin" or, worse, no pw.
--
Larry
Please post the resolution to your
issue so that others may benefit.
"Al" <nospamplease@xxxxxxxxxxxxxxxxxx> wrote in message news:gln15a$qp$2@xxxxxxxxxxxxxxxxxxxx
SBS 2k3 R2 Premium site. Just need some pointers please as to the differences in real life between VPN protocols.
Small office with a couple of VPN sites into it. Currently PPTP but I would ideally like some form of token access (like RSA) but this is too expensive for the scale of site (unless there is an alternative version?); not too keen on web access (it just seems too open!) hence stuck with VPN.
We can filter the connections based on the IP of the site via the Router before it hits ISA so that creates an extra level of security (yes, I know IP can be spoofed but attacker would have to know to try that), but as far as I can see thereafter the incoming client is authenticated based on their user name & password? Is my thinking correct at that point?
Does this not provide an opportunity for an attack of the password? I assume the answer there is to have strong passwords and to set e.g. 3 wrong passwords & locked out routines, plus restrict which user accounts have VPN dial-in allowed?
What I am wondering about beyond that is whether L2TP gives anything beyond PPTP security-wise, and in particular whether it is possible to have the existing user name/password security backed up with e.g. a pre-shared password/passkey (in the absence of an RSA style revolving passkey).
Thanks
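As an added illustration of the "3 wrong passwords and locked out" routine Al asks about, and of Larry's point that the goal is to make online guessing too slow to be worth it (example code written for this page, not from either poster): it replays constructed VPN authentication events under a Windows-style lockout policy and bounds the guesses per day such a policy leaves an attacker. The log format, user names and addresses are all constructed; nothing here is a real RRAS or ISA log layout.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not a real RRAS/ISA log format): one line per
# VPN authentication attempt with user, source address and outcome.
SAMPLE_LOG = """\
2009-01-27T08:00:01 vpn-auth user=alice src=203.0.113.10 result=FAIL
2009-01-27T08:00:03 vpn-auth user=alice src=203.0.113.10 result=FAIL
2009-01-27T08:00:05 vpn-auth user=alice src=203.0.113.10 result=FAIL
2009-01-27T08:00:07 vpn-auth user=alice src=203.0.113.10 result=FAIL
2009-01-27T08:05:00 vpn-auth user=bob src=198.51.100.7 result=OK
2009-01-27T08:20:00 vpn-auth user=alice src=198.51.100.7 result=OK
2009-01-27T08:45:00 vpn-auth user=alice src=198.51.100.7 result=OK
"""

def parse_line(line):
    ts, _, user, src, result = line.split()
    fields = dict(f.split("=", 1) for f in (user, src, result))
    return datetime.fromisoformat(ts), fields["user"], fields["src"], fields["result"]

def apply_lockout(log, threshold=3, window=timedelta(minutes=30),
                  duration=timedelta(minutes=30)):
    """Replay events under a Windows-style policy: `threshold` failures within
    `window` lock the account for `duration`; any attempt while locked is
    refused, including a correct password from the legitimate user (the
    self-inflicted denial of service a lockout policy brings with it).
    Returns (lock_until per user, list of refused attempts)."""
    failures = defaultdict(list)   # user -> timestamps of recent failures
    locked_until = {}              # user -> datetime the lock expires
    refused = []
    for line in log.splitlines():
        ts, user, src, result = parse_line(line)
        if user in locked_until and ts < locked_until[user]:
            refused.append((ts.isoformat(), user, src))
            continue
        if result != "FAIL":
            failures[user].clear()     # a success resets the bad-password count
            continue
        failures[user] = [t for t in failures[user] if ts - t <= window] + [ts]
        if len(failures[user]) >= threshold:
            locked_until[user] = ts + duration
            failures[user].clear()
    return locked_until, refused

def max_guesses_per_day(threshold, lockout_minutes):
    """Upper bound on online guesses against one account: `threshold` guesses
    per lockout period, so a strong passphrase is never reachable this way."""
    return threshold * (24 * 60 // lockout_minutes)
```

With the defaults, alice is locked after three failures at 08:00:05 and her own correct logon at 08:20 is refused, which is the trade-off to weigh before setting the threshold as low as 3.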