
**Windows 2000 Server w/ VPN Security?**


madjakers (IS-IT--Management), May 23, 2003
I have just installed a VPN W2K server with two NICs one to my private LAN and one connected to our T1 with a public IP for the Remote VPN clients to connect to.

I have 20 or so PPTP ports accepting incoming connections only from my Active Domain Enabled User Accounts, with W2K configured as a router that only passes VPN ports and protocol. Everything works great!

What I don't know, and is quite scary, is how secure that server is?

1. Does anyone know what vulnerabilities I have inflicted upon myself?

2. Is there a way to beef up my security using W2K server?

3. Should I be using other software to prevent attacks/hacks/weaknesses?

4. Currently my ISP passes all traffic to and from the VPN's public IP (it can be configured however I would like, they said)


Any and All help would be Awesome!

-Jake Rehmann


 
So you have the VPN server on the Internet? This is not a good idea, in my opinion. One thing, will you have 20 clients connecting at the same time? I normally cut down the number of ports to the max number of clients connecting at once. You should look into a firewall between the VPN server and your LAN. You can configure it to only pass traffic to and from the VPN server over port 1723....

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
If your ISP is going to perform packet filtering (my impression from your statement #4) then you could ask that they only forward 1723 traffic, otherwise you should have a firewall to do this.

I have set up servers just like this before, and only had one with problems (I think they never used Windows Update and the server got attacked through known vulnerabilities.)

Limit the traffic first, keep the server up-to-date, and decide what is an acceptable level of risk...it will guide you in your next step.

Alex
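Both replies above come down to the same rule: only PPTP traffic should reach the VPN host, whether the ISP or a firewall enforces it. The following is an added example (not code from any poster) that expresses that rule as a default-deny check and runs it over constructed flow records. It assumes a placeholder VPN address of 203.0.113.10 and that PPTP needs TCP/1723 for its control channel plus IP protocol 47 (GRE) for the tunnelled data, which is the "VPN ports and protocol" the original poster mentions; if the ISP filter only forwards 1723, the GRE side needs to be forwarded too or tunnels will not come up.

```python
"""Packet-filter policy check for the PPTP host discussed above.

Added example, not code from any poster. Assumptions: the VPN public
address is the constructed placeholder 203.0.113.10; PPTP needs TCP/1723
for the control channel (the port named in the thread) plus IP protocol 47
(GRE) for the tunnelled data. Everything else addressed to the host is dropped.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

VPN_PUBLIC_IP = "203.0.113.10"   # constructed placeholder, not the poster's address
PPTP_CONTROL_PORT = 1723         # TCP control channel named in the thread
GRE_PROTOCOL_NAME = "gre"        # IP protocol 47, carries the PPTP data channel


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "gre"
    dport: Optional[int] = None  # only meaningful for tcp/udp


def is_allowed(flow: Flow) -> bool:
    """Default deny: only PPTP control and GRE addressed to the VPN host pass."""
    if flow.dst != VPN_PUBLIC_IP:
        return False
    if flow.proto == "tcp" and flow.dport == PPTP_CONTROL_PORT:
        return True
    if flow.proto == GRE_PROTOCOL_NAME:
        return True
    return False


def parse_flow(line: str) -> Flow:
    """Parse a constructed log line of the form 'src dst proto [dport]'."""
    parts = line.split()
    if len(parts) not in (3, 4):
        raise ValueError(f"malformed flow record: {line!r}")
    dport = int(parts[3]) if len(parts) == 4 else None
    return Flow(parts[0], parts[1], parts[2].lower(), dport)


def audit(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Return (allowed, dropped) lists of the records the filter would pass or block."""
    allowed, dropped = [], []
    for line in lines:
        (allowed if is_allowed(parse_flow(line)) else dropped).append(line)
    return allowed, dropped


# Constructed sample records: one legitimate client, then traffic the filter must stop.
SAMPLE_FLOWS = [
    "198.51.100.7 203.0.113.10 tcp 1723",   # PPTP control channel: pass
    "198.51.100.7 203.0.113.10 gre",        # PPTP data channel: pass
    "198.51.100.9 203.0.113.10 tcp 445",    # file sharing must not reach the host
    "198.51.100.9 203.0.113.10 udp 161",    # SNMP must not reach the host
    "198.51.100.7 203.0.113.11 tcp 1723",   # right port, wrong destination
]

if __name__ == "__main__":
    ok, blocked = audit(SAMPLE_FLOWS)
    print("allowed:", ok)
    print("dropped:", blocked)
```

Running it lists the two PPTP records as allowed and the other three as dropped; the same check can be pointed at real connection logs to confirm that nothing but PPTP is arriving at the host after the ISP or firewall rules are in place.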
 
Thank you Matt and Alex...

I think that I will only have 1723 traffic to the VPN public IP.

Matt, I have reduced the number of ports to the max number of users using VPN (still, if one port can be hacked then what is the difference if I have 5 or 100?)

Keeping it updated is a great idea (not that I wasn't planning on it, I just forgot about it as a security measure)

My level of risk...well...I don't want anyone to be able to get or see my information on a few servers I have on the private LAN...Ever!

Thanks again for all of your help

Sincerely,

Jake Rehmann
 
Level of risk is determining who is likely to be looking, and you can never protect it forever, just for a long time. If you are going to guard against the NSA you will have to take extreme steps but if your threat is more likely a bored 13-year-old you could slack off a little.

In most corporate environments I plan that there could be someone with the same resources or somewhat more trying to access e-mail and server-shared files. So I would try to defend against the greatest number of off-site attacks that are possible, and have some on-site protective measures in place.

In your case the Win2K server is hosting the VPN (I usually use a firewall to host VPN, but that is done for server load mainly and not security.) For this case I would write stringent password complexity requirements in the security policy and then I would set those passwords with a short life. (I usually use something like LC3 to try to crack passwords, ensuring that the policy requires passwords that take the software a good two days or so to crack. This proves that a password should be good for two weeks or so.)


Alex
 
Alex...you're the man! Thanks for your help, the password policy is excellent (although the boss will probably gripe). I will just allow 1723 traffic to pass to that port for added security.

Correct me if I am wrong...hackers use port sniffers to gather info on your password and then use your password to connect as an authorized user.

Once again thanks and I am in your debt!

Sincerely,

Jake Rehmann
 
Port sniffing on VPN is not going to be much of a problem. First, the bad guys must get your traffic mirrored to their machine (they need to have access to one of the Internet switches between your server and your VPN client), but say they do have a sniffer in place.

Depending on your VPN protocol, there is a question & answer session between the client and host to first create the tunnel. (Client machine says "I'm looking at this shared key and you must tell me what is the third bit", the server answers "1A, now I'm looking at the seventy-second bit...you tell me what it is" etc. for up to half a minute or so, during which time both machines remember these bits for use as the packet encryption key.) Now, every further packet is encrypted using this one-time key. These encrypted packets then carry the actual user authentication to the domain to provide access to the file shares, printer and other resources.

For someone outside to spoof your VPN, they must know the shared key (or collect this by watching the question and answer session MANY times), decrypt the last however many batches of traffic to determine a good M$ user name and password, then use the key to make the tunnel, and log onto your domain. Here's how you make it hard for them:

You are going to use a complex shared key and change this key every week, month, year, whatever to make forging a VPN tunnel take a long time. You then have user passwords that change often to prevent someone with a forged tunnel from having a valid password (i.e. if it takes them two weeks to crack the shared key, a week to decrypt the past two weeks' traffic to pick out a good user and password, then they connect to find all the user passwords have been changed, they only have one more week to learn the NEW passwords before you change the shared key...)

First write a good user password policy, get them used to changing passwords, make sure that they aren't flipping between two or three easy-to-guess-the-next-one passwords (john_doe1, john_doe2, john_doe3.) Then start changing your VPN key on some schedule.

(Note all of this is ONLY for VPN traffic, since you said you are closing off all other ports you have a lot less worries.)

Alex
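Alex's two replies ask for a stringent complexity requirement with a short password life, and for a history rule so users cannot rotate through john_doe1, john_doe2, john_doe3. The following added example (not code from any poster) shows what such a policy check looks like when written down as a function that returns the violations for a proposed password. The minimum length, the number of character classes and the history depth are assumed values, not numbers from the thread.

```python
"""Password-policy checker for the domain accounts behind the VPN.

Added example, not code from any poster. It enforces the two ideas in
Alex's replies: stringent complexity, and a history rule so that users
cannot cycle through john_doe1, john_doe2, john_doe3. The numeric limits
(length 10, three character classes, eight remembered passwords) are
assumptions, not values from the thread.
"""
import re
from typing import List

MIN_LENGTH = 10            # assumed minimum length
MIN_CLASSES = 3            # assumed: of lower, upper, digit, symbol
HISTORY_DEPTH = 8          # assumed number of previous passwords remembered


def char_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def stem(password: str) -> str:
    """Drop trailing digits and case so john_doe1 and John_Doe2 share a stem."""
    return re.sub(r"[0-9]+$", "", password).lower()


def check_password(new: str, history: List[str]) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too_short")
    if char_classes(new) < MIN_CLASSES:
        problems.append("too_few_classes")
    recent = history[-HISTORY_DEPTH:]
    if new in recent:
        problems.append("reused")
    elif stem(new) and any(stem(new) == stem(old) for old in recent):
        # Same text with only the trailing number bumped: the pattern Alex warns about.
        problems.append("increment_of_previous")
    return problems


if __name__ == "__main__":
    # Constructed sample: a user trying the "bump the number" trick, then a sound choice.
    previous = ["john_doe1"]
    for candidate in ("john_doe2", "Tr1ck-Wombat-42"):
        print(candidate, "->", check_password(candidate, previous) or "accepted")
```

In practice the history list would come from the directory's stored password history rather than a Python list, but the stem comparison is the part a plain "remember N passwords" setting does not give you: it catches the next number in the sequence before it ever becomes a valid credential.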
 
Many thanks.....

This is great advice....

-Jake
 