The numerous known insecurities of the MS security implementations are well documented - as should be your remote access and business partner security policies. The bottom line is that if you want truly secure com links, use IPSec with either 3DES or AES. If your partner grumbles, ask them why they would want to use products that are known to have more holes than swiss cheese.

Best of luck.

You definitely want to use IPSec and the Cisco client. In addition to the numerous PPTP (MS) issues known, using the Cisco client will functionally provide better security. Pushing out split-tunneling and firewall policies to the VPN client, you can protect your network from the end host in addition to protecting the end host while he is connected to you.

1. Enable split tunneling. It will tell the clients what should be sent over the tunnel and what shouldn't. Only include in the split tunnel lists what you want clients to connect to.

2. Create filters on the VPN concentrator for the VPN group that only allows access to what you would like. Create the rules/filters under "Policy Management" and them apply them to the group on the "General" tab using the "Filters" drop down box.

I recommend using both. This means all internal networks should be defined in the split-tunnel and go across the VPN session. Use the filters to deny what you don't want at the concentrator. This will prevent your VPN clients from sending traffic meant for the internal network out to the Internet instead. You don't want any traffic like meant for internal networks inadvertently going out to the Internet in clear-text.

For best security, send firewall polices out to the VPN client that don't allow the client to talk to anything except your network. This will ensure that they are only connected when they want to accomlish something on your network, and also ensures that a compromised host is not used remotely as a backdoor to your network.

-Shannon