How To VPN Everything?

TechieSooner (Supreme [H]ardness, joined Nov 7, 2007, 7,601 messages)
I've got two things I'd like to connect to the domain at HQ office. 1) The Laptops when on the road and 2) Remote offices

My main purpose is just to get them VPN'd in so that I can control their group policy, redirect their stuff to the server, they can login to the domain, etc. Pretty much all the advantages of a domain that they aren't getting being workgroups right now.
The Laptop users... I'd like them to be able to logon to the domain when outside of the office as well.

What kind of solutions are there?
First, for the laptop users? The Windows VPN client really won't work too well, as then the logon scripts won't be connected to run.

Second, the remote offices? A router to router VPN would be awesome. Is there any kind of appliance I can just sit inside the firewalls (I can open ports if I have to), and they connect each network together?
 
Citrix servers are a godsend for when you get a lot of remote users, is this an option?

What firewalls/routers are you using now?
 
Can you give us a current equipment list, firewalls, routers, etc.

Also, budget will be a big factor. Do you want split tunneling on VPN clients?
 
Also known as how highly do you value your company's proprietary information?

NO, meaning do you want to allow local internet browsing or pipe it all through the VPN. The company information should sit on the servers.
 
> NO, meaning do you want to allow local internet browsing or pipe it all through the VPN. The company information should sit on the servers.

If you allow split tunneling you allow some traffic across the VPN and some across the net... it provides the ability to give a backdoor via the laptop into the company network.

Once connected via the VPN all traffic should be tunneled across the VPN if security is any type of a concern.
 
> If you allow split tunneling you allow some traffic across the VPN and some across the net... it provides the ability to give a backdoor via the laptop into the company network.
>
> Once connected via the VPN all traffic should be tunneled across the VPN if security is any type of a concern.

I have NEVER seen an exploit that uses split tunneling to capture data, please provide your source for this security hole.
 
> Citrix servers are a godsend for when you get a lot of remote users, is this an option?
>
> What firewalls/routers are you using now?

Citrix wouldn't really be an option. Really, I just want something transparent so they get practically the same experience as those at HQ. (Minus running big applications off the server over a VPN, which would still be too slow no matter what I did without spending money on upgrading all the internet connections.)

> Can you give us a current equipment list, firewalls, routers, etc.
>
> Also, budget will be a big factor. Do you want split tunneling on VPN clients?

HQ is a Cisco 2801. Remote Offices are stuff like WRT54Gs. For 2-3 people offices you really don't need much. Some of them are proprietary ATT DSL router/modems as well.

Split tunneling: yes. I figure my long-term goal is getting everyone hooked up to HQ; from that point I'll look at maybe doing Untangle machines at each branch.

> If you allow split tunneling you allow some traffic across the VPN and some across the net... it provides the ability to give a backdoor via the laptop into the company network.
That's no different than having any other computer connected to the internet.
 
> HQ is a Cisco 2801. Remote Offices are stuff like WRT54Gs. For 2-3 people offices you really don't need much. Some of them are proprietary ATT DSL router/modems as well.

You can configure the 2801 to use the Cisco VPN client, however this client does NOT have 64 bit support from Cisco, and likely never will. The 2800 series should handle the VPNs without issue.

The WRT54Gs are another question, you may want to look at a Linksys RV042 as a low cost, stable VPN hardware device for your remote office, also make sure they have static IPs.
 
> I have NEVER seen an exploit that uses split tunneling to capture data, please provide your source for this security hole.

You definitely don't need a pre-defined exploit. If you hijack someone's box over the net you can route traffic through their computer over the tunnel. That's why more secure VPN clients allow you to toggle the split tunneling feature.
 
> You definitely don't need a pre-defined exploit. If you hijack someone's box over the net you can route traffic through their computer over the tunnel. That's why more secure VPN clients allow you to toggle the split tunneling feature.

Show me an article that talks about this exploit please, or that says it's possible, from a credible source, not Wikipedia.
 
> You can configure the 2801 to use the Cisco VPN client, however this client does NOT have 64 bit support from Cisco, and likely never will. The 2800 series should handle the VPNs without issue.
>
> The WRT54Gs are another question, you may want to look at a Linksys RV042 as a low cost, stable VPN hardware device for your remote office, also make sure they have static IPs.
I've tried the CiscoVPN and it trashed my configuration... Seemed ridiculously complicated.
Can I get these RV042s and terminate them at the 2801?

> You definitely don't need a pre-defined exploit. If you hijack someone's box over the net you can route traffic through their computer over the tunnel. That's why more secure VPN clients allow you to toggle the split tunneling feature.

That's kind of redundant... "If I hijack someone's box over the net" I'd be worried about a lot more than my VPN... Like how they hijacked my box over the net.
 
> That's kind of redundant... "If I hijack someone's box over the net" I'd be worried about a lot more than my VPN... Like how they hijacked my box over the net.

Say you work for a healthcare organization... and have access to several databases containing client social security numbers, tax IDs, DOB, and other PHI/PII. Your laptop being hacked pales in comparison to the million dollar lawsuit that breach will cause. Once he's hijacked your box he has direct access into whatever you VPN to. Assuming the VPN client isn't properly secured.
 
> Say you work for a healthcare organization... and have access to several databases containing client social security numbers, tax IDs, DOB, and other PHI/PII. Your laptop being hacked pales in comparison to the million dollar lawsuit that breach will cause. Once he's hijacked your box he has direct access into whatever you VPN to. Assuming the VPN client isn't properly secured.

So... You're assuming someone will hack it? Why not just ensure that never happens? If someone hijacks a node on the network in ANY configuration on ANY network, chances are that they'll be able to get valuable data regardless.
 
So we are just arguing that split tunneling CAN be insecure. There are many ways to decrease the risk of someone using split tunneling to steal/destroy valuable data. However most of the world uses Remote Access VPN (using a client or SSL) to work from home. At home you are not sitting behind enterprise firewalls and other perimeter security devices. It is much easier for your machine to be compromised in this state. Any responsible admin should think about what these users have access to from home before implementing insecure features.
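The split-tunnel versus full-tunnel question argued above comes down to one thing on the client: where the default route points once the VPN is up. The following audit helper is an added example, not code from any poster in this thread; it classifies a client's routing table as split or full tunnel using longest-prefix matching, and the route tables, the interface name `tun0`, the gateway address 203.0.113.10 and the probe addresses are all constructed for illustration.

```python
import ipaddress

# Constructed sample routing tables: (destination prefix, egress interface).
# "tun0" is the assumed VPN adapter, "wlan0" the laptop's local uplink.
SPLIT_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "wlan0"),        # default route stays on the local ISP
    ("10.0.0.0/8", "tun0"),        # only corporate prefixes enter the tunnel
    ("192.168.1.0/24", "wlan0"),   # local LAN
]
FULL_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "tun0"),         # everything is forced through the tunnel
    ("203.0.113.10/32", "wlan0"),  # host route to the VPN gateway itself (required)
    ("192.168.1.0/24", "wlan0"),   # local LAN still reachable directly
]


def egress_interface(routes, dst):
    """Longest-prefix match: the interface a packet to `dst` would leave on."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def classify_tunnel(routes, tunnel_iface="tun0",
                    corp_probe="10.1.2.3", internet_probe="198.51.100.1"):
    """'full' if both a corporate and an arbitrary Internet address egress via the
    tunnel, 'split' if only the corporate address does, 'no-vpn' otherwise."""
    if egress_interface(routes, corp_probe) != tunnel_iface:
        return "no-vpn"
    return "full" if egress_interface(routes, internet_probe) == tunnel_iface else "split"


def bypass_prefixes(routes, tunnel_iface="tun0", vpn_gateway="203.0.113.10"):
    """Prefixes that bypass the tunnel, ignoring the unavoidable host route to the
    VPN gateway; anything left here is reachable while the VPN is connected."""
    gw = ipaddress.ip_address(vpn_gateway)
    leaks = []
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if iface != tunnel_iface and not (net.prefixlen == net.max_prefixlen and gw in net):
            leaks.append(prefix)
    return leaks


if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES)):
        print(name, classify_tunnel(table), bypass_prefixes(table))
```

Against the full-tunnel table the only bypass left is the local LAN prefix, which is the residual exposure an admin decides on deliberately rather than by default.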
 
> First, for the laptop users? The Windows VPN client really won't work too well, as then the logon scripts won't be connected to run.

This will work. Create the VPN connection so that all users have access to it, then check the Dialup box on the logon screen. If you're connected to the internet, the VPN will connect, and you'll logon just as if you were plugged into the LAN.

I've even set a few up with a second copy of the VPN connection which is set to first connect through the cellular card. Check the dialup box at logon, pick the Cell-VPN connection, and it dials up the cellular connection, then the VPN connection, then logs on as normal.
 
Site to site VPN - Untangle? pfSense?

Not sure if those would suffice, but encrypted VPN is encrypted VPN?

OpenVPN if the Windows one isn't working too well?

I recall hearing that the Cisco VPN client doesn't work on x64 Windows...
 
> I have NEVER seen an exploit that uses split tunneling to capture data, please provide your source for this security hole.

Sorry for the delay.... had a chat with the rest of the NetOps team about this topic, dragged a couple of the Networking team in as well.

I'm willing to step up and say it - more hype than overall threat.

In general the concern was more over current malware (of whatever type) on the laptop already causing problems by directing all traffic over the Corp. network (be it infection attempts or scanning), than the concern of an active attacker using a route from a laptop with some kind of malware to route data from the Corp. network back out to a 3rd party on the net.

So to k1pp3r good on you for calling me out.
TechieSooner, apologies for the slight thread hijack.
 
Good to know, I mean any point into a network could be vulnerable, that is why any NA with laptop access needs to properly lock down the systems for those remote users, make sure their systems are as protected as possible and provide proper scanning server side.
 