
Win2k Authentication over VPN / Pix


phong256

IS-IT--Management
Jul 11, 2002
I am shortly to upgrade our company network to Win2k. I have begun setting up a trial lab to test for issues etc.

I will need to connect 25 remote sites (1 user / 1 Win2k Pro PC / 1 ADSL link at each site) to the head office via a VPN. Our ISP will be providing a leased line to the Internet with a managed router on our site, which will be connected to a Pix 515 firewall. My concerns are over authenticating the remote users onto the central domain. Do I need to get specialist software (I've heard a bit about ASC / Radius or something) or can I configure the Pix firewall to accept certain types of traffic, and then get the remote clients to authenticate on the DCs? I will want them to assume their particular permissions and mapped drives.

Basically, can anyone suggest a way to authenticate remote WinXP clients over a VPN using a Pix firewall?

Any help much appreciated

Thank you.

Marcus

HI.

The pix supports RADIUS authentication, and Win2K has built-in RADIUS server support called IAS, so you do not need an additional service for that.

I also suggest that you use different user names and passwords for VPN authentication than those used to access the servers. This can make an attacker work a bit harder.

However there are some limitations with the pix that you should consider:

* Currently the pix does not support IPSec encapsulation over UDP/TCP - you might find that your ADSL clients will have problems connecting to the pix with IPSec.
If you have this problem you will need to use a different VPN technology, either using the pix or another device.
Anyway, you MUST do a pilot test using ADSL before you start with the full scale implementation, and best to do it before you "close the deal".

* Does your pix support 3DES or only DES (or none)?
Check the "show ver" output.

* Some alternate solutions if you have problems:
Use a different device as VPN server. This can be a Cisco VPN concentrator, a W2K server, or another device.
Some advantages - better management and control at a dedicated VPN server, offloading the pix, and more.
Disadvantages - additional cost.

The pix will act as a dedicated firewall and will forward VPN traffic to the VPN server behind it.
In such a case you should plan the placement of the VPN server - a good idea is to put it on a dedicated pix interface (or two) so you can both protect the VPN server with the pix, and also control the unencrypted traffic from the VPN server to the LAN at the pix.

One more tip, not directly related to your question - if you haven't already, you can also plan for a terminal server at the main office; this can dramatically improve performance for your clients and save bandwidth, and also allow for better central management and support.

Bye
Yizhar Hurwitz
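As an added illustration of the PIX-to-IAS RADIUS exchange described above (example code written for this thread, not from Cisco or Microsoft), here is the RFC 2865 Access-Request / Access-Accept flow with both sides simulated in one process. It assumes PAP-style User-Password hiding, a shared secret between gateway and server, and a constructed user table; the secret, user names and passwords are made up.

```python
# RFC 2865 RADIUS Access-Request/Accept exchange: VPN gateway (PIX) vs RADIUS server (IAS), simulated.
import hashlib
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def _xor_chain(data, secret, req_auth, reveal=False):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous hidden block)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, key))
        out, prev = out + res, (block if reveal else res)
    return out

def _attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def parse_attrs(data):
    attrs, i = {}, 0  # Type / Length / Value triples, keyed by type
    while i < len(data):
        if data[i + 1] < 2:
            raise ValueError("malformed RADIUS attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def client_request(ident, user, password, secret):
    """What the PIX sends: a fresh random Request Authenticator and the hidden password."""
    req_auth = secrets.token_bytes(16)
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = _attr(USER_NAME, user) + _attr(USER_PASSWORD, _xor_chain(padded, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def server_response(request, secret, users):
    """What IAS does: recover the password, check it, sign the reply with the shared secret."""
    ident, length = request[1], struct.unpack("!H", request[2:4])[0]
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    pw = _xor_chain(attrs.get(USER_PASSWORD, b""), secret, req_auth, reveal=True).rstrip(b"\x00")
    code = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == pw else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # no reply attributes in this example
    return header + hashlib.md5(header + req_auth + secret).digest()  # Response Authenticator

def client_verify(response, req_auth, secret):
    """The PIX trusts a reply only if its Response Authenticator matches the shared secret."""
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return response[0] if secrets.compare_digest(expected, response[4:20]) else None
```

The third check in the test shows why the shared secret matters: a server that does not hold it can neither recover the password nor produce a Response Authenticator the gateway will accept.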
Hi Yizhar,

Thanks very much for your input. I shall take a look at the Radius / IAS authentication service. I think that's what I've been looking for.

I haven't actually purchased the Pix yet, though I have in mind a PIX-515... which I believe uses DES + 3DES encryption.

You mentioned the Pix not supporting IPSec encapsulation over TCP. I thought IPSec was supported, or at least I have seen reference to it in product docs etc., though I am probably talking about something else. Please could you expand on this limitation you have mentioned.

Much appreciated,
Marcus