Q: Is XP VPN client/service secure enough?

Printable View

August 17th, 2005, 04:34 PM
zencoder

Q: Is XP VPN client/service secure enough?

Let me start with this: I have zero experience with the Microsoft VPN client/server stuff built into XP (and other versions). I've used it to connect to someones network ONCE, to help them test out their setup. He gave me an IP, a username, and a password, and I connected and viewed a network share.

So, I've recently had a client tell me they find it perfectly acceptable for use at one of their small office locations. Part of me cringes at this idea, but I want to make sure I'm having a knee-jerk anti-Microsoft response.

Anyone have any experience with this, and can talk to vulnerabilities? I've not found anything discussing limitations or breaks/patches so far.
August 17th, 2005, 04:40 PM
Juridian

I haven't dug into microsoft's software specifically yet. My understanding is that the biggest tradeoff you get in using Microsoft's client versus a 3rd party solution is the 3rd party solution generally has a firewall built in so you can manage perimeter security in your remote users while they are connected to your network.

Even then with Microsoft's built in firewall for xp, you can most likely manage the firewall via AD (though the 2k boxes won't feel the love).

I'm just now digging into the microsoft vpn/ipsec materials in my sans windows security training...If anything pops up I'll send you a note.
August 17th, 2005, 05:00 PM
morganlefay

IPSEC is much more secure than PPTP......for the MS VPN client.

Also...ensure the user password is strong and limit the users account....that way if something should come through it may be easier to contain if they only have access to one folder or very limited access as a whole (read only).

On the server the vpn log is in the system32\logfile\ (i think thats the dir name) and it logs every conection.

We have been using MS VPN for several years and have had no issues...great for email..and file transfer\sharing.

As for being secure...well..you have to open ports :(

If you want a really secure connection...I think you should look at a hardware VPN..hardware devices on both ends.

MHO

MLF
August 17th, 2005, 05:07 PM
Juridian

From what I've read the hardware vpn versus the windows vpn issue is more performance related than security. I can see the dedicated appliance being easier to configure and maintain tho (at least you don't have to harden the os...). Even then, the performance gains weren't really seen until there were a large number of users/connections. Especially when the crypto was offloaded to a dedicated card.

Is there more to it beyond that? Can you elaborate a little bit?
August 17th, 2005, 06:40 PM
morganlefay

Going back a few years I attended a CISCO info session thingy (oooh I am sooo technical) and they were going on and on about how a hardware vpn solution was more secure as it was from device to device...as opposed to from anywhere to server....

This is by no means my area of expertize.....lately my focus has been on SQL databases and an MRP implementation..

I visit this site to keep up with security issues and try and secure my sites as best I can....I have dealt mostly with small business in the last 8 years or so 3 to 50 computers.....

Although my first computer job consisted of 2000 computers and 45 networks all consolidated into one building....that was 15 years ago...technology has changed a bit since those days ;)

Mostly for the small business ...with the new Windows 2003 server...I have found no real issues using the MS VPN solution. (IPSEC)

I have also heard of some financial sites using checkpoint....but again....I am no expert.

Just my humble option

and .02 cdn

MLF
August 17th, 2005, 07:24 PM
Juridian

Odd...the reasons given don't make all that much sense to me. Ipsec wise, tunneling is the option most often used between the gateways which 'can be' better than your other options, but you can usually do that client to gateway as well if it's really needed.

Maybe we're just missing some of the context, maybe they were just trying their darndest to sell you some hardware. =p
August 17th, 2005, 08:44 PM
XTC46

Quote:

Going back a few years I attended a CISCO info session thingy (oooh I am sooo technical) and they were going on and on about how a hardware vpn solution was more secure as it was from device to device...as opposed to from anywhere to server....

you mean a hardware manufacturer was saying a hardware solution is better than a software solution? now THAT is a suprise ;)
August 17th, 2005, 09:13 PM
morganlefay

Oh yeah...I knew they were trying to sell hardware...but many vendors have hardware vpn devices..I wasnt born yesterday...(far from it)

But it did kinda make sense as you can only connect from device to device...so if some L33t h@xor want to use the vpn connection to get in...wouldnt he\she need the device????

Just thoughts :)

MLF