Scott Thompson asked:

Securely Transfer / Update Files Across Servers

Hello,

I'm still new to servers and what you can do with them, but this is what the customer requested.

We built and set up a server running Windows SBE 2011 at their home location. They will have a server also set up in their remote location. The customer wants a backup of the files from the remote location to be stored on the home location server AND for them to edit, save, and update the files at the home location to be instantly sent BACK to the remote location. How do I set this up and make it secure? I would imagine there is a way to do it with VPN, however I'm not too familiar with VPNs, so I would need step by step. I also know Dropbox would work, but I don't think that's either secure enough for them or the best option.
James

If you share out the file shares from the remote location and then configure your backup solution to back up the remote file shares.

Also, configure the NTFS permissions for the users that need access to the files and folders in the remote location so they access and modify the files as needed.
So do you have a public IP address at both locations? You could set up the backup to run automatically and a task that would replicate the backup over to the other machine via the public IP address.
This can be done without setting up a site-to-site VPN (virtual private network).
Also, there are numerous online backup solutions that you can use with the backup in a centralized area and then access or pull down from any location.
There is a lot of security built into some of these online scenarios. They are very popular and you should not be afraid of losing data... don't be afraid of them.
If you're looking for a fully automated solution, there is an affordable company called E silo that will back up and replicate for you based on the amount of data and put a device at your location if you want...not used to use them for smaller companies I supported
Scott Thompson (ASKER)

That would only update so often though, right?  I think what they want is to be able to edit a file at the remote location, have it save also at the home location, then have them be able to edit it at the home location.  From there, they want to be able to save it at the home location, and have it update to the remote location.
If you just share the folders out and give the users who need access to the file shares. You can then use a batch script to map the shares on the users' PCs. So when the users make changes to the files and folders they will be updated at the remote location.

Also, because the file shares are shared out they can then be backed up through the VPN. You can even use the Windows backup utility to achieve this without incurring any additional costs.
Ideally, a business should NOT store company data at a personal house (there are many reasons for this). How you secure the data depends on the type of data you are trying to protect. What is the budget for this? Knowing a budget is key for offering an acceptable solution for you. Another question, what are you trying to back up? Just some files in a folder or the whole system? I will assume that you just want to back up some files based on the context of your question.

1) Do NOT (never ever) use Windows file shares to share data across the Internet. This is one of the most insecure actions you can take. Scripting file transfer is a bad idea as well since admins often hard code the password in the batch/script file.

2) There is the option to use a 3rd party cloud provider for a backup solution but there are risks associated with doing so. Understand what the risks are before storing data on someone else's computer.

3)  You can look at several different VPN solutions to securely transfer data. OpenVPN is a mostly free solution and fairly easy setup for a client-server configuration. Another option is to use IPSEC which can come in several forms, the easiest would be a simple small business router that supports site-site IPSEC VPN.

4) I would also make sure that the drive at home is using full disk encryption to protect the hard drive from theft  (assuming that the data contains sensitive information).

5) If you choose to go the VPN route there are many options for backup software starting from the built-in backup with Windows to 3rd party applications like Backup Exec. Look for one that suits your requirements and budget.

Let me know if you have any further questions or can provide more information.
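
Point 1 of the reply above notes that scripted transfers often end up with the password hard-coded in the batch file. The following added example (not part of the original thread) audits a batch script for `net use` lines that embed a literal password; the sample script and its server, share and account names are constructed.

```python
import re
import shlex

# Constructed sample of a drive-mapping batch file (all names are made up).
SAMPLE_BATCH = r'''@echo off
rem map the remote office shares
net use Z: \\remote-srv\projects P@ssw0rd1 /user:CORP\backupsvc /persistent:yes
net use Y: \\remote-srv\archive * /user:CORP\jsmith
NET USE X: \\remote-srv\public /persistent:no
net use W: "\\remote-srv\shared docs" "Summer 2014!" /user:CORP\scanner
net use V: /delete
'''

NET_USE = re.compile(r'^\s*@?\s*net(?:\.exe)?\s+use\s+(.*)$', re.IGNORECASE)


def find_hardcoded_passwords(batch_text):
    """Return (line number, share, user) for each net use line that carries a
    literal password. The password itself is never returned or printed."""
    findings = []
    for lineno, line in enumerate(batch_text.splitlines(), 1):
        match = NET_USE.match(line)
        if not match:
            continue
        try:
            # posix=False keeps the backslashes of UNC paths intact.
            tokens = shlex.split(match.group(1), posix=False)
        except ValueError:  # unbalanced quote: fall back to a plain split
            tokens = match.group(1).split()
        tokens = [t.strip('"') for t in tokens]
        switches = [t for t in tokens if t.startswith('/')]
        positional = [t for t in tokens if not t.startswith('/')]
        # The password, if any, is the positional argument right after the share.
        share_idx = next(
            (i for i, t in enumerate(positional) if t.startswith('\\\\')), None)
        if share_idx is None or share_idx + 1 >= len(positional):
            continue  # no share on this line, or no password argument
        if positional[share_idx + 1] == '*':
            continue  # "*" makes net use prompt for the password instead
        user = next(
            (s[6:] for s in switches if s.lower().startswith('/user:')), None)
        findings.append((lineno, positional[share_idx], user))
    return findings


if __name__ == '__main__':
    for lineno, share, user in find_hardcoded_passwords(SAMPLE_BATCH):
        print(f'line {lineno}: literal password for {user} on {share}')
```

A password that itself begins with `/` would be read as a switch and missed, so treat a clean result as a first pass rather than proof.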
Let's put things into perspective here!

1). The SBS2011 server and the remote server are in the same Active Directory forest!

2). There will be a router to router VPN in place! This means that the traffic going to and from both locations is encrypted via IPsec tunnel which is very secure.

3). A batch script can be used because the 2 servers are in the same Active Directory forest and there is no security risk as this is going through the VPN.

4). File shares on the remote server can be shared to users that reside in the other location where the SBS2011 server is. Again, this is not insecure as all the traffic is going through a VPN and is encrypted.

5). The data from the remote location can be backed up to the other location on external media such as tapes etc.


Regards,

JBond2010
Thank you for all the responses! :)

My associate will be reading through this in a bit, and may ask more questions.  I did want to specify one thing though that looked like it was a little confusion.  The 'home location' I refer to is a business, but it's their headquarters.  So, both servers are on business property.  Hopefully that helps! :)
Ah. You meant home as in headquarters/main office. Got it.

In that case, another option would be to get a dedicated circuit between the offices. This will depend on budget too and may or may not fit your needs. Having a dedicated circuit will allow seamless traffic between the 2 facilities and can have fewer issues over time than with VPN. With a dedicated circuit they could set up an MPLS connection which is scalable and used in medium to large scale networks. Though this all will depend on budget.

Another question: How much data is planned to be backed up on a regular/daily/weekly basis?
Given that your infrastructure consists of x2 Servers, I think MPLS or a dedicated circuit would be overkill. I have configured many organisations in similar circumstances and small in size and a DSL line has always been more than adequate at both ends with a router to router VPN - IPsec tunnel.

Your organisation does not appear to be doing a lot and really does not require dedicated circuit or MPLS. Also consider taking a seed load of your data for backup purposes and then from there you can do incremental backups. Your backups can obviously run in the evening times.


Regards,

JBond2010
From a security standpoint a dedicated circuit is more secure than a VPN. I do penetration testing for a living for Fortune 100 companies, government agencies and everything in-between. In my experience, a dedicated line is more secure than a VPN, but for Scott it may not fit his needs (e.g. budget) but he specifically asked for a secure way to backup/transfer files between sites. IPsec is a solution but not the only one and may or may not be the right one for Scott's client.

From a security perspective open ports for VPN connectivity can allow an attacker to compromise an IPsec VPN (for example, take a look at the flaws around Aggressive Mode). With a dedicated link there is less attack surface to worry about. You can do port filtering for the firewall (though few organizations do this but should) to help mitigate the risk of using a VPN.

Jbond, thank you for reinforcing my suggestion on IPsec but let's wait for more information from Scott about the situation so we can better advise him.
I think they just want assurance that their information is secure. It wouldn't have to be any more secure than how they can currently login to the home location server via the remote access offered by SBE 2011.

It's interesting to know that there are so many different options! I think the IPSec VPN may be the way to go for them from what I have read.  What do you guys suggest?

If IPSec VPN is the way to go, what is the encryption rate? 128 bit? How would I set this up? I've only set up local domains and gateways.

You guys are great!
To further answer questions, these are data files they want to transfer back and forth, some of relatively big size (50+ MB) that they may edit at either location.
As for backup, as long as the data has been copied to the home location server, it's set up with RAID 5, and a backup runs to an external they alternate out every week.   They REALLY want to make sure they don't lose data!
There are a lot of small business IPsec VPN routers out there so I would suggest that you look to see what fits (cost and number of users - if any) but make sure it supports site-to-site VPN. Most of those though only support Aggressive Mode so make sure you change EVERY default there is to change otherwise there is the potential for attack (mostly brute-force). Also, stay away from any Chinese-made networking gear as it cannot be trusted to not have a backdoor.

https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=small+business+ipsec+vpn+router+site-to-site


In regards to the data transfer, I was looking to find out what your aggregate was for the day (e.g. 50 GB, 100 GB, etc). Individual file size isn't that important but you will need to consider how much data you are going to be sending. Depending on current bandwidth size and requirement for the backups it may be worthwhile to look into a dedicated circuit.

If they "really don't want to lose the data" I would also suggest backing up to tape (or some other media) on a regular basis in addition to the off-site. Personally, I would never suggest to a company to store backup data in "the cloud" because it is too risky.

Backup Exec is a popular backup software. Check to see if this meets your needs.
http://www.symantec.com/pages.jsp?id=symantec-backup-exec&om_sem_cid=biz_sem_s173912633838255|pcrid|44046505009|pmt|b|plc||pdv|c

Other examples:
http://www.acronis.com/en-us/business/backup/

http://www.paragon-software.com/small-business/

Finally, I would suggest that the company edit files only from one location or look at using a document change /management control software. Else things could get messy with conflicting changes if done against a file stored in multiple locations.
Regarding editing files. Since the introduction of Office 2010 one of the new features is Collaboration with Co-Authoring. Co-Authoring caters for multiple people to work on the same Word document, just one example.

Also, please be advised that IPsec VPNs are industry standard. There are many good Router/Firewalls on the market such as SonicWall, Zyxel at competitive prices that will cater for your business requirements.

Regarding your backups, as I said in a previous comment, you can back up to external media such as tapes.
My associate found this and I would like to know your opinions on it versus something like IPsec VPN.

http://filetransporterstore.com/collections/products/products/transporter-sync-2-pack

Do you think this would work for the purposes that we are looking for and would it be as secure?
IPsec VPN is the link between your offices. This is achieved by a router firewall at both ends. You would have a router to router VPN IPsec tunnel. All traffic going through the VPN is encapsulated and encrypted via IPsec which is a security protocol which is a feature of a VPN and an industry standard security protocol. This must not be confused with a backup solution.

The filetransporter can back up files and this will be done through your VPN. Remember that the point of having a VPN between your 2 sites, is so both offices can communicate, access to file shares etc.

Regards,

JBond2010
So from reading the manual, it looks like the device will connect up to http://filetransporter.com/ using an account that you create. This means that while the data physically resides on your network it probably traverses the filetransporter (FT) network in order to communicate to another FT device. It's cheap and not very professional and I'm not sure it would fit your requirements.


From their documentation:
Transporter will not stop two people from editing the same file at the same time. (In technical jargon, we don't offer a "distributed file locking" feature.)
This means that users should coordinate their usage of shared files and make copies prior to editing critical files.
Again from my previous comments; your backups will not be running during business hours. This means there should be no files locked.

You must ensure that you have a policy in place where users log off from their PCs when they're finished for the day and this will also ensure that no files are locked when the backup is scheduled to run during the evening. Another point, do staff require access to files during unsociable hours?

The main focus here is, you do not have a complicated environment and you should not look to over complicate matters. If your environment grows, then obviously so will your business requirements regarding your IT infrastructure. Keep things simple and don't burden yourself with MPLS or dedicated circuits.

There are good hosted backup solutions such as Ahsay backup online. This is very popular with a lot of companies as their data is kept off site. The prices for this are very competitive. Please see the link below.

http://www.ahsay.com/jsp/en/home/index.jsp?rf=www.google.ie&kw=

Even Windows Backup will do the job for you. Remember start off simple and then build from there ;-)

http://technet.microsoft.com/en-us/library/cc772523.aspx


Regards,

JBond2010
Jbond, you may want to take a look at the documentation for FT. It doesn't do "backup", it syncs... after every change. That means that 2 people working on the file during the day will cause a conflict. Also, careful on making assumptions as to how the organization will use FT or what the organization has for resources.  

As a security professional, I disagree that cloud solutions are a secure solution because I break into them on a regular basis. Though I do agree with you that any organization should keep it simple, at least as much as their requirements allow them to. The more there are requirements often the more complex the setup and just because it is simple rarely means it is secure. Please understand that I am not pushing for MPLS or a dedicated circuit but offering the author CHOICES because there is a lot we do not know about his client's environment. Additionally, it may be competitive, cost wise, to do a dedicated circuit they just need to look into it. In some places in the US you can get a dedicated 10 Gigabit circuit for $693.35/month (this is an example and price depends on what you need and where you reside) and probably pay much less for a smaller circuit since 10G is probably a bit much for what they need.

Now, that makes me think also about the option for a shared circuit option which I had forgotten about. Those can be as low as $13/month but with either type of circuit there is an installation cost. Either way might be a solution for Scott's client.

Windows backup is probably NOT a good solution for them because it doesn't (I don't ever recall it having the ability) allow the 2nd site to easily modify the files which go back to the main office. Backups are good for what I quoted above "if they "really don't want to lose the data" I would also suggest backing up to tape (or some other media) on a regular basis in addition to the off-site. " but not for syncing.

It all depends on the requirements.


For syncing software -

 
Free/opensource:
http://sourceforge.net/projects/freefilesync/

OTS (like the product Jbond suggested):
http://www.goodsync.com/

Enterprise:
https://www.novell.com/products/openenterpriseserver/features/online-file-storage-ifolder.html  (typically there is no license requirement for the first 5 users)

If none of those work then search around and use those as a basis.
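
The conflict described in the Transporter documentation quoted earlier in the thread (no distributed file locking) can at least be detected before a sync overwrites anything. The following is an added example, not part of the original thread and not how any product named here works: it compares each site's file hashes against the last synced state and flags files changed at both ends. File names and contents are constructed.

```python
import hashlib


def plan_sync(baseline, hq, remote):
    """Three-way comparison of {path: content hash} maps.

    baseline is the state recorded after the last successful sync; a path
    missing from a map means the file does not exist there.
    """
    actions = {}
    for path in sorted(set(baseline) | set(hq) | set(remote)):
        base, a, b = baseline.get(path), hq.get(path), remote.get(path)
        if a == b:
            actions[path] = "in-sync"            # same content, or gone at both
        elif a == base:                          # only the remote site changed
            actions[path] = "copy remote->hq" if b is not None else "delete at hq"
        elif b == base:                          # only HQ changed
            actions[path] = "copy hq->remote" if a is not None else "delete at remote"
        else:                                    # both changed, differently
            actions[path] = "CONFLICT"
    return actions


def demo_plan():
    """Build constructed sample states for two offices and plan the sync."""
    h = lambda text: hashlib.sha256(text.encode()).hexdigest()
    baseline = {"plans/site.dwg": h("v1"), "quotes/q1.xlsx": h("v1"),
                "notes.txt": h("v1"), "old.doc": h("v1")}
    hq = {"plans/site.dwg": h("v2 edited at hq"), "quotes/q1.xlsx": h("v1"),
          "notes.txt": h("hq edit"), "old.doc": h("v1")}
    remote = {"plans/site.dwg": h("v1"), "quotes/q1.xlsx": h("v1"),
              "notes.txt": h("remote edit"), "new.txt": h("created remotely")}
    return plan_sync(baseline, hq, remote)


if __name__ == "__main__":
    for path, action in demo_plan().items():
        print(f"{action:18} {path}")
```

A file marked CONFLICT should be kept as two copies for a person to merge, never resolved by newest-timestamp-wins.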
Scott,
Are both locations in Ft. Dodge?
The other location is in Phoenix.
All good answers, but decided work would not be done properly enough by us for the customer.