VPN Options

Associate
Joined
18 Oct 2002
Posts
710
Location
Somerset
I am interested in what VPN options people use at work (or rather out of work).

I have been asked to look into it and come back with options and costs.

At my previous place of work we had VPN software licensed for a number of users, and after that number several just had a windows dial in VPN set up.

Is using a standard windows connection a secure way of doing things?
If so, why are there so many other options available?
Is dedicated software/hardware a better way to go?
What about key generating USB sticks?

What do you use?

Thanks
Keith
 
Associate
Joined
23 Dec 2002
Posts
1,495
Location
Under my desk
Hi Keith,

It really depends on the security policy - for example, two-factor authentication using IPSEC tunnels may be specified.

I prefer a hardware endpoint as it's more throughput. Something like a Cisco ASA 5510, which is a lower end firewall, is now an all in one firewall VPN box. You could also use some kind of Juniper or Check Point.

RSA dongles, quite expensive - at least £45 per token if you get a good deal, plus per-user licence. 500 user licence is not cheap - 500-1000 upgrade was looking at 10k+ IIRC - you'll need a server to run this too (VMware is supported on the newer versions 6.1+).

I've heard good things about Aladdin tokens and SecurEnvoy - SE uses SMS one-time codes instead of having a dongle.

Hope that helps :)
 
Associate
Joined
3 Jun 2008
Posts
411
OpenVPN is free and based on the same technology which powers the majority of secure sites on the internet (OpenSSL). I've also had good experiences with Microsoft ISA 2006, despite windows-firewall being considered something of an oxymoron.

On the hardware side you have so many options but we would need to know more about the expected throughput before making any recommendations. Sounds like an ASA would be overkill.
 
Man of Honour
Joined
30 Jun 2005
Posts
9,515
Location
London Town!
SSL VPN is the future these days, personally I like the Juniper SSL VPN appliances for functionality and ease of use, the Cisco SSL VPN implementation isn't so friendly or feature rich (but it can be run on an ISR, which is nice).

If you must have IPSEC VPNs then Cisco is the choice without a doubt; the client is so much better than anything else out there. I have no time for Cisco firewalls usually but for VPNs using IPSEC they're still the best.
 
Soldato
Joined
18 Oct 2002
Posts
2,714
As others have said, it comes down entirely to what you want for the "VPN", your budget and what constraints are imposed on you. For example, if you just want access to your Exchange email then maybe Outlook Web Access is all you need. If you want to access Windows servers then Citrix is also a possibility. SSL VPNs using something like the Juniper SSL VPN appliances, Check Point Connectra or the Cisco SSL VPN devices are also a possibility if you want access to more things internally within your network, although some things are far more cumbersome on the user to do with an SSL VPN.

However, if you want full corporate access like people have in the office, your only real choice is still IPSEC based VPN. The two best choices for this would be using a Cisco box; the low end ASAs as suggested would be a great solution. Also Check Point SecuRemote/SecureClient are as good if not better in some ways than the Cisco, although the Check Point will cost a hell of a lot more.
 
Associate
OP
Joined
18 Oct 2002
Posts
710
Location
Somerset
Thanks for the replies, that gives me more to go on than just searching the net for VPN options.
I have been told 'maybe 10 users' but once those 10 have it I'm sure that number will increase.
We already use Citrix for applications we have hosted off site, which can already be used 'outside' our network with the browser login.
Adding a 2nd Citrix setup into things to give access back to the network I'm sure would confuse some users.

The need is to gain access to the file servers so they can access files out of the office.
 
Soldato
Joined
18 Oct 2002
Posts
2,714
> Thanks for the replies, that gives me more to go on than just searching the net for VPN options.
> I have been told 'maybe 10 users' but once those 10 have it I'm sure that number will increase.
> We already use Citrix for applications we have hosted off site, which can already be used 'outside' our network with the browser login.
> Adding a 2nd Citrix setup into things to give access back to the network I'm sure would confuse some users.
>
> The need is to gain access to the file servers so they can access files out of the office.

How technically literate are your users? Have you maybe considered using something like OpenSSH if these files are stored on a Windows server and allowing people to access them remotely using SSH? It's not the most hi tech or most secure method but for only 10 users a separate hardware solution running into thousands of pounds prolly isn't gonna go down very well with your boss ;) If you do go for OpenSSH then, if you can, filter the IPs allowed to access via your firewall (if your users have static IP addresses); also ensure that you have security settings on Windows to enforce regular password changes and force people to use complex passwords > 8 chars in size (the bigger the better).
 