Solved

Win2k Secure TCP/IP

Posted on 2009-07-01
4
402 Views
Last Modified: 2012-05-07
I have a couple of win2k machines that are on separate networks and separate domains.  I need a persistent and secure TCP/IP tunnel between the two.

What is the quickest, cheapest, and most reliable way to get that going?

I cannot use a hardware-based VPN since one of the servers is not owned by us and we cannot place additional hardware there.

The connection needs to be established at boot up and needs to stay connected so that our TCP/IP application can communicate securely.

Our app is a simple socket to socket TCP/IP over a single port that is persistent.

thanks.

Question by:wskorski
4 Comments
 
LVL 28

Accepted Solution

by:
Bill Bach earned 250 total points
ID: 24759251
Quick, Cheap, and Reliable: Pick any two!

A few possibilities to consider:
1) You mention that hardware VPN is not possible, as one server is not under your control from the network perspective.  However, what about a software VPN (installed on the remote server) connecting back to your own hardware-based firewall?  I am thinking that a SonicWall Firewall/VPN solution (e.g. TZ190 on the small end, or any of the larger units) would provide high-speed VPN capabilities, and would be able to work with a small VPN client on the server that you cannot access for hardware.  (This assumes that you can install software there, of course.) (Quick and Reliable)

2) It sounds like the app is your own application.  Why not encrypt the data at the app level, and allow the system to use normal unencrypted TCP connections for data transfer?  This might be a bit slower and add some CPU overhead, but you can use an open-source encryption module (e.g. Blowfish) to implement the encryption (or just do some simple data mangling, even).  (Quick and Cheap)

3) Using a repeater might be a viable option, if you don't want to mess with any of this.  The PC-HelpWare tool (a free component similar to VNC) has a "repeater" component which provides source code as well.  It would be possible to implement the repeater on a public server (owned by you, of course), and then have the remote server connect to the repeater, and your own system connect to the repeater on the other end, and it can funnel traffic through to you.  As PCHelpware is also open source, you'll have the source code to build your own, using whatever ports and security you want to.  (Cheap and Reliable)

 
LVL 6

Assisted Solution

by:PWeerakoon
PWeerakoon earned 250 total points
ID: 24759442
Hi,
You can use IPSec Transport mode to establish an encrypted connection between the two servers.

IPSec software is built into Windows 2000 and above.

Here's a configuration guide...
http://technet.microsoft.com/en-us/library/bb742429.aspx

You can use a pre-shared key to establish the connection because the remote server is not under your control for AD integrated Kerberos and I assume you don't have certificates.

Basically, the idea is to set up an IPSec policy that would encrypt IP packets going from your server IP address to the remote server IP address. The IPSec policy engine loads at boot-time and sits above the network layer, so anything that is sent from the operating system to the network is inspected and encrypted if it matches the policy.

The downside is the encryption is done by the server CPU, unlike a dedicated VPN hardware device. However, you can get a network card that has an 'IPSEC offload' chip so that the processing is done on the NIC (if performance is a problem).

Also, starting with Windows XP SP2 and I believe Server 2003 SP2, you have to manually configure a registry key to get IPSEC to work over a NAT. Research IPsec NAT-t for this.


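The transport-mode, pre-shared-key policy PWeerakoon describes, written out as an added example (it is not part of this answer or of the linked Microsoft guide). It uses the netsh ipsec static context, which exists on Windows Server 2003 and later; on Windows 2000 the equivalent policy is built with the Resource Kit tool ipsecpol.exe or the IP Security Policy MMC snap-in from the guide. The addresses, port, policy names and key are constructed placeholders. The final reg command sets the NAT-T value the answer alludes to (AssumeUDPEncapsulationContextOnSendRule, value 2 allows IKE/ESP through NAT on both ends) and is only needed when a NAT sits between the two hosts.

```batch
@echo off
rem Added example, not from the thread. Run as Administrator on the local server;
rem the partner server needs a mirror-image policy with LOCAL/REMOTE swapped and the same PSK.
set LOCAL_IP=192.0.2.10
set REMOTE_IP=198.51.100.20
set APP_PORT=5000
set PSK=REPLACE-WITH-A-LONG-RANDOM-SECRET

rem 1. Policy container (nothing is enforced until it is assigned in step 5).
netsh ipsec static add policy name="AppTunnel" description="Transport-mode ESP to partner server"

rem 2. Filter list: only the application port between the two hosts, mirrored so
rem    replies match too. Everything else on the server is left untouched.
netsh ipsec static add filterlist name="AppTunnel-Filters"
netsh ipsec static add filter filterlist="AppTunnel-Filters" srcaddr=%LOCAL_IP% dstaddr=%REMOTE_IP% protocol=TCP srcport=0 dstport=%APP_PORT% mirrored=yes

rem 3. Filter action: negotiate ESP with encryption and integrity, and do not fall
rem    back to clear text (soft=no) or accept unprotected inbound packets (inpass=no).
netsh ipsec static add filteraction name="Require-ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem 4. Rule binding filters, action and pre-shared-key authentication.
netsh ipsec static add rule name="AppTunnel-Rule" policy="AppTunnel" filterlist="AppTunnel-Filters" filteraction="Require-ESP" psk="%PSK%"

rem 5. Assign (activate) the policy; the IPsec service reloads it at every boot.
netsh ipsec static set policy name="AppTunnel" assign=y

rem 6. Verify what was stored.
netsh ipsec static show policy name="AppTunnel" level=verbose

rem 7. Only if a NAT device sits between the hosts (XP SP2 / Server 2003 and later):
rem    allow NAT-T even when both ends are behind NAT. Requires a restart of the IPsec service.
reg add HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 2 /f
```

Because the filter is scoped to one port and one peer, a mismatch shows up as the application simply failing to connect rather than the whole server losing connectivity; the IKE negotiation can be watched in the Security event log (Audit logon events) or with netsh ipsec dynamic show all while the application attempts its first connection.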
 

Author Comment

by:wskorski
ID: 24759607
Thanks BillBach :
1) Sorry I forgot to mention.  My server is already running a Cisco VPN client on it, and you can't have two soft VPN clients running on the same server, as far as I know.

2) Our TCP listener is our own, but the remote TCP sender is not.

3) PCHelpware?  Where does the encryption take place?
 

Author Comment

by:wskorski
ID: 24806265
Ok, IPSec was easy enough to set up except IPSec does not play well with NAT.  It even does worse if you have NAT on both ends.

I ended up using Zebedee to create a VPN tunnel.  It's free and works very well.

thanks
Wes