VPN & Firewall

exactiv

My company is about to put a VPN in place. I'm gonna be the one setting it up and I've never had any dealings with any kind of VPN. Can anyone send me in the right direction? We are running Windows Server 2003. Is there some piece of magic software that we can just install and it'll all just work

Also, our current firewall is one of those home wireless network gateway things with a firewall built in. Would it be worth our while upgrading that as we're at it?

Thanks. Ex.

happydude13

I think you need a more comprehensive specification before you go off
installing a VPN.

Depending on what the intended use is,
how secure your office LAN needs to remain,
etc there are many options,

As for the firewall, using a home-use router does not seem the most
secure thing in the world, having wireless capability in it reduces the
security even more.

If you opt for an IPSec based VPN solution you may well find that
your current firewall does not allow more than one connection at a time.

eof

exactiv

Well, the intended use is to make our files available to people operating outside of our main office. People working from home, site staff etc.

As for the security, we just want our files to be available to our own staff and no one else. And of course, we want no nasty people doing anything evil to our server.

The server currently operates as a Domain Controller, DHCP Server, Print Server, File Server & DNS Server.

We've been talking about the firewall upgrade for a while. If we opt for an IPSec based VPN, will we need to get one of those expensive VPN firewalls? Dlink VPN Firewall

Is a software firewall a better/alternative/cheaper option?

Jaden

www.ipcop.org

Standalone Firewall with VPN.

Download ISO, burn, install on old PC with 2 Network cards. Off you go. It is that easy.....

celt2005

The FW on Server 2003 is NSA standard, only difference between Checkpoint/Netscreen and MS would be scalability / functionality, so FW on server is sufficent.


What is VPN being setup to accomplish, IPSec VPN is bandwidth intensive, SSL VPN are also option, but you need to quantify needs.

Capt'n Midnight

celt2005 wrote:

The FW on Server 2003 is NSA standard,

http://niap.nist.gov/cc-scheme/st/ST_VID4025.html

The product, when configured as specified in either the Windows Server 2003 Security Configuration Guide (version 1.0) or Windows XP Security Configuration Guide (version 1.0), satisfies all of the security functional requirements stated in the Windows 2003/XP Security Target (Version 1.0) and is conformant to the CAPP.

Fine but that doesn't mean it's more secure than Windows XP Pro SP2 ....
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/ccc/cccwp.mspx - M$ PR
http://niap.nist.gov/cc-scheme/vpl/vpl_type.html = Overall list
http://niap.nist.gov/cc-scheme/st/ST_VID4002.html - windows 2000 SP3 (not 4 ! :eek: )

http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx - XP security config guide - so you too can have NSA approval

BTW:
The prior approval rating of C2 has been claimed for windows workstation NT 3.5 back in '95 ( as long as you don't connect it to a network or use the floppy )

To tweak NT4 to C2 http://www.marcorsyscom.usmc.mil/sites/ia/references/software/winnt/WinNT%2040%20C2%20Configuration%20Checklist.htm

Step 4: Windows NT 4.0 Initial Configuration

Install Windows NT
Reboot Windows NT and log on as Administrator
Install printer and tape drivers
Verify video drivers
Install Service Pack 6a
Install C2 Update
Remove the NetBIOS Interface service
Disable unnecessary devices
Disable unnecessary services
Remove OS/2 and POSIX subsystems
Disable DirectDraw

Step 5: Windows NT 4.0 Security Configuration

Disable Guest account
Secure base objects
Enable NetBT to open TCP and UDP ports exclusively
Secure additional base named objects
Protect kernel object attributes
Protect files and directories
Protect the registry
Restrict access to public Local Security Authority (LSA) information
Restrict null session access over named pipes
Restrict untrusted users' ability to plant Trojan horse programs
Allow only Administrators to create new shares
Disable caching of logon information
Restrict printer driver installation to Administrators and Power Users only
Set the paging file to be cleared at system shutdown
Restrict floppy drive and CD-ROM drive access to the interactive user only
Modify user rights membership
Set auditing (if enabled) for base objects and for backup and restore
Disable blank passwords
Restrict system shutdown to logged-on users only
Set security log behavior
Restart the computer
Update the system Emergency Repair Disk

now look at http://www.windowsitpro.com/Article/ArticleID/18167/18167.html


Compare to.
http://www-3.ibm.com/security/standards/st_evaluations.shtml

RS/6000 running AIX
...
* AIX 4.3 with Bull's EST 2.0.1 received a common criteria B1 rating

celt2005

Apologies for lack of detail in last e-mail, and I agree that XPSP2 is a better option.


Maybe the NW in question could be segmented , and only specific systems be VPNed.

exactiv

Ok. here's a description of our network:

1x Windows Server 2003

8x Windows 2000 clients connected to server via wired lan

1x DSL line running into a wireless network gateway with firewall

DSL >>> WIRELESS GATEWAY >>> SWITCH >>> SERVER & CLIENTS

we want our employees working from outside of the office to be able to access the files located on the server across the internet from, for example, home.

From what Celt2005 says I don't need a hardware firewall, is that the case? Surely my client machines would still need protection?

happydude13

Well the first thing I would suggest be to put the server in a
DMZ, if the remote users only need access to it and not to
other PCs on the office LAN.

WizZard

For a small setup like this you are better off going with a free, proven solution such as IPCop, as mentioned above. It only takes a tiny system to run (my office uses a P3-450 machine for it). I also use an OpenVPN addon to it so that our remote-workers can use OpenVPN (with a Windows GUI) to connect.

It's quite secure and very satisfactory so far - with built-in Snort IDS and some nice traffic/system graphs for management.
Some Linux experience would be beneficial in setting it up, but it's fairly easy to use.

You can also segment wireless users, which is very useful.

exactiv

I've no experience with Linux at all. But I think I'll give it a shot anyway

After I get all this sorted, is there a way to test the network security? Like to check if it's exposed to any kinds of attack?

NutJob

For easy VPN and i mean easy

http://hamachi.cc


iv said all you need