
Vpn Help Required, Techy Forums No Use.


8 replies to this topic

#1 1dmf


Posted 30 March 2010 - 11:12 AM

Hi,

Not really an SEO post, but I've had it on a couple of techy forums for over a week and no-one seems to be able to help, so I'm really hoping someone here might.

=======================================

We currently have our remote access users set up so they must go to certificate services and download a user SSL certificate. (which I control access to via IIS)

I have then set up RRAS/IAS to only allow SSL certificated users to connect to the work server via VPN.

However, our support company says this is an obscure and non-standard way of setting up VPN.

Yet when they messed with it they tried to set it up so it allowed username / password to connect and not SSL. (doesn't this send credentials in plain text?)

Surely their way is much more insecure, plus the data transfer wouldn't be encrypted, would it?

They now have suggested we should get a VPN hardware box for VPN users.

Why are they suggesting this? What's wrong with using the server's RRAS & ISA with SSL encryption / security?

What does a VPN box do? How is it better or 'the normal way' of doing things?

Why do they think the way I have it configured is obscure and non-standard?

I'm a little confused over this, so your help is appreciated.

Thanks,
1DMF.

#2 Randy


Posted 01 April 2010 - 10:03 AM

Perhaps I am missing the plot, but couldn't you use a basic Username/Password type of query, then send it over to an SSL stream? Once the data enters the SSL/HTTPS stream it's going to be encrypted, so the only real point where it's plain text is when the user is typing it in at their computer. So as long as they do not have a keystroke logger on their system it should still be safe.

#3 1dmf


Posted 01 April 2010 - 11:25 AM

Sorry Randy, but I don't understand what you mean.

I'm not sending / doing anything, it's all part of Windows.

You go to network connections, add new connection and choose VPN, it creates an icon / network connection for the VPN.

I'm a little hazy on whether the username and password (if that method is used) are sent in plain text. Someone mentioned IPSec, so perhaps I'm worrying about nothing and VPN client apps (including the MS Windows one) automatically encrypt all communications using one protocol or another.

Either way, I'm still unsure why this so-called MS gold partner support company thinks using SSL user certificates is strange?

They spent 2 days cocking things up and then said they would have to escalate things as they couldn't fix it, so I had a dabble and got it working perfectly within an hour. Was my first attempt too.

Problem is they are telling my Boss I've set it up weird (though we've run it this way for 5 years+ and that's how the previous support company set it up!), only I don't know enough about it to categorically tell my Boss this company is talking out their arse!

#4 Randy


Posted 05 April 2010 - 12:33 PM

QUOTE
I'm not sending / doing anything, it's all part of Windows.


I'm out of the picture for sure then. You couldn't get me to fiddle with a 'Doze network if ... well, if you paid me to do it! I have no idea how their networking stuff works. Heck, even my own network isn't a Windows one technically speaking, though it does have Windows computers using it. Each computer is connected through the Linksys router and the router is what controls most of the security.

Have you checked out places like WindowsSecurity.com or even the Support.Microsoft.com knowledge base? I'm pretty sure both of those would have articles that explain a basic VPN configuration that should work.

One important thing to remember. The P in VPN stands for Private. And while Privacy can be a component of Security, it is not security. It sounds like you're already taking the other stuff into account, but it's an important point. VPN is not security. It is Privacy, which can be made secure with a few extra bits and pieces.

#5 1dmf


Posted 06 April 2010 - 06:58 AM

Thanks Randy,

That's where I'm a bit lost. Someone on another thread said that VPN by its nature is already encrypted; I guess that's why they think the word 'Private' is used.

However, you seem to have the same opinion as me: it's only 'secure' if you make it that way.

I'll check out the URLs you have given and see if I can get to the bottom of this. I wish you did Windows, I'm sure you'd be a fountain of knowledge if you did!



#6 1dmf


Posted 07 April 2010 - 06:45 AM

Well, it's not looking promising with that WindowSecurity.com site: my post has had 31 views and no replies, and out of the 13 topics on the front page (not including stickies) 6 have had no reply, and these threads go back to 24th March!

It's not as though I can ask our IT support company for help either.



#7 1dmf


Posted 13 April 2010 - 04:16 PM

Well, I guess patience is a virtue, as I've had some helpful input into my VPN woes from the WindowSecurity forum, so thanks for the link.

Though I'm still having problems; nothing is ever as straightforward as it should be.

I don't suppose you know anything about L2TP & IPSec and this potential issue?
QUOTE
I've changed the Windows VPN client to use L2TP & IPSec, which is now causing error 789: the L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.
I know I've been recommended to do some error logging / debugging for errors, but if anyone knows the quick answer it would be most appreciated.

#8 Randy


Posted 14 April 2010 - 10:48 AM

There are potentially lots of moving parts, so it's going to be tough to pinpoint quickly, including the potential of a 3rd party firewall interfering with the connection. It's been a while, but I seem to recall running into this exact type of situation once years ago in an office setting (VPN connection from "remote" computers that were in different buildings on the campus) and the root cause ended up being a Cisco router that was in the picture. I don't even recall how it was resolved to be honest, but do remember it was a real bear to get sorted.

Can you connect via Terminal Services, but not using L2TP? That's where I'd start. Knowing the answer to this question should go a long way towards telling you if it's something happening at the VPN server or a 3rd party firewall/security system. So try first establishing a connection via Terminal Services between the machines. Then try establishing a Layer Two Tunneling Protocol (L2TP) connection from the Terminal/Remote computer to the VPN server. If the first works and the second fails, chances are pretty high it's not a 3rd party something-or-other in the way.

If that's what you see then it might be as simple as establishing a pre-shared key on both ends of the VPN connection. This basically makes use of IKE (Internet Key Exchange) authentication to support the connection. While MS does not recommend IKE authentication, all of their servers going back to Windows 2000 support it to the best of my knowledge.

What this pre-shared key setup entails is adding a ProhibitIpSec registry value to both the VPN server and the remote machine(s). After establishing that, all machines would need to be rebooted to bring it online. Then you'd need to manually configure IPSec policies on the computers on both ends of the connection to make use of IKE.

Not easy. Not 100% secure, since hacked PCs could end up having an entry point to the VPN, but then again nothing is 100% secure. So as long as you're careful with security in other ways it's not terrible. Mostly because VPN is not utilized on most PCs, so most hackers don't even look for it.
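A way to check which L2TP/IPsec mode each end is in before and after the ProhibitIpSec change described above, added here as an example and not code from the thread. The registry path and value name are the ones Microsoft documents for L2TP/IPsec pre-shared-key setups; the Policy Agent check and the mode descriptions are this example's own reading of that documentation, and the script is meant to be run locally on the RRAS server and on each remote client.

```powershell
# Added example: audit the ProhibitIpSec value that the pre-shared-key
# procedure relies on. Path and value name are Microsoft's documented ones
# for L2TP/IPsec; the interpretation text is this example's own.
$rasManKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
$valueName = 'ProhibitIpSec'

function Get-L2tpIpsecMode {
    # Report the current L2TP/IPsec mode of this host as an object.
    $item  = Get-ItemProperty -Path $rasManKey -Name $valueName -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { 0 } else { [int]$item.$valueName }

    # The IPsec Policy Agent service is what applies a manually assigned policy.
    $policyAgent = Get-Service -Name PolicyAgent -ErrorAction SilentlyContinue

    $mode = switch ($value) {
        0 { 'Automatic L2TP/IPsec policy (certificate authentication, the original setup)' }
        1 { 'Automatic policy disabled: a manually assigned IPsec policy with the pre-shared key is required' }
        default { "Unexpected value $value" }
    }

    # Caveat: with ProhibitIpSec=1 and no assigned IPsec policy in force,
    # L2TP can be brought up without IPsec protection, i.e. unencrypted.
    $warning = ''
    if ($value -eq 1 -and (-not $policyAgent -or $policyAgent.Status -ne 'Running')) {
        $warning = 'IPsec Policy Agent not running: L2TP could come up without IPsec protection'
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        ProhibitIpSec = $value
        Mode          = $mode
        PolicyAgent   = if ($policyAgent) { $policyAgent.Status } else { 'not found' }
        Warning       = $warning
    }
}

function Set-L2tpIpsecMode {
    # Switch between the two modes; RasMan only reads the value after a reboot.
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$ProhibitIpSec)
    if (-not (Test-Path $rasManKey)) { New-Item -Path $rasManKey -Force | Out-Null }
    New-ItemProperty -Path $rasManKey -Name $valueName -PropertyType DWord `
        -Value $ProhibitIpSec -Force | Out-Null
    Write-Host "ProhibitIpSec set to $ProhibitIpSec on $env:COMPUTERNAME; reboot required."
}

Get-L2tpIpsecMode | Format-List
```

Run the audit on both ends after the reboot: a mismatch between server and client modes, or a warning on either side, is the first thing to rule out before digging into the error 789 logs.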



#9 1dmf


Posted 20 April 2010 - 04:43 AM

Well, the person helping me on windowsecurity.com has come to the conclusion that IPSec doesn't work on Windows and you need to use the VPN client provided with the firewall.

I've decided to give up with this idea. If Windows can't work with IKE & IPSec then using the firewall VPN is not an option.

I'm now going to see if the support company will set up a permanent VPN tunnel (gateway 2 gateway) to give them access from any machine on their network.

I'm guessing that will only work however if their internal IP structure isn't the same as ours!

But as you say that leaves us open on another front so if they got hacked we are wide open!



