Q: Is XP VPN client/service secure enough?
Results 1 to 8 of 8

Thread: Q: Is XP VPN client/service secure enough?

  1. #1
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177

    Question Q: Is XP VPN client/service secure enough?

    Let me start with this: I have zero experience with the Microsoft VPN client/server stuff built into XP (and other versions). I've used it to connect to someones network ONCE, to help them test out their setup. He gave me an IP, a username, and a password, and I connected and viewed a network share.

    So, I've recently had a client tell me they find it perfectly acceptable for use at one of their small office locations. Part of me cringes at this idea, but I want to make sure I'm having a knee-jerk anti-Microsoft response.

    Anyone have any experience with this, and can talk to vulnerabilities? I've not found anything discussing limitations or breaks/patches so far.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  2. #2
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    I haven't dug into microsoft's software specifically yet. My understanding is that the biggest tradeoff you get in using Microsoft's client versus a 3rd party solution is the 3rd party solution generally has a firewall built in so you can manage perimeter security in your remote users while they are connected to your network.

    Even then with Microsoft's built in firewall for xp, you can most likely manage the firewall via AD (though the 2k boxes won't feel the love).

    I'm just now digging into the microsoft vpn/ipsec materials in my sans windows security training...If anything pops up I'll send you a note.
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  3. #3
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    IPSEC is much more secure than PPTP......for the MS VPN client.

    Also...ensure the user password is strong and limit the users account....that way if something should come through it may be easier to contain if they only have access to one folder or very limited access as a whole (read only).

    On the server the vpn log is in the system32\logfile\ (i think thats the dir name) and it logs every conection.

    We have been using MS VPN for several years and have had no issues...great for email..and file transfer\sharing.

    As for being secure...well..you have to open ports

    If you want a really secure connection...I think you should look at a hardware VPN..hardware devices on both ends.


    MHO

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  4. #4
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    From what I've read the hardware vpn versus the windows vpn issue is more performance related than security. I can see the dedicated appliance being easier to configure and maintain tho (at least you don't have to harden the os...). Even then, the performance gains weren't really seen until there were a large number of users/connections. Especially when the crypto was offloaded to a dedicated card.

    Is there more to it beyond that? Can you elaborate a little bit?
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  5. #5
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Going back a few years I attended a CISCO info session thingy (oooh I am sooo technical) and they were going on and on about how a hardware vpn solution was more secure as it was from device to device...as opposed to from anywhere to server....

    This is by no means my area of expertize.....lately my focus has been on SQL databases and an MRP implementation..

    I visit this site to keep up with security issues and try and secure my sites as best I can....I have dealt mostly with small business in the last 8 years or so 3 to 50 computers.....

    Although my first computer job consisted of 2000 computers and 45 networks all consolidated into one building....that was 15 years ago...technology has changed a bit since those days

    Mostly for the small business ...with the new Windows 2003 server...I have found no real issues using the MS VPN solution. (IPSEC)

    I have also heard of some financial sites using checkpoint....but again....I am no expert.

    Just my humble option

    and .02 cdn

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  6. #6
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    Odd...the reasons given don't make all that much sense to me. Ipsec wise, tunneling is the option most often used between the gateways which 'can be' better than your other options, but you can usually do that client to gateway as well if it's really needed.

    Maybe we're just missing some of the context, maybe they were just trying their darndest to sell you some hardware. =p
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  7. #7
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    Going back a few years I attended a CISCO info session thingy (oooh I am sooo technical) and they were going on and on about how a hardware vpn solution was more secure as it was from device to device...as opposed to from anywhere to server....
    you mean a hardware manufacturer was saying a hardware solution is better than a software solution? now THAT is a suprise
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  8. #8
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Oh yeah...I knew they were trying to sell hardware...but many vendors have hardware vpn devices..I wasnt born yesterday...(far from it)

    But it did kinda make sense as you can only connect from device to device...so if some L33t h@xor want to use the vpn connection to get in...wouldnt he\she need the device????

    Just thoughts

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •