Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

vpn security

Status
Not open for further replies.
scurl1968

scurl1968

MIS
Jan 6, 2003
4
US
I just finished building a Win2000 VPN server but I want to lock it down before I enable the external interface in order to keep my network as secure as possible (it will also be behind a firewall). Does anyone know of any good resources for learning how to harden a VPN server? Website suggestions would be great.

Thanks!
 
Sort by date Sort by votes
Since you already have a firewall in place, use it to tighten your VPN security. If the solution is out there, let us know it was helpful, so others can benefit from it as well..
 
Upvote 0 Downvote
Firewall security is not enough, in my opinion. The servers and clients behind the firewall should also be as secure as possible. I did find one nice tool on Microsoft's website which is called the Microsoft Baseline Security Analyzer. After you install it, it will run a scan on your server and give you tips about things you should alter/add/remove in order to make it more secure. I still don't think this will be totally sufficient, but it's a start.
 
Upvote 0 Downvote
Not enough? If you don't trust your firewall .. well ... If the solution is out there, let us know it was helpful, so others can benefit from it as well..
 
Upvote 0 Downvote
It has nothing to do with my firewall being trustworthy or not. Do you read the posts to NTBugtraq or any of the IPF forums? New exploits are being discovered every day. Any sysadmin worth his/her paycheck knows that no one solution is absolutely perfect. So the more layers of security we can provide, the better.
 
Upvote 0 Downvote
I agree with that, but then don't use VPN unless you go entirely encrypted. If the solution is out there, let us know it was helpful, so others can benefit from it as well..
 
Upvote 0 Downvote
BTW, I work at a firewall company, so I do know the issues about security ;-) If the solution is out there, let us know it was helpful, so others can benefit from it as well..
 
Upvote 0 Downvote
[rant]

I can't help it . . . gotta chime in on this one.

Man it is obvious that you work at a firewall company and not a security company.

That statement . . . don't trust your firewall . . .?!??!

That's kinda like saying 'Hey, I live in a secure building, so I don't need to lock the door to my apartment!'

What were you thinking and/or smoking?

[/rant]

Now that's out of the way, so . . . .

I can't offer any real advice with a W2K Server, other than you have the right idea. I usually deal with Unix/Linux servers, but the same general ideas work. I turn off everything. Then I make a chart of what I need and where I need it. Those get turned back on, only on the specific interfaces where they are needed. If someone cries that they need something else, I sit on it. Three days, minimum. If I here about it again, I'll consider turning it on . . . maybe.

marcs41 has a good point in his first post . . . not sure what happened . . . Anyway, take a look at your firewall rules. Your ability to control that will depend upon your firewall and experience, but again same general idea. Turn EVERYTHING off. Your default policy should be drop. Set up rules to allow in only what is necessary. When possible, be specific about where it should be coming from and where it should be going. Reject nothing. If you need it in, accept (or forward), if you don't need it, drop it. Rejected requests simply tells others that you have a firewall, and you might have something behind it looking in to.

Sorry for the rant, hope some of the rest of this makes sense.
 
Upvote 0 Downvote
Never mind the rant, you have a point if I re-read my (incomplete) statements (was too obvious perhaps but nevertheless not true).
Basically, what I mean mhkwood, is that the firewall comes in first. I do not promote our brand or anything, that is not the issue, even, like your own, it is based on a Linux Kernel.
Of course we do handle security, but I had not idea I had to elaborate on those aspects here ;-)
With me, security comes 1st as well, but my point is still, start with the firewall, it is your first point of entry. Whatever gap is in there will compromise anything else behind it, no matter how secure you make it.
As mhkwood states, drop everything and open what you REALLY need, in a controlled and monitored way. Build in shutdown and alerts when attacks are detected.
When I asked 'don't trust your firewall .?!??! ' the same applies for any security measures. If you don't trust them, don't use them. So, alternatively, if you DO use them, you should trust them (or yourself).

My building is locked and so are the doors ;-) If the solution is out there, let us know it was helpful, so others can benefit from it as well..
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

eleafpod
  • Locked
  • Question
ISO the best security camera monitoring system
Replies
2
Views
925
Pigasque
Pigasque
teknance
  • Locked
  • Question
Discovering Portugal: Uncover Hidden Destinations and VPN Solutions
Replies
5
Views
440
GlobeTrekkerGal
GlobeTrekkerGal
sarahz2
  • Locked
  • Question
Best vpn safe and fast
Replies
4
Views
327
GlobeTrekkerGal
GlobeTrekkerGal
MP2023
  • Locked
  • Question
How to Create an site to site VPN
Replies
1
Views
272
sircles
sircles
ramblingrebel
  • Locked
  • Question
Built-in Windows 10 VPN
Replies
1
Views
234
Joon Smith
Joon Smith

Part and Inventory Search

Sponsor

Back
Top