Solved

Securely Transfer / Update Files Across Servers

Posted on 2014-11-24
25
85 Views
Last Modified: 2015-01-07
Hello,

I'm still new to servers and what you can do with them, but this is what the customer requested.

We built and set up a server running Windows SBE 2011 at their home location.  They will have a server also set up in their remote location.  The customer wants a backup of the files from the remote location to be stored on the home location server AND for them to edit, save, and update the files at the home location to be instantly sent BACK to the remote location.  How do I set this up and make it secure?  I would imagine there is a way to do it with VPN, however I'm not too familiar with VPN's, so I would need step by step.  I also know Dropbox would work, but I don't think that's is either secure enough for them or the best option.
0
Comment
Question by:Scott Thompson
  • 8
  • 8
  • 7
  • +1
25 Comments
 
LVL 15

Expert Comment

by:JBond2010
ID: 40462126
If you share out the file shares from the remote location and then configure your backup solution to backup the remote file shares.

Also, configure the NTFS permissions for the users that need access to the files and folders in the remote location so they access and modify the files as needed.
0
 
LVL 12

Expert Comment

by:DarinTCH
ID: 40462472
So do you have a Public ip  address both locationsyou could set up the backup to run automatically and a task that would replicate the backup over to the other machine via the public IP address
this can be done without setting up a site to site VPN Virtual Private network
alsothere are numerous online backup solutions that you can use with the back up in a centralized area and then access or pull down from any location
there is a lot of security buildt it  some of these online scenarios they are very popular and you should not be afraid of loosing data ...don't be afraid of them
if you're looking for a fully automated solution there is an affordable company called E silo that will back up and replicate for you based on the amount of data and put a device at your location if you want...not used to use them for smaller companies I supported
0
 
LVL 8

Author Comment

by:Scott Thompson
ID: 40462677
That would only update so often though, right?  I think what they want is to be able to edit a file at the remote location, have it save also at the home location, then have them be able to edit it at the home location.  From there, they want to be able to save it at the home location, and have it update to the remote location.
0
 
LVL 15

Expert Comment

by:JBond2010
ID: 40462697
If you just share the folders out and give the users who need access to the file shares. You can then use a batch script to map the shares on the users PCs. So when the users makes changes to the files and folders they will be updated at the remote location.

Also, because the file shares are shared out they can then be backed up through the VPN. You can even use the Windows backup utility to achieve this without occurring any additional costs.
0
 
LVL 10

Expert Comment

by:pand0ra_usa
ID: 40462875
Ideally, a business should NOT store company data at a personal house (there are many reasons for this).  How you secure the data depends on the type of data you are trying to protect. What is the budget for this? Knowing a budget is key for offering an acceptable solution for you. Another question, what are you trying to backup? Just some files in a folder or the whole system? I will assume that you just want to backup some files based on the context of your question.

1) Do NOT (never ever) use Windows file shares to share data across the Internet. This is one of the most insecure actions you can take. Scripting file transfer is a bad idea as well since admins often hard code the password in the batch/script file.

2) There is the option to use a 3rd party cloud provider for a backup solution but there are risks associated with doing so. Understand what the risks are before storing data on someone else's computer.

3)  You can look at several different VPN solutions to securely transfer data. OpenVPN is a mostly free solution and fairly easy setup for a client-server configuration. Another option is to use IPSEC which can come in several forms, the easiest would be a simple small business router that supports site-site IPSEC VPN.

4) I would also make sure that the drive at home is using full disk encryption to protect the hard drive from theft  (assuming that the data contains sensitive information).

5) If you choose to go the VPN route there are many options for backup software starting from the builtin backup with Windows to 3rd party applications like Backup Exec. Look for one that suits your requirements and budget.

Let me know if you have any further questions or can provide more information.
0
 
LVL 15

Expert Comment

by:JBond2010
ID: 40462984
Lets put things in to perspective here!

1). The SBS2011 server and the remote server are in the same Active Directory forest!

2). There will be a router to router VPN in place! This means that the traffic going to and from both locations is encrypted via IPsec tunnel which is very secure.

3). A batch script can be used because the 2 servers are in the same Active Directory forest and there is no security risk as this is going through the VPN.

4). Files shares on the remote server can be shared to users that reside in the other location where the SBS2011 server is. Again, this is not insecure as all the traffic is going though a VPN and is encrypted.

5). The data from the remote location can be backed to the other location on external media such as tapes etc.


Regards,

JBond2010
0
 
LVL 8

Author Comment

by:Scott Thompson
ID: 40463271
Thank you for all the responses! :)

My associate will be reading through this in a bit, and may ask more questions.  I did want to specify one thing though that looked like it was a little confusion.  The 'home location' I refer to is a business, but it's their headquarters.  So, both servers are on business property.  Hopefully that helps! :)
0
 
LVL 10

Expert Comment

by:pand0ra_usa
ID: 40463339
Ah. You meant home as in headquarters/main office. Got it.

In that case, another option would be to get a dedicated circuit between the offices. This will depend on budget too and may or may not fit your needs. Having a dedicated circuit will allow seamless traffic between the 2 facilities and can have fewer issues over time then with VPN.  With a dedicated circuit they could setup an MPLS connection which is scale-able and used in medium to large scale networks. Though this all will depend on budget.

Another question: How much data is planned to be backed up on a regular/daily/weekly basis?
0
 
LVL 15

Expert Comment

by:JBond2010
ID: 40463544
Giving that your infrastructure consists of x2 Servers, I think MPLS or a dedicated circuit would be overkill. I have configured many organisations in similar circumstances and small in size and a DSL line has always been more that adequate at both ends with a router to router VPN - IPsec tunnel.

Your organisation does not appear to be doing a lot and really does not require dedicated circuit or MPLS. Also consider taking a seed load of you data for backup purposes and then from there you can do incremental backups. Your backups can obviously run in the evening times.


Regards,

JBond2010
0
 
LVL 10

Expert Comment

by:pand0ra_usa
ID: 40463583
From a security standpoint a dedicated circuit is more secure then a VPN. I do penetration testing for a living for fortune 100 companies, government agencies and everything in-between. In my experience, a dedicated line is more secure then a VPN, but for Scott it may not fit his needs (e.g. budget) but he specifically asked for a secure way to backup/transfer files between sites. IPsec is a solution but not the only one and may or may not be the right one for Scott's client.

From a security perspective open ports for VPN connectivity can allow an attacker to compromise an IPsec VPN (for example, take a look at the flaws around Aggressive Mode). With a dedicated link there is less attack surface to worry about. You can do port filtering for the firewall (though few organizations do this but should) to help mitigate the risk of using a VPN.

Jbond, thank you for reinforcing my suggestion on IPsec but let's wait for more information from Scott about the situation so we can better advise him.
0
 
LVL 8

Author Comment

by:Scott Thompson
ID: 40463654
I think they just want assurance that their information is secure. It wouldn't have to be any more secure then how they can currently login to the home location server VIA the remote access offered by SBE 2011.

It's interesting to know that there are so many different options! I think the IPSec VPN may be the way to go for them from what I have read.  What do you guys suggest?

If IPSec VPN I'd the way to go, what is the encryption rate? 128 bit? How would I set this up? I've only set up local domains and gateways.

You guys are great!
0
 
LVL 8

Author Comment

by:Scott Thompson
ID: 40463661
To further answer questions, these are data files they want to transfer back and forth, some of relatively big size (50+ MB) that they may edit at either location.
As for backup, as long as the data has been copied to the home location server, it's set up with RAID 5, and a backup runs to an external they alternate out every week.   They REALLY want to make sure they don't lose data!
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 10

Expert Comment

by:pand0ra_usa
ID: 40463722
There are a lot of small business IPsec VPN routers out there so I would suggest that you look to see what fits (cost and number of users - if any) but make sure it supports site-to-site VPN. Most of those though only support Aggressive Mode so make sure you change EVERY default there is to change otherwise there is the potential for attack (mostly brute-force). Also, stay away from any Chinese made networking gear as it cannot be trusted to not have a backdoor.  

https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=small+business+ipsec+vpn+router+site-to-site


In regards to the data transfer, I was looking to find out what your aggregate was for the day (e.g. 50 GB, 100 GB, etc). Individual file size isn't that important but you will need to consider how much data you are going to be sending. Depending on current bandwidth size and requirement for the backups it may be worthwhile to look into a dedicated circuit.

If they "really don't want to lose the data" I would also suggest backing up to tape (or some other media) on a regular basis in addition to the off-site. Personally, I would never suggest to a company to store backup data in "the cloud" because it is too risky.

Backup Exec is a popular backup software. Check to see if this meets your needs.
http://www.symantec.com/pages.jsp?id=symantec-backup-exec&om_sem_cid=biz_sem_s173912633838255|pcrid|44046505009|pmt|b|plc||pdv|c

Other examples:
http://www.acronis.com/en-us/business/backup/

http://www.paragon-software.com/small-business/

Finally, I would suggest that the company edit files only from one location or look at using a document change /management control software. Else things could get messy with conflicting changes if done against a file stored in multiple locations.
0
 
LVL 15

Expert Comment

by:JBond2010
ID: 40464316
Regarding editing files. Since the introduction of Office 2010 one of the new features is Collaboration with Co-Authoring.  Co-Authoring caters for multiple people to work on the same word document, just one example.

Also, please be advised that IPsec VPNs are industry standard. There are many good Router/Firewalls on the market such as Sonic Wall, Zyxel at competitive prices that will cater for your business requirements.

Regarding your backups, as I said in a previous comment, you can backup to external media such as tapes.
0
 
LVL 8

Author Comment

by:Scott Thompson
ID: 40464881
My associate found this and I would like to know your opinions on it versus something like IPsec VPN.

http://filetransporterstore.com/collections/products/products/transporter-sync-2-pack

Do you think this would work for the purposes that we are looking for and would it be as secure?
0
 
LVL 15

Expert Comment

by:JBond2010
ID: 40464899
IPsec VPN is the link between you offices. This is a achieve by a router firewall at both ends. You would have a router to router VPN IPsec tunnel. All traffic going though the VPN is encapsulated and encrypted via IPsec which is a security protocol which is a feature of a VPN and an industry standard security protocol. This must not be confused with a backup solution.

The filetransporter can backup files and this will be done through your VPN. Remember that the point of having a VPN between your 2 sites, is so both offices can communicate, access to file shares etc.

Regards,

JBond2010
0
 
LVL 10

Expert Comment

by:pand0ra_usa
ID: 40465045
So from reading the manual, it looks like the device will connect up to http://filetransporter.com/ using an account that you create. This means that while the data physically resides on your network it probably traverses the filetransporter (FT) network in order to communicate to another FT device. It's cheap and not very professional and I'm not sure it would fit your requirements.


From their documentation:
Transporter will not stop two people from editing the same file at the same time. (In technical jargon, we don't offer a "distributed file locking" feature.)
This means that users should coordinate their usage of shared files and make copies prior to editing critical files.
0
 
LVL 15

Expert Comment

by:JBond2010
ID: 40465126
Again from my previous comments; your backups will not be running during business hours. This means there should be no files lock.

You must ensure that you have a policy in place where users log off from their PCs when they're finished for the day and this will also ensure that no files are locked when the backup is scheduled to run during the evening. Another point, do staff require access to files during unsociable hours?

The main focus here is, you do not have a complicated environment and you should not look to over complicate matters. If your environment grows, then obviously so will your business requirements regarding your IT infrastructure. Keep things simple and don't burden yourself with MPLS or dedicated circuits.

There are good hosted backup solutions such as Ahsay backup online. This is very popular with a lot companies as their data is kept off site. The prices for this are very competitive. Please see the link below.

http://www.ahsay.com/jsp/en/home/index.jsp?rf=www.google.ie&kw=

Even Window Backup will do the job for you. Remember start off simple and then build from there ;-)

http://technet.microsoft.com/en-us/library/cc772523.aspx


Regards,

JBond2010
0
 
LVL 10

Expert Comment

by:pand0ra_usa
ID: 40465270
Jbond, you may want to take a look at the documentation for FT. It doesn't do "backup", it syncs... after every change. That means that 2 people working on the file during the day will cause a conflict. Also, careful on making assumptions as to how the organization will use FT or what the organization has for resources.  

As a security professional, I disagree that cloud solutions are a secure solution because I break into them on a regular basis. Though I do agree with you that any organization should keep it simple, at least as much as their requirements allow them to. The more there are requirements often the more complex the setup and just because it is simple rarely means it is secure. Please understand that I am not pushing for MPLS or a dedicated circuit but offering the author CHOICES because there is a lot we do not know about his client's environment. Additionally, it may be competitive, cost wise, to do a dedicated circuit they just need to look into it. In some places in the US you can get a dedicated 10 Gigabit circuit for $693.35/month (this is an example and price depends on what you need and where you reside) and probably pay much less for a smaller circuit since 10G is probably a bit much for what they need.

Now, that makes me think also about the option for a shared circuit option which I had forgot about. Those can be as low as $13/month but with either type of circuit there is a installation cost. Either way might be a solution for Scott's client.  

Windows backup is probably NOT a good solution for them because it doesn't (I don't ever recall it having the ability) allow the 2nd site to easily modify the files which go back to the main office. Backups are good for what I quoted above "if they "really don't want to lose the data" I would also suggest backing up to tape (or some other media) on a regular basis in addition to the off-site. " but not for syncing.

It all depends on the requirements.


For syncing software -

 
Free/opensource:
http://sourceforge.net/projects/freefilesync/

OTS (like the product Jbond suggested):
http://www.goodsync.com/

Enterprise:
https://www.novell.com/products/openenterpriseserver/features/online-file-storage-ifolder.html  (typically there is no license requirement for the first 5 users)

If none of those work then search around and use those as a basis.
0
 
LVL 10

Expert Comment

by:pand0ra_usa
ID: 40465510
Scott,
Are both locations in Ft. Dodge?
0
 
LVL 15

Assisted Solution

by:JBond2010
JBond2010 earned 166 total points
ID: 40465948
Another option would be to setup DFS - Distribution File System replicated between the 2 locations. You have the options of configuring bandwidth and also because SBS2011 is Windows Server 2008 R2 under the hood, your Forest and Domain functional levels can be set at Window Server 2008 or Windows Server 2008 R2 and you can then use DFSR which does incremental changes of files. So this would consume less bandwidth. With DFS your files shares are synced between the 2 locations.

This would occur through the router to router VPN. All you need to do then is backup the DFS file shares and this can be done at the one location.

DFS can be backed up via SMB and UNC paths and you can also use Windows backup utility for this. DFS is a feature of Windows server, so there is no additional costs involved.

Please see the link below for a step-by-step guide.

http://technet.microsoft.com/en-us/library/cc732863(v=ws.10).aspx

There are plenty of options and they don't always have to cost big money. Windows servers are feature rich and provide many options for business requirements.


Regards,

JBond2010
0
 
LVL 10

Assisted Solution

by:pand0ra_usa
pand0ra_usa earned 167 total points
ID: 40466026
Good suggestion Jbond. Scott, you should be aware of the limitations though it may work for your purposes.

http://guides.programming4.us/windows/windows-small-business-server-2011---distributed-file-system-%28part-1%29---file-replication-service,-installing-dfs-management.aspx

You can use DFS to create a loosely coupled collaboration environment where DFS Replication replicates data between multiple servers. However, DFS Replication does not include the ability to check out files (as you’d check out books from a library) or replicate files that are in use, such as multiuser databases. Therefore, use Windows SharePoint Services in environments where users regularly attempt to edit the same file at the same time from different locations.
0
 
LVL 8

Author Comment

by:Scott Thompson
ID: 40473797
The other location is in Phoenix.
0
 
LVL 12

Accepted Solution

by:
DarinTCH earned 167 total points
ID: 40474002
so in the end we have 2 different types of suggestions and 2 different issues

you seem to want both a backup scenario and file accessibility from 2 locations

the windows DFS is an excellent suggestion by the way for replication Distributed File System

the 2nd part of the discussion is access to these files
1 option was a common shared location - a centralized repository   - choices remain
A- a cheap way to provide access to these files from multiple locations is a online repository (read cloud solution)
B- repository local at one of the sites ( either accessible from multiple areas or replicated back and forth)
---to achieve B you need to have a link - pipe - circuit between offices
--(the link can be one of many options...these vary based on cost, security, endpoint devices.

if you choose a VPN over internet - the leased line/circuit cost can be alleviated
either way you will need a device on either end that can handle the networking
there are many moderately priced Firewalls/routers that can handle the network portion, VPN (ipsec or SSL)
ipsec VPN is a little more common for site to site VPN - whether the site is a business or home
SSL VPN runs via a browser and is accessible most anywhere there is internet
some Firewalls have very simple VPN solutions
some FW even have a USB port for an external HDD that can be accessed from anywhere
(very affordable option - but has some limits)- however many small business use something similar

finally as a security professional and a security trainer - I have to mention there are security concerns for each and every scenario we have suggested
as a professional we suggest you mitigate or minimize that risk or exposure
that being said the more security =- the more cost
the reason we have mentioned cloud is that it is affordable which seemed to be an initial requirement
again many many many large companies store their data in the cloud (someone else's data center)
whether its Dropbox, Amazon, or MS Azure there are hundreds of providers and very secure
I have clients that are businesses worth $1 million to hundreds of millions of $ that use cloud scenarios

unless you are dealing with medical data HIPAA or maybe SOX  that have special requirements - i wouldn't worry
just choose a reputable provider

if you have a tech support fellow, consultant or otherwise ... he should be able to suggest many options that he uses for other clients even
0
 
LVL 8

Author Closing Comment

by:Scott Thompson
ID: 40536636
All good answers, but decided work would not be done properly enough by us for the customer.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Over the past decade, as Internet security has become a chief concern of IT professionals, one of the most common questions administrators and users ask is, “Which is more secure, SFTP or FTPS?” In short, both file transfer protocols offer a high…
Because virtualization becomes more and more common, and, with Microsoft Hyper-V included in Windows Server at no additional costs, and, most server hardware nowadays is more than capable of running a physical Small Business Server (SBS) 2008 or 201…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now