Re: VPN suggestions requested

From: Wolfgang Pawlinetz (wolfgang.pawlinetz_at_space.at)
Date: 06/06/03


Date: Fri, 06 Jun 2003 05:13:47 GMT

Richard wrote:
>
> I have a small LAN (5 users) at the office running W2K advanced server and
> connecting to the Internet through a cheap basic broadband router.

I would strongly suggest implementing a security policy. This does not
necessarily mean you have to pop in a firewall, but IMO you should
investigate the threats and the risks, write them down, assess them and
then implement some measures against selected threats. This _could_ mean
a small firewall between your W2K Server and the internet, but could
also mean only securing the W2K server (which is a PIA).

> I have a user who would like to connect to the network from home to work on
> Sage Accounting software. This is a live system in use all the time so it is
> not practical to move the data files back and forth.

Ughhh.

> The potential tele-commuter will have a standard PC with either W2K or XP
> Pro installed but is unable to get ADSL in her area so will be connecting to
> the Internet through ISDN.

In this case I would really reconsider that system approach. A 64 kBit
or even a 128 kBit (channel bundling) link is most likely not able to
deliver the bandwidth necessary to run database associated traffic
across it in online mode.

I admit that I don't know the traffic the SAGE system produces, but if
it's not a dedicated, well-written SQL client-server application you
might have quite a bit of data transfer. Usually the simpler systems load
the data et al. into the client machine at startup of the program and
then update the data constantly. And they don't just update the
data difference because they have to consider record locks and things.

If worst comes to worst you will have to share drives of the server over
the VPN Connection for the ISDN User and THAT really is going to be a
bottleneck.

BTDT and believe me it is yuck.

> From what I have read VPN is probably the best solution but I am very
> confused about the wide range of different approaches and technology. It
> seems that it might be possible with just the existing software using RRAS
> in W2K Server and the VPN client in XP if the router is configured
> correctly. I have also seen lots of different hardware/software solutions
> at widely different prices.

I have too little experience with the W2K RAS, but I am notoriously
suspicious about securing a W2K Server properly once RAS has been
activated. All I've read and everything I tested shows me that it is
very hard to close all the holes.

> I want to achieve a good balance between security and cost and preferably
> something that has flexibility for future expansion. I have average
> competence with LAN configuration but I am fairly new to routers etc. and
> have only a basic understanding of VPN.

I have had the best experience buying a reasonably sized hardware
firewall for the main office and a small firewall from the same
manufacturer for the branch office. I have also selected the main office
firewall based on its ability to allow software VPN connections.

Basically, if I were to start from scratch I would stick to one
manufacturer.

Another possibility is to use Linux as the firewall operating system (many
appliances use it anyway), such as http://www.zelow.no/floppyfw/

> I'd be grateful for any advice or opinions.

HTH

Wolfgang