Vpn in hardware firewall

ar_tlk

Honorable
Feb 11, 2013
Hello,
I have a CentOS 5.3 server running a Squid proxy server, with 2 LAN cards, one connected to the local LAN and the other to the ISP line. I have a BSNL broadband modem. Here I manage ACLs for internet users. Now some users want to access the LAN from home for work. For that, what should I do? I think I need to purchase a hardware firewall and configure VPN in it. If yes, then what is the requirement for the same, and then what about my proxy server? How will users be managed? Please guide.

AMar
 
It depends on how much money you have to spend. You could buy a cheap router that supports VPN, but this requires a client to be installed on the user's PC. They are mostly based on IPsec, which tends to be tricky to get configured to run between the users and your router because of NAT issues.

The other options are the VPN appliances from, say, Cisco or Juniper. Both of these work well but are extremely expensive... you can easily pay $10,000 just for the software license without the hardware.

Since you are running Squid, I am going to assume you have a Linux-based OS running on your server. You should be able to run OpenVPN on it. Although you can run this with IPsec or PPTP VPN, I would use SSL/TLS. Although it is a little harder to set up on the server side, it requires no client to be installed on the user's side, and since it runs over the HTTPS port it will pass through just about any proxy or firewall. The added benefit is it's free.
 

ar_tlk

Honorable
Feb 11, 2013
Hi, thanks for the reply.

If I use PPTP VPN, then how is security maintained, as the local LAN is exposed to the public network? What about hardware firewalls like Cyberoam, if I configure VPN in hardware firewalls?
 

There are some issues with PPTP security, mostly that it uses MS-CHAP, and DNS queries can sometimes be seen.

It does not just expose your local network to the public. All the data is encrypted and you must authenticate. The MS-CHAP exposure is very overblown. It is like saying that nobody should use WPA/WPA2 with pre-shared keys. Just like MS-CHAP, you can brute-force crack the passwords... just use good passwords so it takes years to crack them.

Your main issue with PPTP is that it uses IP protocol 47 (i.e. GRE). If you have a NAT router in the path, it must understand and support this. Normal port forwarding does not solve this, since TCP is protocol 6 and UDP is protocol 17.
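As an added illustration of the GRE point above (example code, not from the thread), the script below parses constructed sample packets the way a NAT table would: a TCP or UDP packet yields ports that an ordinary port-forward rule can match, while PPTP's GRE (protocol 47) carries no ports at all, only a Call ID, so only a PPTP-aware NAT helper can track it. The addresses and packet contents are constructed samples.

```python
import socket
import struct

# IANA IP protocol numbers; NAT devices key their tables on these plus ports
PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47
GRE_FLAG_KEY = 0x2000          # K bit in the first GRE halfword
GRE_PROTO_PPP = 0x880B         # payload type carried by PPTP's GRE (RFC 2637)

def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed sample packet: minimal 20-byte IPv4 header, checksum left zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_for_nat(pkt: bytes) -> dict:
    """Extract what a NAT table needs: TCP/UDP give ports, GRE only gives a Call ID."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    payload = pkt[(ver_ihl & 0x0F) * 4:total_len]
    info = {"proto": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    if proto in (PROTO_TCP, PROTO_UDP):
        info["sport"], info["dport"] = struct.unpack("!HH", payload[:4])
    elif proto == PROTO_GRE:
        flags, ptype = struct.unpack("!HH", payload[:4])
        info["gre_type"] = ptype
        if flags & GRE_FLAG_KEY:
            # PPTP's Key field = 16-bit payload length + 16-bit Call ID (RFC 2637)
            _plen, info["call_id"] = struct.unpack("!HH", payload[4:8])
    return info

def port_forward_matches(rule: dict, info: dict) -> bool:
    """An ordinary port-forward rule matches on (proto, dport); GRE has no dport."""
    return info["proto"] == rule["proto"] and info.get("dport") == rule["dport"]

def pptp_alg_matches(info: dict) -> bool:
    """What a PPTP-aware NAT helper keys on instead: GRE carrying PPP with a Call ID."""
    return info["proto"] == PROTO_GRE and info.get("gre_type") == GRE_PROTO_PPP and "call_id" in info

# Constructed samples: a TCP SYN to port 443 (OpenVPN over HTTPS port) and a PPTP GRE packet
TCP_443 = build_ipv4(PROTO_TCP, "203.0.113.5", "192.0.2.10",
                     struct.pack("!HHIIBBHHH", 51000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0))
PPTP_GRE = build_ipv4(PROTO_GRE, "203.0.113.5", "192.0.2.10",
                      struct.pack("!HHHH", 0x3001, GRE_PROTO_PPP, 12, 7) + b"\xff\x03" + b"\x00" * 10)
FORWARD_443 = {"proto": PROTO_TCP, "dport": 443}   # the rule a home router lets you configure

if __name__ == "__main__":
    for pkt in (TCP_443, PPTP_GRE):
        info = parse_for_nat(pkt)
        print(info, "port-forward:", port_forward_matches(FORWARD_443, info),
              "pptp-alg:", pptp_alg_matches(info))
```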