10-06-2004 08:07 AM - edited 02-21-2020 01:23 PM
Which is more secure or less secure: LAN-to-LAN between UNTRUSTED networks, or a remote VPN access connection between the same UNTRUSTED networks? My belief is that since the LAN-to-LAN is generally thought of as static or semi-permanent, it is inherently less secure than a temporary remote access connection. Is this true?
10-08-2004 07:18 AM
Difficult to answer your question; that might be the reason why nobody has answered yet.
Might be a security risk? I am joking !!
I think one of the major differences is that a Remote Access VPN is easier to audit (monitor) because usually each user has to authenticate their VPN, and so it is easier to trace a user.
It depends a lot on whether we are talking about remote teleworkers or not. Anyway, for the Site2Site and Remote VPNs you have to configure your access-list correctly to restrict access.
sincerely
Patrick
10-10-2004 10:01 PM
I think it boils down to the initial key exchange. The remote access connections use Aggressive Mode, and a lot of the keying data is sent before the tunnel is fully built (encrypted). The true LAN2LAN tunnels are not subjected to that. On the flip side, it's still very secure. No one has (cross my fingers) hacked into any of our EzVPN links or mobile users' PCs yet. Either way, once the tunnel is up, it's up and all the data is encrypted, until a re-keying takes place.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_security_notice09186a008016b57f.html
The only other "remote access" issue after that is that some people don't like using split tunneling because they would prefer that all Internet-bound traffic be rerouted out of their central location, for network security (i.e., Content Filtering) and Desktop Security (Antivirus, Spyware) reasons. Some people don't like split tunneling because they feel that the desktop can be used as an avenue for attack into the internal network:
Hacker > Remote Access PC > VPN Tunnel > Internal Net
Do I use Remote Access and Lan2Lans? Yes....and an IDS :^) If I had a choice, all of our VPN links would be Lan2Lans, but the reality is money talks, and Comcast Cable and Verizon DSL Internet access via DHCP is a lot cheaper than static IPs.