
How to secure the office environment

ng12345

Senior member
We have an interesting office setup, and are trying to figure out ways to make it more secure, and were wondering if the AT community could give some suggestions.

Currently:

3 offices
1 server @ main office running Win 2k Server
other 2 offices connect to the main office through Terminal Services

in terms of computers - there are about 10 computers at the main office, and 10 at the other 2 offices combined -- so 10 connect over LAN, and the other 10 connect as TS clients. the 20 computers run either win xp pro or win 2k pro

the software we run uses SQL server

the computers all use business grade dsl w/dynamic ips, forcing the main office to use one of those dynamic ip alias programs like dynalias.

we consulted the person who currently services our network, and he gave us an outrageous estimate (imho) of around $15k to buy a new server, sonicwall firewalls, and create a vpn between two of the three sites. in addition the new server would be placed at one of the other offices, and would hold a duplicate copy of the main server data. this would allow for people to work locally at the 2nd office, and changes would be replicated back and forth.

from my understanding of what i found online, rdp protocol is encryptable and secure when encrypted. our experience with terminal services has shown that we do not really need a local server for performance needs... mainly in case the internet connection breaks (which has happened 2 or 3 times in the past year).

data being transmitted between offices is sensitive and needs to be protected.

is there a necessity for vpn in order to be secure?
is there a necessity for a sonicwall firewall (we currently have a zyxel router/firewall that came with the dsl service)?
my main qualm with the sonicwall solution is that there is an inherent subscription charge and other licensing fees associated with it that need to be renewed yearly ... so it is not a one-time cost, but rather a recurring fixed cost.
what are some other good practices/suggestions to increase security?


all suggestions welcome and thanks in advance.
 
the big questions....

is your data/uptime/security worth 15K?
Is your current solution "enterprise grade" (don't know about zonet stuff)
what are your tolerances for downtime/what is your current DRP (Disaster recovery plan)?


remember, that 15K is a LOT more than just Hardware, it's proper setup, secured (and hopefully), and maintained.
 
i don't know what enterprise grade means

currently there is no disaster recovery plan ... the times where the connection did break, remote offices could not function. backups are made on site in case there is hardware or software failure at the main office, but if there is an issue with the dsl connection, we are out of luck. but as i said, in the past this has happened quite infrequently

the security is worth 15k if that's what it takes to be considered secure ... however, if simple levels of security, such as our current hardware firewall, encrypted rdp connections, local antivirus, and smart browsing can provide comparable levels of security, then no it is not worth 15k.

i realize secure is a vague term, and there are different grades of what people consider secure. Our offices have no internet presence other than an open port at the main office to accept incoming rdp connections. I don't think we would be big targets for outside attacks, however, we need to ensure that data transmitted between one site and another is secure and encrypted.

and also the 15k est is only for hardware and setup ... not for maintenance
... from what i remember the estimate includes:
1 server
2 sonicwall firewalls w/vpn support
1 iomega jaz drive for backup purposes
and all necessary licenses
 
From the sounds of it, you can stand the infrequent downtime, the relatively lower performance of terminal services (when compared to a local server).
What you must have is an offsite backup of the database, and a backup server. Using a jaz drive and relying on the human factor to follow through is not a good option, IMO.
I'd recommend the second server as offsite backup, and suggest stepping up to static IPs for the two server nodes. Automate the backup system as much as possible.
Most any ISP will get you a static IP for little or no more money.
 
I figured it up with Cisco gear instead of Sonicwall, and a pretty nice server.

All of these prices are ballpark list prices before the discount you'd see from a reseller

Cisco ASA 5510 Firewall/VPN device for the main office - $3500
2x Cisco PIX 506e Firewall/VPN device for remote offices - $3000 ($1500 each)
Dell PowerEdge 2800 (2.8ghz Xeon, 2x 146gig SCSI in RAID 1, Windows Server 2003 with 15 CAL's) - $3,500

So that comes out to $10k total. I factored in a lot of play with the Cisco pricing. You might see Cisco pricing as low as $2400 for the ASA and $800/ea for the 506e's. The support contracts for the Cisco gear would probably cost you several hundred dollars a year for Next Business Day replacement, and higher for 4 hour replacement.


It sounds to me like he might have factored in labor to his cost. That might be a 20-30 hour job, depending on the location of the offices and any problems, etc. If that's the case, then it's a reasonable cost as 20-30 hours can easily add 2-4k to a project if he's charging typical consulting prices. I personally would stay away from Sonicwalls, but if he supports 'em then it's best to stick with what he knows.

The thing you need to understand about RDP is that unless you're restricting your RDP connections to come from only a certain address, or you only allow them to come from VPN clients, then anyone with a port scanner can scan your network, see your RDP port open, and sit there and brute force their way into your system all day long. You'll likely never know unless an account gets locked out from bad password attempts, or someone manages to get in. It doesn't sound like you have a full-time security guru sitting there watching logs.

With a VPN, you don't need that port open from the outside, because VPN traffic is treated as being local to the LAN. You can apply permissions to this traffic though, so you can only allow VPN connections to use RDP and nothing else. That's what you should do, because if one of the remote offices gets a virus (or the central office gets one) that uses the network to spread, it'll also spread over an unfiltered VPN connection. I'd probably recommend the VPN solution in your case.

Whether you need another server is something only you can answer. If you answer yes, you'll need a VPN connection to secure the replication traffic. You'll probably also need a bigger connection if you're dealing with replicating large amounts of data.

You might also want to look into small business antivirus packages that can be managed from the server at your central office. Small business packages are usually substantially cheaper than buying the licenses individually, and allow a lot more control if they come with a management tool.


I'd also suggest you get a static IP for your central office. It's not needed for the remote offices, but you really want your clients pointing to a true static IP and not having to rely on a 3rd party service to be working in order for them to connect. It should not cost you a whole lot to get a static IP. I don't know if Sonicwall VPN appliances can connect using a hostname. I know Cisco PIX/ASA devices have to have an IP, so the central office always has to have a static IP, but the remote offices can be dynamic because they're the ones initiating the connections (usually). You might want to ask your consultant (unless someone here can answer this) if Sonicwalls need an IP or can use a host name for VPN connections.
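The "you'll likely never know unless an account gets locked out" point above is the one a defender can act on: an Internet-facing RDP listener should at least have its failed logons watched. The script below is an added example, not code from any poster in this thread; it runs a sliding-window count of failed logons per source address over a constructed log (the five-field line format is invented for illustration, not any product's real event format) and flags sources that exceed a threshold, while also returning per-source totals so that slow, low-rate guessing that stays under the window threshold is still visible.

```python
"""Flag password guessing against an exposed RDP listener from failed-logon
log lines.  Added example for this thread; the log format is constructed."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<date> <time> <FAILED|SUCCESS> <account> <source ip>".
# One source hammers several accounts in seconds; one user mistypes once;
# one source tries the same account every ~35 minutes (low and slow).
SAMPLE_LOG = """\
2005-03-14 02:11:03 FAILED administrator 198.51.100.23
2005-03-14 02:11:04 FAILED administrator 198.51.100.23
2005-03-14 02:11:05 FAILED admin 198.51.100.23
2005-03-14 02:11:07 FAILED root 198.51.100.23
2005-03-14 02:11:08 FAILED guest 198.51.100.23
2005-03-14 02:11:10 FAILED administrator 198.51.100.23
2005-03-14 08:30:12 FAILED jsmith 203.0.113.40
2005-03-14 08:30:41 SUCCESS jsmith 203.0.113.40
2005-03-14 09:02:15 FAILED administrator 192.0.2.77
2005-03-14 09:40:15 FAILED administrator 192.0.2.77
2005-03-14 10:15:15 FAILED administrator 192.0.2.77
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, outcome, account, ip)."""
    date, time, outcome, account, ip = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, outcome, account, ip


def detect_guessing(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return (alerts, totals).

    alerts: {ip: {...}} for every source with >= threshold failed logons
            inside any `window`-long span; records the accounts tried and
            whether a SUCCESS from that source followed the alert.
    totals: Counter of all failed logons per source, so sources that pace
            themselves below the threshold still show up for review.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside window
    tried = defaultdict(set)      # ip -> accounts it has failed against
    totals = Counter()
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, outcome, account, ip = parse_line(line)
        if outcome == "FAILED":
            totals[ip] += 1
            tried[ip].add(account)
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than window
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"first_seen": q[0], "accounts": set(),
                              "later_success": False}
        elif outcome == "SUCCESS" and ip in alerts:
            # A success after a burst of failures is the case to escalate.
            alerts[ip]["later_success"] = True
    for ip, info in alerts.items():
        info["accounts"] = set(tried[ip])
        info["failures"] = totals[ip]
    return alerts, totals


if __name__ == "__main__":
    found, per_source = detect_guessing(SAMPLE_LOG)
    for ip, info in found.items():
        print(f"ALERT {ip}: {info['failures']} failures from {info['first_seen']}, "
              f"accounts {sorted(info['accounts'])}, success after: {info['later_success']}")
    for ip, n in per_source.items():
        if ip not in found and n > 1:
            print(f"REVIEW {ip}: {n} failures below burst threshold")
```

The same counting logic applies to a real Windows security log once `parse_line` is adapted to its failed-logon record; pairing it with an account lockout threshold, as the post suggests, turns a silent brute-force attempt into a visible event.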
 
Thank you very much for the quick replies.

Is there a managed antivirus suite that you would recommend? I think we tried the one from norton, and all the computers seemed to be slowed down by it.

We did try a static IP before, when we had earthlink business, but the ip would change whenever there were any connection issues (which were often). we have verizon now... so maybe they have some better options.

Originally posted by: skyking
From the sounds of it, you can stand the infrequent downtime, the relatively lower performance of terminal services (when compared to a local server).
What you must have is an offsite backup of the database, and a backup server. Using a jaz drive and relying on the human factor to follow through is not a good option, IMO.
I'd recommend the second server as offsite backup, and suggest stepping up to static IP's for the two server nodes. Automate the backup system as much as possible.
Most any ISP will get you a static IP for little or no more money.

After thinking about it, I think we actually do have remote backup as it is (the person managing the network backs up to one of his servers). There is a local backup onto a networked computer (LAN), and also a backup on his server.

My main concern with replicating servers (as our consultant is suggesting) is that we would in fact need larger bandwidth with little added benefit-- would having a replicating server fulfill the same purpose as a remote/offsite backup?

The thing you need to understand about RDP is that unless you're restricting your RDP connections to come from only a certain address, or you only allow them to come from VPN clients, then anyone with a port scanner can scan your network, see your RDP port open, and sit there and brute force their way into your system all day long. You'll likely never know unless an account gets locked out from bad password attempts, or someone manages to get in. It doesn't sound like you have a full-time security guru sitting there watching logs.

With a VPN, you don't need that port open from the outside, because VPN traffic is treated as being local to the LAN. You can apply permissions to this traffic though, so you can only allow VPN connections to use RDP and nothing else. That's what you should do, because if one of the remote offices gets a virus (or the central office gets one) that uses the network to spread, it'll also spread over an unfiltered VPN connection. I'd probably recommend the VPN solution in your case.

Whether you need another server is something only you can answer. If you answer yes, you'll need a VPN connection to secure the replication traffic. You'll probably also need a bigger connection if you're dealing with replicating large amounts of data.

Thanks for this explanation. The one thing we noted is that when we tried a VPN (before switching to RDP), the data connection was extremely slow, but this could be attributed to limited bandwidth. If we do RDP over VPN will the speeds be comparable or faster than doing it as we do now?

Cisco ASA 5510 Firewall/VPN device for the main office - $3500
2x Cisco PIX 506e Firewall/VPN device for remote offices - $3000 ($1500 each)
Dell PowerEdge 2800 (2.8ghz Xeon, 2x 146gig SCSI in RAID 1, Windows Server 2003 with 15 CAL's) - $3,500

Our consultant suggested a dual opteron system. i don't want to start any amd/intel wars here, but are there specific tasks that an amd server chip would be better at than an intel one? From what i found online, there aren't any "major" manufacturers that are building amd servers.
 
Originally posted by: ng12345
Thank you very much for the quick replies.

Is there a managed antivirus suite that you would recommend? I think we tried the one from norton, and all the computers seemed to be slowed down by it.

Yes.

NOD32 - This is the best package around, IMO. It's very compact, and catches almost everything.

Trend Micro - Either the Client/Server Suite or NeatSuite, depending on what your requirements are. There is a nice table at the link that shows the differences between the packages. The client for either of these packages does not take up much in the way of system resources, although it takes more than NOD32. PC Cillin does not allow you to centrally manage anything, and it takes up a lot of system resources.

We did try a static IP before, when we had earthlink business, but the ip would change whenever there were any connection issues (which were often). we have verizon now... so maybe they have some better options.

If it is a true static IP, it will never change. Your IP must not have really been a static one, or you were told a lie, or Earthlink Business just plain sucked.


My main concern with replicating servers (as our consultant is suggesting) is that we would in fact need larger bandwidth with little added benefit-- would having a replicating server fulfill the same purpose as a remote/offsite backup?

Ideally, you'd have a backup server, and you'd have an offsite backup tape. If it's got to be one or the other, the remote backup server is just as valid as tape backup, provided that you have checks to ensure that the replication is always 100% successful. Similarly, if you're using tape you need to make sure that the tapes are readable by your tape drive before you send them off for storage. I've heard so many times of people who've sent their tapes off to be stored and didn't check them, then a disaster came and when they went to restore the tapes they wouldn't work. Tapes can get corrupted during the writing or verification process - so you need to check 'em.

Thanks for this explanation. The one thing we noted is that when we tried a VPN (before switching to RDP), the data connection was extremely slow, but this could be attributed to limited bandwidth. If we do RDP over VPN will the speeds be comparable or faster than doing it as we do now?

RDP actually takes up very little bandwidth. You can reduce the bandwidth it takes even more by turning off themes, and some other effects. You can get RDP down to the bandwidth equivalent of a 28.8kbps dial up modem, I believe.

The encryption overhead of VPN is going to reduce your throughput somewhat, but not a lot. Figure about 10-15% overhead.

Our consultant suggested a dual opteron system. i don't want to start any amd/intel wars here, but are there specific tasks that an amd server chip would be better at than an intel one? From what i found online, there aren't any "major" manufacturers that are building amd servers.

I'm not extremely well-versed on this area, but the last time I checked AMD brought better floating-point mathematics and lower cost to the table. That's pretty much all I know about that.

However, from what you've told us a dual opteron system is way overkill for 20 RDP sessions. Where I worked, we had 20 Citrix sessions running on a 2.4Ghz Xeon with 3gb of RAM. You'll need a lot of RAM on that system, but you shouldn't need dual CPUs.

As far as manufacturers, I've heard Dell is thinking about it. IBM, Sun, and HP all make Opteron-based servers.

 
As you have noted, there is a drastic difference between the way the VPN and Terminal Services work. They have (mostly) different strengths and weaknesses. VPNs are great for file transfer, but a poor way to access remote databases. TS works great for accessing large remote databases, but is slow for file transfer. Having both allows you to choose the most appropriate for each need.

Running Terminal Server sessions on a Domain Controller isn't really a great idea. Somebody crashing the DC takes down your network, plus, soft "crashes" can allow users access to your Active Directory data.

===================================================
Consider this:
Add an SBS 2003 Server, Premium Edition, as your primary Server at your main site. Use the included ISA 2004 as your Firewall and VPN Server. The SBS Server will be the gateway for your main site and all Internet transmissions will pass through it and its firewall.

Use your Windows 2000 Server as a Terminal Server at your main site. Make it a Member Server in the SBS Domain, but NOT a DC. The Windows 2000 Server will be attached to the internal network card of the SBS Server.

Add a Windows 2003 Server, Standard Edition, to a secondary site. Join it to the SBS Domain and make it a DC. Purchase ISA 2004 and install it. Additionally, move your existing SQL 2000 license to this Windows 2003 Server, to serve as a backup SQL Server.

Create a Site-To-Site VPN between the main SBS Server and the remote 2003 Server. Use the file synch method of your choice to keep a backup of your SQL database (and other critical data) on the remote Server.

Workers at the two remote sites can work as follows:

1) SBS Remote Web Workplace will give everyone full access into the SBS Server and the Windows 2000 Terminal Server. Everyone will have full access to the Exchange 2003 Server built into SBS, via Outlook, Outlook RPC over HTTPS, and Outlook Web Access.

2) Everyone will also have full access to the SBS CompanyWeb (SharePoint), which gives easily-configurable shared workspaces, calendars and shared file management.

3) Workers at the remote Server 2003 site can use the Site-to-Site VPN to access the main network if they wish, also.

4) Workers at the third site can use individual VPN client connections to the SBS Site or the Remote Server 2003 site to access data, if necessary, or they can use Terminal Services to the main site.

5) In case of disaster at the main site, you have a fully functional SQL Server and data backups accessible at the second (Windows 2003 Server) site.

With ISA Server 2004, you don't really need a fancy hardware firewall, so you can avoid that expense at the two ISA sites. You can install a low-end PIX or something similar at the third site for $1000 or so.

Security:
A) You have moved Terminal Services to a Member Server, which is considered a good security practice. Having Terminal Services on a separate Server will help balance the load and will keep TS crashes from taking down your main SBS Server.
B) You have moved the (more vulnerable) Windows 2000 Server to an internally-accessible-only location.
C) All of your connections to the main site, either through VPN or through SBS's Remote Web Workplace, are automatically fully encrypted and no additional security is necessary.
D) You have an Enterprise-class Firewall (ISA) at two sites. You can take advantage of ISA to easily set up your VPNs and to serve as a Proxy Server to monitor and control ALL employee Internet access.
E) You have secure, centralized Exchange email system, with full backups. All email transmission between sites is fully encrypted. Users can securely access their (fully synchronized) email from home, office, SmartPhone, PDA, etc.

Rough hardware/software costs:
Server with SBS 2003 Server, Premium Edition, installed (ISA, SQL, and Exchange included). With RAID 1 drives: Around $3500
15 additional CALS for SBS 2003: $1200
Windows 2003 Server, Standard Edition. (RAID 1 is optional since it's not a primary server): Around $3000
User CALS for new Windows 2003 Server: None Needed. (The SBS CALS take care of it)
ISA 2004 for secondary server: $1500
Your current Server 2000 CALs and any Server 2000 TS CALs should remain valid.

Exchange-aware Antivirus/AntiSpam software is around $50 per client per year.

You'll only need to make backups of the SBS Server. I'd recommend NOT using a Jazz drive. The choice of backup will depend on how much data you have. If you have lots of data and not much money, I'd go with multiple external USB or SATA drives and keep them moving between the main and the second remote site. I'd recommend at least four drives. Keep two at the main site and two offsite (probably at the second site). Probably get a fifth drive and keep it at the owner's home, with monthly backups aboard.

You can also use a tape drive to back up the SBS Server. The cost would be between $900 and $3000, depending on how much data you have. Tapes cost between $20 and $100 apiece, depending on the drive chosen.

Total hardware/software costs:
SBS Server with CALS: $4700
Server 2003 with CALS: $3000
ISA Server 2004 for secondary server: $1500
Hardware Firewall for 3rd site: $1000
Five 250GB USB hard drives: $750
----------------------------------------
Total: Around $11.5K

Installation and configuration would probably be around $3K-$5K.

If you really don't feel a need for a backup SQL and data server at the second site, you can dump it and use client VPN connection and SBS Remote Web Workplace Access to the SBS and Windows 2000 Terminal Server and save $4500. But you may want another low-end PIX hardware firewall at $1000, so the net savings is $3500, plus another $1000 reduction in configuration costs.
 
please don't consider a secondary/replicated server to be a "backup"


if someone deletes a record, and nobody notices till after the replication, then it's still gone

if someone deletes a record, you restore those bits from your tape/backup
 
Originally posted by: nweaver
please don't consider a secondary/replicated server to be a "backup"
Yeah, it's not. It'd have to be part of a cluster to be an instantaneous "backup". The value of a secondary/replicated server would depend on the rate of change of data, the value of individual data records, and the cost-per-hour of having no SQL Server available in case of disaster at the main site.

I normally discourage the acquisition of secondary servers solely for "backup". I think it's better to invest in a reliable "main" server, a strong backup policy, and a tested disaster recovery method.

 
Newbie here, trying to learn.

Is there a reason that for a network this small you would need a dedicated VPN hardware box? What about a software solution?
 
RebateMonger, just so you know, if you have SBS 2003, it will not let anything else be a DC. If you plan on having any other backup servers, you cannot have Windows SBS in your network. It wants to be the one and only DC. SBS is nice because it includes a lot for Small businesses but it sucks in this aspect because if that server goes down, down goes your network also.


Edit: Nevermind, I just found an article that discusses having another server as a BDC as long as the SBS server is the first and PDC. Sorry about that.
 
Originally posted by: kevnich2
Edit: Nevermind, I just found an article that discusses having another server as a BDC as long as the SBS server is the first and PDC. Sorry about that.
Thanks for following up. It's a common misconception. SBS can, indeed, include other Domain Controllers, other Exchange Servers, and other SQL Servers in its Domain. You can definitely have remote DCs. The main Domain limitations are:
1) 75 Users or less
2) No child Domains
3) No trust relationships with other Domains
4) The SBS Server must assume all five FSMO roles
 
thank you rebatemonger and boscoh for your detailed plans and everyone else for your replies.

would there be any merit to a software vpn solution?

i will post what we end up doing.
 
Originally posted by: ng12345
thank you rebatemonger and boscoh for your detailed plans and everyone else for your replies.

would there be any merit to a software vpn solution?

i will post what we end up doing.
No problem. You certainly might not need a DC at your smaller sites. It's a convenience, but not a necessity. Just be sure to have good backups of your data server and know exactly how you'll rebuild it or restore data in case of malware, hacking, theft, fire, flood, and user error.

And, regarding Security:
The WORST Security holes that most small businesses have are -
1) Easy-to-break passwords - (Require LONG pass phrases, 15 characters or longer)
2) Spyware/Trojans - (Don't allow users to be Local Administrators on their PCs)
3) "Human Engineering" (Scams. Do periodic User security training)
4) Angry employees

Hackers intercepting and cracking VPN or RDP connections would be way down on the list.
 
Originally posted by: RebateMonger
No problem. You certainly might not need a DC at your smaller sites. It's a convenience, but not a necessity. Just be sure to have good backups of your data server and know exactly how you'll rebuild it or restore data in case of malware, hacking, theft, fire, flood, and user error.

And, regarding Security:
The WORST Security holes that most small businesses have are -
1) Easy-to-break passwords - (Require LONG pass phrases, 15 characters or longer)
2) Spyware/Trojans - (Don't allow users to be Local Administrators on their PCs)
3) "Human Engineering" (Scams. Do periodic User security training)
4) Angry employees

Hackers intercepting and cracking VPN or RDP connections would be way down on the list.

That is what I was trying to convey to the office, but they are of the impression that they will be hacked. I am of the opinion that most hacking/security breaches if any will be a result of user error (downloading virus), or social engineering.

I suggested using the Microsoft Shared Computer Toolkit to prevent any permanent user induced changes to the operating system or applications ... any thoughts on this?
 
Originally posted by: ng12345


would there be any merit to a software vpn solution?

By software, I assume you mean a client installed on each PC? There's certainly merit to that. The only problem is that each client is going to take up (typically) a lot of resources on the host computer. The processing overhead is not as much as it used to be because of newer generation CPUs, but it's still there. Then you also have the throughput overhead I talked about earlier as well.

The benefit to having software clients is that the client can be configured to use the user's domain login and password, and also to automagically create "access lists" that grant permissions to the user at the network level based on what their permissions are at the Active Directory level. This requires some extra software though, although I believe ISA includes everything you need to do this. I might be wrong on that though.

Originally posted by: RebateMonger

Hackers intercepting and cracking VPN or RDP connections would be way down on the list.

Intercepting and breaking their way into an already-established VPN (provided you're using an appropriate encryption scheme. 56-bit single DES is not appropriate) or RDP session - yes. However, if you have RDP open to the public, it is incredibly easy (read: a 10 year old script kiddie can do this in his sleep) to simply port scan your network then connect to your RDP session and start brute forcing passwords. That goes back up to number 1 in your list.

Also, I'd add to your list that one of the biggest risks that all businesses face is improperly secured VPN tunnels. A VPN tunnel is an extension of your local network. If someone at a remote office downloads a self-propagating worm, it'll use the VPN tunnel to spread everywhere else. Similarly, if someone's computer gets compromised via a backdoor program ("hacked") and an attacker makes their way in, they'll have unrestricted access to potentially your entire company-wide network. You must lock down VPN tunnels.
 
Originally posted by: skisteven1
Newbie here, trying to learn.

Is there a reason that for a network this small you would need a dedicated VPN hardware box? What about a software solution?


VPN hardware offloads the whole VPN process from the local client systems. VPN hardware has the ability to create one VPN tunnel that can provide VPN access to every computer on the LAN. It creates a true "LAN-to-LAN" extension of your network.

Software allows you to automatically create network access rules based on the user's rights when they log in. Software is also usually a better choice for mobile systems, where VPN hardware is often a better choice for remote offices with many computers needing access to a VPN tunnel.

 
Both software and hardware VPNs have their place. Both can do client/server and site-to-site VPNs. Both can do both PPTP and L2TP protocols.

I mostly use software VPNs, using Windows Server and the free Microsoft VPN client. If you use ISA 2004, you really can't use a hardware-based VPN box in the conventional manner, anyway. And ISA has those nice VPN Wizards, for both client and site-to-site setups.

Microsoft claims that a single ISA Server can handle hundreds or thousands of simultaneous VPN connections, even with CPUs as slow as 500MHz, so the encryption isn't a horrible load on modern CPUs.

It's really a philosophy thing. Some people want to use hardware to perform VPN, firewall, antivirus, antispam, etc. Others want to use software to do the same thing. There are valid arguments for both philosophies.
 