[Gllug] Suggestions for VPN solution

Mike Brodbelt mike at coruscant.demon.co.uk
Thu Feb 26 00:12:32 UTC 2004 

On Sun, 2004-02-22 at 19:53, Simon MORRIS wrote:

> A network with 2 servers and a firewall:
> 
> * Server 1: Debian Woody, Postfix, LDAP, FTP, Courier, Apache
> * Server 2: Mac OS X Server, File server
> * Firewall: IPCop firewall. Server 1 lives in a DMZ, Server 2 on the
> internal network
> 
> I'd like to implement a client VPN solution so laptop users (Mac OS X)
> can reach the file server (server 2) from any internet location.
> 
> I'm not sure that there is enough kit available to provide a solution.
> IPCop isn't able to provide VPN for mobile users in this way, I'm very
> paranoid about terminating VPN connections on the mail server, and the
> same for the internal file server.

What's your basis for paranoia regarding terminating connections on the
mailserver?

As I see it, you have beasically 2 options. You can either run VPN
software on the firewall box, or you can configure the firewall to allow
VPN traffic through to a box behind the firewall, running the VPN
software. Either way, your VPN connections will terminate on a machine
that has complete, unfirewalled access to your network. If someone can
expoit your VPN software you're screwed whichever box is termiating the
connections.

Now, if you have specific concern regarding the mailserver that's
reasonable, but only if you're also taking steps to secure the
mailserver against other internal hosts.

> There is also the problem of allowing access from the mailserver to the
> file server if I allowed connections into there

That's a reason against using the mailserver, but again, if someone has
already got onto your internal network, would it make a lot of
difference? Only you can answer that, but I'd suggest your efforts are
probably better spent making sure your VPN solution is a secure as
possible, so no-one unauthorised can get to your internal network. The
other approach is not to bother with a bastion firewall and secure every
machine individually, but the effort/reward curve on that solution tends
to make it non-viable.

> I'm asking you (a) If I *had* to provide a solution using this kit where
> should I allow VPN connections into and (b) if I had budget to buy
> another box which VPN solution would be easiest or most secure for OS X
> clients (preferably using the built in VPN client in Jaguar)

a) Personally, I don't think it matters much. You have a large problem
if anyone exploits your VPN software, whichever host it's on. If you
want to make the setup more secure in *real* terms, I'd be looking at
forcing one-time-passwords on your user or something similar. I'm quite
certain that the biggest threat to the security of my VPN setup comes
from allowing users on to it.... I generate passwords for them to
prevent them using trivially guessable/attackable ones, and they write
them down. OTP is really the only solution, though it's one the users
will hate. Whether you can make that stick is another matter - it's a
battle I've not got into (yet).

b) Jaguar's VPN client is PPTP based. If you want ease of use, use it.
If you want security, don't. PPTP has fundamental protocol level flaws -
it's inherently bad. IMO, using PPTP is a bigger concern than where you
terminate the connection. I would suggest you look at an IPSec based
solution instead. You basically have a choice between security and ease
of setup/use here. Reality may force you down the PPTP route, but don't
be under any delusions that it's a secure protocol if you choose that. 

> PS. Option c, which I'm seriously considering is to tell them their
> current network doesn't support VPN without some extra expenditure

If you want one "best" solution, I'd suggest another box, internet
facing, on the same network as your firewall. Run only your (IPSec
based) VPN software on it and then configure your firewall to allow
traffic through from that box only to the services you want VPN users to
be able to access. You can lock specific firewall rules for your VPN
clients to the MAC address and IP address for that box, and you can
still block access to internal services you don't want them to see.

It's not perfect, but if your network design is "armadillo" like, with a
hardened outer firewall, and a soft chewy centre, you have to accept
that allowing *any* external client access to the internal network
increases your level of risk. Only you can make the call as to what
tradeoff between usability and security is acceptable. I'm running VPN
setups that I know are less secure than I'd like them to be, because the
grief involved in increasing the security would have an unacceptable
impact on the users. It's a judgement call as to acceptable risk, at the
end of the day.

Mike.

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug

More information about the GLLUG mailing list