OpenVPN and ISA 2006 - OpenVPN on a DMZ

by adrian 21. June 2008 00:47

We have installed ISA 2006 as our network firewall, Web Proxy and VPN server.

Our VPN options are PPTP and L2TP/IPsec for remote access, plus IPsec tunnel mode for site-to-site VPN.

PPTP is not a real choice these days due to its security flaws. It also does not provide per-packet data integrity (proof that the data was not modified in transit), per-packet data origin authentication (proof that the data was sent by the legitimate source) or protection against replay attacks. PPTP provides only per-packet data confidentiality. This is stated on Microsoft's site too.

With L2TP/IPsec we might experience connection problems through some NAT devices, or some network admins might block IPsec.
So we are thinking about an SSL VPN option. IAG can do that, but right now we might not have the resources to invest in IAG.

Fortunately we have OpenVPN, which according to its site:
"OpenVPN is a full-featured SSL VPN solution which can accommodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls."
OpenVPN has Diffie-Hellman key agreement, RSA authentication, HMAC-SHA1 integrity checks (for per-packet data origin authentication and data integrity; HMAC is applied encrypt-then-MAC style: the packet is encrypted first and the HMAC is then computed over the resulting ciphertext), explicit IVs, and replay attack protection (using a variant of the sliding-window algorithm, the same algorithm used by IPsec, where each packet is tagged with a unique, incrementing sequence number). Please refer to this presentation. The symmetric encryption algorithm can even be AES-256-CBC. Plus there is "--tls-auth", which when used will enable OpenVPN to (see OpenVPN's man page).
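To make the encrypt-then-HMAC order and the sliding-window replay check concrete, here is an added illustration (not OpenVPN's own code or packet format). It assumes a constructed packet layout of a 4-byte sequence number, the already-encrypted payload, and a 20-byte HMAC-SHA1 tag, with a 64-packet window; the cipher step itself is left out, so the "ciphertext" bytes are just treated as opaque.

```python
import hmac
import hashlib
import struct

TAG_LEN = hashlib.sha1().digest_size  # 20 bytes for HMAC-SHA1


class ReplayWindow:
    """IPsec-style sliding anti-replay window: a bitmap of the sequence
    numbers already accepted below the highest one seen (size is an assumption)."""

    def __init__(self, size=64):
        self.size, self.highest, self.bitmap = size, 0, 0

    def accept(self, seq):
        """Return True and record seq if it is new; False for replays or too-old packets."""
        if seq <= 0:
            return False
        if seq > self.highest:                            # advances the window
            shift = seq - self.highest
            self.bitmap = 1 if shift >= self.size else \
                ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                                  # older than window, or already seen
        self.bitmap |= 1 << diff
        return True


def seal(key, seq, ciphertext):
    """Sender side, encrypt-then-MAC: the HMAC covers the sequence number plus
    the already-encrypted payload (constructed layout, not OpenVPN's wire format)."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + ciphertext, hashlib.sha1).digest()
    return header + ciphertext + tag


def receive(key, window, packet):
    """Receiver side: verify the HMAC first, then the replay window.
    Returns (seq, ciphertext), or None if the packet is rejected."""
    if len(packet) < 4 + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        return None                                       # forged or modified in transit
    seq = struct.unpack("!I", body[:4])[0]
    if not window.accept(seq):
        return None                                       # replayed or stale packet
    return seq, body[4:]
```

Because the tag is checked before the window is touched, a modified packet never advances or pollutes the window, and a replayed packet is dropped even though its tag is valid.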


ISA Server | VPN

Comments

10/26/2008 3:48:45 AM #

So last year I was running OpenVPN on my ISA server. This year I got a chance to rebuild my ISA box and include a DMZ. So I will be following this guide to install Openvpn onto a host in the DMZ.

But I did have a question.

You have another article out there setting up ISA 2006 in a hub and spoke scenario. I'd like to accomplish that with OpenVPN, so the hub will have OpenVPN
and the spokes will have a router running OpenVPN.

I'd like for the spokes to be able to talk to one another.

Your thoughts? Or maybe your next article?

cititechs (United States)

10/26/2008 10:31:22 AM #

I did not try that, but it might work.
openvpn.net/.../msg00013.html
www.endian.com/.../efw.vpn.openvpn.html

Personally, for the moment, I would rather still use IPsec for site-to-site VPN connections.

adimcev
