Found some info on the MS VPN plans and it looks like MS is offering the L2TP/IPSec VPN client in 9x/NT. Currently in beta...

www.microsoft.com/VPN

If this goes in automatically with 98/NT patches or service packs, the client SW issue disappears. The PPP/L2TP over IPSec doesn't bother me because it allows for internal and external access to be identical, as long as IPSec is the security mechanism. In short, I think it is now very possible to provide simple internal and external access to a secure data center.

The one remaining question is around single sign-on. Given that users are securely authenticated into the data center and maybe even authorized to access specific servers/services, is it possible to tie in application level auth?

Eric

--- Ben Nagy <[EMAIL PROTECTED]> wrote:
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of Eric E. Bomarsi
> > Sent: Friday, March 08, 2002 12:03 PM
> > To: Ben Nagy; 'Firewall-List'
> > Subject: RE: User AAA into a Secure Data Center
> >
> >
> > Thanks Ben:
> >
> > Being an IPSec fan, I like this approach. When I last
> > looked at this, it was slow and the deployment was
> > difficult because it typically required client SW
> > and deployment of client certs.
>
> The client SW is the big issue, yes. Windows 2000 makes things simple
> with the IPSec folded in, although it uses a hybridised Kerberos thing
> for the station-level auth. For unix-style OSes I'm sure you can knock
> up a transparent solution fairly easily, but for 95/98/NT/ME etc. you'll
> probably be looking at client-side software. I have no idea what MacOS
> is doing, but I suspect that OS9 would need a software client. I don't
> grok Novell at all, really, but its days as a desktop OS are long gone.
>
> That's the major sticking point, IMO.
>
> > The 100Mbps crypto
> > NICs from Intel and 3Com are cheap, the OSes have
> > native IPSec in the stack and it's easy to config,
> > and the IPSec RA group is proposing solutions for IP
> > client config and an alternative to client certs which
> > would use legacy auth.
>
> I'm still not sure about the RA type scenario for local LAN access. Call
> me crazy, but I think that the L2TP over IPSec is the most elegant
> solution - you can use any authentication that you'd use with PPP (i.e.
> anything), and L2TP is standard and well understood. IKE isn't really
> made to accommodate user-auth, and I kind of agree with the WG that it
> should ideally stay that way. Having said that, I suspect that there
> will be an Xauth type hook in IKEv2 somewhere.
>
> > > I've been
> > > advocating internal IPSec for years.
> >
> > Has anyone deployed it? Any issues? Successes?
>
> Sadly not. I've had proof-of-concept networks with Win2K and Cisco
> (random "other IPSec implementation") interop and I've had the Windows
> CA working for cert enrollment for non-Windows devices. What I haven't
> done in the lab is a convincing POC for user-based auth onto a third
> party VPN gateway using only native IPSec software with a cert-based or
> RADIUS-based auth backend. Doing that with the client software is
> trivial, but I don't think it would be "good" for most internal LANs.
> I'm sure someone else has done it, though...
>
> In real life, all the networks that would look at the idea seriously
> were underwhelmed by the recommendation to ditch all their crappy 98 PCs
> and go to 2000, or install software on each client. Given that having
> 95/98 PCs on the network pretty much blows away the station level
> security, it therefore made no sense to beef up the network layers.
>
> Your issue here is a little different, though. You only need IPSec for
> those users who must have access to some Special Thing. It would be much
> easier to write a business case for Special Thing Users than the whole
> LAN.
>
> > > As we all know, Microsoft is now favouring IPSec
> > > throughout the LAN,
> >
> > Do you have any pointers to MS info describing this?
>
> Not specifically, sorry, but building it into the OS and having the
> security policy to use it as one of the template options is a fairly
> strong hint, I think.
>
> > Thanks,
> > Eric Bomarsi
>
> Cheers,
>
> --
> Ben Nagy
> Network Security Specialist
> Mb: +61 414 411 520 PGP Key ID: 0x1A86E304

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
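The thread's central design point is that L2TP over IPSec gives two separate authentication layers: IKE authenticates the machine (certificate or shared secret), and PPP inside the L2TP tunnel authenticates the user with whatever backend PPP already supports (e.g. RADIUS). The following is an added example, not code from this thread or from Microsoft's 2002 beta client: it builds that two-layer profile with the `Add-VpnConnection` cmdlet on a current Windows client. The connection name and the gateway hostname `vpn.example.com` are constructed placeholders.

```powershell
# Added example (not from the thread): a Windows client profile for the
# L2TP/IPsec design discussed above. The outer IPsec layer authenticates the
# machine; the inner PPP layer authenticates the user. Keeping them apart is
# what lets the user backend stay RADIUS/Kerberos/whatever PPP already does.
# 'vpn.example.com' and 'DataCenter-L2TP' are placeholders, not real systems.

$ConnectionName = 'DataCenter-L2TP'
$Gateway        = 'vpn.example.com'   # placeholder gateway hostname

# Outer layer: IPsec/IKE. When -L2tpPsk is omitted, Windows authenticates the
# IPsec SA with a machine certificate, which is the cert-based backend Ben
# describes. Supplying -L2tpPsk would instead use one shared secret for every
# client, which is weaker because any client can then impersonate the gateway.
$profile = @{
    Name                 = $ConnectionName
    ServerAddress        = $Gateway
    TunnelType           = 'L2tp'
    # Inner layer: PPP user authentication. MS-CHAPv2 is what a RADIUS backend
    # most commonly accepts; 'Eap' is the alternative for cert-based user auth.
    AuthenticationMethod = 'MSChapv2'
    # Refuse to bring the tunnel up without encryption.
    EncryptionLevel      = 'Required'
    # Do not cache the user credential; the thread's single-sign-on question is
    # about tying app auth to the VPN login, not about storing passwords locally.
    RememberCredential   = $false
    Force                = $true
}
Add-VpnConnection @profile

# Check: the profile must be L2TP with a user-level PPP method and required
# encryption. Anything else means the two-layer design was not actually applied.
function Test-L2tpProfile {
    param([string]$Name)
    $c = Get-VpnConnection -Name $Name
    return ($c.TunnelType -eq 'L2tp') -and
           ($c.EncryptionLevel -eq 'Required') -and
           ($c.AuthenticationMethod -contains 'MSChapv2')
}

Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel

Test-L2tpProfile -Name $ConnectionName
```

The profile only configures the client side; the gateway still decides which IKE identity it trusts (its CA, or the shared secret) and which PPP backend it forwards the user credential to, so the check above confirms the layering, not that the gateway will accept the connection.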
