
I found a link, but it didn't answer my questions.
(http://www.k2esec.com/secure-communications/network-security-protocols-ipsec-vs-tlsssl-vs-ssh-part-ii).

I want to create a secure connection for RDP users who connect from all over the world. Right now they are connecting via RDP Gateway using TLSv1 encryption and Kerberos auth. But after the latest news about vulnerabilities I don't want to continue using it. Instead I want to create an L2TP/IPsec connection to the network and then allow RDP connections over IPsec.

Is this way more secure? Would you approve this decision if you were in my place? Will it affect the performance of the connection?

P.S. I just need your advice.

Thanks in advance.


You might want to look at this answer as it bears on your question; in short, IPSec is overkill for single-port communication requirements and can be difficult for dynamic client environments. SSH forwarding or sufficiently correct TLS is better for your use case.

That being said, I assume you're talking about Microsoft RDP, which has its own innate encryption abilities. While it requires some care to implement securely, it is possible to have a reasonably secure installation of it. You should carefully consider whether you can achieve your goals with the native capabilities rather than bolting on outer layers; such hybrid solutions often have a hidden security cost due to their complexity.

gowenfawr
  • But why do a lot of users use VPN (OpenVPN & IPsec) connections for protecting their information? – Alex Rezistorman Jan 17 '15 at 16:08
  • I'm sorry, but that's a remarkably broad statement. Lots of people are using various encryption mechanisms to protect sundry information across the Internet... yes. What application are you trying to protect? Does it support encryption? Are you protecting multiple applications? These details drive what will be the appropriate solution for you. – gowenfawr Jan 18 '15 at 03:36
  • Look at this vulnerability (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6321) and don't forget about Heartbleed and POODLE. I assume that in the future we will get new problems. So I want to protect the RDP connection to the terminal session and in the future not use TLS. – Alex Rezistorman Jan 19 '15 at 15:31
  • That was patched last November. Apply patches. You'll need to do that whatever software you end up using. If you're wondering which encryption method won't be vulnerable to bugs and design flaws, the answer is none. – gowenfawr Jan 19 '15 at 16:01
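The answer's point about "sufficiently correct TLS" comes down to how the gateway's TLS stack is configured. Windows RD Gateway terminates TLS through SChannel, so the relevant settings are the per-protocol SChannel registry keys rather than anything RDP-specific; Heartbleed, for its part, was an OpenSSL bug and never affected SChannel, while POODLE is handled by turning SSL 3.0 off. The script below is an added example, not code from the question, the answer or Microsoft: it audits which protocol versions the server side of SChannel has explicitly enabled or disabled, and provides a helper to switch an individual version on or off. It assumes it is run as Administrator on the gateway host and that the host uses the standard SChannel registry layout under `HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols`.

```powershell
# Added example (not from the original thread): audit and optionally harden the
# SChannel server-side protocol settings that a Windows RD Gateway inherits.
# Assumptions: run elevated on the gateway; standard SChannel registry layout.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # Returns one object per protocol; $null values mean "no explicit setting,
    # the OS default applies" (which for TLS 1.0 on older servers means enabled).
    param([string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocols) {
        $key = Join-Path $SchannelRoot "$p\Server"
        $enabled = $null
        $disabledByDefault = $null
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            $enabled = $props.Enabled
            $disabledByDefault = $props.DisabledByDefault
        }
        [pscustomobject]@{
            Protocol          = $p
            KeyPresent        = (Test-Path $key)
            Enabled           = $enabled
            DisabledByDefault = $disabledByDefault
        }
    }
}

function Set-SchannelServerProtocol {
    # Writes the two DWORDs SChannel honours for the server side of a protocol.
    # Enabled=0 + DisabledByDefault=1 turns it off; Enabled=1 + DisabledByDefault=0 turns it on.
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [Parameter(Mandatory)][bool]$Enable
    )
    $key = Join-Path $SchannelRoot "$Protocol\Server"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $enabledValue = if ($Enable) { 1 } else { 0 }
    $dbdValue     = if ($Enable) { 0 } else { 1 }
    New-ItemProperty -Path $key -Name Enabled -Value $enabledValue -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -Value $dbdValue -PropertyType DWord -Force | Out-Null
}

# 1. Audit: see which versions are explicitly on or off before touching anything.
Get-SchannelProtocolState | Format-Table -AutoSize

# 2. Harden (uncomment after checking that every RDP client in use supports TLS 1.2):
#    SSL 3.0 off closes POODLE; TLS 1.0 off removes the version the question says the
#    gateway currently negotiates. A reboot is needed for SChannel to pick up the change.
# Set-SchannelServerProtocol -Protocol 'SSL 3.0' -Enable $false
# Set-SchannelServerProtocol -Protocol 'TLS 1.0' -Enable $false
# Set-SchannelServerProtocol -Protocol 'TLS 1.2' -Enable $true
```

Run the audit first and keep its output; disabling TLS 1.0 on the gateway locks out any client whose RDP stack cannot negotiate TLS 1.1 or 1.2, so test against a representative client before applying the change in production. This is the same work that would be needed with an L2TP/IPsec layer in front of the gateway: the RDP-over-TLS path inside the tunnel would still be configured exactly this way.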