Setting up a VPN, where should I start?

The Tom Bomb

My parents are interested in occasionally working from home and I'd like to set up a VPN for them to do so. Right now, their office consists of five computers, one acting as a file server, all of them running Windows XP Pro with a consumer-grade Linksys router. I'd need the VPN to support only two concurrent users. While I'm at it, I'm probably going to upgrade all of the computers to Windows 7 and dual cores; the P4's they have now are really starting to show their age. What's the most inexpensive, secure way I could do it without having to roll my own firewall? I'd like to be able to just buy off the shelf with minimal setup.
 
The most simple and best performing way...just port forward for RDP. Computer A at default port of 3389, computer B at a custom port like 3391.

A lot of people are under the false impression that RDP is not secure.
Two common sense things (which they probably failed, or would fail, to do, hence their incorrect impression):
*Good password for the Administrator account, or just disable it or rename it
*Good password for the user account that is set up to allow remote access.

Now...the old, original version of remote desktop..did have (to the best of my knowledge) one vulnerability in it. And that was ONLY documented in a lab environment...via a man in the middle attack, which realistically is not really replicable out in the real world. Since then...Microsoft has added substantial security to RDP. It's well encrypted. And you can even set the local policy to have the remote host refuse connections for XXX minutes after XXX failed login attempts (although seriously..that's not really necessary).
 
> The most simple and best performing way...just port forward for RDP. Computer A at default port of 3389, computer B at a custom port like 3391.
>
> A lot of people are under the false impression that RDP is not secure.
> Two common sense things (which they probably failed, or would fail, to do, hence their incorrect impression):
> *Good password for the Administrator account, or just disable it or rename it
> *Good password for the user account that is set up to allow remote access.
>
> Now...the old, original version of remote desktop..did have (to the best of my knowledge) one vulnerability in it. And that was ONLY documented in a lab environment...via a man in the middle attack, which realistically is not really replicable out in the real world. Since then...Microsoft has added substantial security to RDP. It's well encrypted. And you can even set the local policy to have the remote host refuse connections for XXX minutes after XXX failed login attempts (although seriously..that's not really necessary).

I was originally looking at just an RDP to the server (is that not safe?). It seemed every thread I came across was just a flame war about RDP being secure/insecure, so I figured VPN was the way to go.
 
Just have them remote into their individual computers at work via RDP, they don't have to RDP into the server.
 
> I was originally looking at just an RDP to the server (is that not safe?). It seemed every thread I came across was just a flame war about RDP being secure/insecure, so I figured VPN was the way to go.

Ask those people that claim it is unsafe...to show you proof.
See my first reply above.
If you're using Windows XP....you can still update the RDP client to the new secure version, and bring in CredSSP..which is the component of the newer RDP client (currently at version 7) which brings in Kerberos and SSL security. When you use those settings, you are MORE secure than browsers doing HTTPS at your bank!!!

If you're using Windows 7 host...you're all set, you can force it to allow only remote users to connect using NTLM.
 
If you go for RDP, just make sure you harden whatever box/boxen are being RDP'd into. You really don't want some user or system account with a weak password resulting in a compromise. VPN does give you an additional layer of security.
 
..or at least block brute force attacks which most firewalls can filter anyway.
//Danne
 
Thanks for all the help guys. Now if you go with RDP, whichever box you RDP into will no longer be able to be used by a local user, correct?
 
Either they remote into their personal desktop, or they remote into a machine running terminal services. Only some versions of Windows support dedicated Terminal Svcs if I recall correctly, and you might need like a 5 or 10 seat CAL.
 
> Thanks for all the help guys. Now if you go with RDP, whichever box you RDP into will no longer be able to be used by a local user, correct?

That is correct.

> The most simple and best performing way...just port forward for RDP. Computer A at default port of 3389, computer B at a custom port like 3391.

I've been a fan of flipping that around: changing the port on the outside and leaving the computer on the inside at 3389. I usually start somewhere at 45445, 45446 and so on and so forth. The router should be able to make the translation from outside to inside.
 
> I've been a fan of flipping that around: changing the port on the outside and leaving the computer on the inside at 3389. I usually start somewhere at 45445, 45446 and so on and so forth. The router should be able to make the translation from outside to inside.

Yeah, that way you don't have to molest the registry of the host machine. Not all routers support port redirection though...so dunno what OP currently has, or plans on getting. I don't get too crazy with the ports...I've usually just gone up in increments of 1 or 2...start with 3389, go to 3390, 3391, etc etc. While picking wonky ports way up in the stratosphere can give the old "security through obscurity" thing...in reality, if set up at least partially correctly, RDP is secure in the first place.
 
Three weeks ago, we had a customer hacked from having RDP open on 3389 in Windows XP Pro. They had an old home-based Linksys router with no security, and just straight port forwarding. It was pretty slick (of the hackers, that is): they just sniffed the port and got the password - no brute force needed. Overnight they disabled their managed anti-virus, installed worms/trojans and uploaded essentially their entire hard drive info + info from the server shares.
They had a good 16+ gigs uploaded through a proxy by the time morning came. We don't know where the source is of course; I'm sure they proxied off a proxy.. it's a hard lesson for a business to learn.
The network was installed by a previous company - and the insecurities were quite apparent when we took them over as a customer - but they were too cheap to do anything about it. We quoted them, and they declined - and decided to use us solely as a "break fix" company.
We're installing a new Juniper + setting up remote users with a proper VPN tunnel.

RDPing in a VPN is the only solution I would recommend to a customer. Either that, or run RWW on SBS08/2011. I'm sure Windows 7, or Windows XP with updated RDP, would suffice - but I wouldn't want to be responsible for it.
 
> Three weeks ago, we had a customer hacked from having RDP open on 3389 in Windows XP Pro. They had an old home-based Linksys router with no security, and just straight port forwarding. It was pretty slick (of the hackers, that is): they just sniffed the port and got the password - no brute force needed. Overnight they disabled their managed anti-virus, installed worms/trojans and uploaded essentially their entire hard drive info + info from the server shares..

So how do you know this problem came in via breaking through RDP? I'm not buying it....just "sniff the port and get the password". The user/pass is encrypted. Or..they had something really basic or common for a password on the Administrator account. The symptoms you describe are simply typical of most of the malware you get from websites with drive by exploits. Some of the better malware today even sits and waits dormant for weeks or months before it springs into action so you never know when you caught it.
 
> Three weeks ago, we had a customer hacked from having RDP open on 3389 in Windows XP Pro. They had an old home-based Linksys router with no security, and just straight port forwarding. It was pretty slick (of the hackers, that is): they just sniffed the port and got the password - no brute force needed. Overnight they disabled their managed anti-virus, installed worms/trojans and uploaded essentially their entire hard drive info + info from the server shares.
> They had a good 16+ gigs uploaded through a proxy by the time morning came. We don't know where the source is of course; I'm sure they proxied off a proxy.. it's a hard lesson for a business to learn.
> The network was installed by a previous company - and the insecurities were quite apparent when we took them over as a customer - but they were too cheap to do anything about it. We quoted them, and they declined - and decided to use us solely as a "break fix" company.
> We're installing a new Juniper + setting up remote users with a proper VPN tunnel.
>
> RDPing in a VPN is the only solution I would recommend to a customer. Either that, or run RWW on SBS08/2011. I'm sure Windows 7, or Windows XP with updated RDP, would suffice - but I wouldn't want to be responsible for it.


I call bull shit,


> So how do you know this problem came in via breaking through RDP? I'm not buying it....just "sniff the port and get the password". The user/pass is encrypted. Or..they had something really basic or common for a password on the Administrator account. The symptoms you describe are simply typical of most of the malware you get from websites with drive by exploits. Some of the better malware today even sits and waits dormant for weeks or months before it springs into action so you never know when you caught it.


I bet he can't prove it. I think he is just pulling our leg, feeding us BULL SHIT!
 
Nonetheless, most network admins have a separate VPN or a VLAN for network configuration. I'm also using VPN to admin networks/machines remotely because of security concerns.
//Danne
 
Ugh, guys, I'm not feeding you bullshit. I'm also not about to say which customer it happened to, for obvious reasons.
When we came in, in the morning, the system was logged in under a different account (AAAA00001 or something - a new admin account) with the RDP screen locking the local console, an account that was not previously on the system.
When we checked the event viewer logs, it showed an RDP login for the regular user's account from an external IP that was not the regular user's home IP. With a call to our ISP, we scanned the host, port 8080 winsock open, and determined it was sent through the proxy, which means pretty much a dead end. We petitioned that ISP for logs, but that's been met with no response at all.
The user who was hacked was the controller for the company, someone who would not browse nefarious sites; they used their ISP's webmail, and reported no strange occurrences.

The end result is that with the non-updated RDP session (the only thing open on the external net) they were able to retrieve the regular system user's name and password, without a brute force attack.. I would have seen that in the logs. The logs were untampered with, as far as we can tell.
What I recommend to people is that if you're responsible for the connections of external users to an internal business network, do everything reasonable to ensure security, as the blame will lie squarely on your shoulders if something goes wrong.
 
> Ugh, guys, I'm not feeding you bullshit. I'm also not about to say which customer it happened to, for obvious reasons.
> When we came in, in the morning, the system was logged in under a different account (AAAA00001 or something - a new admin account) with the RDP screen locking the local console, an account that was not previously on the system.
> When we checked the event viewer logs, it showed an RDP login for the regular user's account from an external IP that was not the regular user's home IP. With a call to our ISP, we scanned the host, port 8080 winsock open, and determined it was sent through the proxy, which means pretty much a dead end. We petitioned that ISP for logs, but that's been met with no response at all.
> The user who was hacked was the controller for the company, someone who would not browse nefarious sites; they used their ISP's webmail, and reported no strange occurrences.
>
> The end result is that with the non-updated RDP session (the only thing open on the external net) they were able to retrieve the regular system user's name and password, without a brute force attack.. I would have seen that in the logs. The logs were untampered with, as far as we can tell.
> What I recommend to people is that if you're responsible for the connections of external users to an internal business network, do everything reasonable to ensure security, as the blame will lie squarely on your shoulders if something goes wrong.

That still doesn't prove anything.....lots of malware will do this to systems, especially those that plant netbots. Some malware is even capable of creating new user accounts. There's malware that can install keyloggers...which of course can send user/passes "back home". There is malware that can even log into many popular routers' web admin..and stick the computer's LAN IP in the DMZ, since many routers leave their user/pass for the web admin on defaults. Linksys router you say....there's a prime candidate.

When the words "malware" and "website/drive by installs" are mentioned...many people still cling to the false belief that the computer user has to be someone that goes to "nefarious" websites, midget porn sites and adult sites or warez or torrents/p2p crap. While "yes" those are nearly a guaranteed way to get malware, since you appear to be in the IT industry..hopefully you do know that malware is spread to a much wider audience through normal websites. Advertising banners/subscription streaming ads that websites subscribe to for income...sometimes a malware-injected ad will slip in until it's found and removed. Other websites are hacked into...and the drive by code is injected in them, often exploiting outdated web players (Java, Flash, PDFs, etc). Popular forums too...I've seen it happen here at least once!

If anything...your post simply attests to not being lazy and taking proper precautions.
Even "if" the RDP host was actually "hacked into" as you claim...you mention it was not updated, and I don't see any mention of other prudent things that should have been done. Local policy to cancel out failed login attempts, any sign of a decent password on the user account, was the admin password a good one. Regardless...key logger installed ahead of time would have snagged that. Un-updated XP host is also simply inexcusable.

Regardless, the OP of this post is talking about Windows 7 host, which naturally includes a far more secure RDP setup.
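The hardening checklist argued over above (NLA/CredSSP on the listener, a lockout policy, decent passwords) and the event-viewer review from the hacked-customer post can both be checked from the host itself. This is an added example, not code from anyone in the thread; it assumes an elevated PowerShell 3.0+ session on a Windows 7 or newer RDP host and an English-locale `net accounts` output for the string match.

```powershell
# Added example (not from the thread): audit an RDP host for the settings
# recommended above, then review the Security log for RDP logons and failures.
# Assumes an elevated PowerShell 3.0+ session on a Windows 7+ host.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts     = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections
$rdpTcp = Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" `
            -Name UserAuthentication, SecurityLayer, PortNumber

# UserAuthentication 1 = Network Level Authentication (CredSSP) required;
# SecurityLayer 2 = TLS required instead of the legacy RDP security layer.
[pscustomobject]@{
    RemoteDesktopEnabled = ($ts.fDenyTSConnections -eq 0)
    NLARequired          = ($rdpTcp.UserAuthentication -eq 1)
    TLSRequired          = ($rdpTcp.SecurityLayer -eq 2)
    ListeningPort        = $rdpTcp.PortNumber
} | Format-List

# Account lockout policy, i.e. the "refuse logons after N failures" setting.
# "Lockout threshold: Never" means nothing slows a password-guessing client.
net accounts | Select-String -Pattern 'Lockout'

# Helper: flatten a Security event's EventData into a hashtable.
function Get-EventFields($Event) {
    $fields = @{ TimeCreated = $Event.TimeCreated }
    ([xml]$Event.ToXml()).Event.EventData.Data |
        ForEach-Object { $fields[$_.Name] = $_.'#text' }
    return $fields
}

# Successful RDP logons: event 4624 with LogonType 10 (RemoteInteractive).
# Compare the Source column with the addresses the remote users actually use.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 2000 -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventFields $_ } |
    Where-Object { $_.LogonType -eq '10' } |
    ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; User = $_.TargetUserName; Source = $_.IpAddress } } |
    Format-Table -AutoSize

# Failed logons (4625) grouped by source address: a password-guessing run shows
# up as one address with many failures, which the lockout policy should cut short.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 2000 -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-EventFields $_).IpAddress } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

On an XP host the 4624/4625 IDs do not exist (XP logs 528/540 and 529 instead), so the event section only applies once the machines are on Windows 7 as the OP plans.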
 
Regardless of whether RDP is or isn't secure, let's say I want to go with a VPN just for peace of mind. Would the router damacus recommended be a good entry level solution, or are there better options available?
 
> Regardless of whether RDP is or isn't secure, let's say I want to go with a VPN just for peace of mind. Would the router damacus recommended be a good entry level solution, or are there better options available?

Should be :) Looks like it does all the VPN stuff. I'm not sure if it needs a client or if you can use the built-in Windows VPN, but that's something you might want to look into.
 
All you need is a spare machine (or an ESX host) to run a firewall distro that supports VPN access. I run pfSense and Astaro as VMs in vSphere and they work just fine for VPN access.
 