Is a VPN the right choice for me?

By RAGEDBULL
I have been asked to completely redevelop an organization's computer infrastructure. They are set up in two small offices, in two separate towns. I have heard that a VPN is the right way to go; however, I am not familiar with the technology because I usually set up end-user home networks. I need a lot of help in this area. I can go in any direction with this project, costs at a minimum. All I am starting with is that all computers in the network will be running Windows 2K Pro. My first question: Does this situation require a VPN? My second question: If it does require a VPN, what software-wise do I need to do, and what external hardware should I purchase to set this up (I also want each office, of no more than 20 users, to be connecting to the internet via a cable or DSL connection)?


VPN-Diagram

by LordInfidel In reply to More About Astaro

Here is a VPN Net-to-Net diagram for you.

http://www.directionweb.com/how-to/VPN-Diagram.txt

It is important to note that it is much easier having your fwl and vpn integrated, and having your vpn being the dfltgwy for the network hosts.

If you have it as a separate device, which in reality is really the most secure method, you really need to know routing so you can route thru the vpn tunnel to get to the other network.

Get this book:
Building Linux VPNs from O'Reilly

Also visit:
freeswan.org
http://jixen.tripod.com/#Rw-routing-tips
http://www.colettis.com.ar/~daniel/Documentos/Tech/FreeSWAN/x509/HTML/node6.html

Installing and Configuring your own CA is extremely simple assuming that you have OpenSSH installed.

Creating, Issuing and Signing certs is also very easy.


More ...

by dwdino In reply to More About Astaro

Here goes.

First, you do not want to put your file/print server on the same box as your firewall/gateway for security reasons. Can it be done, yes; best practice, no.

Now, if you download Astaro, you receive an ISO. This ISO is burned to CD and is now ready to be installed. You go find an old PC (366 w/128MB RAM and 3GB HD) of generic hardware. Install 2 NICs (minimum) of standard type for driver ease (i.e. 3Com).

Now place the Astaro CD into drive and boot. System will come up and prompt you for all necessary information: ip configuration, internal/external network, DHCP, etc. When config wizard completes, remove CD, reboot.

Your firewall is now live, 100% locked down, so not useful, but live.

You now open a web browser and go to https://IPAddressOfFirewall and log in. The elaborate web interface makes the configuration really easy.

You build a couple of simple rules like "any internal to any external on port 80 allow" and "any internal to mail host on port 110 or 25 allow". Now your customers can surf the net and get email.

I can help with rules and configurations.

Then we set up the VPN between the two systems...

You can go here for a demonstration to get a feel of the interface.

https://demo.astaro.com
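The two rules in the post ("any internal to any external on port 80 allow" and "any internal to mail host on port 110 or 25 allow") sit on top of a firewall that starts out denying everything. The following Python is an added example, not Astaro's code and not part of dwdino's post: it writes those two rules as data, evaluates them first-match-wins over an implicit deny, and runs a few constructed connections through them. The LAN range, the mail host address and the sample addresses are assumptions chosen from the documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Assumed topology (constructed for this example): one office LAN behind the firewall.
INTERNAL_NET = ip_network("192.168.1.0/24")
MAIL_HOST = ip_address("198.51.100.25")   # constructed address of the ISP's mail host


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                         # "internal", "external" or "any"
    dst: str                         # "internal", "external", "any" or a literal IP
    ports: Optional[FrozenSet[int]]  # None means any destination port
    action: str                      # "allow" or "deny"


def zone_of(ip: str) -> str:
    """Classify an address as internal (on the office LAN) or external."""
    return "internal" if ip_address(ip) in INTERNAL_NET else "external"


def _endpoint_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec in ("internal", "external"):
        return zone_of(ip) == spec
    return ip_address(spec) == ip_address(ip)   # literal host such as the mail server


def rule_matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    return (_endpoint_matches(rule.src, src)
            and _endpoint_matches(rule.dst, dst)
            and (rule.ports is None or port in rule.ports))


def decide(rules: List[Rule], src: str, dst: str, port: int) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched falls through to the implicit deny."""
    for rule in rules:
        if rule_matches(rule, src, dst, port):
            return rule.action, rule.name
    return "deny", "implicit-default"


# The two rules from the post, written out as data.
RULES = [
    Rule("web-out", "internal", "external", frozenset({80}), "allow"),
    Rule("mail-out", "internal", str(MAIL_HOST), frozenset({25, 110}), "allow"),
]

# Constructed sample connections: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("192.168.1.10", "203.0.113.5", 80),      # user browsing the web
    ("192.168.1.10", "198.51.100.25", 110),   # user fetching mail via POP3
    ("192.168.1.10", "203.0.113.5", 443),     # HTTPS: not covered by the two rules
    ("203.0.113.5", "192.168.1.10", 80),      # inbound from the Internet
    ("192.168.1.10", "203.0.113.9", 25),      # SMTP to a host other than the mail host
]


def evaluate_all(rules=RULES, flows=SAMPLE_FLOWS):
    """Return (src, dst, port, action, matched-rule) for every sample flow."""
    return [(src, dst, port) + decide(rules, src, dst, port) for src, dst, port in flows]


if __name__ == "__main__":
    for src, dst, port, action, why in evaluate_all():
        print(f"{src:>14} -> {dst:>14}:{port:<4} {action:5} ({why})")
```

Running it shows the point of the default-deny posture: the web and mail flows pass, while the inbound connection, the HTTPS request and SMTP to an arbitrary host all fall through to the implicit deny. Anything else the users need (HTTPS, DNS if the firewall is not resolving for them) has to be added as an explicit rule in the same way.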


Actually I just saw

by HAL 9000 Moderator In reply to Is a VPN the right choice ...

An ad from TR for "Administers Guide to VPN"; it might be worth your while to get a copy of this publication and read up on the topic before you go any further if you're in America. Most of the TR publications are excellent and very helpful.

Col


Novell Branch Office

by Jose Mir In reply to Is a VPN the right choice ...

Some points in favor of Novell Branch Office:
* Faster and more stable environment.
* All your network resources could be administered from anywhere.
* It will also simplify the back-up tasks.
* Security is completely under control.
* Novell is more virus and hacking proof than M$.
* Learning to install and administer NetWare environments, and almost any other Novell product, is easier than many non-Novell technicians think.
* The client will receive the solution he really needs instead of just the one that is "easier for the technician to implement because of limited knowledge about existing products".

Regards,

Jose.-


That would be my take too BUT...

by Oz_Media In reply to Novell Branch Office

Unless you have some pretty nice equipment, NW v.7 will be a hassle. It requires quite the server to run productively and also has a relatively high cost itself. Now if choosing between an MS NOS and server or NW, well it's a no-brainer as NW will win hands down for the ability to run without a F/T admin onsite. This may not be COST effective, although it IS a viable solution.


Back to Basics

by techasf In reply to Is a VPN the right choice ...

At this point you must be drowning in advice, options, alternatives and information.

Perhaps given the scope of what you are trying to do, the most important advice has been "get some professional help" if possible on a mentor basis. Before you do this you may want to spend some time at the offices of your customer and get a real understanding of how they do things at present, their volumes and future directions. One possible requirement not even noted is that as a charity organisation, a Web site is almost an absolute these days. Don't even think about them hosting it - not initially anyway.

There may be good reasons why you would rather not call in existing expertise. If so break the project down into a series of tasks so that your and the customer's learning curve is doable and disasters and miscalculations more manageable.

However, if involving a third party will not be a problem, put together an RFP and get some input. Decide on what role you want to play - overall project manager, actual implementation, whatever. This role can change as your expertise increases.

This approach will most certainly polish your marble with the customer.

This is the approach I followed with one of my major healthcare customers on the US east coast. He has 4 offices, each office needed to access the other offices' patient records for cross scheduling etc. and using the phone to do this was getting old - rapidly. He was not about to shell out $150,000 for a quote he received based upon a centralized Win2k server at one office with other servers at the other offices linked up through ISDN connections along with installation of new application software. He also did not relish the idea of the central site being down or its circuit being down leaving the other 3 offices at a standstill.

This is about 4 years ago and availability made cable and/or DSL a non-starter. The peer to peer application software already installed allowed him to access any from any so all that was needed was to set up reliable links. I got myself quickly educated on ISDN and FR, the latter winning hands down.

I put out an RFP for the first 2 offices which were installed by a third party (now out of business) with significant support from the Verizon agent (still in business). I learned enough from the initial installation, from reading the manuals and seeing how the Motorola CSU's and Intel routers had been configured to set up the next two myself with a large slice of Intel tech support.

Early in 2003 I added a DSL link to the Internet at one office. There was no way to do this through the Intel routers; it was FR or zip so needed to find a DSL capable router. Up to that point I had been installing primarily Linksys DSL/Cable routers at the offices that needed Internet access at multiple computers on their networks but had run into odd problems with the hardware and larger problems with their support - not its quality, always very good, but turnaround time. I was used to a fairly short wait queue before getting access to a tech. What had started to happen was to be told we'll call you back within 2 hours or so even though I'd identified myself as a consultant.

I started shopping around and settled on Netgear. Their specs were good, they were winning awards and most importantly perhaps, I'd called Tech Support a number of times with questions at various times of the day and night and never had to wait more than a few minutes.

I wound up installing a Netgear FVS318 Cable/DSL VPN Firewall/Router and put in a few after that at other offices. I initially leaned very heavily on their Tech support.

The DSL link was and stayed problematic - often slow and often died. Problem was distance from the CO - around 18000', which is really pushing DSL.

Late last year we revisited cable and DSL in view of an increasing need for high speed internet access at their other offices and with a view to replacing the FR links rather than just adding the costs of cable/DSL.

Replacing the FR links would require a VPN mesh between all offices. I have both DSL and cable modem at my office so I was able to set up several FVS318's in my office and resolve my VPN learning curve, performance and other issues before doing anything at the customer. A key issue was static vs dynamic IP addresses. More on this later. At under $120 US a router the customer was quite happy to **** this even if it didn't work - the prospect of having a monthly communications bill of around $620 instead of around $1500 was a great incentive.

So far the story has a happy ending. The office with the slow Verizon DSL now has a somewhat faster and more stable COVAD DSL link and the other 3 have cable modems. The VPN mesh is in place and has been up now for a month with only two problems; both times with the COVAD DSL link and which required rebooting the Zyxel modem/router supplied by COVAD to which the actual DSL line is attached. I configured this as a bridge, i.e. as a pass through to the FVS318. Zyxel support were most helpful in getting this done.

Doctors and staff are very happy with the results. The FR circuits have been cancelled and a COVAD SDSL 768/768 line is going in March 8 to replace the nominal 1.5/384 DSL link. It's a dedicated line and COVAD guarantee 80% of bandwidth. This will put it on par with the cable connections at the other offices which are nominally 1.5/384 but usually run between 650 and 700. Why not cable at the DSL office: cost of installation would be close on $2000 US. Cable monthly is around $150, the SDSL $200. A 40 month breakeven on cable was unattractive - too much can change in this time frame.

There are a total of 30 computers on the network. They are primarily Win98SE's with a number of Win2k's and WinXP's. All servers are Win98SE. Why? There is no connection limit and at any point in time up to 30 computers could be logged into one office's server. In practice this number is around 25. The application software itself reports who's logged in and from which office.

So as you can see, been there done that and let's see if I can pass on the stuff that will help put a smile on your customer's face and a few $$$'s in your pocket.

First of all from what you've now noted about your customer, VPN sounds like a requirement. In any case there is a minimal add on cost to the boxes you need for broadband access anyway.

The following assumes that you will be installing a Netgear FVS318 at each office and very likely one at your own if you have broadband access - this for remote access and management. I have this in place myself but to date have just had to use it for status checks and looking at the logs of the customer's FVS318's. It's quite educational to see just how many times a router is being pinged by some unknown body with unknown intent. Except when doing some testing, all the routers are set to not respond to pings. What can't be "seen" can't be hacked.

Your starting point is a visit to Netgear.com and download the ref manual for the FVS318. Chapter 6 will give you a pretty good grounding in VPN.

Tech support everywhere are usually much more helpful if you demonstrate at least a basic knowledge of the subject and some awareness of their product line.

I am assuming an existing LAN at each customer. If not, the FVS318 is a switch to boot and has 8 RJ45 ports.

I'm also making no assumptions about your level of expertise other than you have set up some home networks but with no mention of internet connections.

SHARED INTERNET ACCESS 101

The cable for a cable connection plugs into the cable modem supplied by the cable co. It is connected by a patch cable to the internet port on the FVS318 and which makes internet access available at each of its 8 ports or for that matter to a hub connected to any one of these ports.

Your cable modem will have an IP address assigned by your cable provider. The router will have two, the WAN IP address - same as above, which it can detect automatically along with the type of access and its own LAN address.

At Office #1 this will be say 192.168.1.1 and Office #2 will be say 192.168.2.1.

The computers at office #1 will have IP addresses starting at 192.168.1.2 and up, at Office #2 starting at 192.168.2.2 and up. Subnets will be 255.255.255.0 in all cases.

The FVS comes with a default LAN IP of 192.168.0.1 so to configure it, connect a computer to it with say an IP of 192.168.0.2. You then access the router thru IE using http://192.168.0.1 let it detect and set up the connection to the Internet thru the cable modem.

Reconfigure the router's LAN IP to the office it belongs to and also reset the IP address of the computer used to configure the router back to its regular IP address. Remember to configure the router for remote management and tell it if you want alerts e-mailed to you. Most importantly, the first thing you want to do as soon as you have Internet access is to download the latest update to your router's software: check first with their tech support to avoid downloading a beta test version.

Before you log out, set the password of the router to say a mix of 16 letters, numbers etc. This will block someone - internal or external - from getting access to the router and screwing up your network.

After a shutdown restart if indicated of the computer you can then select Internet Options from the Control Panel, select Connections then LAN settings, auto detect settings, no proxy server etc. and let the wizard set up your internet connection.

Part of what should happen is that a gateway IP address - the router's LAN address is setup and this same IP address will be set up as the DNS server. The router is taking responsibility for these functions rather than a computer on the network.

Do the above at the other computers and you are done.

ACCESSING REMOTE RESOURCES 101

To keep things simple forget about domains and Windows ADS and the other baggage and just set up two workgroups, one for each office, named GROUP1 and GROUP2.

You could let the router assign each computer's IP address dynamically but in practice you will need to set fixed IP addresses for the computers that have the resources that you want computers at the other office to access.

Assume you are at a computer and want to access the hard drive of a computer in another office. You can do this manually or call a script to do this, e.g. map K: to \\OFF2-3\CDRIVE where OFF2-3 is the Windows name for that computer and CDRIVE is the name you gave the share at that machine when you set up its drive C: as shared.

For the OS to make sense of this, you must either have configured a computer as a WINS server or a lot more simply create a LMHOSTS file in the system root directory of the computer itself. There is an LMHOSTS.sam file which spells out its function. In our example the LMHOSTS file would contain a line which reads 192.168.2.3 OFF2-3 #PRE.

The #pre tells windows to load this info at start up and whenever it is called on to do anything with a computer named OFF2-3 to resolve this to 192.168.2.3 and which then gets put into the destination address section of each IP packet making up the request.

The computer recognizes this as a non-local IP address and directs it to the Gateway address, i.e. to the router.

As this is a private IP address, it knows it has to first look up the VPN table you created in the router and resolve this IP address to the public IP address you entered; which is the address of the cable modem in the other office. It encrypts each packet and off it goes to your ISP whose computers then figure out where to forward the message to and so on.

I still marvel at the whole process and how quickly information can be transmitted.

There is one fly in this ointment however. For your router to do its job it has to know the IP address of the other router and unless you can get a static IP address out of your cable provider, the IP address of that router can change periodically. If it was Verizon DSL, this will change every time you happen to shut off the modem.

Enter Dynamic Network Services, Inc. They are in the business of providing a simple yet very effective solution to this problem. They are not the only ones, but having researched a couple seemed most suited to what I wanted to do.

Log onto their site at dyndns.org, create an account for yourself, a serious password and create at no charge up to 5 host names that their servers will resolve to its current IP address.

For example, the host name you might give to the other office might be OTHROFF2@dyndns.biz where dyndns.biz is the name of the server you chose from one of their many servers.

Your router would now have in its VPN setting for the other office the constant name of OTHROFF2@dyndns.biz instead of a possibly constantly changing IP address. The first time the link is activated, the router will get the current IP address for this name from the dyndns.biz server. It and dyndns will automatically take care of changes.

You will happily pay them an annual fee of $9.95 US to avoid having to manually reset this connection at their site every month or so - this also allows you to have a lot more hosts plus some other goodies.

The config function in the FVS318 has all the things to click on to make this happen.

The FVS318 lets you have 8 simultaneous VPN tunnels. If you need more look at the FVS328. If you want wireless access as well, plug a Wireless Access Point into the router. If you want remote access from a single computer you could use Windows' built in VPN capabilities or if you'd prefer a more robust solution that will definitely work with the Netgear routers, look at SafeNet.biz's SoftRemote. If that remote access is required from a home with multiple computers all needing Internet access anyway, get an FVS318 for that location.

Your next step is to install virus protection on each computer. I prefer TrendMicro's PC-Cillin over Symantec or McAfee but that's a personal thing.

I hope the above gives you an outline of what needs to be done and how to do it. You will have a lot of fun and frustration too in filling in all the details, so Good Luck!

If your customer's computers are at least Win98SE, I'm not sure of the benefit of going to Win2K. Bear in mind that Microsoft are discontinuing support for Win2k in April. This doesn't mean squat in my life frankly but as a previous post noted Win2k Pro and XP Pro limit you to 10 connections at a time. If your files are stored on a single server, this could become a problem if users need continuous access to the records as in a healthcare office and cannot tolerate not being able to log in at will; they will handle the situation by logging on and not logging out. So maybe spread the files or prevent certain computers from logging into the other office. A study of their workflow will identify the real options.

On a regulatory topic that came up in the posts - HIPAA by the way, not HIPPA. At this point, it only applies to entities that are transmitting electronic claims and other designated transactions to/from an insurance carrier or clearing houses such as WebMD by other than the Internet. Although your customer handles medical records I would guess the only sanctions that might be applied in the event of disclosure of protected Health Information - PHI - would be in terms of other regulations. I know of no office that's been shut down because of HIPAA violations - there has been no vigorous pursuit of its implementation as is the case with OSHA and frankly what it codified is the same common sense and privacy steps that health care pros have always applied. Directives such as don't leave patient charts lying around and don't discuss a patient's problems within earshot of another patient are more closely observed now - but again can be safely ignored and is being ignored by those offices that do not send claims electronically. Dumb. It was really supposed to be aimed at stopping those organisations that have been selling patient names and their medical problems to drug companies and others to use as mailing lists for their products. The original thrust of the legislation was to allow people who changed their jobs to take their healthcare coverages with them and not be subject to pre-existing condition limitations etc. at the new job, hence the name Health Insurance Portability and Accountability Act, but it then became a "while we are about it..." scenario. Amongst others the EDI crowd got on board and used this as an opportunity to finally implement standard record formats for all healthcare related transactions other than those transmitted via the Internet. An about time thing in fact, but it seems that the EDI people have never heard of XML and have rather reinvented the same problem all over again - the inflexibility of fixed format, content and length records. Adding a new field or altering the length of an existing one again results in major costs.

I apologise if I've bored anyone to death with this long post.


Afterthoughts

by techasf In reply to Back to Basics

1. Consider doing all your IT shopping at Provantage.com. Tough to beat their prices.

2. Consider individual deskjets at each computer as opposed to print servers and laser printers. Far more productive not having to get up and get your letter - also a lot simpler when it comes to printing the envelope. Color too can make a huge difference to appeals if thats what they do. Depending on desk layout you could share one between two or more computers.

3. As LordI suggested, if you are buying new boxes, consider a Linux box as your file server in each office rather than Windows 2003 Server. No connection limits, no extra client licences when you grow. It's there too when you implement internal e-mail and finally host your own web site.
The HP6122 is a good bet. Fast, quiet, no annoying 10-20 second delay before first page prints. As with any HP deskjet, the biggest advantage over competitive ink or bubblejets is the paper handling.


But the disadvantage is

by HAL 9000 Moderator In reply to Afterthoughts

Cost per page with the color tank being a single unit.

What do you think about the Canon i560? It has different ink tanks for each color and black; it works out far cheaper per page to print with and when one color is all used you are not in a position of throwing out the other two colors that may still be half full.

Col


So you say you are a charity ...

by Ken In reply to Is a VPN the right choice ...

I too work for a charity that will soon be setting up a new office 2 hours away from the main office. Obviously, this post has been interesting to me. I note the interest in a low cost solution. Did you know that Microsoft has charity prices? I set up a Win2K server at an unbelievably low cost. If you are a registered charity, you can too.

Keep us posted on your progress.


Consulting?

by Oz_Media In reply to Is a VPN the right choice ...

Wouldn't that just be overkill that sucks up your budget before you leave the gate though? Or did you have something else in mind? Remember this is a KISS install, not your forever secure non-hackable fortress.
