[AccessD] From a reader -- about migrating Access data to SQLServer on the Web

jwcolby jwcolby at colbyconsulting.com
Thu Apr 23 08:41:22 CDT 2009


Joe,

 > My understanding is that none of your servers are open to the "outside" world, and the only users
 > are those on your own internal network.

That is correct.  My network is as secure as I can make it given my limited knowledge of network 
security.  I have a router with a built-in firewall, I run software firewalls on each and every 
computer, I have anti-virus software running on every machine etc.  Furthermore, at this point in 
time I have no one other than myself authorized to get in to the network.  I have had a couple of 
times when I had people remote in to help me.  I set up a user for them and then turn that user off 
(or remove the user entirely) when they are done.


 > You have raised another question that I would like to see discussed more fully.  Under what
 > configuration is a VPN necessary?  What are the advantages/disadvantages of using a VPN?

I am not a Notwork guy so I am not the best person to answer the VPN question but I will volunteer 
what I think I know.

A VPN is simply a secure communication channel, often referred to as a "tunnel", usually over the 
internet, which allows communications between a remote computer and a server or network.  These 
communications are encrypted and secured so that they cannot be snooped on.

So... a VPN is a "Virtual" "private" network.  It is virtual because it is set up on demand instead 
of being a set of NICs and cables permanently in place.  It is private because it is encrypted and 
only creates a network for those invited to join.

The VPN can be all hardware based, the router at the remote computer establishes a VPN "tunnel" to 
the router at the server end.  In this case the VPN literally extends the network at the server side 
to be visible at the remote side.  Essentially the remote computer just becomes another computer on 
the LAN.

The VPN can also be software based, which is what Hamachi does.  In this case the VPN is established 
between two specific computers - the remote and a single specific server.  In this case the remote 
computer is not directly on the LAN but rather can communicate securely with the server running the 
VPN software (Hamachi in this case), but can ONLY communicate with the server running the VPN software.

I use Hamachi because it usually works well, is free, and is easy to set up.  I have Hamachi running 
on every machine that I want to directly access.

Hamachi assigns a unique IP address in the 5.x.x.x range to each computer in the world running 
Hamachi.  Thus if I have a set of machines, each running Hamachi, I can see each machine as a 
specific 5.x.x.x IP.  Hamachi then allows me to set up one or several "networks" of any machines 
running Hamachi that I "own", i.e. that I have the Hamachi password and IP address for.  Thus I can 
build a "Hamachi VPN" of just one machine and my laptop, or a dozen or more machines and my laptop.
Or I can create many different networks with different machines.

Inside of the Hamachi application, the "network" displays all of the computers in that "LAN" and I 
can do anything I would on a normal LAN.  I can run remote desktop IF the remote machine has the RD 
service running.  I can run VNC IF the remote machine has the VNC service running.  I can view 
shared directories on the remote machine.  I can print to shared printers on the remote machine.  Etc.

One thing that I use my Hamachi VPN for is browsing the internet when I am at a hotel, and in 
particular if I need to buy something or view my banking etc.  By setting up the VPN, I can "remote 
desktop" into one of my machines at home.  The VPN channel is encrypted and secure directly from my 
laptop to a specific machine at my home office.  Now I can use RD to open a browser on the server at 
home.  I can browse, order stuff on a credit card, view my bank accounts etc. and not have to worry 
about my browsing being snooped by someone sitting in the parking lot of the hotel recording the 
guests, looking for account numbers or passwords etc.

The VPN does have overhead involved, i.e. it does slow down the process of whatever you are doing 
relative to a physical LAN but in cases where you need these capabilities you are usually willing to 
give up the speed in order to gain security.

And that is what I think I know.

John W. Colby
www.ColbyConsulting.com


Joe O'Connell wrote:
> John,
> 
> My understanding is that none of your servers are open to the "outside"
> world, and the only users are those on your own internal network.  At
> home I have a similar small network that incorporates both wired and
> wireless PCs.  This is also a closed network that is not open to the
> outside world.
> 
> At the other end of the spectrum, my company provides hosting services,
> so all of our servers must be open to the "outside" world. These servers
> are located in a data center that has been designed for this purpose and
> that has all of the "normal" security features such as climate control,
> power backup, multiple fiber connections from multiple vendors,
> redundant hardware, firewalls, etc.
>  
> Your setup works for you, so I would not change it just for the sake of
> change.  AFAIK Terminal Services are a standard service of Windows
> Server 2003.
> 
> Susan's question concerned giving access to an Access application
> remotely.  In my answer to her, I should have included a caveat that I
> was assuming that the server sits behind a firewall and is already
> available to outside users.
> 
> You have raised another question that I would like to see discussed more
> fully.  My forte is application development, not system or network
> management which I leave to others, so my knowledge of these areas is
> limited.  Under what configuration is a VPN necessary?  What are the
> advantages/disadvantages of using a VPN?
> 
> Joe O'Connell



