Forinsight
Windows 7 File Sharing Workgroup Locally & via VPN
windows 7 with powerful machine i7, 8-core, 16-gb mem, ssd
apps: intuit tax pro series 2012 down to 2010
one local client connection
two remote client connections via vpn
vpn router: asus rt-n16 wireless router 300
experience index with vpn router: very fast
vpn client connection done in a couple of seconds
application run via vpn takes 4 minutes at most to load data share
when data is loaded on tax proseries it's normal operation
secured authentication 128-bit, chap2 only
problem
although this is not an ideal or even advisable vpn environment, it works. (windows server 2012 with essentials is still in the making on a trial basis but is soon to come once the owner approves the budget, if he ever does because of the expensive cost. however tax season is just about a week away, and the owner wants this launched.)
proseries approved configuration: LAN. this is a lan albeit with added vpn clients. all the same they operate within the shared folders. my problem is the security risks. how could i minimize the risks of data corruption? please tell me the most effective way to monitor the endpoints. anything better than spiceworks? i use this system but do not know how to effectively set the monitors, logs and triggers to alert on vpn intrusion or abnormality.
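One concrete way to get the "logs and triggers" the question asks for without new software: the Windows 7 machine hosting the share already records every network logon in its Security log, so it can be summarised and alerted on from there. This is an added example, not something posted in the thread; the VPN client address range and the alert thresholds are placeholders, and it assumes "Audit logon events" is enabled in Local Security Policy.

```powershell
# Added example, not from the thread: summarise network (SMB) logons to the
# Windows 7 share host from its Security log and raise simple alerts.
# Placeholders: the router hands VPN clients addresses in 192.168.10.0/24 and
# success/failure logon auditing is enabled. Written for PowerShell 2.0 (Win7 default).
$VpnPrefix = '192.168.10.'          # placeholder: the router's VPN client pool
$Lookback  = (Get-Date).AddHours(-24)
$FailLimit = 5                      # alert when one source fails this often

# 4624 = logon succeeded, 4625 = logon failed; LogonType 3 = network logon (share access)
$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Lookback }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$records = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    if ($data['LogonType'] -ne '3') { continue }
    $result = 'Failure'
    if ($e.Id -eq 4624) { $result = 'Success' }
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        Result  = $result
        User    = $data['TargetUserName']
        Source  = [string]$data['IpAddress']
        FromVpn = ([string]$data['IpAddress']).StartsWith($VpnPrefix)
    }
}

# Baseline: who connects from the VPN pool, and how often it succeeds or fails
$records | Where-Object { $_.FromVpn } | Group-Object User, Result |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# Trigger 1: repeated failed logons from a single source address (any network)
$records | Where-Object { $_.Result -eq 'Failure' } | Group-Object Source |
    Where-Object { $_.Count -ge $FailLimit } |
    ForEach-Object { Write-Warning "$($_.Count) failed network logons from $($_.Name)" }

# Trigger 2: a successful VPN-pool logon outside the expected working window
$records | Where-Object { $_.FromVpn -and $_.Result -eq 'Success' -and
                          ($_.Time.Hour -lt 7 -or $_.Time.Hour -ge 21) } |
    ForEach-Object { Write-Warning "Off-hours logon: $($_.User) from $($_.Source) at $($_.Time)" }
```

Run it from Task Scheduler on the share host and the two warnings become the "triggers"; the baseline table is what you compare against when a third client or a new source address shows up.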
Spiceworks is not a firewall. You are not going to be able to monitor vpn access from it. This will have to be done via firewall/router. Data corruption...you need to have backups, but data isn't going to get corrupt just from users connecting via vpn unless they are modifying data and the connection is terminated incorrectly.
ASKER
"Spiceworks is not a firewall."
nobody ever said it's a firewall. that's not intelligent. what do you think it is?
"This will have to be done via firewall/router"
that's too broad. what do you think i need to do and use? why not help me if you know and can and tell me exactly what you mean?
I saw this data corruption before due to the local cache [1] not being updated fast enough as multiple users modify the network file shares; there's a hotfix, but primarily you can also disable or reduce the time-out threshold for the local cache update specifically. Just a note: if you disable it, Offline Files features will not be available.
[1] http://support.microsoft.com/kb/2028965
Another thing you may want to note is "opportunistic locking" [2], which is enabled by default for server message block (SMB) clients. It lets clients lock files and locally cache information without the risk of another user changing the file. There are some registry settings for tuning performance while at the same time enforcing this lock.
[2] http://support.microsoft.com/kb/296264
Also be wary of DFS-R, as it will not work well with Offline Files in a multi-user environment [3] because it does not provide any distributed locking mechanism or file checkout capability.
[3] http://technet.microsoft.com/en-us/library/cc773238(v=ws.10).aspx#BKMK_005
As for VPN and LAN users, I have seen that one of the key security team concerns is really the user notebook becoming a bridge between the internal and external network. The internal data may then be leaked and, worse still, the notebook becomes an entry point for malware and attackers, assuming the notebook is compromised. I know of Symantec's location awareness capability [4], which enforces one location profile (e.g. either Corporate or Internet or disconnected) at any one time. Of course this adds to the Symantec HIPS, especially on a NAC scheme to make sure of client integrity, and some best practices recommended by Symantec [5]. A wireless profile is possible too.
[4] http://www.symantec.com/connect/videos/configuring-location-awareness-sepm-console
[5] http://www.symantec.com/connect/forums/sep-location-awareness-examples
Overall, I am not so sure if Windows alone will achieve all the above, but they do have NPS as RADIUS, and maybe for the wireless part you may want to consider EAP-TLS (but it requires certificates, which can be a hassle for key management and PKI setup) instead of CHAPv2, as the latter is weak in its crypto protocol and is crackable as stated below [6].
[6] https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/
Hope it helps, pardon the length and going off on a tangent focusing more on other security aspects.
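Before tuning any of the locking or caching behaviour the answer above describes, it is worth recording what the share host and clients are currently set to. The read-only audit below is an added example, not part of breadtan's post; it reads the oplock switches documented in KB 296264 and the Offline Files service state, and reports defaults where a value is absent.

```powershell
# Added example, not from the thread: read-only audit of the SMB opportunistic
# locking switches that KB 296264 documents, plus the Offline Files service.
# Caveat: Microsoft documents the oplock switches for SMB1; Windows 7 hosts negotiate
# SMB2 by default (the Smb2 value below shows whether it is enabled on the server side).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$mrxsmb = 'HKLM:\SYSTEM\CurrentControlSet\Services\MRxSmb\Parameters'
$checks = @(
    @{ Role = 'Server'; Path = $lanman; Name = 'EnableOplocks';   Default = 1 },
    @{ Role = 'Server'; Path = $lanman; Name = 'OplockBreakWait'; Default = 35 },
    @{ Role = 'Server'; Path = $lanman; Name = 'Smb2';            Default = 1 },
    @{ Role = 'Client'; Path = $mrxsmb; Name = 'OplocksDisabled'; Default = 0 }
)

"{0,-7} {1,-16} {2}" -f 'Role', 'Value', 'State'
foreach ($c in $checks) {
    # Get-ItemProperty returns nothing when the named value does not exist
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $state = "not set (default $($c.Default))"
    if ($item -ne $null) { $state = "set to $($item.($c.Name))" }
    "{0,-7} {1,-16} {2}" -f $c.Role, $c.Name, $state
}

# Offline Files (client-side caching) service; stopping/disabling it removes the
# Offline Files feature, as the answer notes
Get-WmiObject Win32_Service -Filter "Name='CscService'" |
    Select-Object Name, State, StartMode
```

Run it on the share host and on each client; a 'Client' row only matters on the machines that map the share.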
You don't mention much about the storage, but I am assuming it is not RAID1. If you use standard Windows software RAID1 for your SSDs then it will give you at least a 50% disk I/O performance boost in reads (no penalty for writes).
This is because it does load balancing on reads. not only that, but your data is protected.
ASKER
breadtan
thank you so much for giving your exhaustive recommendation on the issue. no one will be using any notebook. i've got only 3 vpn clients but only 2 for the time being.
the issue i particularly want to get addressed is this, as specified above:
"please tell me the most effective way to monitor the endpoints"
extrapolation
my vpn server is a vpn router, asus rt-n16. i configured it to authenticate windows vpn clients using its own native vpn with 128-bit security. my problem is i don't know how to monitor endpoints: from vpn router to vpn client. the asus native traffic monitor and logs could not provide sufficient data for analysis for security and troubleshooting. what are the necessary vpn network tools that effectively carry out these tasks without being 'buggy'?
dlethe
i don't have any problem with speed on the system, much less the hard drive, because i use SSD, which has much much faster throughput than any hard drives available in the market even with raid 0,1,5,10. but, because you speak about speed, perhaps you have an idea how the speed of my vpn can be boosted. i've got 30d and 5u. because of transmission my clients are using my bandwidth. that's normal. but what is not normal is that each client is throttled at 1.8mbps (d) and below 1mbps (u).
what can i do to configure my environment to prioritize my vpn clients with my max upload speed of 5mbps?
ASKER
you're respectful and humble but super sharp on your answers. encyclopedic in scope but works.
Thanks for the f/d. Glad to have help :)
ASKER
is it possible to ping you for questions on this forum that i prefer you to answer them? how?
Thanks..not sure what is the best way but typically there is a request switch for each question. Primarily I am still focusing on security related ;)