General discussion

  • Creator
    Topic
  • #2285892

    Is a VPN the right choice for me?

    Locked

    by ragedbull ·

    I have been asked to completely redevelop an organization’s computer infrastructure. They are set up in two small offices, in two separate towns. I have heard that a VPN is the right way to go; however, I am not familiar with the technology because I usually set up end-user home networks. I need a lot of help in this area. I can go in any direction with this project, costs at a minimum. All I am starting with is that all computers in the network will be running windows 2kpro. My first question: Does this situation require a VPN? My second question: If it does require a VPN, what software-wise do I need to do, and what external hardware should I purchase to set this up (I also want each office, of no more than 20 users, to be connecting to the internet via a cable or DSL connection)?

All Comments

  • Author
    Replies
    • #3383339

      Two routes

      by oz_media ·

      In reply to Is a VPN the right choice for me?

      A software based VPN will be more cost intensive as it will require additional servers, NOS and security hardware/software installed, i.e. Novell network with Border Manager. This is not going to be cost effective for a smaller company.

      If your needs are basic file sharing and not running apps over the VPN, I would recommend the newer Linksys routers with built in VPN technology. I just set up a small two office dental organization with a similar system, the routers cost $150 Canadian for BOTH! They offer standard encryption and the older IPSEC if needed for compatibility. Users just have desktops attached to the routers at each end for a workgroup type of network. It is simple, it is VERY inexpensive, it requires minimal hardware, security is fine for a smaller organization and file transfer/sharing is excellent. Now they don’t recommend using an application server across it but the company I worked with are running real world accounting software across it without problems. The dentists themselves have laptops with wireless built-in and just turn up at the office and login, either end.

      VERY easy, safe and secure and it works for less than $200.00.

      • #3383320

        Thanks so much! Few More questions

        by ragedbull ·

        In reply to Two routes

        First off, I want to check that this is the router you’re talking about:

        http://www.linksys.com/products/product.asp?grid=34&scid=29&prid=589

        Now, I will still be setting up a VPN with one of these routers at each end? Do I need to have a server, or can I just connect all the computers directly to this router, and if so will this allow them to share files as if they were not over the internet but on the same LAN? What software issues do I need to address when setting this up on win2kpro machines? The two offices will both have cable modems attached to these routers. Finally, will it be possible to remote access into the network - this is not necessary, but would be nice to do. Thanks for all your help!

        • #3383238

          Are you kidding me?

          by cpuboy456 ·

          In reply to Thanks so much! Few More questions

          If you are going to use Linksys routers to set up this VPN be prepared to do a lot of maintenance on this network.

          Also you are doing this for a Dr.’s office, correct? If this is the case you need to look into HIPAA regulations. Doctors’ offices have been shut down before because of HIPAA violations. Linksys does not provide enough security to be HIPAA compliant.

          If you want to keep listening to this other fellow that’s cool, but if you want to know how to do a simple site to site VPN I am your guy. Just let me know.

        • #3383142

          Do you have posters

          by oz_media ·

          In reply to Are you kidding me?

          I bet you have posters of yourself all over your room don’t you?

          This isn’t a discussion forum, it is a Q&A forum. The poster had several VERY simple questions and has received simple answers and solutions.

          For some unknown reason you feel that your opinion deserves more merit than others shared here.

          Perhaps instead of TRYING to be the all knowledgeable one (there are none of those here), you could simply add your thoughts and a few examples to reinforce your recommendations without getting weepy about it.

          Better still, if you want to make a point, post a new discussion topic, we’ll see how well it stands up to criticism from others.

          As for configuration of the Linksys VPN routers, piece of cake, “clickety-click BABA trick”. Not exactly a configuration nightmare, perhaps a few minutes of non-REM sleep.

        • #2674401

          OOOOOOOPS!!! It IS A discussion.

          by oz_media ·

          In reply to Do you have posters

          Damn, they HAVE to straighten out these ongoing Discussion vs Q&A issues.

          But anyhow, not the place for such comments.

        • #2674089

          Well thank you Oz Media

          by cpuboy456 ·

          In reply to Do you have posters

          I was not trying to be the all knowing IT guru. I was simply trying to make a point to the original poster that the solution you recommended would not be best for the situation he is in. I personally do not think that your solution was the best solution. The original poster did not seem to have a lot of experience with VPNs so I simply gave him another alternative because in the long run your recommendation would have failed. Please don’t take my posts personally, I have a right to my opinion and you have a right to yours.

          This right here is why techrepublic is so good.

        • #2684049

          That’s right

          by oz_media ·

          In reply to Well thank you Oz Media

          Your post was not worded so eloquently though.

          SUBJECT: “Are you kidding?”

          Body: “If you want to keep listening to this other fellow thats cool, but if you want to know how to do a simple site to site VPN I am your guy. Just let me know ”

          This isn’t voicing YOUR input, this is denying another solution and stating that in a PRIVATE email you will offer better advice. We have a forum for posting advice, why not share your wisdom with the rest of the class? Is it because it may be downplayed or proven wrong?

        • #2729460

          OZ come on

          by cpuboy456 ·

          In reply to That’s right

          The only reason I suggested to use a “private email address” was so we could discuss his situation without postings.

          this isn’t voicing YOUR input, this is denying another solution and stating that in a PRIVATE email you will offer better advice,

          As for you OZ I think you are a little upset. I do apologize if I made you feel insignificant. That’s not what I was trying to do.

        • #2729761

          misunderstood

          by oz_media ·

          In reply to That’s right

          Nobody makes me feel insignificant in any way, never have and never will, it’s just not in the cards for me.

          The use of this forum is specifically for those who want advice and for others to share and learn from everyone’s advice.

          Discussing it privately may help resolve the issue but is to nobody’s benefit here. This would defeat the entire purpose of a technical discussion and turn it into a private tutorial.

          The major advantage to posting here is to receive feedback from others, others may learn from your input, that’s what an IT discussion is all about, sharing and learning.

          To say it would save posting here doesn’t make sense, that’s exactly why this forum is built, not so we can discuss weather and politics, that’s a sideline and this topic is what is meant to be here.

          I welcome your input but keep it online so it is at least useful to others.

      • #3383315

        Pre-Shared Key’s and why they are bad

        by lordinfidel ·

        In reply to Two routes

        While I’ll give companies such as Linksys kudos for trying to make it easy to set up and make VPN connections, it is that same “easiness” that makes it insecure.

        Pre-Shared Keys (PSK), even ones using 3DES, are not 100% secure. Most people will opt to use DES and a weak key. This defeats the whole purpose of the IPSec connection.

        Now before anyone goes saying, “Well how do you break that and hack in”, they should visit freeswan.org’s site and look at their IPSec communities area, more importantly http://ikecrack.sourceforge.net/

        I personally believe in setting up a linux box with freeswan using X509 certs that are self-signed.

        Basically I create a linux box that is not connected to the net and make it my CA. Then I generate all of my x509 certs from it. By having my root CA offline, I can be guaranteed that no one can compromise my root CA.

        I also use 2048 bits for the encryption instead of the standard 1024. Then each side of the vpn gateway gets a DER cert of the CA so they each know about it, and then a copy of each other’s certs. Each side only needs to know their own secret password for its own key file. And since they both trust the CA, authentication works flawlessly.

        No matter how hard you try, no man in the middle attack will ever be achieved unless you somehow manage to compromise the Root CA.

        PSK BAD!!!!!!! Use RSA signatures if you really have to, just stay away from PSK’s.
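
The offline-CA workflow the post above describes, as an added example (editor’s code, not the poster’s setup and not tied to FreeS/WAN): an OpenSSL shell script that builds a self-signed 2048-bit root CA, issues a certificate to each VPN gateway from it, exports the CA certificate in DER form for the gateways to import, and verifies each gateway certificate against the CA. The working directory, the gateway names gw-office-a and gw-office-b, and the passphrases are constructed placeholders; in a real deployment the CA functions run only on the disconnected machine, and only CSRs and signed certificates move between it and the gateways.

```shell
#!/bin/sh
# Added example (not from the thread): an offline root CA issuing X.509
# certificates for two IPsec gateways with OpenSSL. Directory, gateway
# names and passphrases below are constructed placeholder values.
set -e

WORKDIR="${WORKDIR:-./offline-ca-demo}"
KEY_BITS=2048                   # 2048-bit RSA rather than the 1024 default
CA_PASS="ca-demo-passphrase"    # constructed; really typed at the offline box

# make_root_ca: CA key (encrypted at rest) plus a self-signed CA certificate.
# This and issue_gateway_cert are the only steps that ever touch ca.key.
make_root_ca() {
    mkdir -p "$WORKDIR"
    openssl genrsa -aes256 -passout "pass:$CA_PASS" \
        -out "$WORKDIR/ca.key" "$KEY_BITS" 2>/dev/null
    openssl req -new -x509 -days 3650 \
        -key "$WORKDIR/ca.key" -passin "pass:$CA_PASS" \
        -subj "/CN=Demo Offline Root CA" -out "$WORKDIR/ca.crt"
}

# issue_gateway_cert NAME PASSPHRASE: each gateway gets its own key,
# protected by a passphrase only that gateway knows, and a certificate
# signed by the CA. Only the CSR and the signed cert cross the air gap.
issue_gateway_cert() {
    name="$1"; pass="$2"
    openssl genrsa -aes256 -passout "pass:$pass" \
        -out "$WORKDIR/$name.key" "$KEY_BITS" 2>/dev/null
    openssl req -new -key "$WORKDIR/$name.key" -passin "pass:$pass" \
        -subj "/CN=$name" -out "$WORKDIR/$name.csr"
    openssl x509 -req -days 730 -in "$WORKDIR/$name.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -passin "pass:$CA_PASS" \
        -CAcreateserial -out "$WORKDIR/$name.crt" 2>/dev/null
}

# export_ca_der: the CA certificate in DER form, which is what each gateway
# imports so that it trusts certificates issued by this CA and no other.
export_ca_der() {
    openssl x509 -in "$WORKDIR/ca.crt" -outform DER -out "$WORKDIR/ca.der"
}

# verify_gateway_cert NAME: exit 0 only if the certificate chains to the CA.
# A peer presenting a certificate from any other issuer fails this check.
verify_gateway_cert() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$1.crt" >/dev/null
}

# cert_key_bits NAME: the RSA modulus size recorded in an issued certificate.
cert_key_bits() {
    openssl x509 -in "$WORKDIR/$1.crt" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# Stand-alone demo: one CA, two gateways, both cross-checked against the CA.
demo() {
    make_root_ca
    issue_gateway_cert gw-office-a "office-a-key-passphrase"
    issue_gateway_cert gw-office-b "office-b-key-passphrase"
    export_ca_der
    verify_gateway_cert gw-office-a
    verify_gateway_cert gw-office-b
    echo "both gateway certs verify against $WORKDIR/ca.der ($(cert_key_bits gw-office-a)-bit keys)"
}

demo
```

The check that does the authentication work in the post is verify_gateway_cert: a gateway that only holds ca.der will accept the peer’s certificate precisely when it was issued by that CA, so a forged peer has to compromise the offline CA key rather than guess a shared secret.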

        • #3383309

          Good point

          by oz_media ·

          In reply to Pre-Shared Key’s and why they are bad

          You’re right but if this is a really small enterprise, I would think the risk of premeditated or targeted attacks is lower and usually workstation or server backups suffice to restore trojan damaged data.

          I do however usually use PKI written in Python on a 386 or PII sometimes. I know basic python module scripting but a good friend runs a PKI scripting firm that deals in bank security so I luck out with saving the big bucks.

          On a side note, isn’t that the cool part? When you’ve made enough industry friends that everything is gratis and what comes around goes around? I see PCs and servers changing hands and being passed on like baby clothes. Routers and switches are as easy as a phone call or email away and even places like TR where anything you need to know is at the tip of your fingers.

          You guys rule ! ya ya heh heh

        • #3383223

          you’d be surprised

          by lordinfidel ·

          In reply to Good point

          Because of my position I’m often hired to do penetration testing.

          I was at my wife’s office and noticed her logging in without a password. I then went and connected to a port on the net that I should never have been able to get to.

          I talked to the senior partners and told them that because my wife likes them, blah blah blah, I would do the analysis for free.

          Needless to say I owned their network in about 3 days. And found some others had set up shop.

          The thing with crackers and script-kiddies, and even the stealthy hacker; it’s not always about the data. They will use an owned network as a sploit repository or trade the machines for better sploits.

    • #3383335

      Here is a suggestion

      by cpuboy456 ·

      In reply to Is a VPN the right choice for me?

      I have recently completed a 5 site VPN with almost your exact situation. I was also almost where you are with knowledge concerning implementing the right solution to the client’s needs and wants - two different things. I would be willing to help you with suggestions. If you would like you can email me at jfrench@surferie.net

    • #3383149

      I think so …

      by dwdino ·

      In reply to Is a VPN the right choice for me?

      Unless you can get unbelievable rates on leased lines a VPN is your next alternative.

      Assuming broadband connections (SDSL 256Mb+), I would recommend Astaro. I currently have this setup running flawlessly.

      With Astaro, you supply the hardware. I have a Dell GX1 400 with 128MB ram and 3GB hard drive. I currently have 3 NICs in each system for the different zones I have setup.

      Back to your scenario … Astaro is a full function firewall, filter, IDS, router all in one hardened Linux distribution. It is managed/configured through an elaborate web interface. You can download it for free with 30 day trial, and apply for a free license (reduced feature set) that will allow you to become familiar with it.

      In your situation I would set both networks to route all internetwork traffic across the vpn and then allow ‘Web’ traffic to pass across DSL/other.

      The other great benefit of this solution over Linksys is logging. Astaro can tell you everything that is coming, going, dropped, passed, whatever.

      Here are the links:

      http://www.astaro.com (main site)
      http://www.astaro.org (support)

      • #2674359

        Me Again

        by ragedbull ·

        In reply to I think so …

        I’m going to be perfectly honest, and explain my case completely. I am truly a novice in this area, with no degrees. I understand computers very well, and have set up numerous home networks and such, which are cake for me. I have never set up a “real network” before, nor do I really know how to set up the full Server client relationships.

        I will now proceed to explain the best that I can, what I want to try to do.

        First off, situation. This is not medical, this is a Charity Organization which has 2 offices in different towns, but close to each other. Inside each of the offices are 6 computers which are currently running various operating systems. They are not doing anything hardcore on these computers, mostly secretarial stuff like word and excel, maybe Peachtree Accounting is the most complicated software.

        Here is what i want to do:
        First I want to load win2kpro on all the users’ machines. A Cable modem is being purchased for each office from Comcast Cable. I want to first and foremost, connect all the computers to the internet - which is what they care about the most. Secondly, I want them to be able to share data and resources. Within each office, I want to set up printer sharing for 2 laser printers for all users in each office LAN. I think it would be beneficial to have some way of file sharing between the two offices.

        Now here are my questions:
        Printer & File Sharing: Should I get a print server for the router in each office or can I get a computer that works as some form of a gateway where the 2 printers can be connected to it and I can also allow this to be a general storage facility by adding a hard drive? If the gateway option is the correct one, then what kinda specs should I get, should this have win2kpro or server (also, if I install win2k server, can I set it up for any user to log on anywhere and access his information stored on the gateway)? This then leads me to ask if I need to set up a VPN so the two offices are sharing all the data, which might not even be necessary.

        I think right now I have summed everything up a little better. Any help would be appreciated.

        • #2674357

          Well

          by oz_media ·

          In reply to Me Again

          With your simplistic needs I would still recommend the Linksys route, it is CHEAP. Not THE most secure system around but you get basic firewall, Port Address Translation and they also double as a print server. However, with 6 connections PER office I would recommend adding a second router at each to act as a print server.

          This is basic, easy as hell and cheap too. I know several similar small home businesses and agencies that use it and it is doing exactly what they need.

          Now if you want to get all security conscious and worried about attacks etc and basically turn yourself into a security expert, I would recommend going with file servers at each end, running a reliable and stable network operating system such as Novell or Linux can offer. MS is nothing but hell waiting to happen when it comes to server security and reliability.
          You would then need 3-Com or Cisco routers at each end along with (in the case of Novell) Border Manager VPN software to secure it and provide the proper encryption.

          All in all you’re looking at a ballpark of $25,000 Canadian to add the server hardware, routers and software. Now add many hours getting it all installed and cabled, setup is pretty easy. You will also be needed onsite or remotely for the next six to eight months to ensure everything is running as they want it and be able to reconfigure clients and services. After that time, you can ask to be held on a biweekly visit basis to check up but all should run OK unattended.

          Or drop less than $250 on two routers with a print server and be done with it.

          You can get as technical as people would like you to or you could just keep it simple.

          The choice is yours.

        • #2674337

          Getting warmer …

          by dwdino ·

          In reply to Me Again

          This information helps quite a bit. One thing you learn in consulting is to figure out and define exactly what the user will be doing and what the user wants. After this is defined you place the systems under them to support these needs.

          So we have defined the following:

          1) Shared accounting system (Peachtree)
          2) High desire on internet connectivity
          3) Print sharing
          4) Possible file sharing

          So we need:

          1) Unified network (VPN) allowing all persons to use accounting system and printers
          2) Low cost due to company type
          3) System for file/print management

          A few more questions though:

          1) Are the laser printers network capable or must they be connected to a computer?
          2) What will be stored on file server?
          a) Backup
          b) Redundancy
          c) Time To Repair
          3) Does this group qualify as Not For Profit? If so, leverage this in any purchases as most vendors will give discounts for such.

          Being that this is a charity organization, one of your top priorities is cost. As OZ has mentioned, the Linksys solution is not bad. What you choose to implement must be stable, reliable, and have a low ongoing cost.

          Microsoft desktops (windows 2000) are good because most people are familiar with the interface. The other side of that coin, is the security model. In a peer-to-peer network each W2K computer holds its own security records. This will force you to add every user (name & password) to each machine which they will contact.

          Please understand that this project could easily tie you up for an extended stay. 🙂

        • #2674322

          Good point

          by oz_media ·

          In reply to Getting warmer …

          “Microsoft desktops (windows 2000) are good because most people are familiar with the interface. The other side of that coin, is the security model. In a peer-to-peer network each W2K computer holds its own security records. This will force you to add every user (name & password) to each machine which they will contact.”

          Another way is to image drives if using new PCs or even upgrading all. Just build a couple of different images based on file access rights if needed. You can even build ONE at home, create an image and have everything preformatted by the time you are onsite.

          Without backing up I don’t know what network OS you are thinking of, especially if you’re going to ADD a new file server. If one of the PCs is the file server, no need to worry. A simple peer to peer VPN, just like at home will do. Let the routers use the built in Port Address Translation and the built in encryption keys IF needed. I’ve done the EXACT same system utilizing a customized third party Real World Accounting package that is Unix based. It works fine, they have never had problems and it was fire and forget. Customer happy, cheap solution and I’m outta there.

        • #2674248

          USER Management

          by ragedbull ·

          In reply to Good point

          This summer I worked in an office where they used win2kpro on each desktop, they had a server which had storage space. You could log on as any user anywhere. I was pretty sure there was a way to manage users on the network without installing each user on every computer. Can’t I set up some kind of client-server relationship, where one PC is the server for each office or both offices, and login is administered from this computer? Can’t I install win2k Server on a PC and have this function as the server for users, also use this PC for storage, and connect all the printers to this computer? I was thinking I would use a method similar to this to manage all sharing and users anywhere on the network. Does this work?

        • #2674230

          Yes you can BUT

          by hal 9000 ·

          In reply to USER Management

          You’ll need to use a GIGABIT Network instead of the 10/100 T Base and SCSI Drives in the File Server just for the speed.

          But it will cost a lot more to do this way as well also a Dual Processor M’Board probably would not go astray either as a server that has a lot of work to do needs as much help as possible.

          If you like you can contact me through the “Peer Listings” as I perform this type of work every day and let me know exactly what is required, what your budget is and such like and I’ll offer as much help as possible given the fact that I’m half a world away.

          There is however another alternative and that is just don’t walk into this area, as it is a real nightmare for the unwary, as business systems are completely different to home systems. I’ve seen supposed professionals set up a simple peer to peer network that is connected to the Internet through a hub that is connected to a cable modem, and the only way to share a file was to e-mail it to the other party. While that system still remains that way mostly, I did set up the network connections and install all the network cable plates, which when I arrived were not there (there were only RJ45 connectors hanging on wires out of the walls), but the company baulked at any more money being spent on security, so other than some very simple AV products on every unit there is no security involved within that company.

          Col

        • #2674224

          Lower Requirements

          by ragedbull ·

          In reply to Yes you can BUT

          I made the 20 computer assumption pre-visiting the offices - they have about 6-8 there after I visited. Purchasing win 2k and win server are not involved in the cost of my project. They will be readily available from some other source.

          This afternoon I read up on the whole Domain networking stuff.

          Speed is not an issue for these people: They are using slow systems under 500 Mhz, and work slowly at any rate. The speed restriction from a 10/100 network will be just fine. Also, is SCSI really necessary? While I am aware it is faster, that again is not necessary. If I give them a regular PC with 120 gig ATA harddrive, and add some extra ports in the back for a second printer, won’t this suffice? They will likely be storing minimal amounts of data on the server and the network’s traffic will be mostly just web browsing.

          Then, if I have 2 PCs set up as servers in each location- how can I set up one continuous domain for both offices?

          Also, I believe since they do social work with medical records and such, I need the most secure network. Therefore, what routers do I need to purchase that will hold up 8 users (maybe 16 users if it’s not that much more expensive for future expandability) and how do I set up the VPN with the server and such? They have not told me if they need to meet HIPAA regulations, but I believe they probably do.

          Do you set up the server as a member of the network, or do you have the cable modem connection go into the server through one LAN, then out from the computer to the router, then do the rest of the network - how does the physical setup work?

          I am sorry I keep posting such incomplete information, but I am posting as I receive more and more info.

        • #2674165

          I’m going from memory here as I couldn’t reply directly

          by hal 9000 ·

          In reply to Yes you can BUT

          But if there are any “Medical Records” being held there they must be covered by some relevant laws you’ll have to look into these before you even think about offering them any form of setup.

          The setup will then depend on what the “Laws” require.

          Don’t worry about not knowing all the details as you are new to this game and obviously haven’t been told everything that they need.

          Perhaps it would be a good idea to offer the work to someone else with the proviso that you are involved in the setup; that way you could learn what is required but not leave yourself liable in the event of any adverse action occurring.

          Col

        • #2674234

          You forgot that

          by hal 9000 ·

          In reply to Getting warmer …

          W2k Pro will only support up to 10 computers on a Peer to Peer network; anything bigger than that requires W2k Server which isn’t at all cheap so that is defeating the original purpose as well.

          As the guy originally said 20 users per site that would require a domain of some kind and the only real security needed is around the “Accounting Software” as the rest is really unimportant.

          Now accepting that there are no really secure systems and the best that can be hoped for is that by the time that the data is hacked it is no longer of any use, you could expect to setup a small network fairly cheaply, and by following the “KISS” principle {Keep It Simple Stupid} everything that you have recommended is workable and should suffice and not require much in the way of constant maintenance or user intervention, as this will just not happen in this type of organization.

          But I’m a bit confused here as this guy originally said 20 users per site and then dropped it back to 6 users per site so I’m a bit in the dark here about exactly what would be required. But you always have to remember that right at this point in time Windows is far more “Hackable” than any Linux system, but then again it is also far easier for most people to use, so you have to balance what is usable against what is required to suit your/their needs.

          Just a word of warning here: go with really good products when you supply the computers and not the cheap junk, as a few $ spent in buying decent components in the first place will save you endless sleepless nights down the track. What is really important here is to use really good power supplies with any server that you build, as currently I’m going to be wasting a lot of my time in a court appearance against a large “Home” computer maker who supplied a business server where the cheap unbranded and underrated power supply failed and allowed mains voltage into the case and across the entire network.

          You certainly don’t need something like this to happen to anything that you build.

          Oh I’m ranting again ain’t I?

          Col

        • #2674176

          Correction

          by dwdino ·

          In reply to You forgot that

          Luck,

          You are close, W2K will support 10 CONCURRENT connections. With 12 PCs (est.), the likelihood of having 10 open sessions at one time on one pc is slim.

        • #2674164

          Well in a Dr Surgery

          by hal 9000 ·

          In reply to Correction

          Near here they have a W2k Pro setup with 12 units connected and a lot of the time some of the doctors can not log on but that is only about 75% of the time.

    • #2674177

      Best guess…

      by dwdino ·

      In reply to Is a VPN the right choice for me?

      From the information supplied I will give my best guess as to a solution for your situation. There are still many open considerations, but here goes.

      1) File/print servers: Linux
      Install RH9 or Suse9 (both have served me well and are simple to use). Research and configure Samba for file sharing and printing. Connect dedicated laser printer to this server. I would recommend something like an HP TC2120. This is not an industrial workhorse so get what you need. Processor – not important. Storage – mirrored 80GB ATA should suffice (hardware is better, but software would suffice). Memory – 512MB should be plenty. NIC – any. I would also recommend an optical backup be it CDRW or DVDRW. Total system cost should be easily under $1000

      2) Communications – 10/100 in office and you specified Comcast for external.

      3) Router/VPN – I will stick with Astaro. Everything you need, room to grow, cheap, etc.

      4) Desktops – W2K is fine. Make sure to set Automatic Updates to on, notify or auto install is your choice.

      5) Place accounting software on separate Samba share and allow only needed permissions.

      6) Create home space for all users (easy, already defined in smb.conf). Connect through simple logon scripts. Example:


      @echo off
      set username1=%username%
      echo Logging on %username1%

      rem User home directory
      net use H: \\server1\home
      if errorlevel 1 (
        echo %username1%: home drive could not be connected
      ) else (
        echo %username1%'s home drive connected
      )

      rem User accounting access (the share permissions decide who gets in)
      net use P: \\server1\accounting
      if errorlevel 1 (
        echo %username1% does not have permission to access this share
      ) else (
        echo %username1% connected to accounting
      )

      echo %username1% login completed

      ————————————————-

      If need be you can copy this server to both sides of the VPN (office 1 and 2), the only downside you will have to work with is making sure that the accounting software supports synchronization of multiple copies.

      Also, I would only make one printer on each side available to the other. That way if office 2 calls and says I will print out document1 for you, they know it will come out on printer1. Else if the printer “accidentally” gets changed, they will have to hunt down the document.

      Pricelist
      ———————–
      Server x1 $1000
      Red Hat 9 x1 $ 0
      Windows 2K x15 $1500 (can be done cheaper with upgrade disks)
      Astaro x2 $ 80 (may be free if allowed to use home license)
      Astaro HW x2 $ ? (donor PCs are great for this)
      ————————
      $2580

      • #2674163

        That’s pretty good

        by hal 9000 ·

        In reply to Best guess…

        Although I’d personally go with SUSE rather than Redhat as they are dropping their current line soon and going with a costly alternative so there will be no more support from Redhat and if this guy has never seen Linux/Unix previously he may have a few problems.

        But as I’m from AU this is where I draw the line as he did mention “Medical Records” so I’m not exactly sure what the Laws there require but I would imagine that they would be of a similar nature to what they are here so all these records will need to be heavily protected.

        I suggested that he farm out the work to another party with the proviso that he be allowed to help with the design and installation; that way he could learn something but not be exposed if anything was to go wrong. Most of these places want the cheapest installation possible and are quite willing to leave the supplier liable for any invasion and loss of records. This way they get a cheap installation and no liability and I’m sure that this guy doesn’t need the hassle that will come about when there is a data intrusion into the system. But maybe the Laws are different over there where he is but I honestly wouldn’t be betting my future income on it!

        Col

    • #2674172

      More About Astaro

      by ragedbull ·

      In reply to Is a VPN the right choice for me?

      I want to know more about this, but am having trouble understanding it on their web site. First off, this is Linux software to be run on a Linux box, correct? Therefore my server is a Linux box, and with Samba it can be the server for a Windows network, allowing for user management across the VPN? This server will also be hosting printers and a HD for file sharing, and that too works through Samba just fine between all the Windows boxes? So therefore to use Samba I just buy it, install it on Red Hat, open it up and it’ll be self explanatory? Then if this is my server managing everything, how does it relate to the network? Do I plug the cable modem connection directly into this Linux box, then connect it to a router (as the internet source?) (and which router is the best and most secure and will meet HIPAA regulations), which has all the other computers connected to it? I need to understand the entire physical infrastructure; can you please explain it in a manner like this: In office A, I have the cable modem connection going to a computer, then to a router, then to the other computers, and office B connects through the internet (but is secure because of the VPN?) from its LAN router to the server in office A.

      I really do appreciate everyone’s help.

      • #2674162

        Have you ever used any Linux Distro previously?

        by hal 9000 ·

        In reply to More About Astaro

        If not you are in for a very steep learning curve, and everything you said was pretty well right except for the paying bit and everything being fairly self explanatory. Remember everything Linux comes under a GPL and is downloadable for free if you want to, or you can buy a copy, but the main difference is that with the bought copy you get some form of support whereas with the downloaded copy you’re on your own unless you count the Linux user forums that are around.

        Secondly, I would not be thinking of using RedHat either, as it is soon being changed from the current product to something far more expensive and all support for the current product is ending. That will be within a few months from now; I can’t remember exactly when, but if you like I’ll dig back through all my Linux newsletters and find out exactly when Redhat is ending. SUSE, Mandrake or any of the others will do the job as well, but the main difference between Windows and Linux is that with Linux you get most of the software with the OS install disks, and you certainly get Samba as it is a necessary part of any Linux installation.

        If you’ve never used Unix/Linux previously you will have problems, as it is completely different to Windows, so anything that you currently know about Windows will count for nothing with Linux. You could also go with FreeBSD, which is something similar to the Linux OS but without the current problems with SCO (which I personally think will amount to nothing, but there are law suits being issued so it may prove a problem with some company people as they would want to avoid any legal action).

        Otherwise, as you have worded everything above, that is pretty much the way that you would do something like this, BUT the Medical Records are a problem that will have to be looked into, at the very least to cover your arse to stop any form of legal action against you, which I’m sure you cannot afford.

        Col

        • #2674150

          RedHat info

          by lordinfidel ·

          In reply to Have you ever used any Linux Distro previously?

          They are just going to stop development on the free distro and will not have it available for download.

          Instead they will only sell the Enterprise editions.

          RedHat is being spun into Fedora. Fedora are the ones who have typically been the biggest creators of RH rpms anyways.

          It’s not clear if kernel rpm packages will be available for RH 9/8. But then again, just upgrade from source.

      • #2674097

        VPN-Diagram

        by lordinfidel ·

        In reply to More About Astaro

        Here is a VPN Net-to-Net diagram for you.

        http://www.directionweb.com/how-to/VPN-Diagram.txt

        It is important to note that it is much easier having your firewall and VPN integrated, and having your VPN be the default gateway for the network hosts.

        If you have it as a separate device, which in reality is really the most secure method, you really need to know routing so you can route through the VPN tunnel to get to the other network.

        Get this book:
        Building Linux VPNs from O’Reilly

        Also visit:
        freeswan.org
        http://jixen.tripod.com/#Rw-routing-tips
        http://www.colettis.com.ar/~daniel/Documentos/Tech/FreeSWAN/x509/HTML/node6.html

        Installing and Configuring your own CA is extremely simple assuming that you have OpenSSH installed.

        Creating, Issuing and Signing certs is also very easy.

      • #2674084

        More …

        by dwdino ·

        In reply to More About Astaro

        Here goes.

        First, you do not want to put your file/print server on the same box as your firewall/gateway for security reasons. Can it be done, yes; best practice, no.

        Now, if you download Astaro, you receive an ISO. This ISO is burned to CD and is now ready to be installed. You go find an old PC (366 w/128MB RAM and 3GB HD) of generic hardware. Install 2 NICs (minimum) of standard type for driver ease (i.e. 3com).

        Now place the Astaro CD into the drive and boot. The system will come up and prompt you for all necessary information: IP configuration, internal/external network, DHCP, etc. When the config wizard completes, remove the CD and reboot.

        Your firewall is now live, 100% locked down, so not useful, but live.

        You now open a web browser, go to https://IPAddressOfFirewall and log in. The elaborate web interface makes the configuration really easy.

        You build a couple of simple rules like “any internal to any external on port 80 allow” and “any internal to mail host on port 110 or 25 allow”. Now your customers can surf the net and get email.

        I can help with rules and configurations.

        Then we setup the VPN between the two systems…

        You can go here for a demonstration to get a feel of the interface.

        https://demo.astaro.com

    • #2674160

      Actually I just saw

      by hal 9000 ·

      In reply to Is a VPN the right choice for me?

      An ad from TR for “Administrator’s Guide to VPN”. It might be worth your while to get a copy of this publication and read up on the topic before you go any further if you’re in America. Most of the TR publications are excellent and very helpful.

      Col

    • #2674085

      Novell Branch Office

      by jose mir ·

      In reply to Is a VPN the right choice for me?

      Some points in favor of Novell Branch Office:
      * Faster and more stable environment.
      * All your network resources could be administered from anywhere.
      * It will also simplify the back-up tasks.
      * Security is completely under control.
      * Novell is more virus and hacking proof than M$.
      * Learning to install and administer NetWare environments, and almost any other Novell product, is easier than many non-Novell technicians think.
      * The client will receive the solution he really needs instead of just the one that is “easier for the technician to implement because of limited knowledge about existing products”.

      Regards,

      Jose.-

      • #2684048

        That would be my take too BUT…

        by oz_media ·

        In reply to Novell Branch Office

        Unless you have some pretty nice equipment, NWv.7 will be a hassle. It requires quite the server to run productively and also has a relatively high cost itself. Now if choosing between a MS NOS and server or NW, well it’s a no-brainer, as NW will win hands down for the ability to run without a F/T admin onsite. This may not be COST effective, although it IS a viable solution.

    • #2674069

      Back to Basics

      by techasf ·

      In reply to Is a VPN the right choice for me?

      At this point you must be drowning in advice, options, alternatives and information.

      Perhaps given the scope of what you are trying to do, the most important advice has been “get some professional help” if possible on a mentor basis. Before you do this you may want to spend some time at the offices of your customer and get a real understanding of how they do things at present, their volumes and future directions. One possible requirement not even noted is that as a charity organisation, a Web site is almost an absolute these days. Don’t even think about them hosting it – not initially anyway.

      There may be good reasons why you would rather not call in existing expertise. If so break the project down into a series of tasks so that your and the customer’s learning curve is doable and disasters and miscalculations more manageable.

      However, if involving a third party will not be a problem, put together an RFP and get some input. Decide on what role you want to play – overall project manager, actual implementation, whatever. This role can change as your expertise increases.

      This approach will most certainly polish your marble with the customer.

      This is the approach I followed with one of my major healthcare customers on the US east coast. He has 4 offices; each office needed to access the other offices’ patient records for cross scheduling etc., and using the phone to do this was getting old – rapidly. He was not about to shell out $150,000 for a quote he received based upon a centralized Win2k server at one office with other servers at the other offices linked up through ISDN connections, along with installation of new application software. He also did not relish the idea of the central site being down or its circuit being down leaving the other 3 offices at a standstill.

      This is about 4 years ago and availability made cable and/or DSL a non-starter. The peer to peer application software already installed allowed him to access any from any, so all that was needed was to set up reliable links. I got myself quickly educated on ISDN and FR, the latter winning hands down.

      I put out an RFP for the first 2 offices, which were installed by a third party (now out of business) with significant support from the Verizon agent (still in business). I learned enough from the initial installation, from reading the manuals and seeing how the Motorola CSUs and Intel routers had been configured, to set up the next two myself with a large slice of Intel tech support.

      Early in 2003 I added a DSL link to the Internet at one office. There was no way to do this through the Intel routers; it was FR or zip, so I needed to find a DSL capable router. Up to that point I had been installing primarily Linksys DSL/Cable routers at the offices that needed Internet access at multiple computers on their networks, but had run into odd problems with the hardware and larger problems with their support – not its quality, always very good, but turnaround time. I was used to a fairly short wait queue before getting access to a tech. What had started to happen was to be told we’ll call you back within 2 hours or so, even though I’d identified myself as a consultant.

      I started shopping around and settled on Netgear. Their specs were good, they were winning awards and, most importantly perhaps, I’d called Tech Support a number of times with questions at various times of the day and night and never had to wait more than a few minutes.

      I wound up installing a Netgear FVS318 Cable/DSL VPN Firewall/Router and put in a few after that at other offices. I initially leaned very heavily on their Tech support.

      The DSL link was and stayed problematic – often slow and often died. Problem was distance from the CO – around 18000′, which is really pushing DSL.

      Late last year we revisited cable and DSL in view of an increasing need for high speed internet access at their other offices and with a view to replacing the FR links rather than just adding the costs of cable/DSL.

      Replacing the FR links would require a VPN mesh between all offices. I have both DSL and cable modem at my office, so I was able to set up several FVS318s in my office and resolve my VPN learning curve, performance and other issues before doing anything at the customer. A key issue was static vs dynamic IP addresses. More on this later. At under $120 US a router the customer was quite happy to blow this even if it didn’t work – the prospect of having a monthly communications bill of around $620 instead of around $1500 was a great incentive.

      So far the story has a happy ending. The office with the slow Verizon DSL now has a somewhat faster and more stable COVAD DSL link and the other 3 have cable modems. The VPN mesh is in place and has been up now for a month with only two problems, both times with the COVAD DSL link, which required rebooting the Zyxel modem/router supplied by COVAD to which the actual DSL line is attached. I configured this as a bridge, i.e. as a pass through to the FVS318. Zyxel support were most helpful in getting this done.

      Doctors and staff are very happy with the results. The FR circuits have been cancelled and a COVAD SDSL 768/768 line is going in March 8 to replace the nominal 1.5/384 DSL link. It’s a dedicated line and COVAD guarantee 80% of bandwidth. This will put it on par with the cable connections at the other offices, which are nominally 1.5/384 but usually run between 650 and 700. Why not cable at the DSL office? Cost of installation would be close on $2000 US. Cable monthly is around $150, the SDSL $200. A 40 month breakeven on cable was unattractive – too much can change in this time frame.

      There are a total of 30 computers on the network. They are primarily Win98SE with a number of Win2k and WinXP machines. All servers are Win98SE. Why? There is no connection limit, and at any point in time up to 30 computers could be logged into one office’s server. In practice this number is around 25. The application software itself reports who’s logged in and from which office.

      So as you can see, been there, done that, and let’s see if I can pass on the stuff that will help put a smile on your customer’s face and a few $$$ in your pocket.

      First of all from what you’ve now noted about your customer, VPN sounds like a requirement. In any case there is a minimal add on cost to the boxes you need for broadband access anyway.

      The following assumes that you will be installing a Netgear FVS318 at each office and very likely one at your own if you have broadband access – this for remote access and management. I have this in place myself but to date have just had to use it for status checks and looking at the logs of the customer’s FVS318s. It’s quite educational to see just how many times a router is being pinged by some unknown body with unknown intent. Except when doing some testing, all the routers are set to not respond to pings. What can’t be “seen” can’t be hacked.

      Your starting point is a visit to Netgear.com and download the ref manual for the FVS318. Chapter 6 will give you a pretty good grounding in VPN.

      Tech support everywhere are usually much more helpful if you demonstrate at least a basic knowledge of the subject and some awareness of their product line.

      I am assuming an existing LAN at each customer. If not, the FVS318 is a switch to boot and has 8 RJ45 ports.

      I’m also making no assumptions about your level of expertise other than you have set up some home networks but with no mention of internet connections.

      SHARED INTERNET ACCESS 101

      The cable for a cable connection plugs into the cable modem supplied by the cable co. It is connected by a patch cable to the internet port on the FVS318, which makes internet access available at each of its 8 ports or, for that matter, to a hub connected to any one of these ports.

      Your cable modem will have an IP address assigned by your cable provider. The router will have two: the WAN IP address – same as above, which it can detect automatically along with the type of access – and its own LAN address.

      At Office #1 this will be say 192.168.1.1 and Office #2 will be say 192.168.2.1.

      The computers at office #1 will have IP addresses starting at 192.168.1.2 and up, at Office #2 starting at 192.168.2.2 and up. Subnets will be 255.255.255.0 in all cases.

      The FVS comes with a default LAN IP of 192.168.0.1, so to configure it, connect a computer to it with say an IP of 192.168.0.2. You then access the router through IE using http://192.168.0.1 and let it detect and set up the connection to the Internet through the cable modem.

      Reconfigure the router’s LAN IP to the office it belongs to and also reset the IP address of the computer used to configure the router back to its regular IP address. Remember to configure the router for remote management and tell it if you want alerts e-mailed to you. Most importantly, the first thing you want to do as soon as you have Internet access is to download the latest update to your router’s software: check first with their tech support to avoid downloading a beta test version.

      Before you log out, set the password of the router to say a mix of 16 letters, numbers etc. This will block someone – internal or external – from getting access to the router and screwing up your network.

      After a shutdown/restart of the computer, if indicated, you can then select Internet Options from the Control Panel, select Connections, then LAN settings, auto detect settings, no proxy server etc. and let the wizard set up your internet connection.

      Part of what should happen is that a gateway IP address – the router’s LAN address is setup and this same IP address will be set up as the DNS server. The router is taking responsibility for these functions rather than a computer on the network.

      Do the above at the other computers and you are done.

      ACCESSING REMOTE RESOURCES 101

      To keep things simple, forget about domains and Windows ADS and the other baggage and just set up two workgroups, one for each office, named GROUP1 and GROUP2.

      You could let the router assign each computer’s IP address dynamically but in practice you will need to set fixed IP addresses for the computers that have the resources that you want computers at the other office to access.

      Assume you are at a computer and want to access the hard drive of a computer in another office. You can do this manually or call a script to do this, e.g. map K: to \\OFF2-3\CDRIVE where OFF2-3 is the Windows name for that computer and CDRIVE is the name you gave the share at that machine when you set up its drive C: as shared.

      For the OS to make sense of this, you must either have configured a computer as a WINS server or, a lot more simply, create an LMHOSTS file in the system root directory of the computer itself. There is an LMHOSTS.sam file which spells out its function. In our example the LMHOSTS file would contain a line which reads 192.168.2.3 OFF2-3 #PRE.

      The #PRE tells Windows to load this info at start up, and whenever it is called on to do anything with a computer named OFF2-3 to resolve this to 192.168.2.3, which then gets put into the destination address section of each IP packet making up the request.

      The computer recognizes this as a non local IP address and directs it to the Gateway address ie to the router.

      As this is a private IP address, it knows it has to first look up the VPN table you created in the router and resolve this IP address to the public IP address you entered; which is the address of the cable modem in the other office. It encrypts each packet and off it goes to your ISP whose computers then figure out where to forward the message to and so on.

      I still marvel at the whole process and how quickly information can be transmitted.

      There is one fly in this ointment however. For your router to do its job it has to know the IP address of the other router and unless you can get a static IP address out of your cable provider, the IP address of that router can change periodically. If it was Verizon DSL, this will change every time you happen to shut off the modem.

      Enter Dynamic Network Services, Inc. They are in the business of providing a simple yet very effective solution to this problem. They are not the only ones, but having researched a couple seemed most suited to what I wanted to do.

      Log onto their site at dyndns.org, create an account for yourself, a serious password and create at no charge up to 5 host names that their servers will resolve to its current IP address.

      For example, the host name you might give to the other office might be OTHROFF2@dyndns.biz where dyndns.biz is the name of the server you chose from one of their many servers.

      Your router would now have in its VPN setting for the other office the constant name of OTHROFF2@dyndns.biz instead of a possibly constantly changing IP address. The first time the link is activated, the router will get the current IP address for this name from the dyndns.biz server. It and dyndns will automatically take care of changes.

      You will happily pay them an annual fee of $9.95 US to avoid having to manually reset this connection at their site every month or so – this also allows you to have a lot more hosts plus some other goodies.

      The config function in the FVS318 has all the things to click on to make this happen.

      The FVS318 lets you have 8 simultaneous VPN tunnels. If you need more, look at the FVS328. If you want wireless access as well, plug a Wireless Access Point into the router. If you want remote access from a single computer you could use Windows’ built-in VPN capabilities or, if you’d prefer a more robust solution that will definitely work with the Netgear routers, look at SafeNet.biz’s SoftRemote. If that remote access is required from a home with multiple computers all needing Internet access anyway, get an FVS318 for that location.

      Your next step is to install virus protection on each computer. I prefer TrendMicro’s PC-Cillin over Symantec or McAfee, but that’s a personal thing.

      I hope the above gives you an outline of what needs to be done and how to do it. You will have a lot of fun and frustration too in filling in all the details, so Good Luck!

      If your customer’s computers are at least Win98SE, I’m not sure of the benefit of going to Win2K. Bear in mind that Microsoft are discontinuing support for Win2k in April. This doesn’t mean squat in my life frankly, but as a previous post noted, Win2k Pro and XP Pro limit you to 10 connections at a time. If your files are stored on a single server, this could become a problem if users need continuous access to the records, as in a healthcare office, and cannot tolerate not being able to log in at will; they will handle the situation by logging on and not logging out. So maybe spread the files or prevent certain computers from logging into the other office. A study of their workflow will identify the real options.

      On a regulatory topic that came up in the posts – HIPAA by the way, not HIPPA. At this point, it only applies to entities that are transmitting electronic claims and other designated transactions to/from an insurance carrier or clearing houses such as WebMD by other than the Internet. Although your customer handles medical records, I would guess the only sanctions that might be applied in the event of disclosure of Protected Health Information – PHI – would be in terms of other regulations. I know of no office that’s been shut down because of HIPAA violations; there has been no vigorous pursuit of its implementation as is the case with OSHA, and frankly what it codified is the same common sense and privacy steps that health care pros have always applied. Directives such as don’t leave patient charts lying around and don’t discuss a patient’s problems within earshot of another patient are more closely observed now – but again can be safely ignored, and are being ignored, by those offices that do not send claims electronically. Dumb. It was really supposed to be aimed at stopping those organisations that have been selling patient names and their medical problems to drug companies and others to use as mailing lists for their products. The original thrust of the legislation was to allow people who changed their jobs to take their healthcare coverages with them and not be subject to pre-existing condition limitations etc. at the new job, hence the name Health Insurance Portability and Accountability Act, but it then became a “while we are about it…” scenario. Amongst others the EDI crowd got on board and used this as an opportunity to finally implement standard record formats for all healthcare related transactions other than those transmitted via the Internet. An about time thing in fact, but it seems that the EDI people have never heard of XML and have rather reinvented the same problem all over again – the inflexibility of fixed format, content and length records. Adding a new field or altering the length of an existing one again results in major costs.

      I apologise if I’ve bored anyone to death with this long post.

      • #2684050

        Afterthoughts

        by techasf ·

        In reply to Back to Basics

        1. Consider doing all your IT shopping at Provantage.com. Tough to beat their prices.

        2. Consider individual deskjets at each computer as opposed to print servers and laser printers. Far more productive not having to get up and get your letter – also a lot simpler when it comes to printing the envelope. Color too can make a huge difference to appeals if that’s what they do. Depending on desk layout you could share one between two or more computers.

        3. As LordI suggested, if you are buying new boxes, consider a Linux box as your file server in each office rather than Windows 2003 Server. No connection limits, no extra client licences when you grow. It’s there too when you implement internal e-mail and finally host your own web site.
        The HP6122 is a good bet. Fast, quiet, no annoying 10-20 second delay before the first page prints. As with any HP deskjet, the biggest advantage over competitive ink or bubblejets is the paper handling.

        • #2680958

          But the disadvantage is

          by hal 9000 ·

          In reply to Afterthoughts

          Cost per page with the color tank being a single unit.

          What do you think about the Canon i560? It has different ink tanks for each color and black, it works out far cheaper per page to print with, and when one color is all used you are not in a position of throwing out the other two colors that may still be half full.

          Col

    • #2684253

      So you say you are a charity …

      by ken ·

      In reply to Is a VPN the right choice for me?

      I too work for a charity that will soon be setting up a new office 2 hours away from the main office. Obviously, this post has been interesting to me. I note the interest in a low cost solution. Did you know that Microsoft has charity prices? I set up a Win2K server at an unbelievably low cost. If you are a registered charity, you can too.

      Keep us posted on your progress.

    • #2684045

      Consulting?

      by oz_media ·

      In reply to Is a VPN the right choice for me?

      Wouldn’t that just be overkill that sucks up your budget before you leave the gate though? Or did you have something else in mind? Remember this is a KISS install, not your forever secure nonhackable fortress.

    • #2729480

      Secure File Sharing

      by thinkaloud ·

      In reply to Is a VPN the right choice for me?

      If the purpose of hooking up both offices is to enable both teams to share files, I would recommend having a look at B.efficient ( http://neusteps.com ).

      B.efficient allows distributed offices like yours to share files easily and securely. Individual users can control who has the rights to access various documents without the need to trouble the IT administrator to set it up. Encryption is built-in; hence all communication transfer (file, messaging, application etc.) is encrypted.

    • #2666645

      Depends on the total layout

      by dchaney ·

      In reply to Is a VPN the right choice for me?

      If you are going to use Windows 2000 servers at each location, which is a good idea for data safety, the ability to set up a VPN is built into the OS. You would set up a VPN between the servers. If not, you would get a broadband router at each location that supports a VPN tunnel. Best if they are the same brand and model. Set up a VPN tunnel between the routers. Set the DHCP in each router to different sets in the same range and make all other settings the same, and they should be able to see each other.
