I am surprised by how difficult it is to find clear, practical information on configuring the world's most popular operating systems (Windows XP Pro as well as Windows 2000) to work with the world's most popular VPN concentrator (the Cisco VPN 3000 series, formerly Altiga).
I plan to write a series of posts on configuring the built-in Windows VPN client to work securely with a Cisco VPN concentrator. The obvious protocol is L2TP over IPsec using digital certificates. Neither Microsoft nor Cisco provides a clear configuration guide, so my hope is that this series of posts will help others trying to accomplish the same thing.
I have found that many companies choose to use the Cisco VPN client (the latest version is currently 4.8), but in my experience it poses far too many issues to continue using. Namely:
- Lack of support for the Windows integrated logon APIs. When you attempt to make a VPN connection you are prompted for an identity and a password, even though you already provided them when you logged on to Windows. Aside from the obviously redundant effort of re-entering the information, this also lets someone log on to Windows as one identity and then connect remotely as another. The Microsoft client is seamless: your logon credentials are passed through to the VPN gateway.
- The painful process (especially in a large enterprise) of upgrading the client software each time a new release is required. For the Cisco client this has often involved three complete system reboots. The Microsoft client is patched as part of the normal Microsoft security patching process.
- The painful process (especially in a large enterprise) of configuring Cisco clients remotely, both initially and as parameters change. Microsoft clients can be configured through Group Policy (GPO) updates.
- Poor certificate handling. The Cisco VPN client allows (perhaps encourages is a better description) users to choose any valid certificate regardless of the purpose specified in the certificate, that is, its key usage and extended key usage extensions. For example, the client will let you use a certificate designated only for signing to authenticate and encrypt the VPN session, and the Cisco interface does little to help the user distinguish between certificate purposes. The Microsoft client only offers certificates designated for the relevant purpose. You will normally use two certificates: a machine certificate, which authenticates the computer during the initial IPsec (IKE) negotiation, and a user certificate, which authenticates the user at the PPP layer (EAP-TLS) inside the L2TP tunnel.
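The "certificate purpose" that the Microsoft client honours and the Cisco client ignores lives in the certificate's ExtendedKeyUsage extension. The following is an added example written for this post, not code from Microsoft or Cisco: it decodes a DER-encoded ExtendedKeyUsage value with a small hand-written decoder (so it runs offline, without any crypto library) and applies a role-based acceptance rule. The role-to-purpose table and the three sample EKU byte strings are constructed for illustration and mirror the two-certificate setup described above; they are assumptions, not a statement of exactly what either vendor's client enforces.

```python
"""Check a certificate's Extended Key Usage before offering it for VPN authentication.

Added example for this post, not code from Microsoft or Cisco. It decodes the
DER value of an ExtendedKeyUsage extension (RFC 5280 section 4.2.1.12:
SEQUENCE OF OBJECT IDENTIFIER) with a minimal hand-written decoder so it runs
offline. The role-to-purpose table is an assumption chosen to mirror the
post's two-certificate setup (machine cert for the IPsec/IKE exchange, user
cert for PPP authentication inside the L2TP tunnel).
"""

# Well-known EKU OIDs (RFC 5280 for the pkix ones; 1.3.6.1.5.5.8.2.2 is IKE intermediate).
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.8.2.2": "ikeIntermediate",
}

# Assumed acceptance rules per role (see module docstring).
VPN_ROLE_PURPOSES = {
    "machine": {"clientAuth", "ikeIntermediate"},
    "user": {"clientAuth"},
}


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    if pos + length > len(data):
        raise ValueError("DER length runs past end of data")
    return tag, data[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER contents into dotted notation (first byte = 40*a+b, then base-128 arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends the arc
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def parse_eku(der):
    """Return the list of dotted OIDs in a DER-encoded ExtendedKeyUsage value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("ExtendedKeyUsage must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("ExtendedKeyUsage entries must be OBJECT IDENTIFIERs")
        oids.append(_decode_oid(value))
    return oids


def purposes(der):
    """Human-readable purposes; unknown OIDs are kept in dotted form."""
    return [EKU_NAMES.get(oid, oid) for oid in parse_eku(der)]


def usable_for_vpn(role, der):
    """Decide whether a certificate with this EKU may be offered for the given VPN role.

    Returns (accepted, matched purposes). A certificate whose EKU lists only
    signing or mail purposes is rejected even though it is a perfectly valid
    certificate, which is exactly the case the post complains about.
    """
    allowed = VPN_ROLE_PURPOSES[role]
    matched = [p for p in purposes(der) if p in allowed]
    return bool(matched), matched


# Constructed sample EKU values (DER bytes, not taken from any real certificate).
USER_CERT_EKU = bytes.fromhex("300a06082b06010505070302")                 # clientAuth only
MACHINE_CERT_EKU = bytes.fromhex("3014"
                                 "06082b06010505070302"                   # clientAuth
                                 "06082b06010505080202")                  # ikeIntermediate
SIGNING_ONLY_EKU = bytes.fromhex("3014"
                                 "06082b06010505070303"                   # codeSigning
                                 "06082b06010505070304")                  # emailProtection

if __name__ == "__main__":
    for name, der in [("user cert", USER_CERT_EKU), ("machine cert", MACHINE_CERT_EKU),
                      ("signing-only cert", SIGNING_ONLY_EKU)]:
        print(f"{name:18} purposes={purposes(der)} "
              f"user-role={usable_for_vpn('user', der)[0]} "
              f"machine-role={usable_for_vpn('machine', der)[0]}")
```

The signing-only sample is the interesting case: it parses cleanly and would pass any "is this certificate valid" check, but it is rejected for both roles because none of its purposes matches. Filtering on EKU before the certificate is ever offered is what keeps a user from picking the wrong one.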
Your participation is welcome!

Stu,
best of luck with this one. I really like the layout.
Posted by: Saar Drimer | January 29, 2006 at 11:48 AM