General discussion

  • #2082173

    Ed Bott’s Microsoft Challenge–March 23,

    Locked

    by ebott ·

    I’m trying to figure out how to give a fleet of mobile users access to my small corporate network, and I need your help. Should I set up remote access via dial-up lines? Or is a VPN the safe, sane, cost-effective way to go? Are other options worth exploring? I’m prepared to spend whatever it takes; I just want to make sure my network is safe from intruders. I’ve got 1,000 TechPoints to spread around to those with the best advice.

All Comments

    • #3901713

      Ed Bott’s Microsoft Challenge–March 23,

      by Anonymous ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      I would go the VPN route using PPTP over the internet. That way, anywhere your people are, they should be able to access the web without long distance charges and can get to your network. You will need to make sure to use a firewall for security purposes, but with a good one you can be pretty comfortable about being secure.

    • #3901712

      Ed Bott’s Microsoft Challenge–March 23,

      by mjones ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      How many in a ‘fleet’?
      How often do they need access? For how long?
      Does your small corp network have a nice inet connection?
      Where are you?
      What equipment, if any, do you have now?

      These questions and more need to be answered before you can start developing a good strategy.
      For example, my office is located in the boonies, where comm lines cost FOUR times the amount of our other office, however, our 10mb inet connection is half the price of our other offices’ 768kb frame.
      We went with vpn, even though we only have half a dozen remote users, for several reasons.
      1. 50% of our users have access to high speed networks when remote. Why throttle them with a dialup connection?
      2. It didn’t really cost us anything. We started with NT and PPTP, which was ok, then we procured new firewalls, which just happened to have an IPSec vpn option, which is *MUCH* easier and faster to work with.

      We still maintain two lines into the network for redundancy, one at each site.

      As a side note, our 120 person c

    • #3901711

      Ed Bott’s Microsoft Challenge–March 23,

      by mahdeekus ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      Cost appears to not be a factor and security appears to be your main concern. RAS with NT authentication is a far more secure option than VPN. RAS will be easier to administer in terms of individual user access via permissions and groups. If you have no desire for your mobile users to incur telephonic costs, you can set up toll-free RAS access.

    • #3901706

      Ed Bott’s Microsoft Challenge–March 23,

      by leo.valmores ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      I would go for RAS via dial-up lines. RAS could offer secure NT authentication and you can use the CallBack feature so users won’t have to pay toll fees. On the server side, it is easier to install and administer, besides the fact that you also have monitoring features. The bottom line is that you will have fewer headaches for remote users who are “touchy” and “experimenters” on their setups for RAS rather than on VPN setups, which are far more complicated.

    • #3901705

      Ed Bott’s Microsoft Challenge–March 23,

      by csheltcomp ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      If cost is the primary concern, just use VPN. VPN is still very secure for most users. WIN2K has the best VPN that is possible. Setup is easy, and as long as you have a static IP to VPN into, the setup is very easy. This will also eliminate the use of a second dialup if they already have internet access through an ISP. Plus the connection is as fast as the ISP connection. If you only have 28.8 modems in the dial up pool, but a 56k on the laptop, then VPN is the best way to go. You can also set up very decent security policies through VPN.

    • #3901700

      Ed Bott’s Microsoft Challenge–March 23,

      by hasse mcse/brainbench ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      Hi!

      Since cost is not a concern I would go with both RAS and VPN.

      That way I get the best of both worlds: I get a fast connection through VPN when the mobile users are with a client that has a good connection, but if their client has a bad connection or no connection at all they will still be able to dial in to our network.

      I think VPN is safe enough and dial-up is even safer, so this way we get it all.

      /Hasse

    • #3901699

      Ed Bott’s Microsoft Challenge–March 23,

      by pete.zerger ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      I would say VPN using Windows 2000 Advanced Server. You can use PPTP for your downlevel clients, and leverage the enhanced security of L2TP / IPSec as you bring Windows 2K Pro clients on line.

      If you have users in branch offices with high speed lines, you can also utilize the advanced routing capabilities of RRAS on the W2K platform to create a tunnel between locations.

      BUT: If you have clients trying to run apps over 56K or slower dial-up lines, the increased overhead required by VPN makes running apps even more difficult.

    • #3901693

      Ed Bott’s Microsoft Challenge–March 23,

      by jhamm99 ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      It depends on your goals, but I would install Citrix server Winframe. Install the apps that you want your mobile users to connect to. In the future you don’t have to update the applications on the users’ machines, just the server. I would set up a web server with SSL and post your ICA files to the web server. Split the web server and Citrix server with a firewall. As far as connection, supernet a high speed DSL line, use modems, or set up a contract with an ISP. Depends on the size of your network. If you have more questions on config info email me.

    • #3901665

      Ed Bott’s Microsoft Challenge–March 23,

      by martin.kiaer ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      Both RAS and VPN have their justification depending on what kind of mobile users your company has. If the Internet is chosen as the strategic catalyst for all external communication and the users have easy access to the Internet, then yes, VPN certainly is the way to go. On top of this you can add IPSEC, firewall authentication and/or hard-token solutions depending on how safe/cumbersome you want your VPN solution to be. But a Dial-In RAS solution certainly has its justification, especially to people who are dependent on communication based on cellular phones. There’s no need to add extra overhead by establishing a connection to an ISP and then using VPN (if the ISP even supports VPN?). Add dial-back and/or A-number verification for extra security, centralized control and better TCO. If a RAS solution is to be used, consider adding an Access Server like Cisco’s AS-5200/5300 box for maximized flexibility when defining access for RAS users.

      The point being, both options are the way to go, depending on t

    • #3901660

      Ed Bott’s Microsoft Challenge–March 23,

      by msullivan ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      Since your primary concern is security, let’s start off with the premise that security and networking are diametrically opposed. The most secure systems are locked in a room without network access and have multiple layers of security that must be passed before gaining physical access. On the other hand, I will assume that you don’t want a fleet of jet-lag-weary road warriors storming your door because your secure solution is too cumbersome for them to use.

      There are two problems you face with portable computers. Data security is important, but you cannot forget physical security. So let’s try to spend your unlimited budget where it makes the most sense. First off, you want a secure connection. RAS with required encryption and some form of encrypted authentication (MS-CHAP v2) addresses this issue. If your fleet of mobile users have cellular modems, you could implement a mandatory call back. (Please don’t let the user select the call back number when they dial in.) This will reduce the risk of Au

    • #3901658

      Ed Bott’s Microsoft Challenge–March 23,

      by msullivan ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      …the rest of the story

      This will reduce the risk of AutoDial attacks breaking into your network. Next you need to make sure that those flying corporate datacenters are secure. Win2K Pro will do a very nice job of this if you take the time to lock it down appropriately. Start with Encrypted File System for your most sensitive portable data. Off-line files and distributed databases (i.e. merge replication in SQL 7.0) can dramatically reduce the number of times your users need to dial in.

      SecurID cards and Shiva are a solution I have seen in many corporate environments. But at those same corporations I’ve also seen VPs write their PIN on the back of their SecurID card and throw the card in the same case as the portable. The lesson here is that users will find a way to circumvent any security that is bothersome to them. So you have to try and make it transparent to them. I think smart card logins, although more secure in the right hands, will fall under this category in the hands of t

    • #3901653

      Ed Bott’s Microsoft Challenge–March 23,

      by ajking ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      VPN vs. RAS? No contest – VPN is the road warrior’s dream. It is also the Admin’s and the accountant’s dream, and here’s why:
      With RAS, you not only have to maintain the RAS server/services and maintain a small ISP of modem racks; you pay monthly for digital lines and an 800 number so that users don’t rack up hotel phone bills. Remember – to get 56K dial-up, your company must have a digital connection to the phone co.
      With VPN, users make local calls to the ISP (get a big one, like AT&T), get on the VPN through your firewall with something like RSA ACE/SecurID, and are cruising at a steady speed greater than 33.6. You can make your VPN connection as big as you want and it can grow – start with a fractional T1 with a fully capable T1 CSU/DSU, and then as you need more space on the pipe, you call up the provider and get more.
      VPN will allow the remote access to grow as your company grows and will be far easier on the pocketbook – no questions about it.

    • #3901649

      Ed Bott’s Microsoft Challenge–March 23,

      by raimund ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      From my point as a user in South Africa, our net access isn’t always fast… at all… so whether the user is dialling an ISP from a hotel or connecting through another network, his net access will always be slow (sometimes worse than a 28.8 modem) even over a 56k modem (which usually runs at about 50k in SA).
      By dialling directly to the server through RAS, you’re getting the top speed available (ie about 50k) every time… security is also greater, especially if your users implement proper passwords (as opposed to their username being their p/w); you can even use callback if you know the number where they are… If cost is not a problem, there’s no thought necessary in my books. I’d definitely go with RAS.

    • #3901648

      Ed Bott’s Microsoft Challenge–March 23,

      by mikemoore ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      “I just want to make sure my network is safe from intruders.” You don’t want much, do you? You are opening your network to outside access, so any solution must rely on encryption and strong authentication. Since you say mobile, not remote, users, VPN is probably your best bet. Provide your users accounts on a large ISP, configure IPSec and L2TP, expire certs frequently, enforce strong passwords, and monitor your connections. Also develop contingencies for lost PCs or compromised passwords and make sure your users know exactly what their responsibilities are; and kick butts when you need to.

    • #3901647

      Ed Bott’s Microsoft Challenge–March 23,

      by prescott.small ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      Bottom line: What is your budget? Supporting direct dial up through long distance service or through a 3rd party like CompuServe is prohibitively expensive. Users never remember to hang up their dial-up connection, often staying dialed in all day long. Some even go home at the end of the day racking up $5.00/hr 1-800 access. If they can have local dial-up through a $10 to $20 / month ISP and use VPN and PPTP you can save 10’s of 1000’s of $$$$$$$. We have users that rack up more in 33.6 dial than it costs for an MCI frame relay dedicated circuit. Money is the deciding factor.
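      Three operational points recur in the replies above: monitor your connections (mikemoore), require encrypted authentication such as MS-CHAP v2 plus link encryption (msullivan), and catch users who stay dialed in all day (prescott.small). The script below is an added example, not code from this thread or from any RAS or VPN vendor; its log format and sample lines are constructed here, so only parse_line() would need adapting to real RAS/IAS or VPN head-end logs.

```python
# Added example (not from the thread or any vendor): review remote-access
# logs for the points the replies raise. Log format constructed for the example.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp | event | user | key=value ...
SAMPLE_LOG = """\
2000-03-23 08:02:11 | AUTH_OK | jsmith | caller=+15551230001 | auth=MSCHAPv2 | enc=MPPE128
2000-03-23 08:02:12 | CONNECT | jsmith | session=101
2000-03-23 08:15:40 | AUTH_FAIL | admin | caller=+15559990000 | auth=MSCHAPv2 | enc=MPPE128
2000-03-23 08:15:52 | AUTH_FAIL | admin | caller=+15559990000 | auth=MSCHAPv2 | enc=MPPE128
2000-03-23 08:16:03 | AUTH_FAIL | root | caller=+15559990000 | auth=MSCHAPv2 | enc=MPPE128
2000-03-23 08:16:15 | AUTH_FAIL | ebott | caller=+15559990000 | auth=MSCHAPv2 | enc=MPPE128
2000-03-23 09:30:00 | AUTH_OK | mlee | caller=+15551230002 | auth=PAP | enc=none
2000-03-23 09:30:01 | CONNECT | mlee | session=102
2000-03-23 11:45:09 | DISCONNECT | mlee | session=102
2000-03-23 18:20:30 | DISCONNECT | jsmith | session=101
"""

# Policy the thread argues for: encrypted authentication plus link encryption.
ALLOWED_AUTH = {"MSCHAPv2"}
ALLOWED_ENC = {"MPPE40", "MPPE128"}

def parse_line(line):
    """One constructed log line -> dict (None for blank or short lines)."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) < 3:
        return None
    ev = {"ts": datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S"),
          "event": parts[1], "user": parts[2]}
    for kv in parts[3:]:          # remaining fields are key=value pairs
        key, _, value = kv.partition("=")
        ev[key] = value
    return ev

def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]

def auth_floods(events, threshold=4, window=timedelta(minutes=5)):
    """Callers with >= threshold failed logins inside a sliding window:
    the 'hack utilities on the RAS pool' pattern, often across many users."""
    recent, flagged = defaultdict(deque), {}
    for ev in events:
        if ev["event"] != "AUTH_FAIL":
            continue
        caller = ev.get("caller", "?")
        q = recent[caller]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[caller] = max(flagged.get(caller, 0), len(q))
    return flagged

def policy_violations(events):
    """Successful logins that bypassed the required auth or encryption."""
    out = []
    for ev in events:
        if ev["event"] != "AUTH_OK":
            continue
        reasons = []
        if ev.get("auth") not in ALLOWED_AUTH:
            reasons.append("auth=" + ev.get("auth", "?"))
        if ev.get("enc") not in ALLOWED_ENC:
            reasons.append("enc=" + ev.get("enc", "?"))
        if reasons:
            out.append((ev["user"], ev.get("caller", "?"), ", ".join(reasons)))
    return out

def long_sessions(events, limit=timedelta(hours=8)):
    """Sessions held open longer than limit (the all-day dial-in problem)."""
    start, over = {}, {}
    for ev in events:
        sid = ev.get("session")
        if ev["event"] == "CONNECT":
            start[sid] = ev["ts"]
        elif ev["event"] == "DISCONNECT" and sid in start:
            dur = ev["ts"] - start.pop(sid)
            if dur > limit:
                over[(ev["user"], sid)] = dur
    return over
```

      On the sample, the caller +15559990000 is flagged for four failures in under a minute across three usernames, mlee's PAP/unencrypted login is reported as a policy violation, and jsmith's session is reported for running over ten hours.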

    • #3901639

      Ed Bott’s Microsoft Challenge–March 23,

      by kderby2000 ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      Win NT’s built-in VPN solution is perfect for what you’re trying to do. Direct client support for it is _very_ easy to set up in Win 9x and NT/2000 clients; it’s basically 2-3 clicks and your users will be connected. Additionally, the MS solution blends directly in with your NT’s DHCP & WINS systems, so it’s really easy to get everything running securely.

      !!! BUT !!!, when you specifically mention mobile users, I get a little concerned. First off, if you’re doing anything with roaming profiles, be aware that speed becomes a serious issue, as the VPN tunnelling slows things down a bit (due to all the security overhead). Also, Outlook 2000/98 running not just over dial-up but particularly over VPN are -very- slow when connecting as an Exchange client (POP3 connections are fine). So, be sure your users are utilizing .ost file(s).

      As a side note, if you’re also intending on having your users store files at a central, internal server for road access, Win 2000 implements a “mirroring”-like function for f

    • #3901635

      Ed Bott’s Microsoft Challenge–March 23,

      by aadbon ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      Well the Intel in out of a box pptp seems to be the best solution in case users are travelling for long distances, and most of the applications are web enabled or can be integrated with the web. It is quite workable for a small network and easy for implementation. After takeover of Shiva corp currently they have a special scheme going on. The only problem is that if the internet connection is not available (dialup to the mobile user) this solution goes for a toss. Since you do not care for cost, you could consider going for a private network using modems (use cell phones or land lines) and a RAS; however you will have to make an expensive long distance call to get into the network. But no application needs to be changed.

    • #3901634

      Ed Bott’s Microsoft Challenge–March 23,

      by zpjohnstone ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      If security is your primary concern, and cost is not an issue, then your best bet would be to install a Cisco PIX firewall, terminate the L2TP tunnel there and have remote users connect with Cisco’s VPN client software. Then install Cisco Secure on your PDC to authenticate remote users. This solution gives you the familiar GUI interface for day-to-day management and a hardware based firewall solution which beats any software based firewall solution hands down. With software based firewalls, not only do you have the OS to run exploits against, but you also have Raptor or Checkpoint-1 or whatever you would use, and that’s not even taking into consideration the required downtime on your access server for patching and upgrading (and everybody who has administered Raptor knows how often you have to patch it).
      And did I mention that the fastest software based firewall is twice as slow making routing decisions, rule set enforcement, etc and so on.
      But that’s just how I would do it.

    • #3901628

      Ed Bott’s Microsoft Challenge–March 23,

      by ken_mclane ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      I currently am using Citrix for a similar setup, and am using a low end DSL connection as the connection to the server. Performance is fine even running Visual FoxPro apps with a 56k dial up on the other end. However, Win2K has a built in RDP protocol that will handle most tasks that Citrix now does. Although it does not support clients other than MS, it will enable your users to work, and even print remotely.

      Of course, security issues need to be addressed, but a good firewall can take care of that. We also use a separate server for app and data, the Terminal server has nothing of importance on it, and users logging in from the internet must be authenticated by a Novell Server.

    • #3901620

      Ed Bott’s Microsoft Challenge–March 23,

      by fido ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      For realistic and reliable performance, and tight security, I would suggest using at least one Citrix Metaframe server (possibly more in a server farm depending on the number of users and the resource demands of the applications they are running). I would also install the SecureICA add-on with either 128bit or 64bit encryption to secure and encrypt your connections (the decision on 64bit versus 128bit would depend on whether you had international roaming users). This solution would permit you to set up a standard ISDN/Frame/Whatever internet connection to your head office, with a DMZ (demilitarized zone) containing the Citrix server so that it is exposed to your external users. Then just give your users standard PSTN dialup internet accounts. This system has the advantage of being able to be accessed worldwide via any ISP and with a very thin client and a minimal amount of configuration.
      The user would only have to carry around two floppy disks with a preconfigured client on them to load onto a PC wh

    • #3901617

      Ed Bott’s Microsoft Challenge–March 23,

      by allan ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      Since these are mobile users, I’d skip right to Windows 2000 Terminal Server using IPSec security. It would provide a secure environment and give the users a great means of computing even over a dial-up connection.

    • #3901615

      Ed Bott’s Microsoft Challenge–March 23,

      by tony hogan ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      Depends on what access your remote users need. Another option may be Terminal Services if bandwidth / end user needs are an issue.

      VPNs w/ PPTP
      Pros: cost effective; fairly secure.
      Cons: security of end user machines – i.e. if I hack the remote, I’m into your server!; who pays for end user ISP connections; also is this public internet or private WAN VPN – costs????

      RAS
      Pros: security, local control
      Cons: speed, multiple support modes [ISDN, Dialup]; limited if nonexistent support for DSL and Cable modems

      Terminal Services
      Pros: minimized connections; performance gains [if required]
      Cons: setup cost and support, will also demand connectivity [RAS or VPN] as well, but may offer better end user productivity as connections are localized to the terminal server with “screen i/o” connections only

      Overall, it’s a mixed bag that requires some [yuck!] ROI analysis re: user needs, # of users, etc.

      -tony

    • #3901601

      Ed Bott’s Microsoft Challenge–March 23,

      by nichomach ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      Given that you wish to make your network securely available, I would go with remote access, simply because there are fewer intervening points for intruders to get at.
      1. They’d have to know your dialup lines
      2. They’d have to get past encrypted authentication
      However, I would be loath to rely on NT’s RAS service, which has a slight falling-over tendency, and can leave the RAS services in a hung state which only a reboot can cure. I would offload those dialup duties onto a dedicated RAS server, such as those from Shiva or Multitech. In the final analysis, if something goes wrong on your RAS box, you can flick the power switch without disturbing your LAN users.
      VPNs look more cost effective, but you’re adding another point of attack to your network, as in:
      user > telco > ISP > internet > telco > network versus
      user > telco > network
      That’s my two penn’orth anyway.

    • #3901594

      Ed Bott’s Microsoft Challenge–March 23,

      by xwindowsjunkie ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      My suggestion, especially since security is the concern: use dialup networking with RAS, put WinNT on all laptops, VPN and PPTP, and 1-800 incoming access. Set up Microsoft encryption, VPN and PPTP on the RAS and the remote clients. As an added fillip, if 1-800 incoming is too expensive at the server, set up a server application (using the third-party authentication hook) that allows the mobile user to specify a dialback number after authentication so that most of the long distance service charges are at the server end and not out in the mobile world. That will allow a major discount on the server long distance bill. The alternative, a 1-800 ISP account, has costs also. Remember that you have to figure in the cost of all those mobile users accessing the corporate ISP accounts. The major cost in this system is going to be the communications and long distance cost, not the computer hardware.

      With practically all of the secure networking protocols hacked open, PPTP/VPN over dialup access to an 1-800 I

    • #3901582

      Ed Bott’s Microsoft Challenge–March 23,

      by mcomeau ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      If money is truly no object, then you don’t need to worry about connection speed. Some other points:
      1.) VPN encrypting/decrypting places too much overhead on the remote clients.
      REBUTTAL: you aren’t thinking about the full range of VPN options… if cost is no object, do your encryption in hardware! Get each user their own remote VPN box (which are very small and portable), which does the IPSec stuff in ASIC.

      2.) VPN is not as secure as RAS.
      REBUTTAL: Not as secure??? Who can crack 168 bit encryption with 2 minute key regeneration? You can also put a firewall in-line with the VPN head end for increased security…

      3.) You have to worry about your people at remote locations messing around with their config.
      REBUTTAL: some vendors have taken steps to lock part or all of the settings in the client configuration software. Another solution is to ship out preconfig’d hardware (cost is no object, remember?) without giving the users the necessary password info or client config software needed

    • #3901481

      Ed Bott’s Microsoft Challenge–March 23,

      by dapowers ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      Money not being an issue, I would probably put in something like a Timestep VPN gate outside the firewall and have a 1-800 number for the users to dial into (user convenience, company tracking). A software component on the PC creates a VPN to connect to the gate using PKI infrastructure. For home users give them a single user hardware gate for their DSL or cable modem. Then use router port routing to push VPN data to the gate and deny everything else. Using something like a Cisco AS5300 as a RAS server you could also lock down the dial up ports and routing. Sounds reasonable…

      Bill sends…

    • #3901473

      Ed Bott’s Microsoft Challenge–March 23,

      by gary_it ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      VPN is definitely the way to go. I wouldn’t trust dial up access at all. Anyone can run hack utilities on the RAS pool. VPN is the safest and only way to go… in my opinion. That and maybe secure cards for special people (if money isn’t an object). With all of the hacking going around lately I wouldn’t take any chances.

    • #3896299

      Ed Bott’s Microsoft Challenge–March 23,

      by ggreynolds ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      This is a multi-tier question and has multiple answers based on several questions which need to be asked.
      Are your users going to be using Win2K laptops or NT workstations or Win9x, or is it a combo of the above?
      Are your users going to be running large programs locally, or are they going to be transferring large amounts of data when they access your network?
      Based on security being the primary concern, but flexibility for your mobile user being the next biggest concern:
      I would suggest Win2K Professional on your mobile users’ workstations and use EFS for encrypting sensitive data on the mobile workstation.
      I would then use L2TP or PPTP to encrypt incoming connections to your Win2K Network. I would say it is definitely a requirement to have a good firewall to prevent unauthorized incoming IP traffic. I would also place this in a DMZ so there is no direct access into your internal network. On this server residing on your DMZ I would basically only allow it to know about what services that your mobile user

    • #3896812

      Ed Bott’s Microsoft Challenge–March 23,

      by rzorz ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      Since money isn’t an issue, go with Terminal Server or Citrix. At least in our case, our SQL-based app wouldn’t work over a dialup. Although I didn’t use VPN, I’ve heard from other users that the connection is the equivalent of a 9600 baud connection. So again, for our SQL app, that would’ve been unacceptable. You can connect thru the internet, so access for the road warriors is easy. And setting up the client was as simple as handing them a diskette and some simple instructions.

    • #3741356

      Ed Bott’s Microsoft Challenge–March 23,

      by ebott ·

      In reply to Ed Bott’s Microsoft Challenge–March 23,

      This question was auto closed due to inactivity
