software VPN into hardware VPN?

alister

Junior Member
Mar 10, 2000
23
0
0
We currently have 5 sites using hardware VPN equipment (Nortel & Lucent). We have some remote users that need to be able to attach to our VPN via the Internet because they do not have permanent locations for us to drop lines to.

For the most part, our company is 95% Windows 2000 including the servers and workstations. We have a handful of Windows 98 machines. The VPN hardware translates our private 10 dot network between the sites over the net. Our firewall is also configured for many-internal to one-external IP, FYI.

The problem I have is I was trying to use the built-in PPTP/VPN solution in Windows 2000 Server for my remote travelling users. This requires port 1723/ip and port 47/udp. 1723 is not a big deal, but our VPN equipment basically reformats anything coming in port 47 for its own use, so software PPTP dies after authentication from an outside PPTP session.

My question is if anyone knows of any other software VPN solution that I can use to get around this. I desperately need to get remote users in and can open up ports on our firewall if needed. The software needs to be able to support NAT'ing. Thank you -very- much!

krowlan@berkelapg.com
 

Shadow07

Golden Member
Oct 3, 2000
1,200
0
0
The VPN hardware you have, do you have any other offices that are using a VPN connection? If not, have you tried editing the policy on your hardware VPN device so that it will not translate port 47 to something else? If not, what are your remote client OSes?
 

dukenukem

Member
Oct 30, 2000
33
0
0
The outside software users need to connect to the extranet switch; they will not be able to tunnel through. It should be able to support PPTP. Another option is a separate gateway.
 

alister

Junior Member
Mar 10, 2000
23
0
0
Shadow07: Not sure exactly what you are getting to, but all my offices have a PVC pipe on their frac T1 for our regular hardware VPN. I still think this mod can be done on the box itself via a policy like you suggested, but my contacts can't offer anything helpful at the moment.

Dukenukem: Can you give me any more specific info? Someone I talked to mentioned using a Linux box with a public IP on my network running nothing but PPTP authentication to pass it to the Windoze box, but I'm not very familiar with Linux. It seems like a lot of extra work and hardware for something I don't know if I can pull off. I just figured there might be some type of software solution that bypasses the GRE packet problems I'm having now.

Ugh.
 

Dark

Senior member
Oct 24, 1999
639
0
0
Alister: it's not port 47, it's protocol 47 (GRE, nothing to do with UDP) that you need to let through, so if you were blocking it previously... don't know if that's your specific problem. Besides, if you're familiar with Win2k and security is a big concern, screw Microsoft PPTP and go with L2TP; you'll have to configure your Win2k server to issue certificates and the procedure is kind of more complicated than PPTP, but it's also more (a lot more) secure than MS crap.
 

Shadow07

Golden Member
Oct 3, 2000
1,200
0
0
I mainly wanted to know what is the Nortel/Lucent VPN device translating port 47 (and it is port 47, which is the GRE protocol in the TCP stack) to. Port 47 is used to initiate/create/destroy the PPTP session. The actual traffic of PPTP is on TCP 1723. I have set up and installed numerous Windows 2000 VPN servers and they have run great. Like Dark said, you will benefit from the extra security of L2TP and IPSec, but you do have to install a certificate service. But you also need to be aware that only Windows 2000 clients have native built-in support for L2TP and IPSec. If you want your 9x boxes to VPN with L2TP, you will need to get a third-party VPN client.
 

fivepesos

Senior member
Jan 23, 2001
431
0
0
Depending upon what OS your remote users are running, PPTP should be your last choice. PPTP is very insecure and proprietary to Windows crap.

If your remote users run L2TP you could use either Windows 2000 (several hundred $ for a legal copy that needs a fast machine to run), a Cisco low-end router (like a 1600, which costs about $1000), or Linux on a decent Pentium-grade machine or better (very cheap).

If you have another global IP address to use, you can run any of these solutions to allow remote users to VPN into your network. I recommend this cause then you don't have to bother with port forwarding with your current setup. This new VPN box would easily allow remote users to connect to your internal network and therefore across your VPN network (if I understand how your setup functions).

How to go about doing this: I'd recommend the Cisco, cause I'm a CCNA and it's the most industry-accepted solution. Buy a cheap low-end one that supports VPN (I think the 1600 can), search Microsoft's knowledge base for how to prepare the Win2k clients, and follow that. I think you need a more recent IOS but I'm not certain.

Win2k would do it too if it had a global IP address, but this assumes you trust Microsoft to release a product that 90% of the script kiddies in the world can't break. VPNing between Windows is mind-numbingly simple. Don't do this, cause it opens a giant backdoor into your network (cause that Windows box will run for about an hour before somebody cracks it).

Linux will work if you find a VPN protocol the remote users can run and Linux supports.

You should be able to do port forwarding to an internal machine that will be your VPN server. What firewall are you running?
 

fivepesos

Senior member
Jan 23, 2001
431
0
0
After rereading your post, just figure out what port your protocol uses and do port forwarding on your firewall to your internal VPN server.
 

Shadow07

Golden Member
Oct 3, 2000
1,200
0
0
Hey, fivepesos. You might want to rethink your statements about Windows 2K. Windows NT 4 I would believe it, but not Win2K. First things first: I would try using another global IP address if one were available. Second, if not, I would set up a Windows 2K VPN server on the outside and install Certificate Services and Internet Authentication Services (this will install a RADIUS server). This will allow you to accept PPTP and L2TP/IPSec VPN traffic.

And, about PPTP. PPTP was developed by Microsoft, Cisco, Intel, and I believe either AT&T or Lucent. It is not proprietary to Microsoft OSes. PPTP also has a max encryption scheme of 128-bit, whereas L2TP/IPSec use PKI encryption.

BTW, don't say things like "cause that windows box will run for about an hour before somebody cracks it" unless you have had that experience. I can say that I have setup and installed numerous Windows 2000 servers that have been used for VPN with much success and no one has hacked into them.
 

fivepesos

Senior member
Jan 23, 2001
431
0
0
Shadow, yeah, I agree with you on PPTP; I did a little reading on VPNing today.

I'd probably agree with you on running Windows 2000 except that Windows IS very susceptible to common script kiddies' DoS, DDoS and whatever else you wanna throw at it.

To say that Windows is secure is just plain ignorant. I'm making a few assumptions about your credentials: 1) you have ZERO Unix experience, 2) you have an MCSE and want to use it, and 3) you assume that because 80% of the IT industry runs Windows it's great.

Unless you have a good packet filtering firewall in front of a Windows box you are susceptible to several exploits.
1) jolt, a common script kiddie exploit. Compile this under Linux and test your "secure" Windows box. I've seen a 12 year old kid run this code. But true, most uncompromised upstream providers filter fragmented packets; however, where do you think your attacks come from? Disgruntled underpaid ISP employees.
2) No such thing as SYN cookies or SYN rate limits under Windows (correct me if I'm wrong). This is a very COMMON and OLD denial of service.
3) ACK, FIN, XMAS I'm assuming is the same.
4) Several major vulnerabilities for IIS in the "wild"; check securityfocus.com.
5) Windows VPN is a closed source program and hence rather UNTESTED compared to a Linux or Unix solution.
6) Remember, just cause MSoft hasn't released a security update doesn't mean the security exploits aren't there.
7) NETBIOS, SMB

As far as what this thread was started for: after further reading today, Windows 2000 clients can very easily VPN using L2TP into most newer Cisco IOS (their OS for their routers). Microsoft's knowledge base is very helpful for this.

BTW Shadow, I thought your article on VMware on 8wire was rather interesting but I don't think you put a lot of time into testing it under Linux. You can email me and I'll help you correct YOUR vid card problem running VMware on YOUR Linux system. It's a fairly common problem that I suspect YOU didn't research thoroughly.
 

Shadow07

Golden Member
Oct 3, 2000
1,200
0
0
Yeah, thanks for the personal attacks. And you're right. You know nothing about me or what my experience is. Yes, any Windows machine can be attacked by almost any type of DoS or DDoS attack. So can Linux or even Unix.

Also, I never said that a Windows box is completely secure. I only said that I have had numerous people try to hack into a Windows 2000 box with no luck of them getting any info. I do not claim to be a complete expert, but I do know what I am talking about.

As far as the article, I spoke with the engineers with VMware and they told me that the problem actually lies with the version of Red Hat Linux I was running.

BTW, leave your personal attacks with emails, not with posts. Nobody likes a troll around. I would use my own advice, but you have limited your account here to not accept personal emails or messages. Either back off or provide some actual creative thought. And, how else would I test VMware under Linux? All I can test is the reliability and also the performance.
 

fivepesos

Senior member
Jan 23, 2001
431
0
0
Thread related post.

Linux and most Unix are very well protected from major denials of service. Linux offers features to rate limit packet types from single and multiple sources. Hence it would be very secure as a VPN solution. Unlike what many MCSEs think of Linux, it is more secure and nearly immune to many types of DoS if the admin takes time to secure his box.

If you decide to run Windows as your VPN solution, remember, just cause you "protect" yourself from a few "packet kiddies" doesn't mean you're secure from any experienced attack. For example, my HOME Linux box records about 12 scans on my IP per day and has logged to a line printer every login to my Linux box (privileged and unprivileged); I also make regular backups of critical system logs to maintain system integrity. I've logged hundreds of kids taking a shot at me but none of them were any good at what they were trying to do. The only break-in I have ever had was a specific target of me by my friend, a very motivated and experienced Unix guy, and that was cause I was less than a week behind on application updates.

Windows, because it's a closed source OS, requires significant time between patches for exploits. So you are ALWAYS running an out of date, insecure machine. However, this is not always a problem; you could run Windows internally or in less critical solutions.

If you choose Windows as your VPN "solution", make sure you use some form of intrusion detection system or packet filtering firewall. Shadow is right, Windows will do what you want it to do, but it is unacceptable in high risk environments.

Even Microsoft ran Hotmail on Sun's Solaris until the press started reporting on that. They deployed Windows 2000 in their load balancing pool. Then look what happened a few weeks ago: microsoft.com, msn.com, hotmail.com lost their DNS entry (supposedly). MSoft cited "router problems" but you could still go to the IP address of their site? Read between the lines and you'll know that they got their Windows DNS nailed. Lesson from this? Don't run mission critical applications on Windows (DNS is one of these).

If your VPN solution is in a low-risk environment (typical low profile companies), you could probably run Windows with little risk. If you are in a high risk environment at least protect yourself by implementing packet filtering and traffic analysis.

Port forwarding to any machine, Cisco, Linux, or Windows, would work. Cisco and Unix would be most secure. If you already have Cisco equipment you're in luck; many Cisco platforms support L2TP, which is the ideal VPN package.

If you have a Cisco machine already exposed to the Internet you could easily adapt it to run VPN. Cisco's site is very helpful, as well as Microsoft's knowledge base.
 

Shadow07

Golden Member
Oct 3, 2000
1,200
0
0
"many types of DOS if the admin takes time to secure his box"

The same with a Windows 2000 machine. All it takes is an understanding of Windows and what you need to be worried about. The main issue is MS SMB/NETBIOS issues.

Listen, I am not biased towards a complete Microsoft solution. What I'm saying is that you need to rethink what you are saying about Windows 2000. The Windows 2000 security API is more reliable than in the days of NT 4. From what I have experienced with Windows 2000, it is almost as hard as a rock. I've seen people try to break it and nothing. So don't sit there and preach to me that Windows sucks for anything less than a basic file server.
 

Dark

Senior member
Oct 24, 1999
639
0
0
Fivepesos: can you provide a link for the 1600 being able to cope with Win2k L2TP? Anything will do, Cisco or MS Knowledge Base.

Shadow: If you set an access list on a Cisco router, you can use a name instead of a port for known stuff, like ip deny tcp x y port ftp instead of port 21. But regarding GRE the syntax is ip deny gre x y whatever. Now I know there is the correct answer and the Cisco answer, but it seems GRE is a protocol and not a port.
Besides, here is the definition of GRE right from Cisco, dear CCNA:
Generic Routing Encapsulation. Tunneling protocol developed by Cisco that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. By connecting multiprotocol subnetworks in a single-protocol backbone environment, IP tunneling using GRE allows network expansion across a single-protocol backbone environment.
 

Shadow07

Golden Member
Oct 3, 2000
1,200
0
0
No, GRE is a port and a protocol. It uses TCP port 47. As far as the 1600 providing support for L2TP, it would pass the traffic, not be able to authenticate traffic unless you purchased the VPN option with that model.

Just search on MS and Cisco for GRE. I'll look in my bookmarks for links to GRE and related material.

Sorry about the smack above. If fivepesos would've allowed private messaging, I would've emailed him my thoughts on what he was suggesting.

Just my 2 cents.

BTW, just because I list my certifications does not mean that I do not know what I am talking about. Read my article on certs here.
 

Dark

Senior member
Oct 24, 1999
639
0
0
Shadow: that's what I thought about the 1600, since I set up a 1605 lately for one of my clients and I'm planning on implementing the VPN using Win2k Server behind the router. Regarding GRE, I can't agree with you, since this one was developed by Cisco and the TCP/IP stack wasn't; it doesn't seem right to call it a protocol of the TCP stack. Besides, in all the VPN troubleshooting I saw (mainly www.experts-exchange.com) people are always asked to check if port 1723 is open and IF THEIR ISP is not blocking protocol 47. Never seen anyone referring to it as port 47. But hey, I could be wrong.
 

TheViper6

Member
Feb 6, 2001
26
0
0
Are you trying to push PPTP through NAT? PPTP and NAT do not play well, especially on Cisco routers; if you have a Cisco router running NAT, you have to get the NEWEST IOS.
 

fivepesos

Senior member
Jan 23, 2001
431
0
0
Dark:
MS knowledge base

I've been playing with VPN on a 2600 with IOS 12.0 (T) 4 or something similar, but I'm assuming it's uniform across platforms, though I don't really know.

www.cisco.com and search their site for specific platform material. You, however, require a fairly recent IOS that supports VPN. That costs more $.

Shadow (or anyone wanting to test security on Windows), compile that source I linked you. Run it against any Windows 2000 with a DEFAULT IP stack. Agreed, you could be running an aftermarket IP stack, but I don't think anyone makes one for Windows (it's possible, I'm too tired to research). Remember, that little exploit is laughable compared to newer stuff. That's been around since the Windows 2000 beta.

As far as I know, Windows DOES NOT ship with functionality to limit rates on DoS specific methods (SYN, ACK, FIN, whatever). Linux and UNIX do. I'd like to be pointed to how to enable this with a DEFAULT Windows install. It's technically possible, but it's not widely used; therefore MOST Windows deployments are MORE susceptible to DoS than Linux or Unix.

I don't think there are any security problems with the Windows VPN server, but unless you have a packet filtering box in FRONT of your Windows machine, you are still open to many attacks against the Windows IP stack. I know Windows is SUPPOSED to be able to deny traffic based on ports, but most DoS use variable port ranges with varied attacks. Linux can track and limit the number and type of packets from both spoofed and "real" IP addresses. It's called SYN cookies for Linux people, and there are implementations for other common DoS. I would love to be directed to how to enable this level of DoS protection under Windows. I'm not anti-Windows, I'm anti-crappy-software. I'm assuming this could be done by an aftermarket software package, but I have never seen, read, deployed, or used such a product.

Hence, until Windows offers features that match the DoS survivability of Linux or Unix, I would not trust Windows running globally visible services, such as VPN.

Viper: the MS knowledge base link at the top of the post says it can be done with an older IOS, and I think anything 12.0 or better will definitely support VPN on many platforms.

Alister: I hope you look seriously at VPN on a Cisco platform. The odds are you have a Cisco box at your office and with some new software it would work well for you. I would STRONGLY discourage you from running Windows since it is more susceptible to DoS than Linux or Unix. The cost to implement Linux is GENERALLY, but not always, comparable to Windows. If you have some Linux/Unix experience, loads of people in your local/city LUG (Linux user group) will help you out.

Shadow: please try and look objectively at Linux as a solution in the future. If you allow your bias to cloud your judgement, then YOUR network gets cracked, which is a weak link in someone else's trust, which eventually leads back to MY NETWORK. Luckily, I don't trust anyone else's security.

Castles in the air - they are so easy to take refuge in. And so easy to build, too.

Sorry for the crappy post, I'm really tired.

//edited for some stupid grammar and word errors, sorry I'm tired
 

Shadow07

Golden Member
Oct 3, 2000
1,200
0
0
Believe you me, I am not saying the Windows platform is completely bullet proof. I am saying that it is more secure than you think. Yes, Linux and Unix are more secure when it comes to the TCP/IP stack. No argument here. I am not trying to put any biased opinion here, but rather another angle on your blatant attacks on Windows that it just plain sucks.

GRE is a port in the TCP/IP stack. I know that I have seen this in my material here, and when I find it will let you know. GRE was developed by Cisco, but it is required for any type of PPTP connection. Microsoft's PPTP client within Windows creates the VPN session by first creating a GRE tunnel. Once the tunnel has been created, the client is then authenticated. The PPTP tunnel is then finally created.

FIVEPESOS: I do see Linux as a solution. I work with both Windows and Linux (mainly RedHat and Slackware distros). However, Linux is still far off from being the home OS. In the network, maybe used as a workstation for the IT Pro, but not as a workstation for the average user.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
to avoid any confusion GRE is L3 IP protocol 47. Not the port number which is in L4 TCP.
 

fivepesos

Senior member
Jan 23, 2001
431
0
0
Along the lines of what I said initially, Windows is not bulletproof. Therefore, it should not be used in situations requiring bulletproof security.

Whether Windows could be used in EACH admin's network is a decision based on their evaluation of their security threat. I don't work in a high threat environment; therefore, I allow myself to run Windows in a PDC role instead of relying on more secure solutions, like Samba on Linux or whatever.

I'd like to find some statistics on VPN server usage, but I don't have any. I do have stats on web servers: Windows based HTTP servers have idled at about 24% of the market share since 1997. Apache (almost entirely on Linux and Unix) has grown from about 40% to over 65% of market share, and OTHER is currently around 15% (but a large portion of these others are run on Linux).

Netcraft survey

This gives you a clue as to how huge the Linux/Unix market share is. These are associates of ours who choose Linux/Unix for its robustness and security in environments where security is critical.

But does your VPN server require significant security? That's up to each individual admin.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
The reason I'm bringing up the fact that it is layer 3 IP protocol 47 is that you have to specifically configure your firewall to permit this.

I normally recommend running VPN servers/concentrators in a parallel configuration to a firewall, as this offers the most secure and easy configuration. Say you have a public IP Ethernet: the firewall is one node on this net and the VPN server would be another. So you really have two paths into your private network... one is through the firewall and the other is through the VPN concentrator. I think this sort of configuration will solve all of your problems.

I really don't like running VPN through a firewall. It is actually less secure than running it in parallel.

spidey

PS - and for god's sake don't put a 2000 box on the public Internet. You will be hacked.
 
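To make the port-versus-protocol distinction in this thread concrete, here is an added example (not code from any poster) that builds constructed PPTP packets and runs them through two firewall policies: one that "opens port 47" and one that permits IP protocol 47. The addresses, the GRE call ID and the helper functions are assumptions made up for the illustration; the GRE packet's lack of any port field is also why a plain TCP/1723 port-forward on a NAT box never carries the tunnel.

```python
"""Constructed PPTP packets run through two firewall policies.

Added illustration for this thread; not code from any poster. The builders
produce minimal, constructed IPv4/TCP/GRE headers (no checksums, RFC 5737
example addresses) so the example runs offline.
"""
import struct

IPPROTO_TCP = 6
IPPROTO_GRE = 47          # GRE is an IP *protocol* number (layer 3), not a port
PPTP_CONTROL_PORT = 1723  # the PPTP control channel really is a TCP port


def _ip(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4(proto, payload, src="203.0.113.10", dst="198.51.100.5"):
    """Minimal 20-byte IPv4 header (constructed; checksum left at zero)."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, _ip(src), _ip(dst))
    return hdr + payload


def build_tcp(sport, dport, flags=0x02):
    """Minimal 20-byte TCP header (SYN by default), no options or data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                       8192, 0, 0)


def build_gre():
    """Enhanced GRE header as PPTP uses it: K|S flags, version 1,
    protocol type 0x880B (PPP), payload length 0, call ID 1 (constructed)."""
    return struct.pack("!HHHH", 0x3001, 0x880B, 0, 1)


def parse(raw):
    """Return (ip_protocol, tcp_dst_port). GRE has no port field at all,
    which is why a port-based rule (or a plain port forward) cannot match it."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    dport = None
    if proto == IPPROTO_TCP and len(raw) >= ihl + 4:
        _, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return proto, dport


def policy_port47(proto, dport):
    """The misreading argued in the thread: 'open port 47' plus 1723."""
    return proto == IPPROTO_TCP and dport in (PPTP_CONTROL_PORT, 47)


def policy_protocol47(proto, dport):
    """What PPTP actually needs: TCP/1723 for control plus IP protocol 47."""
    return (proto == IPPROTO_TCP and dport == PPTP_CONTROL_PORT) \
        or proto == IPPROTO_GRE


def evaluate(policy, packets):
    """Apply a policy to each packet; True means the firewall permits it."""
    return [policy(*parse(pkt)) for pkt in packets]


# Constructed sample traffic: the control connection, then the tunnel data
CONTROL = build_ipv4(IPPROTO_TCP, build_tcp(40000, PPTP_CONTROL_PORT))
TUNNEL = build_ipv4(IPPROTO_GRE, build_gre())

if __name__ == "__main__":
    for name, pol in (("port 47 rule", policy_port47),
                      ("protocol 47 rule", policy_protocol47)):
        ctl, tun = evaluate(pol, [CONTROL, TUNNEL])
        print(f"{name}: control={'pass' if ctl else 'drop'} "
              f"tunnel={'pass' if tun else 'drop'}")
```

Under the "port 47" rule the control session authenticates and the tunnel is then dropped, which is exactly the symptom alister describes at the top of the thread.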

Dark

Senior member
Oct 24, 1999
639
0
0
But spidey, if you're running NAT and have your Win2k behind the NAT, you only need to forward port 1723 to your Win2k server (in case you're using PPTP), right? No need to set anything on the Cisco router regarding GRE? You still would consider that as putting the 2k box on the public net?
 