By "fairly bad from a crypto point of view," I presume you refer to Schneier
and Mudge's analysis of MSCHAPv2. If I recall correctly, their report
concludes that Microsoft fixed the problems with the original version, but
that the protocol remains fundamentally insecure because it relies on the
strength of the password chosen by the user. They note that they "...cannot
recommend MSCHAP2 as a secure solution at this time" (a paraphrase) because
distributed brute-force attacks against passwords are becoming more
feasible. 

From our small-business perspective, I don't see this as a problem. First,
we choose the passwords; our users do not. Second, we know our friends and
our enemies and we feel confident that nobody wants to break into our
network so badly that they will mount a distributed attack against it. (Small,
uninteresting companies often have that luxury; large or highly visible
companies do not.) It seems reasonable to hope that such an attack is beyond
the motivation of random hackers seeking targets of opportunity. In short, I
feel safe with MSCHAPv2 after reading the Schneier/Mudge report. With that
assumption in place, do you still feel the internal network is the best
place for the VPN server?

--Eric

-----Original Message-----
From: Ben Nagy [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 31, 2000 4:50 PM
To: 'Robinson, Eric'; '[EMAIL PROTECTED]'
Subject: RE: Where Should the VPN Server Go?


> -----Original Message-----
> From: Robinson, Eric [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 1 June 2000 12:39 AM
> To: '[EMAIL PROTECTED]'
> Subject: Where Should the VPN Server Go?
> 
> 
> Greetings! This is my first post to the firewalls mailing list.
> 
> I am about to install two Windows NT or Windows 2000 VPN servers for
> site-site communications and road-warrior access.
> 
> What is the conventional wisdom for the placement of these servers? Should
> they each go:
> 
> (1) Outside their respective firewalls?
> 
> (2) In the DMZ at each location?
> 
> (3) On the internal network at each location?
> 
> Each approach seems to have its own advantages and disadvantages.
> 
> --Eric
> 
> 

First up - Windows NT only allows PPTP as a VPN option. Windows 2000
supports PPTP but also allows IPSec - however IPSec requires client-side
support only found native in Win2K Professional at this time (although free
IPSec clients are available). IPSec is more secure than PPTP, which is
fairly bad from a crypto point of view.

I don't know if it's "conventional wisdom" but my suggestion is:

If it's a VPN Remote Access server, stick it in or at the edge of your
internal network. RAS users will want access to everything in the internal
network anyway, so if you put this box in the DMZ you need to give it pretty
much full access to the internal network anyway. I realise this sounds dumb,
but it's analogous to the way dial-in remote access servers are used now.
You MUST bear in mind that this (like normal dial-in) is a low security
posture. You really want to think about how strong your authentication
mechanism is, because that's all that's between you and calamity. Think
about using the CA services in Win2K to provide a reasonably strong
authentication method. Even better, if you're using a CA for some other
business strategy reason, think about also rolling out user certificates to
all RAS/VPN users.

If it's a site-to-site VPN, _please_ use IPSec if any sensitive traffic
traverses the link. Put the IPSec boxes at the border of the DMZ and the
internal network and make sure that you don't perform NAT at the edge router
(in other words, NAT (if you use NAT) on or before the VPN box).

Note that you may be able to perform both of these functions on the same
box.

Cheers,

--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  