
VPN Security????

ToBeMe

Diamond Member
Sorry about that if anybody noticed.........hit the darn "enter" key.........🙁

Anyway, here's my question..........

A friend of mine who's a CPA has asked me about setting up a VPN for his satellite location to his main office. He's on a T1 Wireless connection and has a server already in place and his own domain. He's currently on NT but we planned on switching to 2K Server or XP Server as he is not open to a Linux solution.......🙁

Not a big deal right? I told him we'd just setup the VPN and he could have the access quickly between the two locations. I've only setup a few VPNs, but, IMHO it's not a big deal implementing this although this is my first time with a wireless T1 connection. Anyone knowing of anything different I need to be aware of, please LMK!😉

OK, now the potential problem........over Thanksgiving he was talking with some other people who raised a concern of security concerning the VPN and the T1 connection as it concerns the sensitive data which would be transferred. I personally believe that with firewall protection we would be fine..........does anyone who is familiar with VPN use in sensitive situations have any insight into this? He's now afraid he could compromise clients' information, but, I still believe taking all precautionary measures this is still the most efficient way to connect the two locations..........anyone have any input here or any ideas as to what measures could be taken to provide further security????
 
By using his NT server to terminate a VPN, you are putting that server directly on the Internet. Definitely not the best thing to do. You'll probably be OK, but it's a risk.

Your best bet is to convince him to spend a bit of cash and pick up a couple of firewalls that have VPN capability. Cisco just came out with a new PIX that's less than $1K, and SonicWall makes some great stuff. This has two benefits - You get hardcore Internet security and provide his network a very solid level of protection AND you get industrial-strength VPN capabilities that don't rely on or expose the NT server in any way.

You would, of course, need to pick up TWO firewalls - One to build each end of the tunnel.

Soo. Can you do it with the NT server? Sure. Should you? Nope.

- G
 
Granted there are exploits for NT Servers being hunted for each day, I wouldn't see that huge of an exposure if all you are doing on that particular server is VPN. You only need to pass the VPN ports through to the server and that is the only type of data that the server will receive.

Granted there is always the VPN hackers but with all VPN solutions you are selecting it and putting some trust behind your rules that you have created to filter out hackers.

I would highly recommend you do research on each of the solutions you come up with whether it be Checkpoint, Cisco, Microsoft, etc. There are positive and negative features to each and every one of the competitive VPN solutions and you should find out what options and features you can live with and without.
 


<< Does he have a firewall already? >>


He's using a software firewall right now, but, I had already told him we would need to invest in a Hdwre Firewall and 2K or XP Server.
 


<< By using his NT server to terminate a VPN, you are putting that server directly on the Internet. Definitely not the best thing to do. You'll probably be OK, but it's a risk.

Your best bet is to convince him to spend a bit of cash and pick up a couple of firewalls that have VPN capability. Cisco just came out with a new PIX that's less than $1K, and SonicWall makes some great stuff. This has two benefits - You get hardcore Internet security and provide his network a very solid level of protection AND you get industrial-strength VPN capabilities that don't rely on or expose the NT server in any way.

You would, of course, need to pick up TWO firewalls - One to build each end of the tunnel.

Soo. Can you do it with the NT server? Sure. Should you? Nope.

- G
>>


Considering the T1 and the sensitive data involved, in your opinion would the Ciscos be the best solution? He's set up with a Gateway & Switch at each end already of course, but, will there be any conflicts considering the multiple hardware? Like I said, it's not the VPN that ever concerned me, but, Wireless is VERY new to the area and this will be my first time dealing with wireless T1............😉
 


<< Granted there are exploits for NT Servers being hunted for each day, I wouldn't see that huge of an exposure if all you are doing on that particular server is VPN. You only need to pass the VPN ports through to the server and that is the only type of data that the server will receive.

Granted there is always the VPN hackers but with all VPN solutions you are selecting it and putting some trust behind your rules that you have created to filter out hackers.

I would highly recommend you do research on each of the solutions you come up with whether it be Checkpoint, Cisco, Microsoft, etc. There are positive and negative features to each and every one of the competitive VPN solutions and you should find out what options and features you can live with and without.
>>


I've researched the heck out of it......thing is, I'm having to use the DSL solution writings because there seems to be very little wireless/T1 material out there concerning VPN.

I'd like to convince him to go Cisco.......but, being a CPA, he has some $$$$$$ and like it or not, the guy has a pretty good chunk of MS Stock and he made that clear when I suggested Linux for his server..........😉 I really wasn't that concerned about the VPN and "sensitive data" issue as I have a few VPNs locally for companies and they have not had any problems, but, they are all on dial-up and whoever my friend talked to told him the wireless connection would compromise his data over a VPN no matter what, and that he should not implement it!🙁 Tell me, maybe I'm being dumb, but what other feasible way is there to set up access between the two offices some 30 miles apart????😉
 
Is the "wireless" part of the T1 basically two dishes pointing at each other from across town?
 


<< Is the "wireless" part of the T1 basically two dishes pointing at each other from across town? >>


Well, yes, and no.........the dish he pulls signal from is actually within 50' of him, but, the signal is beamed about 40 miles to a dish which supplies the T1. I've GOT to study up on this Wireless more I suppose, you see, I service a "rural" area and DSL seems to be a pipe dream at this point, but, businesses have Wireless available to them from our Dial-Up ISP the same 40 miles away.

Will this connection cause me any unforeseen trouble in your opinion? Like I said, every VPN I've setup before has been through Dial Up and that was fairly elementary, but this is new territory for me so........😉
 
When you look at VPN, pretty much all the "real" (i.e., non-server) solutions use 3DES and have about the same level of security. There's no real difference there.

I'd agree that there is little risk with a MS VPN - behind a hardware firewall that can restrict access to specific ports. Otherwise, it's iffy, especially if you're using that same server as a gateway for outbound browsing for users inside the network.

Depending on the size of the remote office, it might even be cheaper to put in a VPN via hardware firewalls - No need to buy another server and less administration (nightly backups, troubleshooting) at the remote site. Just depends if you can squeeze enough bandwidth out of your line. Assume you'd want 56K per person. (No, it doesn't sound like much, but it's rare when more than a few people actually transfer things at once)

- G
 
Is the security problem that you are concerned about somebody pulling up in a van with a laptop and the ability to intercept the signal between the ISP and inbound dish?
 


<< Is the security problem that you are concerned about somebody pulling up in a van with a laptop and the ability to intercept the signal between the ISP and inbound dish? >>


LOL........Ya' know, the "security problem" is an issue which he wasn't concerned about......until talking with someone over Thanksgiving! I was basically going to add a Hardware Firewall in the same server and use the one in place for everything, but, the post above actually gave me an idea..........the guy is a CPA so $$$$ isn't really an object......he already stated that.........now I'm thinking how about a second server exclusively for the VPN!😉

Back to the security though.......whoever Randy (the CPA) talked to got him worried that someone could easily intercept the signal/hack his systems and obtain all his clients' personal data...........Whoever this guy was made it sound like this happens all the time on high bandwidth connections so now Randy is paranoid that he could be liable...........
 
The wireless problem was big in the news because of the 802.11b WEP hacks that made wireless through that encryption a joke.

When you run VPN over wireless though it is not the same kind of animal.

VPN over wireless is as good as VPN over cable modem/DSL/Internet T-1. If it wasn't then VPN wouldn't be popular. It basically encrypts the data so that it can be sent over public switches where it might get intercepted. The reason it is good is that the data is hard to decrypt, so you should tell your friend that he is as safe as his solution for VPN.
 
Well Santa.....I did, and I must be at least a good talker!😉 LOL! We're going to go with it and we're building a new server for just this VPN. I also convinced him to go with either Cisco or Citrix (Citrix is his idea.....never used them....any good???) and he wants to go with XP Server AND update all of his systems (11 in main office and 7 in branch location) to Win XP! I was actually pushing 2K but he doesn't want to "buy an O/S that's already a generation old".......LOL!😉

He was also bound up by an old Hub, so we're going with a 16 port switch.

Doing some checking on the wireless as I speak and Santa, you seem to be correct, it's no worse than DSL/Cable and the setup seems just about as simple.

Now.....just have to hope I remember everything and order everything I need.....................
 