<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/MU" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: SSL VPN or IPsec VPN? Which is Best?</title>
	<link>http://blogs.windowsecurity.com/shinder/2008/04/27/ssl-vpn-or-ipsec-vpn-which-is-best/</link>
	<description>Dr. Tom Shinder's Security Space will cover all topics related to security on Microsoft networks. We will focus on Microsoft's security products and technologies, such as NTFS, access controls, permissions, network security, IPSec, EFS, BitLocker, System Hardening, Service Hardening, ISA Server, IAG, Forefront Security products, and more! This blog will focus on how the Microsoft admin can take a defender's approach to network security, rather than the more typical hacker's view - in this way we can dedicate our time to our core competency - defending our networks against attack.</description>
	<pubDate>Fri, 29 Aug 2008 02:20:59 +0000</pubDate>
	<generator>http://wordpress.org/?v=MU</generator>

	<item>
		<title>by: tshinder</title>
		<link>http://blogs.windowsecurity.com/shinder/2008/04/27/ssl-vpn-or-ipsec-vpn-which-is-best/#comment-1830</link>
		<pubDate>Wed, 30 Jul 2008 13:29:59 +0000</pubDate>
		<guid>http://blogs.windowsecurity.com/shinder/2008/04/27/ssl-vpn-or-ipsec-vpn-which-is-best/#comment-1830</guid>
					<description>Hi Mark,

Is this a site to site VPN configuration?

Tom</description>
		<content:encoded><![CDATA[<p>Hi Mark,</p>
<p>Is this a site to site VPN configuration?</p>
<p>Tom
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Mark Williams</title>
		<link>http://blogs.windowsecurity.com/shinder/2008/04/27/ssl-vpn-or-ipsec-vpn-which-is-best/#comment-1827</link>
		<pubDate>Wed, 30 Jul 2008 09:44:39 +0000</pubDate>
		<guid>http://blogs.windowsecurity.com/shinder/2008/04/27/ssl-vpn-or-ipsec-vpn-which-is-best/#comment-1827</guid>
					<description>Dr. Shinder, could you please help me with an ISA issue...

I hope I can be clear on this question:
 We have set up a VPN in ISA endpoint connection to a hospital.
Both endpoints are set up and successfully connected.  My problem is the hospital wants us to do this:        The IP address of the terminal server you will connect to is 10.107.9.57 (This will be configured in your tunnel as the remote network)
You will need to present yourself as 172.19.36.X/24  To accomplish this you may natively assign these IPs to end devices.  Another, more complicated way, is to NAT all devices to the IP range above.

We cannot change our network to a 172 configuration; we have servers and printers and 60 computers.  How do I make ISA present our 10.1.1.1 network look like it is 172 before it hits the tunnel?  
I have successfully set up the tunnel except natting this 172 number.  It is set up right now but I cannot ping his 10.107.9.57 server or TS into it yet... All help</description>
		<content:encoded><![CDATA[<p>Dr. Shinder, could you please help me with an ISA issue&#8230;</p>
<p>I hope I can be clear on this question:<br />
 We have set up a VPN in ISA endpoint connection to a hospital.<br />
Both endpoints are set up and successfully connected.  My problem is the hospital wants us to do this:        The IP address of the terminal server you will connect to is 10.107.9.57 (This will be configured in your tunnel as the remote network)<br />
You will need to present yourself as 172.19.36.X/24  To accomplish this you may natively assign these IPs to end devices.  Another, more complicated way, is to NAT all devices to the IP range above.</p>
<p>We cannot change our network to a 172 configuration; we have servers and printers and 60 computers.  How do I make ISA present our 10.1.1.1 network look like it is 172 before it hits the tunnel?<br />
I have successfully set up the tunnel except natting this 172 number.  It is set up right now but I cannot ping his 10.107.9.57 server or TS into it yet&#8230; All help
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: mohamad</title>
		<link>http://blogs.windowsecurity.com/shinder/2008/04/27/ssl-vpn-or-ipsec-vpn-which-is-best/#comment-511</link>
		<pubDate>Sun, 27 Apr 2008 17:33:09 +0000</pubDate>
		<guid>http://blogs.windowsecurity.com/shinder/2008/04/27/ssl-vpn-or-ipsec-vpn-which-is-best/#comment-511</guid>
					<description>Thanks for this nice article,

I read from other resources that SSL VPNs are better than IPsec VPNs due to:
   IPsec VPNs make use of the kernel space of the operating system, while
   SSL VPNs make use of the user space of the operating system ... while running.
There might be other differences between them to let us rethink which one is:
     more secure, less complexity, simpler configuration, less time to process the
   job.

Moreover, neither of the above systems thought about a new system for key
exchange other than what is now in use.
For example: to create a new symmetric key exchange system that does
not send the key on the public Internet, but: the server will pick a symm key
from a prepared set of keys stored as a Basen, and sends just an index for the
client, which also has the same set of keys and selects the same key locally by using
the index sent by the server.
So the man in the middle and other complexities will disappear.

I implemented the idea in VB6 code in a simple way to generate keys randomly
chosen as pieces and appended to form keys.
We can also generate symm keys and store them in a matrix or on a CD
and can select one randomly by the server, then use the key for intended purposes;
the client can find out my key by sending him an index to let him pick the same key
 on a CD containing the same sets of keys as on the server side.

Thanks</description>
		<content:encoded><![CDATA[<p>Thanks for this nice article,</p>
<p>I read from other resources that SSL VPNs are better than IPsec VPNs due to:<br />
   IPsec VPNs make use of the kernel space of the operating system, while<br />
   SSL VPNs make use of the user space of the operating system &#8230; while running.<br />
There might be other differences between them to let us rethink which one is:<br />
     more secure, less complexity, simpler configuration, less time to process the<br />
   job.</p>
<p>Moreover, neither of the above systems thought about a new system for key<br />
exchange other than what is now in use.<br />
For example: to create a new symmetric key exchange system that does<br />
not send the key on the public Internet, but: the server will pick a symm key<br />
from a prepared set of keys stored as a Basen, and sends just an index for the<br />
client, which also has the same set of keys and selects the same key locally by using<br />
the index sent by the server.<br />
So the man in the middle and other complexities will disappear.</p>
<p>I implemented the idea in VB6 code in a simple way to generate keys randomly<br />
chosen as pieces and appended to form keys.<br />
We can also generate symm keys and store them in a matrix or on a CD<br />
and can select one randomly by the server, then use the key for intended purposes;<br />
the client can find out my key by sending him an index to let him pick the same key<br />
 on a CD containing the same sets of keys as on the server side.</p>
<p>Thanks
</p>
]]></content:encoded>
				</item>
</channel>
</rss>
