Also, Global VPN uses UDP, but for the SSL VPN it seems that I need to open port 4433 or 443 on the WAN, is that correct? Or is it not necessary to have a port opened on the WAN for SSL VPN?
Answers
@anxion if you wanna use SSL-VPN the port has to be open for listening to your clients, same goes for GVC.
If you don't like to open any ports, you should consider using something like ZTN, but this might fit only for larger environments.
--Michael@BWC
hi BWC,
Yes, but when I check whether I have ports open on https://www.zoomeye.org/ I don't see UDP there for Global VPN; however, when I set up SSL VPN I can see that 443 is open.
Hmm, am I missing something?
Another question is, which is more secure?
thanks
@anxion security-wise I would rate anyone higher than the other, GVC might have better performance but might not work with internet-connections/routers your users might connect with.
Does your port scan just look for TCP by any chance? GVC needs UDP 500/4500.
--Michael@BWC
I can't speak to the relative security of either version, but I have read that SSL tends to be somewhat slower than GVC. We've been using GVC for about two years now with great success. Only recently, when one of our execs was onboard a cruise ship, was he unable to connect and we had to scramble to set up a GoToMyPC account for him. I believe GVC uses IPsec, and while he had no problems connecting from all the various hotels he stayed in, apparently the ship blocked IPsec traffic. GoToMyPC uses encrypted HTTP, so it wasn't blocked.
Russ
Hi Michael,
Probably you are right, it scans TCP.
However, somehow I see Global VPN as more secure, rather than SSL VPN, where you need to have the portal publicly available all the time.
Maybe I am wrong?
@anxion yeah, the portal might attract more attention, and if you check the recent history of vulnerabilities they were mostly related to authentication via HTTP/S, so keeping this portal closed is a good approach, which I share.
--Michael@BWC
hi Michael,
Could you please send me more information about ZTN? I cannot find anything about it.
thanks
An
@anxion to stay SNWL-centric you can check here:
--Michael@BWC
Hi Michael,
I have run an Nmap scan and still did not find a UDP port open. How does the GVC work?
@anxion it's IPsec, did you enable it? It's only available on your WAN interface; nmap from the LAN will not find anything.
Run this from the internet against your SNWL:
nmap -sU <WAN IP>
--Michael@BWC
Hi Michael,
OK, I have done a UDP scan of my WAN; yes, I got 500 isakmp only.
@anxion did you ask nmap to scan for 4500 as well?
nmap -sU -p 500,4500 <WAN IP>
--Michael@BWC
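The trap in this thread is that a TCP-only scan (nmap's default, and what most web port checkers do) never shows the IKE listeners, so SSL-VPN on TCP 443 looks "open" while GVC on UDP 500/4500 looks "absent". The following is an added example, not code from the thread or from SonicWall: a small POSIX shell script that runs both scans from outside the firewall and then reads nmap's grepable output (`-oG -`) to report each listener's state. The WAN address 203.0.113.10 and the sample scan output are constructed placeholders; nmap itself must be run with root privileges for `-sS`/`-sU`.

```shell
#!/bin/sh
# Added example: check a SonicWall WAN for the SSL-VPN listener (TCP 443/4433)
# and the GVC/IPsec listeners (UDP 500 IKE, UDP 4500 NAT-T) in one go.
# Run from a host on the internet, never from the LAN side.

# Emit grepable output for both probes. A TCP scan alone never lists UDP 500/4500.
# (Requires root for raw-socket scans; e.g. sudo sh thisfile.sh 203.0.113.10)
scan_wan() {
    ip="$1"
    nmap -Pn -sS -p 443,4433 -oG - "$ip"
    nmap -Pn -sU -p 500,4500 -oG - "$ip"
}

# Constructed sample output in nmap's grepable format, used so the parser can
# be exercised offline. Entries are "port/state/proto/owner/service/rpc/version/".
SAMPLE_TCP='# Nmap scan (constructed sample, not a real scan)
Host: 203.0.113.10 ()   Status: Up
Host: 203.0.113.10 ()   Ports: 443/open/tcp//https///, 4433/closed/tcp//vop///   Ignored State: closed (0)
# Nmap done'
SAMPLE_UDP='Host: 203.0.113.10 ()   Ports: 500/open/udp//isakmp///, 4500/open|filtered/udp//nat-t-ike///'

# port_state OUTPUT PORT PROTO -> prints the state of that port, or nothing if unlisted.
port_state() {
    printf '%s\n' "$1" | awk -v port="$2" -v proto="$3" '
        /Ports:/ {
            sub(/.*Ports: /, "")                 # keep only the port list
            sub(/[ \t]*Ignored State:.*/, "")    # drop the trailing summary field
            n = split($0, entries, ", ")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")        # f[1]=port f[2]=state f[3]=proto
                if (f[1] == port && f[3] == proto) { print f[2]; exit }
            }
        }'
}

# vpn_exposure TCP_OUTPUT UDP_OUTPUT -> one summary line, "absent" when a port
# was not scanned at all (the TCP-only-scan situation from the thread).
vpn_exposure() {
    sslvpn=$(port_state "$1" 443 tcp);  : "${sslvpn:=absent}"
    alt=$(port_state "$1" 4433 tcp);    : "${alt:=absent}"
    ike=$(port_state "$2" 500 udp);     : "${ike:=absent}"
    natt=$(port_state "$2" 4500 udp);   : "${natt:=absent}"
    printf 'sslvpn/443=%s sslvpn/4433=%s ike/500=%s nat-t/4500=%s\n' \
        "$sslvpn" "$alt" "$ike" "$natt"
}

# gvc_listening UDP_OUTPUT -> success when IKE answered on 500 and 4500 is at
# least not closed. nmap has no payload that makes NAT-T answer, so 4500 usually
# shows "open|filtered"; only "closed" (ICMP unreachable) rules it out.
gvc_listening() {
    ike=$(port_state "$1" 500 udp)
    natt=$(port_state "$1" 4500 udp)
    [ "$ike" = open ] || return 1
    case "$natt" in
        open|"open|filtered") return 0 ;;
        *) return 1 ;;
    esac
}

# Offline demonstration on the constructed sample.
vpn_exposure "$SAMPLE_TCP" "$SAMPLE_UDP"
if gvc_listening "$SAMPLE_UDP"; then
    echo "GVC (IPsec) listener reachable"
else
    echo "GVC (IPsec) listener NOT reachable"
fi
```

To confirm that 500/udp is really IKE rather than just an answering port, add `--script ike-version` to the UDP scan; an IKE responder identifies itself in the NSE output. A result of "open" on 500 with "closed" on 4500 is the symptom discussed later in the thread, where NAT Traversal is not enabled on the firewall.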
OK, I still believe that the GVC is more secure.
The hacker would have to do enumeration on IPsec?
Yes, and I got only 500.
Then my best guess is that you have no tick at "Enable NAT Traversal" in the Advanced Settings under VPN?
--Michael@BWC
Hi Michael,
Yes, I don't have that. Do I need to have this on?
thanks
An
If your SNWL is behind a router which does NAT you might need it; check over here for details:
--Michael@BWC
I believe it's secure if IKE and IPsec are configured to use AES256/SHA256, but I could be wrong?
AES256 and SHA256 are fine; pick PFS Group 14 as well and you should be good to go.
--Michael@BWC
I have Group 14 but do not see PFS; I can only choose ESP.
ahh thank you
Thanks for your help!