[CVALE] Non Linux Simple VPN Questions

Jason Roysdon jason.cvale-list.20050503 at roysdon.net
Fri Apr 18 14:08:41 PDT 2008


Full disclosure: I work for a Cisco partner, but I'm pro-linux.

1. I would recommend a Cisco ASA5510 w/additional SSL licenses.  The
ASA is the combination of two former Cisco product lines, the Cisco PIX and
Cisco Concentrator, plus many more add-on features (like IDS).  With SSL
licensing, this allows the user to point their web browser at the VPN IP
(or better, DNS hostname, like https://vpn.yourcompany.com) and
automatically download and install the client software, and works around
many firewall/NAT issues since it just looks like https traffic.  SSL
licensing is an added cost (it comes with a 2 session license so you
can check it out).
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e39.html

Of course, you can do all of this with different Linux/FLOSS vpn
solutions, but if you already knew that and how to support it, you
wouldn't be asking us here.  Cisco even uses the FLOSS OpenSSL toolkit (
http://www.openssl.org/ ) with the ASA.

2. I agree with Pete - it doesn't make sense to block internet access,
especially since that same PC on the VPN may come into the office the
next day.  Get the PC secured, and have critical resources on the
internal network secured and behind firewalls.  I still have customers
who do this, which blocks my local network access to local work
resources.  [Side note: My solution as a work-around to this lockdown is
to run the customer VPNs in a VM session so my real desktop isn't locked
down, and I can have multiple VM sessions to multiple customers each
with their own VPN client at the same time - but this isn't a solution
for the average user.]

3. VPN is well-suited for this.  It just depends on your needs.  If you
want high-security and have a corporate-issued laptop that has corporate
controlled updates/software, I'd go this route.

Another option I've seen folks use is Secured Terminal Services (RDP) or
Citrix.  It just depends on how you are accessing the network and if
your PC needs direct access to internal resources, or just to a virtual
session on a PC that has access to these resources.  With RDP/Citrix you
don't care so much if the remote PC is secured since it only has access
to a virtual desktop and that virtual desktop is what you have secured.
This is good for situations when a user is using their home PC which
you don't maintain and have no idea what it is doing.  Of course, with
keyloggers and such, it could still bite you.  Using an external (RSA
keyfob, etc.) auth would help if you just want to secure sign-on access.

Of course, I have seen clients that don't even load software on their
PCs other than automating MS Updates, AntiVirus, and their Citrix
client.  They have large Citrix server farms and just give out the
cheapest desktop PC they have.  If a PC ever dies, they just swap in a
new one.  But again, it depends on your apps and what you're doing - for
an email/office suite user, this works just fine.  For someone doing
graphics or CAD work, it wouldn't work.

For straight ACT! access, an RDP/Citrix server would work just fine and
keep things easily secured (all on the host server).  It sounds like you
want file access as well, so I'd go with a good VPN solution like the
ASA 5510 + SSL licenses.  You don't have to do SSL, but it makes it so
easy since you don't have to give the end-users any software first.

Jason Roysdon

Terry wrote:
> Greetings !
> 
> I have a few simple, common knowledge, off the top of your head, questions.  Just something to put 
> the mailing list to some use.  Sorry they don't involve Linux so feel free to skip to the next email.
> 
> A business friend asked me to configure ACT! on a server with VPN so their employees could access 
> the ACT! information.  This is a MS Windows environment on the client and server side.  I don't know 
> yet what MS O/S is running on the server.  I won't see the server for a couple of more weeks.
> 
> Several years ago I supported a network where CISCO VPN client software was used.  I remember it not 
> permitting the client to access other Internet sites once the VPN was in use.
> 
> My friend's employees will need to access the ACT! server securely AND ALSO access other sites on 
> the Internet.
> 
> A few basic questions on this...
> 
> 1.  What are the common and working VPN software candidates I should consider.  Years ago I saw both 
> CISCO and NORTEL software in use on MS Windows PCs.  What's everyone using these days on MS O/S.
> 
> 2.  Should a VPN client permit the user to access the general Internet while a VPN connection is 
> established or does this undo the whole point of using VPN in the first place?  My guess is that 
> this is configurable in the VPN client software.
> 
> 3.  Because of the need of the employees to establish the VPN connection and also access other 
> internet sites should I be looking at other network security mechanisms other than VPN?  The 
> employees will also be storing and sharing files on the server.
> 
> Note that the bandwidth to the server site is adequate but we would NOT want to route ALL internet 
> traffic from remote employees through the server site and then to the Internet site the employee 
> needs to access.
> 
> All I know about ACT! so far is how to spell it so if any ACT! experts out there happen to know it 
> supports its own secure access methods please speak up.  In the meantime I'll be reading up on it.
> 
> If you want to respond directly to me and not bore the rest of the group with this simple stuff my 
> email address is:  terry at zinnianet.net
> 
> Thanks.
> 
> Terry
> 
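Terry's question 2 and Jason's point 2 both turn on whether the VPN client takes over the whole routing table (full tunnel) or only the corporate prefixes (split tunnel). The script below is an added example, not part of either post: it reads Linux `ip route` style output and reports which mode is in effect and which interface a given destination would leave on. The two route tables are constructed samples; the tunnel interface name `tun0`, the 10.20.0.0/16 corporate range and the 0.0.0.0/1 + 128.0.0.0/1 pair used to override an existing default route are illustrative assumptions, not values from the thread.

```python
# Added example: classify a VPN's tunneling mode from the local routing table.
# Not code from the original list post; the route output below is constructed.
import ipaddress
import re

# Constructed sample of `ip route` output: only the (assumed) corporate range
# 10.20.0.0/16 is sent via tun0, so general internet traffic stays on wlan0.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.20.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
"""

# Constructed sample where the VPN client has captured everything by adding
# two /1 routes, which win over the pre-existing /0 default by longest match.
FULL_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
"""

# Destination prefix (or the word "default") followed somewhere by "dev <iface>".
ROUTE_RE = re.compile(r"^(?P<dst>\S+)\s.*?\bdev\s+(?P<dev>\S+)")


def parse_routes(text):
    """Return (network, device) tuples from `ip route` style lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append((net, m.group("dev")))
    return routes


def vpn_prefixes(routes, vpn_dev):
    """All prefixes whose next hop is the VPN interface."""
    return [net for net, dev in routes if dev == vpn_dev]


def classify_tunnel(text, vpn_dev="tun0"):
    """'full' if the VPN carries all IPv4, 'split' if only some prefixes, else 'none'."""
    nets = vpn_prefixes(parse_routes(text), vpn_dev)
    if not nets:
        return "none"
    # Merge adjacent/overlapping prefixes so 0.0.0.0/1 + 128.0.0.0/1 collapses to 0.0.0.0/0.
    covered = list(ipaddress.collapse_addresses(nets))
    if any(n.prefixlen == 0 for n in covered):
        return "full"
    return "split"


def route_for(text, address):
    """Longest-prefix match: which interface would carry traffic to `address`?"""
    addr = ipaddress.ip_address(address)
    best = None
    for net, dev in parse_routes(text):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES)):
        print(name, "->", classify_tunnel(table),
              "| 8.8.8.8 via", route_for(table, "8.8.8.8"),
              "| 10.20.5.7 via", route_for(table, "10.20.5.7"))
```

Running `ip route` on the VPN-connected machine and feeding the output to `classify_tunnel` is a quick way to confirm whether the client is behaving the way the policy intends; the `/1` pair is worth recognising because it looks like a split configuration at a glance while routing every destination through the tunnel.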


