Re: Why use VPN?




I agree with you Vincent. The main issue today is a simple word: paranoid.
People are paranoid about the whole security thing.
When I ask people with properly set up and patched TSs if they were ever
hacked, the answer is always no.
VPNs can be exploited the same way as a TS, I do agree, and for most
companies, TS security will be more than enough. Add something like the 2X
LoadBalancer for SSL and you have top notch security at a very low cost.

--

Cláudio Rodrigues

Microsoft MVP
Windows Server - Terminal Services
"Vincent Delporte" <vincent.delporte@xxxxxxxxxx> wrote in message
news:7bf3829aj0k7g8679iimq7mfdvu376m263@xxxxxxxxxx
On Sat, 3 Jun 2006 09:01:24 -0400, "Jeff Pitsch"
<jeff@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
A VPN connection creates a secure tunnel over the Internet.
It typically terminates in the DMZ not the internal network.

Indeed, but there's nothing different here with an RDP connection to a
TS server (I already said our customers will typically _not_ need
access to anything at the central office besides the TS server, hence
a single connection to a single host is fine). The VPN solution also
involves opening up a port on the router and the firewall (whether
the VPN endpoint is located in the DMZ or in the private network). And
since RDP encrypts data, there's no practical difference.

Your suggestion of using RDP is not secure because you are completely
bypassing your firewall and allowing access to ANYONE that has your IP
information which is very very public.

How does the VPN box at the branch office connect to the VPN box at
the main office? Through a port. A port that anyone can find by
scanning the router, connect to, and try some exploits. Just like
opening up TCP 3389. For added security, and as you mentioned, 2X
SecureRDP for Windows Terminal Services lets admins allow only certain
remote clients.

If our customers have the budget, I'll suggest getting a VPN box for
each office, but if they don't, there is the cheaper alternative of
just setting up TS + 2X.




