DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Vigor 2860 most secure teleworking method and PCI compliance

22 Feb 2018 16:01 #1 by dansw
Hi,

I am the only one who occasionally uses SSL VPN to dial into our LAN to do admin-type things. I have to turn it off when not using it as it fails PCI scans when the SSL VPN service is running; it does not want to see self-signed certificates. Although I've lived with it, I have been asked about the possibility of giving remote access to our LAN or a workstation on our LAN to a potential teleworker. I have two questions:

1. What is the recognised/best way of using a 2860 for teleworking securely for non-IT-type people - is it SSL VPN like I am using? I worry about 'opening up' our LAN to non-IT-related personnel, both from a usability and security point of view, e.g. what damage could they accidentally do if their laptop was trojaned or stolen, etc.?

2. A couple of years ago I had a dialogue with DrayTek over the PCI failures and the options I had were to use PPTP as an alternative (never got round to trying that) or get a signed cert; however, the signed certs don't work on IP addresses but hostnames, which our router does not have. How is everyone getting round this?

Thanks

Dan

27 Feb 2018 10:47 #2 by mbames
My home IP is dynamic, but I have a self-rolled dynamic DNS solution, so I have "myhouse.mydomain.org.uk" refreshing its DNS entries every 15 minutes when the service running at home detects a change.

Therefore you could do something similar and have the cert name made out for "myhouse.mydomain.org.uk"....

28 Feb 2018 12:02 #3 by admin3
If there's not a signed / trusted certificate on the router, failing a PCI scan is to be expected unfortunately, though you could give the router a domain/subdomain and get a certificate for it that's signed by a trusted certificate authority.


  • I do think that the DrayTek SSL VPN is about the most convenient & secure teleworking method available on routers such as the Vigor 2862 at the moment, but there is the certificate requirement where PCI compliance is required

  • L2TP over IPsec protocol is also very secure - it's a bit more complex to set up but most operating systems have built-in L2TP over IPsec clients

  • On the Vigor 3900 & Vigor 2960, IPsec over Xauth is available, which is also quite secure and most VPN clients support that type of IPsec VPN

  • PPTP is no longer considered secure; the encryption of it has known weaknesses



Forum Administrator
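
As an added example (not part of the thread and not DrayTek code): a Python check of why a certificate is rejected for a given connection name, covering the self-signed and IP-versus-hostname cases discussed above. The certificate dicts are constructed samples in the layout of Python's `ssl.getpeercert()`; the hostnames, CA name and the 203.0.113.10 address are placeholders.

```python
import ipaddress
import ssl
import time

# Constructed sample certificates (ssl.getpeercert() layout), not real router data.
SELF_SIGNED = {
    "subject": ((("commonName", "router.example"),),),
    "issuer": ((("commonName", "router.example"),),),
    "notAfter": "Jan  1 00:00:00 2035 GMT",
    "subjectAltName": (),
}
CA_SIGNED = {
    "subject": ((("commonName", "vpn.example.org.uk"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "notAfter": "Jan  1 00:00:00 2035 GMT",
    "subjectAltName": (("DNS", "vpn.example.org.uk"),),
}

def _names(cert, kind):
    return [v for k, v in cert.get("subjectAltName", ()) if k == kind]

def _dns_match(pattern, host):
    # A wildcard is accepted only as the whole left-most label.
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def cert_findings(cert, connect_to, now=None):
    """Return the reasons a scanner or client would reject this certificate."""
    now = time.time() if now is None else now
    findings = []
    # Heuristic: issuer equal to subject means self-issued (no CA vouches for it).
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self-signed")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append("expired")
    try:
        ip = ipaddress.ip_address(connect_to)
    except ValueError:
        ip = None
    if ip is not None:
        # Connecting by IP only validates if the cert carries that IP as a SAN.
        sans = [ipaddress.ip_address(a) for a in _names(cert, "IP Address")]
        if ip not in sans:
            findings.append("no IP SAN for address")
    elif not any(_dns_match(p, connect_to) for p in _names(cert, "DNS")):
        findings.append("hostname mismatch")
    return findings
```

A CA-signed certificate issued for a hostname still produces a finding when the router is reached by its IP address, which is why the dynamic DNS name has to be the address clients and scanners connect to.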
