VPN Question...

Discussion in 'Networking & Security' started by CanonicalAbstract, Jul 30, 2008.

  1. CanonicalAbstract

    I hope this is the correct forum for this type of question...

    Anyways, a friend of mine is starting a side business. I have some work to do in it, and my friend would like to set up a VPN so I can access whatever I need to from home.

    Anyways, my friend would like to know what (if any) VPN software would be good for a Vista Ultimate machine. He is requesting something that is not related to Win VPN, something that can accept 2-5 users logging in, as well as the use of RSA tokens.

    He is currently working on some other things related to the business, and he requested me to get the info on some VPN software for some of the tasks we need to do.

    Anyone have any good ideas on where to go with this?

    Thanks!
     
  2. XOR != OR

    It's the RSA token requirement that's going to hurt you. Normally, I'd ask what the current infrastructure is and go from there, but given the RSA bit, I'm inclined to say go Cisco. Easier to find people to support it, it's probably the most common solution out there.

    Now ask how much it is. Go on, you know you want to.

    Good question. You can start with a cheesy 5505 (not sure if you need the Plus license for this). The real cost, however, is in the RSA appliance to do the token auth. It's often a stand-alone device that the Cisco device can chat with to verify RSA tokens (auth and revocation). Last time I got a quote, it was around 3 grand for the appliance itself, and around 40 bucks each for the "keys" (one-time password generators). Then there's the fun of configuring the ASA to talk to it. FUN!
     
  3. Rabidfox

    if by cheesy you mean SOHO/remote spoke/small business, then sure.

    You can terminate a VPN tunnel on a lot of devices (plenty of them are free). OTP (one-time password) tokens are the hangup, as previously mentioned. No way around that other than taking a step down. I suggest disabling aggressive mode ISAKMP and using based user authentication. That's as secure as you have to be, IMO.
     
  4. XOR != OR

    Ya, cheesy.
     
  5. Captain Colonoscopy

    Is there any particular need for RSA tokens or was this something your friend read on the internets and thought was kewl so he wants it?

    As was mentioned earlier, an ASA5505 would do you just fine. You can set up the remote access VPN with a very secure PSK and then require user authentication either with RADIUS, LDAP, NT auth or a local user database. That is usually more than sufficient for most companies. The software used with this would be the Cisco VPN client that comes with the ASA5505. You can get a 10-user license model for about $500. The next level license is a 50-user and then unlimited users, with an appropriate increase in cost.
     
  6. CanonicalAbstract

    It's a security scheme that my friend would like to do for his business. He actually did some extensive research into other security measures, and went with this one.

    I sent him a link to this thread, so he can keep updated on everything as well.
     
  7. MorfiusX

    A 64 character PSK is virtually un-crackable when you pair it with SHA1, AES256, and DH Group 5. The ASA5505 will do this without breaking a sweat. If you want to go to extremes, use DH Group 7 on the ASA. Make sure to use main mode (not aggressive mode) and perfect forward secrecy (PFS).

    If you do have a breach, it won't be due to decryption of the packets, it will be from a rogue employee handing out the PSK and their credentials. That's kinda what RSA is designed to address. A standard VPN tunnel is more than secure enough to handle 90%+ of the security needs of businesses.
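Pulling together what posts 3, 5 and 7 describe (an ASA5505 remote-access IPsec VPN for the Cisco VPN client with a long random PSK, AES-256/SHA-1/DH group 5, PFS, and per-user authentication against RADIUS), here is an added worked configuration fragment. It is an editor's example, not from anyone in the thread, written against ASA 8.x IKEv1 syntax; the interface names, the address pool 192.168.200.0/24, the RADIUS host 10.0.0.5, and all object names (RA-RADIUS, RA-POOL, RA-GP, RA-USERS, DYN-RA, OUTSIDE-MAP) are assumptions for illustration, and the two bracketed secrets are placeholders.

```cisco
! --- Added example, not from the thread. ASA 8.x IKEv1 remote-access VPN. ---

! IKE phase 1 (ISAKMP) policy: PSK auth, AES-256, SHA-1, DH group 5, as post 7 suggests.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

! Caveat on "disable aggressive mode" (post 3/7): the Cisco VPN client with group
! PSK authentication negotiates IKE in aggressive mode, so "am-disable" would
! break this remote-access setup. Enable it only when every peer is main-mode
! (site-to-site, or clients authenticating with certificates).
! crypto isakmp am-disable

! IPsec phase 2: AES-256 + SHA-1 HMAC, with perfect forward secrecy on group 5.
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-RA 10 set transform-set AES256-SHA
crypto dynamic-map DYN-RA 10 set pfs group5
crypto dynamic-map DYN-RA 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-RA
crypto map OUTSIDE-MAP interface outside

! Addresses handed to the 2-5 remote users (assumed range).
ip local pool RA-POOL 192.168.200.10-192.168.200.20 mask 255.255.255.0

! Second factor of the "PSK + user credentials" model from post 5: per-user
! authentication via RADIUS (assumed server address). An equivalent block with
! "protocol ldap" or the local user database works the same way.
aaa-server RA-RADIUS protocol radius
aaa-server RA-RADIUS (inside) host 10.0.0.5
 key <radius-shared-secret>

group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall

! The tunnel-group name is what the Cisco VPN client sends as its group name.
tunnel-group RA-USERS type remote-access
tunnel-group RA-USERS general-attributes
 address-pool RA-POOL
 authentication-server-group RA-RADIUS
 default-group-policy RA-GP
tunnel-group RA-USERS ipsec-attributes
 pre-shared-key <64-character-random-psk>
```

Generate the group PSK rather than typing one: `openssl rand -base64 48` yields exactly 64 base64 characters (288 bits of entropy), which is the "64 character PSK" post 7 recommends. Note that on older images the tunnel-group type keyword is `ipsec-ra` rather than `remote-access`, and that the group PSK is shared by every client in the tunnel-group, which is precisely the "rogue employee hands out the PSK" weakness post 7 points at and the reason the original poster's friend wants per-user tokens on top.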