
VPN & Firewall

  • 04-01-2006 10:02am
    #1
    Closed Accounts Posts: 546 ✭✭✭


    My company is about to put a VPN in place. I'm gonna be the one setting it up and I've never had any dealings with any kind of VPN. Can anyone send me in the right direction? We are running Windows Server 2003. Is there some piece of magic software that we can just install and it'll all just work ;)

    Also, our current firewall is one of those home wireless network gateway things with a firewall built in. Would it be worth our while upgrading that as we're at it?

    Thanks. Ex.


Comments

  • Registered Users, Registered Users 2 Posts: 173 ✭✭happydude13


    I think you need a more comprehensive specification before you go off
    installing a VPN.

    Depending on what the intended use is,
    how secure your office LAN needs to remain,
    etc there are many options,

    As for the firewall, using a home-use router does not seem the most
    secure thing in the world, having wireless capability in it reduces the
    security even more.

    If you opt for an IPSec based VPN solution you may well find that
    your current firewall does not allow more than one connection at a time.

    eof


  • Closed Accounts Posts: 546 ✭✭✭exactiv


    Well, the intended use is to make our files available to people operating outside of our main office. People working from home, site staff etc.

    As for the security, we just want our files to be available to our own staff and no one else. And of course, we want no nasty people doing anything evil to our server.

    The server currently operates as a Domain Controller, DHCP Server, Print Server, File Server & DNS Server.

    We've been talking about the firewall upgrade for a while. If we opt for an IPSec based VPN, will we need to get one of those expensive VPN firewalls? Dlink VPN Firewall

    Is a software firewall a better/alternative/cheaper option?


  • Registered Users, Registered Users 2 Posts: 2,393 ✭✭✭Jaden


    www.ipcop.org

    Standalone Firewall with VPN.

    Download ISO, burn, install on old PC with 2 Network cards. Off you go. It is that easy.....


  • Registered Users, Registered Users 2 Posts: 327 ✭✭celt2005


    The FW on Server 2003 is NSA standard, only difference between Checkpoint/Netscreen and MS would be scalability / functionality, so FW on server is sufficient.


    What is the VPN being set up to accomplish? IPSec VPN is bandwidth intensive, SSL VPNs are also an option, but you need to quantify needs.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,567 Mod ✭✭✭✭Capt'n Midnight


    celt2005 wrote:
    The FW on Server 2003 is NSA standard,
    http://niap.nist.gov/cc-scheme/st/ST_VID4025.html
    The product, when configured as specified in either the Windows Server 2003 Security Configuration Guide (version 1.0) or Windows XP Security Configuration Guide (version 1.0), satisfies all of the security functional requirements stated in the Windows 2003/XP Security Target (Version 1.0) and is conformant to the CAPP.
    Fine but that doesn't mean it's more secure than Windows XP Pro SP2 ....
    http://www.microsoft.com/technet/security/prodtech/windowsserver2003/ccc/cccwp.mspx - M$ PR
    http://niap.nist.gov/cc-scheme/vpl/vpl_type.html = Overall list
    http://niap.nist.gov/cc-scheme/st/ST_VID4002.html - windows 2000 SP3 (not 4 ! :eek: )

    http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx - XP security config guide - so you too can have NSA approval :p

    BTW:
    The prior approval rating of C2 has been claimed for windows workstation NT 3.5 back in '95 ( as long as you don't connect it to a network or use the floppy )

    To tweak NT4 to C2 http://www.marcorsyscom.usmc.mil/sites/ia/references/software/winnt/WinNT%2040%20C2%20Configuration%20Checklist.htm

    Step 4: Windows NT 4.0 Initial Configuration

    Install Windows NT
    Reboot Windows NT and log on as Administrator
    Install printer and tape drivers
    Verify video drivers
    Install Service Pack 6a
    Install C2 Update
    Remove the NetBIOS Interface service
    Disable unnecessary devices
    Disable unnecessary services
    Remove OS/2 and POSIX subsystems
    Disable DirectDraw

    Step 5: Windows NT 4.0 Security Configuration

    Disable Guest account
    Secure base objects
    Enable NetBT to open TCP and UDP ports exclusively
    Secure additional base named objects
    Protect kernel object attributes
    Protect files and directories
    Protect the registry
    Restrict access to public Local Security Authority (LSA) information
    Restrict null session access over named pipes
    Restrict untrusted users' ability to plant Trojan horse programs
    Allow only Administrators to create new shares
    Disable caching of logon information
    Restrict printer driver installation to Administrators and Power Users only
    Set the paging file to be cleared at system shutdown
    Restrict floppy drive and CD-ROM drive access to the interactive user only
    Modify user rights membership
    Set auditing (if enabled) for base objects and for backup and restore
    Disable blank passwords
    Restrict system shutdown to logged-on users only
    Set security log behavior
    Restart the computer
    Update the system Emergency Repair Disk

    now look at http://www.windowsitpro.com/Article/ArticleID/18167/18167.html


    Compare to.
    http://www-3.ibm.com/security/standards/st_evaluations.shtml
    RS/6000 running AIX
    ...
    * AIX 4.3 with Bull's EST 2.0.1 received a common criteria B1 rating


  • Registered Users, Registered Users 2 Posts: 327 ✭✭celt2005


    Apologies for lack of detail in last e-mail, and I agree that XPSP2 is a better option.


    Maybe the NW in question could be segmented, and only specific systems be VPNed.


  • Closed Accounts Posts: 546 ✭✭✭exactiv


    Ok. Here's a description of our network:

    1x Windows Server 2003

    8x Windows 2000 clients connected to server via wired lan

    1x DSL line running into a wireless network gateway with firewall

    DSL >>> WIRELESS GATEWAY >>> SWITCH >>> SERVER & CLIENTS

    We want our employees working from outside of the office to be able to access the files located on the server across the internet from, for example, home.

    From what Celt2005 says I don't need a hardware firewall, is that the case? Surely my client machines would still need protection?


  • Registered Users, Registered Users 2 Posts: 173 ✭✭happydude13


    Well the first thing I would suggest would be to put the server in a
    DMZ, if the remote users only need access to it and not to
    other PCs on the office LAN.


  • Registered Users, Registered Users 2 Posts: 6,762 ✭✭✭WizZard


    For a small setup like this you are better off going with a free, proven solution such as IPCop, as mentioned above. It only takes a tiny system to run (my office uses a P3-450 machine for it). I also use an OpenVPN addon to it so that our remote-workers can use OpenVPN (with a Windows GUI) to connect.

    It's quite secure and very satisfactory so far - with built-in Snort IDS and some nice traffic/system graphs for management. ;)
    Some Linux experience would be beneficial in setting it up, but it's fairly easy to use.

    You can also segment wireless users, which is very useful.
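
Added example, not part of any post in this thread: a small Python model comparing the flat layout described earlier (DSL, gateway, switch, server and clients on one LAN) with the DMZ layout suggested in the replies above, audited against the stated goal of file access for remote staff only. The zone names, host names, ports and rule sets are assumptions made for illustration.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    src: str             # source zone
    dst: str             # destination zone
    port: Optional[int]  # TCP destination port; None matches any port

SMB = 445  # Windows file sharing

def reachable(zones, rules, src_host, dst_host, port):
    """True if src_host can open a TCP connection to dst_host:port."""
    s, d = zones[src_host], zones[dst_host]
    if s == d:
        return True  # same segment: traffic is switched and never crosses the firewall
    # Default deny: only an explicit allow rule between the two zones permits the flow.
    return any(r.src == s and r.dst == d and r.port in (None, port) for r in rules)

# Flat layout from the thread, with VPN users admitted to the whole office LAN (assumed).
FLAT_ZONES = {"remote": "vpn", "outsider": "internet", "server": "lan", "office_pc": "lan"}
FLAT_RULES = [Rule("vpn", "lan", None), Rule("lan", "internet", None)]

# Segmented layout: server moved to a DMZ, VPN users limited to file sharing on it.
SEG_ZONES = {"remote": "vpn", "outsider": "internet", "server": "dmz", "office_pc": "lan"}
SEG_RULES = [Rule("vpn", "dmz", SMB), Rule("lan", "dmz", SMB), Rule("lan", "internet", None)]

# Intended policy: (source, destination, port, should the flow be possible?)
POLICY = [
    ("remote", "server", SMB, True),      # remote staff reach the file shares
    ("office_pc", "server", SMB, True),   # office staff reach the file shares
    ("outsider", "server", SMB, False),   # nothing direct from the internet
    ("remote", "office_pc", SMB, False),  # a remote laptop cannot touch office PCs
    ("remote", "server", 3389, False),    # VPN grants file access, not remote desktop
    ("server", "office_pc", SMB, False),  # the exposed server cannot reach office PCs
]

def audit(zones, rules):
    """Return the policy entries that the layout violates."""
    return [p for p in POLICY if reachable(zones, rules, p[0], p[1], p[2]) != p[3]]

if __name__ == "__main__":
    for name, z, r in (("flat", FLAT_ZONES, FLAT_RULES), ("segmented", SEG_ZONES, SEG_RULES)):
        print(name, audit(z, r))
```

The model covers file sharing only; the server in the thread is also domain controller, DNS, DHCP and print server, and each of those roles would need its own LAN-to-DMZ entries in a real rule set.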


  • Closed Accounts Posts: 546 ✭✭✭exactiv


    I've no experience with Linux at all. But I think I'll give it a shot anyway ;)

    After I get all this sorted, is there a way to test the network security? Like to check if it's exposed to any kinds of attack?


  • Closed Accounts Posts: 884 ✭✭✭NutJob


    For easy VPN, and I mean easy

    http://hamachi.cc


    I've said all you need

