SSL VPN or Global VPN

anxion Newbie ✭

Hi Guys,


Which of the following VPNs is more secure?

Also, Global VPN uses UDP, but for the SSL VPN it seems that I need to open port 4433 or 443 on WAN, is that correct? Or is it not necessary to have a port opened on WAN for SSL VPN?


thanks

An

Category: SSL VPN

Best Answer

  • CORRECT ANSWER
    BWC Cybersecurity Overlord ✭✭✭
    edited January 12 Accepted Answer

    Don't mind the Exchange setting, this screenshot is from a Site-2-Site connection.

    --Michael@BWC

Answers

  • BWC Cybersecurity Overlord ✭✭✭

    @anxion if you wanna use SSL-VPN the port has to be open for listening to your clients, same goes for GVC.

    If you don't like to open any ports, you should consider using something like ZTN, but this might fit only for larger environments.

    --Michael@BWC

  • anxion Newbie ✭

    hi BWC,

    Yes, but when I check if I have ports opened on https://www.zoomeye.org/ I don't see UDP there for Global VPN, however when I set up SSL VPN I can see that there is 443 open.

    Hmm, am I missing something?

    Another question is, which is more secure?


    thanks

  • BWC Cybersecurity Overlord ✭✭✭

    @anxion security-wise I would rate anyone higher than the other, GVC might have better performance but might not work with internet-connections/routers your users might connect with.

    Does your port scan just look for TCP by any chance? GVC needs UDP 500/4500.

    --Michael@BWC

  • RussF Newbie ✭

    I can't speak to the relative security of either version, but I have read that SSL tends to be somewhat slower than GVC. We've been using GVC for about two years now with great success. Only recently, when one of our execs was onboard a cruise ship, was he unable to connect and we had to scramble to set up a GoToMyPC account for him. I believe GVC uses IPsec, and while he had no problems connecting from all the various hotels he stayed in, apparently the ship blocked IPsec traffic. GoToMyPC uses encrypted HTTP, so it wasn't blocked.

    Russ

  • anxion Newbie ✭

    Hi Michael,

    Probably you are right, it scans TCP.

    However, somehow I see Global VPN as more secure than SSL VPN, where you need to have the portal publicly available all the time.

    Maybe I am wrong?

  • BWC Cybersecurity Overlord ✭✭✭

    @anxion yeah, the Portal might pull more attraction and if you check the latest history of vulnerabilities they were mostly related to authentication via http/s, so keeping this portal closed is a good approach, which I share.

    --Michael@BWC

  • anxion Newbie ✭

    hi Michael,

    Could you please send me more information about ZTN? I cannot find anything about it.


    thanks

    An

  • BWC Cybersecurity Overlord ✭✭✭

    @anxion to stay SNWL-centric you can check here:

    --Michael@BWC

  • anxion Newbie ✭

    hi Michael,

    I have run an Nmap scan and still did not find a UDP port opened. How does GVC work?

  • BWC Cybersecurity Overlord ✭✭✭
    edited January 12

    @anxion it's IPsec, did you enable it? It's only available on your WAN interface, nmap from LAN will not find you anything.

    Run this from the internet to your SNWL.

     nmap -sU <WAN IP>

    UPDATE: it shows the open ports from LAN, too!

    PORT     STATE         SERVICE
    500/udp  open|filtered isakmp
    4500/udp open|filtered nat-t-ike
    

    --Michael@BWC

  • anxion Newbie ✭

    Hi Michael,

    ok, I have done a UDP scan to my WAN, yes I got 500 isakmp only.

  • BWC Cybersecurity Overlord ✭✭✭

    @anxion did you ask nmap to scan for 4500 as well?

    nmap -sU -p 500,4500 <WAN IP>

    --Michael@BWC

  • anxion Newbie ✭

    ok I still believe that the GVC is more secure,


    The hacker would have to do Enumeration on IPsec?

  • BWC Cybersecurity Overlord ✭✭✭

    Then my best guess is that you have no tick at "Enable NAT Traversal" in the Advanced Settings at VPN?

    --Michael@BWC

  • anxion Newbie ✭

    Hi Michael,

    Yes, I don't have that. Do I need to have this on?


    thanks

    An

  • BWC Cybersecurity Overlord ✭✭✭

    If your SNWL is behind a router which does NAT you might need it, check over here for details:

    --Michael@BWC

  • anxion Newbie ✭

    I believe it's secure if IKE and IPsec are configured to use AES256/SHA256, but I could be wrong?

  • BWC Cybersecurity Overlord ✭✭✭

    AES256 and SHA256 are fine, pick PFS Group 14 as well and you should be good to go.

    --Michael@BWC

  • anxion Newbie ✭
    edited January 12
  • anxion Newbie ✭

    ahh thank you

  • anxion Newbie ✭

    Thanks for your help!
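
Added example, not part of the original thread and not SonicWall code: nmap prints `open|filtered` for UDP 500/4500 in the scan above because a silent UDP port looks the same whether it is listening or firewalled. This Python script sends one IKEv1 Main Mode proposal to your own gateway and classifies the reply. IKEv1 Main Mode, pre-shared-key authentication and the 28800-second lifetime are assumptions; AES-256, SHA-256 and group 14 are the settings named in the thread.

```python
import os, socket, struct, sys

# IKEv1 phase 1 attributes as (type, value) pairs in the short TV form.
# AES-256, SHA-256 and group 14 are from the thread; PSK auth and lifetime are assumed.
ATTRS = [(1, 7), (14, 256), (2, 4), (3, 1), (4, 14), (11, 1), (12, 28800)]

def build_probe(cookie):
    """ISAKMP header + SA payload carrying one proposal with one transform."""
    attrs = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in ATTRS)
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal
    # next payload 1 = SA, version 1.0, exchange type 2 = Main Mode
    header = struct.pack("!8s8sBBBBII", cookie, bytes(8), 1, 0x10, 2, 0, 0, 28 + len(sa))
    return header + sa

def classify_reply(data, cookie):
    """Any ISAKMP reply echoing our cookie proves a listener, whatever it says."""
    if len(data) < 28 or data[:8] != cookie:
        return "not-ike"
    exchange = data[18]
    if exchange == 2:
        return "ike-responder: proposal accepted"
    if exchange == 5:
        return "ike-responder: informational reply (proposal likely refused)"
    return "ike-responder: exchange type %d" % exchange

def probe(host, port=500, timeout=3.0):
    """Probe your own gateway; silence is the case nmap prints as open|filtered."""
    cookie = os.urandom(8)
    marker = bytes(4) if port == 4500 else b""  # non-ESP marker used on the NAT-T port
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(marker + build_probe(cookie))
            data = s.recv(4096)
        except socket.timeout:
            return "no reply (still open|filtered)"
        except OSError:
            return "closed or unreachable (ICMP error)"
    return classify_reply(data[len(marker):], cookie)

if __name__ == "__main__":
    for p in (500, 4500):
        print(p, probe(sys.argv[1], p))
```

Run it from outside the network with your WAN IP as the only argument. A gateway that silently drops proposals it has no matching policy for will still show no reply, so silence alone does not prove the port is filtered.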
