Re: Terminal Services over VPN

[Tomasz Barbaszewski <tomekb () aba krakow pl>]

In-Reply-To: <3F3BE632.8010108 () cmhsweb org>

> Received: (qmail 16249 invoked from network); 14 Aug 2003 22:09:57 -0000
> Received: from outgoing3.securityfocus.com (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 14 Aug 2003 22:09:57 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com 
[205.206.231.19])
>       by outgoing3.securityfocus.com (Postfix) with QMQP
>       id E2371A3544; Thu, 14 Aug 2003 16:08:19 -0600 (MDT)
> Mailing-List: contact security-basics-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <security-basics.list-id.securityfocus.com>
> List-Post: <mailto:security-basics () securityfocus com>
> List-Help: <mailto:security-basics-help () securityfocus com>
> List-Unsubscribe: <mailto:security-basics-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:security-basics-subscribe () securityfocus com>
> Delivered-To: mailing list security-basics () securityfocus com
> Delivered-To: moderator for security-basics () securityfocus com
> Received: (qmail 24935 invoked from network); 14 Aug 2003 13:38:39 -0000
> Message-ID: <3F3BE632.8010108 () cmhsweb org>
> Date: Thu, 14 Aug 2003 15:42:42 -0400
> From: "David Y. Ng" <dng () cmhsweb org>
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) 
Gecko/20030624 Netscape/7.1 (ax)
> X-Accept-Language: en-us, en
> MIME-Version: 1.0
> To: security-basics () securityfocus com
> Subject: Terminal Services over VPN
> Content-Type: text/plain; charset=us-ascii; format=flowed
> Content-Transfer-Encoding: 7bit
We are using IPSec in order to protect RDP transmissions.
There is one trick - the best way is to do it in additional device.
Personally we prepared LINUX+Free S/Wan box, which act as IPSec Gate
between Thin Clients (equiped with IPSec) and MS Server. 
Result is very good. Server is working as usuall (w/o any changes), but
all transmissions RDP Client to the IPSec Gate Box (it is standing on the
server) are encrypted (even AES is possible).
Solution is VERY FAST. We had testing over 100 simultaneous connections.
You can use also CISCO, but it offer ~900 kpbs (w/o hardware acc.), but 
with Embedded Linux/Free S/Wan box you can reach easily 15-50 Mbps (I mean
of course encrypted traffic).
Similar idea is published as a SINA project in Germany (www.bsi.bund.de).

Best regards 

Tomasz
> Has anyone used Terminal Services over Microsoft's VPN
> server? I need to run some program off the server and when I
> used just the VPN, it was terribly slow. The solution on paper
> is to run the program off Terminal Services and just let it
> pass through the VPN which could be faster, supposedly.
>
> Any experiences with this? Is Terminal Services in itself
> secure? I read there's some form of encryption also but
> is it comparable to VPN in a way?
>
>
> --------------------------------------------------------------------------
-
> --------------------------------------------------------------------------
--
>

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), 
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
technical IT security event.  Modeled after the famous Black Hat event in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
Symantec is the Diamond sponsor.  Early-bird registration ends September 6.Visit us: www.blackhat.com
----------------------------------------------------------------------------