Which of the following VPNs is more secure?
Also, Global VPN uses UDP, but for the SSL VPN it seems that I need to open port 4433 or 443 on the WAN, is that correct? Or is it not necessary to have a port opened on the WAN for SSL VPN?
Don't mind the Exchange setting; this screenshot is from a Site-2-Site connection.
@anxion if you want to use SSL-VPN the port has to be open for listening to your clients; the same goes for GVC.
If you don't want to open any ports, you should consider using something like ZTN, but this might only fit larger environments.
Yes, but when I check whether I have ports open on https://www.zoomeye.org/ I don't see UDP there for Global VPN; however, when I set up SSL VPN I can see that 443 is open.
Hmm, am I missing something?
Another question is, which is more secure?
@anxion security-wise I would rate anyone higher than the other; GVC might have better performance but might not work with the internet connections/routers your users connect with.
Does your port scan just look for TCP by any chance? GVC needs UDP 500/4500.
I can't speak to the relative security of either version, but I have read that SSL tends to be somewhat slower than GVC. We've been using GVC for about two years now with great success. Only recently, when one of our execs was onboard a cruise ship, was he unable to connect and we had to scramble to set up a GoToMyPC account for him. I believe GVC uses IPsec, and while he had no problems connecting from all the various hotels he stayed in, apparently the ship blocked IPsec traffic. GoToMyPC uses encrypted HTTP, so it wasn't blocked.
Probably you are right, it scans TCP.
However, somehow I see Global VPN as more secure, rather than SSL VPN where you need to have the portal publicly available all the time.
Maybe I am wrong?
@anxion yeah, the portal might attract more attention, and if you check the recent history of vulnerabilities they were mostly related to authentication via HTTP/S, so keeping this portal closed is a good approach, which I share.
Could you please send me more information about ZTN? I cannot find anything about it.
@anxion to stay SNWL-centric you can check here:
I have run an Nmap scan and still did not find a UDP port open. How does GVC work?
@anxion it's IPsec, did you enable it? It's only available on your WAN interface; nmap from the LAN will not find anything.
Run this from the internet to your SNWL.
nmap -sU <WAN IP>
UPDATE: it shows the open ports from LAN, too!
PORT STATE SERVICE
500/udp open|filtered isakmp
4500/udp open|filtered nat-t-ike
OK, I have done a UDP scan to my WAN; yes, I got 500 isakmp only.
@anxion did you ask nmap to scan for 4500 as well?
nmap -sU -p 500,4500 <WAN IP>
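The nmap output pasted above is the raw material for a simple exposure audit: parse the PORT/STATE/SERVICE table, compare it with the ports you intend to have listening on the WAN (for GVC that is IKE on 500/udp and NAT-T on 4500/udp), and report anything missing or unexpected. The script below is an added example, not code from the thread or from SonicWall; the scan text, the host 192.0.2.10 and the 443/tcp line standing in for an SSL-VPN portal are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample nmap output: the two UDP lines quoted in the thread plus a
# hypothetical 443/tcp line representing an SSL-VPN portal left listening.
SAMPLE_SCAN = """\
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.0.2.10
PORT     STATE         SERVICE
500/udp  open|filtered isakmp
4500/udp open|filtered nat-t-ike
443/tcp  open          https
Nmap done: 1 IP address (1 host up) scanned in 2.31 seconds
"""

# One nmap port line: "<port>/<proto>  <state>  <service>".  The state field
# may contain '|' (e.g. "open|filtered"), so match any non-blank run.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)


@dataclass(frozen=True)
class PortResult:
    port: int
    proto: str
    state: str
    service: str


def parse_nmap_ports(text):
    """Extract every port table row from nmap's normal (human-readable) output."""
    return [PortResult(int(port), proto, state, svc)
            for port, proto, state, svc in PORT_LINE.findall(text)]


# Expected WAN listeners for an IPsec (GVC) deployment: IKE and NAT-T.
GVC_EXPECTED = {(500, "udp"), (4500, "udp")}


def audit_exposure(results, expected=GVC_EXPECTED):
    """Classify scan results against the allowlist of intended listeners.

    For UDP, nmap reports "open|filtered" when it gets no reply, because a
    silent port and a firewalled port look the same.  We therefore treat any
    state beginning with "open" as reachable and only "closed" as proof that
    nothing listens there.
    """
    reachable = {(r.port, r.proto) for r in results if r.state.startswith("open")}
    return {
        "present": sorted(k for k in expected if k in reachable),
        "missing": sorted(k for k in expected if k not in reachable),
        "unexpected": sorted(k for k in reachable if k not in expected),
    }


if __name__ == "__main__":
    report = audit_exposure(parse_nmap_ports(SAMPLE_SCAN))
    for key, ports in report.items():
        print(f"{key}: {', '.join(f'{p}/{proto}' for p, proto in ports) or '-'}")
```

Run it against the saved output of `nmap -sU -p 500,4500 <WAN IP>` (or a combined TCP/UDP scan) taken from outside your network; a non-empty "unexpected" list is the thing to investigate, and a 4500/udp entry under "missing" is exactly the NAT Traversal symptom discussed further down in the thread.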
OK, I still believe that the GVC is more secure.
The hacker would have to do enumeration on IPsec?
Yes, and I got only 500.
Then my best guess is that you have no tick at "Enable NAT Traversal" in the Advanced Settings at VPN?
Yes, I don't have that. Do I need to have this on?
If your SNWL is behind a router which does NAT you might need it; check over here for details:
I believe it's secure if IKE and IPsec are configured to use AES256/SHA256, but I could be wrong?
AES256 and SHA256 are fine; pick PFS Group 14 as well and you should be good to go.
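The baseline agreed above (AES-256, SHA-256, DH group 14 with PFS in phase 2) can be turned into a small lint that flags a weaker proposal before it goes live. The following is an added example and not SonicWall code; the `IkeProposal` fields and the sample proposals are constructed, and the weak/strong sets only encode the well-known deprecations (DES/3DES, MD5/SHA-1, DH groups below 14).

```python
from dataclasses import dataclass

# Algorithm classes.  Anything not listed is reported as unrecognised rather
# than silently accepted.
STRONG_ENCRYPTION = {"AES-128", "AES-192", "AES-256"}
WEAK_ENCRYPTION = {"DES", "3DES", "NULL"}
STRONG_HASH = {"SHA256", "SHA384", "SHA512"}
WEAK_HASH = {"MD5", "SHA1"}
MIN_DH_GROUP = 14          # 2048-bit MODP, the group recommended in the thread


@dataclass
class IkeProposal:
    """One IKE phase 1 or phase 2 proposal (constructed field names)."""
    encryption: str
    hash: str
    dh_group: int
    pfs: bool = True       # only meaningful for phase 2 (ESP) proposals


def lint_proposal(p, phase):
    """Return a list of findings; an empty list means the proposal meets the baseline."""
    findings = []
    enc, hsh = p.encryption.upper(), p.hash.upper()

    if enc in WEAK_ENCRYPTION:
        findings.append(f"{phase}: {p.encryption} is deprecated, use AES-256")
    elif enc not in STRONG_ENCRYPTION:
        findings.append(f"{phase}: unrecognised encryption '{p.encryption}'")

    if hsh in WEAK_HASH:
        findings.append(f"{phase}: {p.hash} is deprecated, use SHA256")
    elif hsh not in STRONG_HASH:
        findings.append(f"{phase}: unrecognised hash '{p.hash}'")

    if phase == "phase2" and not p.pfs:
        # Without PFS the ESP keys are derived from the phase 1 secret alone.
        findings.append("phase2: PFS disabled, enable PFS with DH group 14")
    elif p.dh_group < MIN_DH_GROUP:
        findings.append(f"{phase}: DH group {p.dh_group} is too small, use group {MIN_DH_GROUP}")

    return findings


def lint_tunnel(phase1, phase2):
    """Lint both phases of a tunnel and return (ok, findings)."""
    findings = lint_proposal(phase1, "phase1") + lint_proposal(phase2, "phase2")
    return (not findings, findings)


# Constructed examples: the thread's recommended settings beside a legacy one.
RECOMMENDED = (IkeProposal("AES-256", "SHA256", 14), IkeProposal("AES-256", "SHA256", 14, pfs=True))
LEGACY = (IkeProposal("3DES", "SHA1", 2), IkeProposal("AES-128", "MD5", 2, pfs=False))

if __name__ == "__main__":
    for name, (p1, p2) in (("recommended", RECOMMENDED), ("legacy", LEGACY)):
        ok, findings = lint_tunnel(p1, p2)
        print(name, "OK" if ok else "FAIL")
        for f in findings:
            print("  -", f)
```

The phase 2 rule deliberately checks PFS before the DH group: when PFS is off there is no phase 2 exchange to size, so reporting the group would be noise, and enabling PFS is the actionable fix.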
I have Group 14 but do not see PFS; I can only choose ESP.
Ahh, thank you.
Thanks for your help!