Security·4,716 discussions

Remote Access

Locked

Hi All, I need your help to find the best solution for this:

I?ve an Exchange Server and a File Server (2 2003 Servers).
The iternal network uses these resources with no problem, but I need to have them available out of the office.

What?s the best solution -> Build a VPN!
How? Should I expose POP, SMTP and File sharing to the internet using RRAS, should I use a router with VPN capabilitys?
Could I have security problems having the server files available by a VPN, same thing about the smtp?

Please advice me in what solution, and if possible, what router or other equipment should I use. Please kep in mind, the budget is tight…

Thanks

Paulo

Topic

Security is an illusion

In reply to Remote Access

Here is a link to a story on securityfocus.com that should put the fear of God into anyone that wants to permit password protected inbound access from the Internet to their private LAN.

http://securityfocus.com/news/11355

Here are a few things to think about.

1. Just because you are unable to break into your security domain doesn’t mean that anyone can’t break into your security domain. There are a lot of very clever hackers.

2. Any time that you enable ANY new feature on your systems you have created a new attack vector.

3. The amount of time that is required to break any given encryption scheme is being dramatically reduced every year. Part of the reason is that new decryption techniques are always being developed. Another part of the reason is that affordable computer horsepower is increasing dramatically every year. The result is that any encryption scheme will merely delay an attacker from compromising your password or token based security.

When you allow access to private information from the Internet you create two problems. The first is to allow access to your LAN by legitimate users while preventing unauthorised access. The second is to keep the confidential information that is being legitimately accessed from being read and understood by an unauthorised person. Both methods usually involve encryption. The problem of preventing unauthorised access to your LAN is usually addressed by encrypting passwords. The problem of preventing unauthorised people from reading confidential information that is being transmitted to a legitimate user is to encrypt the confidential information before it is sent over the Internet.

The article referenced above tells about a technique of making huge tables of encrypted passwords and translating them to their true password. These tables are being created for many of the most popular encryption techniques. This makes translating an intercepted encrypted password into its true form as easy as looking up the encrypted password in a table.

The same article also tells about how many of the same encryption techniques are being made useless for transmitting confidential files. Decryption algorithms already exist for many of the most popular encryption techniques used for transmitting files and other confidential data. This means that if the legitimate user is reading a file that a bad guy wants to read then the bad guy doesn’t even have to break into your LAN. The bad guy simply has to capture packets to the legitimate user and decrypt them to read the confidential information.

The fact that your users would probably be using a public wireless “hot spot” to access your LAN means that many people could be capturing the traffic between that user and your LAN. Nobody would even know that the data was being captured by bad guys. All the bad guys have to do is to save the data to disk and decrypt it. They have all the time in the world to do this.

My conclusion is that there is no reliable method of protecting a private LAN that is connected to the Internet or to a modem from being compromised. Additionally, when you deliberately create an access path (from the Inernet or modem or whatever) into your LAN (for legitimate access) you make intrusion into the LAN much easier than if you didn’t allow inbound connections. Even if you don’t suffer intrusion into your LAN the data being transmitted to a legitimate user can be intercepted and decrypted by bad guys.

My advise is to forget about accessing corporate files from the Internet.

I?m afraid…

In reply to Security is an illusion

That?s why I post it. “stress junkie” you earn that name…

Anyway, having a server with internet domain mail is not an option. We really need to have it.
And, for operation needs, we need exchange (sharing contacts and calendars, meeting, etc…). So in this part it?s solved, all I?ve to do is “secure” it.

About files, I know that a VPN can be made using encryption and shared certificates.

It?s not full proof but, nothing is except unplugging the modem 🙂

If you could help me on choosing the best way to setup a VPN, then I would use it to share files and email access.

Thanks

Exchange at the very least….

In reply to Remote Access

For exposing your exchange server, have you thought of using OWA over https with certificates? OWA 2003 has come a long way and you have almost full feature functionality. There’s also a feature of OWA 2003 that allows full featured use of the Outlook client.

As far as the VPN solution goes, I’d phone up Cisco or a cisco integration partner in your area and start a relationship with them to work towards a hardware based VPN solution. It will cost you nothing to talk to people.

I know you said your budget is tight, but doing things correctly costs money. Come up with a couple of solutions and show your firm what they get for each cost. I think when they see they’ll get a rock solid solution for a little more money, they might open the wallet.

I agree. Use a security package.

In reply to Exchange at the very least….

If you use a security package then you can blame them if anything goes wrong. If you put your own solution together from various parts or if you use an open source solution then you will be seen as the cause if anything goes wrong. Managers will feel more confident about using an expensive security package than they would be about a VPN that you designed yourself or obtained from open source. This confidence in purchased solutions should help them to open their wallets.

Cisco has a good reputation among managers. If you keep up with security bulletins then you will find that Cisco has as many problems as any other vendor. However, your management would probably feel more confident about an expensive Cisco solution than they would be about an in house designed solution or an open source solution.

Continuing

In reply to I agree. Use a security package.

Thanks to both!
I?m looking and I found a solution that might be interesting. For about 1300 ? I can get a Procurve VPN router. I?ve seen some information about it, and it seems to be a good product. implementing a VPN.
” IPSec VPN module
enables site-to-site and client sessions;
tunneling protocols include IPSec and GRE;
encryption methods include 3DES-CBC, DESCBC,
AES-CBC, 128-bit, 192-bit, and 256-bit;
hash algorithms supported are SHA-1, MD5,
and manual IPSec policies; supports the
ability to route traffic between tunnels (hub
and spoke VPNs)”
This looks good.
Toghether with 2003 Server I think I can get a prety good security, not full-proof.

“There’s also a feature of OWA 2003 that allows full featured use of the Outlook client” – This is very interesting! Where can I see more info on this?

Thanks!

A couple of ideas

In reply to Continuing

I’m reluctant to say this or that package is good due to the ideas that I expressed in my first post. However I can give you an idea about specific encryption algorithms based on my continuing research in this area.

Good algorithms:
AES: very popular and very good
blowfish: very good
twofish: very good

Bad algorithms:
MD5: only useful to compare the contents to two files.
SHA-1: decryption was only recently discovered.

Read the article that I referenced in my first post for more information. Page two of that article has a short list of algorithms that are not very secure.

Other considerations:
Use as many bits to encode as is possible. 256 bits seems to be the highest number of bits that is widely available in the various algorithms.

Laptop computers may take a longer time to transfer files when encryption is installed. It shouldn’t be very much but some users may complain. Be prepared to explain that the degradation in computer performance is necessary.

I realise that many business manangers regard connecting to the Internet and allowing remote access to the corporate LAN as being a business necessity. My first post was geared to getting readers to rethink the value of allowing inbound connections from the Internet or from a modem to the corporate LAN. Preventing any remote access to the corporate LAN is an ideal that probably cannot be sold to management. Nevertheless if we fully understand the potential for disaster then we are better prepared to evaluate the scope of trying to secure a network. Hopefully you and other readers will at least realise the perils involved in allowing some legitimate remote access. Once you realise the dangers then you are better prepared to do a good job.

[Author]

Replies