I am in the process of configuring an ISA 2006 L2TP/IPSec VPN to allow remote access for approximately 60 laptops.
What is an effective way to manage the 60 machine certificates using a W2K3 STD CA? When I request and install a certificate for a laptop I am logged in as an Administrator and the resulting certificate is called "Administrator". In the 'CA MMC Issued Certificates' there is no easy way to distinguish which certificate belongs to which laptop. I would like to be able to easily revoke a certificate in the event that a laptop is stolen.
I currently plan on using MSCHAPV2 for authentication but am also considering EAP-TLS, but that requires managing another 60 certificates. Would both scenarios be considered 2 Factor Authentication?
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
I would move to an Enterprise CA and use autoenrollment to provide user and computer certificates. It's just too painful otherwise.
MSCHAPV2 is ok, but two factor is always better. If you follow the above approach, it will be relatively easy to provision user certs that can be used for EAP-TLS.
Another option is using the RSA SecurID EAP client; this adds SecurID authentication to the VPN authentication process and is relatively seamless to the end user.
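The problem in the original question is that the CA's issued-certificate list only records who enrolled a certificate, so every laptop certificate requested while logged on as Administrator looks identical. The script below is an added example, not code from the thread or from Microsoft: it parses a CA issued-certificate export, separates certificates that can be tied to a laptop from those that cannot, and produces the certutil revocation commands for a stolen machine. The CSV column headers and the sample rows are constructed assumptions about what a `certutil -view ... csv` export looks like; the `DOMAIN\NAME$` form for computer accounts, the `certutil -revoke <serial> <reason>` syntax and the `certutil -CRL` publish step are standard Windows CA behaviour.

```python
import csv
import io

# Constructed sample of a CA issued-certificate export. The header names are an
# assumption about the certutil CSV layout, not copied from the thread. Rows 101
# and 102 were requested interactively as Administrator and carry no clue about
# which laptop holds them; rows 103-105 are autoenrolled machine certificates,
# requested by the computer account (DOMAIN\NAME$) with the FQDN as subject.
SAMPLE_EXPORT = """\
"Request ID","Requester Name","Issued Common Name","Serial Number","Certificate Expiration Date"
"101","CORP\\Administrator","Administrator","1a2b3c0000000000000a","10/1/2010 9:00 AM"
"102","CORP\\Administrator","Administrator","1a2b3c0000000000000b","10/1/2010 9:05 AM"
"103","CORP\\LAPTOP-017$","laptop-017.corp.example.com","1a2b3c0000000000000c","10/2/2010 8:00 AM"
"104","CORP\\LAPTOP-018$","laptop-018.corp.example.com","1a2b3c0000000000000d","10/2/2010 8:01 AM"
"105","CORP\\LAPTOP-017$","laptop-017.corp.example.com","1a2b3c0000000000000e","10/3/2010 8:00 AM"
"""

REASON_KEY_COMPROMISE = 1  # CRLReason code accepted by "certutil -revoke"


def parse_export(text):
    """Parse the CSV export into one dict per issued certificate, keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def is_machine_request(row):
    """Autoenrolled machine certificates are requested by the computer account
    (DOMAIN\\NAME$), so the CA record itself identifies the laptop."""
    return row["Requester Name"].endswith("$")


def unattributable(rows):
    """Serials of certificates enrolled by a user account: the CA only knows who
    was logged on, not which laptop received the certificate."""
    return [r["Serial Number"] for r in rows if not is_machine_request(r)]


def serials_for_laptop(rows, hostname):
    """Every certificate issued to a laptop, matched on its computer account so
    that renewals (several certificates for one machine) are all caught."""
    account = hostname.split(".")[0].upper() + "$"
    return [
        r["Serial Number"]
        for r in rows
        if is_machine_request(r)
        and r["Requester Name"].split("\\")[-1].upper() == account
    ]


def revoke_commands(serials, reason=REASON_KEY_COMPROMISE):
    """certutil command lines to revoke each serial and publish a fresh CRL so
    the VPN server stops accepting the stolen laptop's certificate."""
    cmds = [f"certutil -revoke {s} {reason}" for s in serials]
    cmds.append("certutil -CRL")
    return cmds


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("Cannot be tied to a laptop:", unattributable(rows))
    stolen = "laptop-017.corp.example.com"
    for cmd in revoke_commands(serials_for_laptop(rows, stolen)):
        print(cmd)
```

Run against a real export, the first list shows which certificates would have to be reissued under a machine template before a theft can be handled cleanly; once the laptops hold autoenrolled machine certificates, revocation is a lookup on the computer account followed by the printed commands. Remember that the VPN server only sees the revocation after it has fetched the new CRL.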
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:
ORIGINAL: Boedus
VPN on ISA is very poor. IPSec is obsolete if you ask me. In most cases. Have a look at Microsoft IAG/UAG Server.
Interesting, Microsoft's latest remote access technology DirectAccess is primarily based on IPsec as it forms part of the IPv6 framework. It includes a fallback to SSL, yes, but this is secondary.
Looking at UAG (or even TMG with SSTP) is a good suggestion, but I'm not sure IPsec is obsolete just yet.
quote:
ORIGINAL: Jason Jones
MSCHAPV2 is ok, but two factor is always better. If you follow the above approach, it will be relatively easy to provision user certs that can be used for EAP-TLS.
Would using MSCHAPV2 be considered 2 factor authentication? A user name and password combined together with a certificate for IPSec?
Thanks for your help.
< Message edited by reddae -- 15.Oct.2009 10:48:04 AM >
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:
ORIGINAL: reddae
quote:
ORIGINAL: Jason Jones
MSCHAPV2 is ok, but two factor is always better. If you follow the above approach, it will be relatively easy to provision user certs that can be used for EAP-TLS.
Would using MSCHAPV2 be considered 2 factor authentication? A user name and password combined together with a certificate for IPSec?
Thanks for your help.
No, not really. You need an extra layer of user authentication like a user certificate or some form of one time password...
< Message edited by Jason Jones -- 15.Oct.2009 11:22:44 AM >
quote:
ORIGINAL: Jason Jones
quote:
ORIGINAL: Boedus
VPN on ISA is very poor. IPSec is obsolete if you ask me. In most cases. Have a look at Microsoft IAG/UAG Server.
Interesting, Microsoft's latest remote access technology DirectAccess is primarily based on IPsec as it forms part of the IPv6 framework. It includes a fallback to SSL, yes, but this is secondary.
Looking at UAG (or even TMG with SSTP) is a good suggestion, but I'm not sure IPsec is obsolete just yet.
Cheers
JJ
It is in the sense most of the time employees should not need remote access to files. This is just a security concept, where people should be able to do most of their daily tasks using web based applications, no need to carry files over on laptops etc...
That's why IAG is so right and IPSEC is not enabled by default. Everybody should have one.
As an admin, I find SSTP to be a perfect solution.
But for users, traditional VPN solutions aren't that good -- yes, we can create rules that limit VPN users to what they need, but that does get complicated, and for much of content, we don't have very good application layer inspection with ISA/TMG.
However, with IAG/UAG, we can promote least privilege and have two factor authentication *and* DirectAccess. Now you might say -- DA isn't a least priv solution, and that's true. But then, with traditional VPNs we wanted to deliver a beat down with least priv because the hosts were typically unmanaged and untrusted, even if we tried to use something like VPN quarantine.
With DA, the hosts are completely managed hosts, just like those on the corpnet. So, it's like extending the corpnet to the Internet. I used to think the threat profile of an external user was greater, even if well managed, because that host has left the private network -- but the fact is that almost everyone is using laptops that they use at work and at home and on the road -- so that old division in threat profiles doesn't seem to be valid anymore.