Is a VPN the right choice for me?

I have been asked to completely redevelop an organization's computer infrastructure. They are set up in two small offices, in two separate towns. I have heard that a VPN is the right way to go; however, I am not familiar with the technology because I usually set up end-user home networks. I need a lot of help in this area. I can go in any direction with this project, costs at a minimum. All I am starting with is that all computers in the network will be running Windows 2kpro. My first question: Does this situation require a VPN? My second question: If it does require a VPN, what software-wise do I need to do, and what external hardware should I purchase to set this up (I also want each office, of no more than 20 users, to be connecting to the internet via a cable or DSL connection)?

Two routes

by Oz_Media In reply to Is a VPN the right choice ...

A software based VPN will be more cost intensive as it will require additional servers, NOS and security hardware/software installed. ie. Novell network with Border Manager. This is not going to be cost effective for a smaller company.

If your needs are basic file sharing and not running apps over the VPN, I would recommend the newer Linksys routers with built-in VPN technology. I just set up a small two-office dental organization with a similar system; the routers cost $150 Canadian for BOTH! They offer standard encryption and the older IPSEC if needed for compatibility. Users just have desktops attached to the routers at each end for a workgroup type of network. It is simple, it is VERY inexpensive, it requires minimal hardware, security is fine for a smaller organization and file transfer/sharing is excellent. Now they don't recommend using an application server across it but the company I worked with are running real-world accounting software across it without problems. The dentists themselves have laptops with wireless built-in and just turn up at the office and login, either end.

VERY easy, safe and secure and it works for less than $200.00.

Thanks so much! Few More questions

by RAGEDBULL In reply to Two routes

First off, I want to check that this is the router you're talking about:

Now, I will still be setting up a VPN with one of these routers at each end? Do I need to have a server, or can I just connect all the computers directly to this router? If so, will this allow them to share files as if they were not over the internet but on the same LAN? What software issues do I need to address when setting this up on win2kpro machines? The two offices will both have cable modems attached to these routers. Finally, will it be possible to remote access into the network? This is not necessary, but would be nice to do. Thanks for all your help!

Are you kidding me?

by cpuboy456 In reply to Thanks so much! Few More ...

If you are going to use Linksys routers to set up this VPN, be prepared to do a lot of maintenance on this network.

Also you are doing this for a Dr.'s office, correct? If this is the case you need to look into HIPAA regulations. Doctors' offices have been shut down before because of HIPAA violations. Linksys does not provide enough security to be HIPAA compliant.

If you want to keep listening to this other fellow that's cool, but if you want to know how to do a simple site to site VPN I am your guy. Just let me know.

Do you have posters

by Oz_Media In reply to Are you kidding me?

I bet you have posters of yourself all over your room, don't you?

This isn't a discussion forum, it is a Q&A forum. The poster had several VERY simple questions and has received simple answers and solutions.

For some unknown reason you feel that your opinion deserves more merit than others shared here.

Perhaps instead of TRYING to be the all knowledgeable one (there are none of those here), you could simply add your thought and a few examples to reinforce your recommendations without getting weepy about it.

Better still, you want to make a point, post a new discussion topic, we'll see how well it stands up to criticisms from others.

As for configuration of the Linksys VPN routers, piece of cake, "clickety-click BABA trick". Not exactly a configuration nightmare, perhaps a few minutes of non-REM sleep.

OOOOOOOPS!!! It IS A discussion.

by Oz_Media In reply to Do you have posters

Damn, they HAVE to straighten out these ongoing Discussion vs Q&A issues.

But anyhow, not the place for such comments.

Well thank you Oz Media

by cpuboy456 In reply to Do you have posters

I was not trying to be the all knowing IT guru. I was simply trying to make a point to the original poster that the solution you recommended would not be best for the situation he is in. I personally do not think that your solution was the best solution. The original poster did not seem to have a lot of experience with VPNs so I simply gave him another alternative because in the long run your recommendation would have failed. Please don't take my posts personally, I have a right to my opinion and you have a right to yours.

This right here is why TechRepublic is so good.

That's right

by Oz_Media In reply to Well thank you Oz Media

Your post was not worded so eloquently though.

SUBJECT: "Are you kidding?"

Body: "If you want to keep listening to this other fellow that's cool, but if you want to know how to do a simple site to site VPN I am your guy. Just let me know "

This isn't voicing YOUR input, this is denying another solution and stating that in a PRIVATE email you will offer better advice. We have a forum for posting advice, why not share your wisdom with the rest of the class? Is it because it may be downplayed or proven wrong?

OZ come on

by cpuboy456 In reply to That's right

The only reason I suggested to use a "private email address" was so we could discuss his situation without postings.

this isn't voicing YOUR input, this is denying another solution and stating that in a PRIVATE email you will offer better advice,

As for you OZ, I think you are a little upset. I do apologize if I made you feel insignificant. That's not what I was trying to do.


by Oz_Media In reply to That's right

Nobody makes me feel insignificant in any way, never have and never will, it's just not in the cards for me.

The use of this forum is specifically for those who want advice and for others to share and learn from everyone's advice.

Discussing it privately may help resolve the issue but is to nobody's benefit here. This would defeat the entire purpose of a technical discussion and turn it into a private tutorial.

The major advantage to posting here is to receive feedback from others, others may learn from your input, that's what an IT discussion is all about, sharing and learning.

To say it would save posting here doesn't make sense, that's exactly why this forum is built, not so we can discuss weather and politics, that's a sideline and this topic is what is meant to be here.

I welcome your input but keep it online so it is at least useful to others.

Pre-Shared Keys and why they are bad

by LordInfidel In reply to Two routes

While I'll give companies such as Linksys kudos for trying to make it easy to set-up and make vpn connections.

It is that same "easy ness" that makes it insecure.

Pre-Shared Keys (PSK) even ones using 3DES are not 100% secure. Most people will opt to use DES and a weak key. This defeats the whole purpose of the IPSec connection.

Now before anyone goes saying, "Well how do you break that and hack in", they should visit (s) <the gods of IPSec> site and look at their IPSec communities area, more importantly

I personally believe in setting up a Linux box with FreeS/WAN using X509 certs that are self-signed.

Basically I create a Linux box that is not connected to the net and make it my CA. Then I generate all of my x509 certs from it. By having my root CA offline, I can be guaranteed that no one can compromise my root CA.

I also use 2048 bits for the encryption instead of the standard 1024. Then each side of the vpn gateway gets a DER cert of the CA so they each know about it, and then copies of each other's certs. Each side only needs to know their own secret password for its own key file. And since they both trust the CA, authentication works flawlessly.

No matter how hard you try, no man in the middle attack will ever be achieved unless you somehow manage to compromise the Root CA.

PSK BAD!!!!!!! Use RSA signatures if you really have to, just stay away from PSKs.
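
The offline-CA procedure described in the post above, sketched with the OpenSSL command line as an added example; it is not part of the original post and is not FreeS/WAN's own tooling. The directory layout, subject names, certificate lifetimes and the `CA_PASS`/`GW_PASS` environment variables are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Constructed example: directory layout, subjects and lifetimes are illustrative.
# Passphrases come from the environment (CA_PASS, GW_PASS), not the command line.

# Minimal OpenSSL config so the result does not depend on the system openssl.cnf.
write_cfg() {  # $1 = path of the config file to create
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
O = Example Org
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_gw]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF
}

# Run on the offline machine: 2048-bit root key, self-signed root certificate,
# and a DER copy of that certificate to hand to each gateway.
make_ca() {  # $1 = CA directory
  mkdir -p "$1" && chmod 700 "$1" && write_cfg "$1/ca.cnf" &&
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -config "$1/ca.cnf" \
    -extensions v3_ca -subj "/O=Example Org/CN=Example VPN Root CA" \
    -passout env:CA_PASS -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl x509 -in "$1/ca.pem" -outform DER -out "$1/ca.der"
}

# Issue a 2048-bit gateway key and a certificate signed by the root.
issue_gw() {  # $1 = CA directory, $2 = gateway name
  openssl req -new -newkey rsa:2048 -sha256 -config "$1/ca.cnf" \
    -subj "/O=Example Org/CN=$2" -passout env:GW_PASS \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -passin env:CA_PASS -CAcreateserial -sha256 -days 825 \
    -extfile "$1/ca.cnf" -extensions v3_gw -out "$1/$2.pem" 2>/dev/null
}

# A gateway accepts a peer only if its certificate chains to the trusted root.
peer_trusted() {  # $1 = trusted CA certificate (PEM), $2 = peer certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Only `ca.der` and each gateway's own key and certificate leave the CA machine; `ca.key` stays on the box that is never connected to the network.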
