I need to setup VPN access to my network, allowing a 3rd party to vpn in & maintain / configure a new system that is being developed. They would prefer to use MS VPN client opposed to the Cisco client.
I have a 2651, PIX 515 with a 3des licence, dmz interface, & Cisco Secure ACS 3 for windows software. I also intend to give users (16) OWA access to exchange & file lan access to VPN clients, but am apprehensive of just using MS Client. Is it secure? Can both be implemented? What is the best way to control LAN access to vpn clients?
The numerous known insecurities of the MS security implementations are well documented - as should be your remote access and business partner security policies. The bottom line is that if you want truly secure com links, use IPSec with either 3DES or AES. If your partner grumbles, ask them why they would want to use products that are known to have more holes than swiss cheese.
You definitely want to use IPSec and the Cisco client. In addition to the numerous PPTP (MS) issues known, using the Cisco client will functionally provide better security. Pushing out split-tunneling and firewall policies to the VPN client, you can protect your network from the end host in addition to protecting the end host while he is connected to you.
1. Enable split tunneling. It will tell the clients what should be sent over the tunnel and what shouldn't. Only include in the split tunnel lists what you want clients to connect to.
2. Create filters on the VPN concentrator for the VPN group that only allows access to what you would like. Create the rules/filters under "Policy Management" and them apply them to the group on the "General" tab using the "Filters" drop down box.
I recommend using both. This means all internal networks should be defined in the split-tunnel and go across the VPN session. Use the filters to deny what you don't want at the concentrator. This will prevent your VPN clients from sending traffic meant for the internal network out to the Internet instead. You don't want any traffic like meant for internal networks inadvertently going out to the Internet in clear-text.
For best security, send firewall polices out to the VPN client that don't allow the client to talk to anything except your network. This will ensure that they are only connected when they want to accomlish something on your network, and also ensures that a compromised host is not used remotely as a backdoor to your network.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...