Advice needed on secure remote datacenter and secure communication

Discussion in 'Computer Security' started by Olivier Delrieu, Aug 25, 2008.

  1. Dear All,

    I am setting up the IT infrastructure of a small company (staff of 10 in
    the UK and Japan). We are in need of a remote data center with secure
    storage, and secure communication with this data center. We would like
    to outsource as many things as possible and obtain a simple, yet secure,
    IT solution.

    Please note, I am IT savvy, but I'm no IT professional, and I am
    therefore looking for advice. For now, I would go with the following
    options... any comment?

    - secure datacenter:
    : a dedicated, redundant, server such as www.rackspace.co.uk
    : a physical firewall
    : Windows Server 2003
    : most sensitive files encrypted with PGP
    - secure communication:
    : Windows VPN Client/server solution

    Regarding VPN authentication: I prefer to use password-based
    authentication with strong password policies rather than security token
    cards. What options do I have left? Is Windows VPN client/server a good
    option? Are MSCHAP2 or EAP difficult to implement? Are there better and
    cheaper VPN client/server solutions available?

    That's a lot of questions for one post... but any help would be much
    appreciated,

    Thanks,

    Olivier
    Olivier Delrieu, Aug 25, 2008
    #1

  2. Olivier Delrieu

    Jim Watt Guest

    On Mon, 25 Aug 2008 02:36:41 +0200, Olivier Delrieu <>
    wrote:

    >Dear All,
    >
    >I am setting up the IT infrastructure of a small company (staff of 10 in
    >the UK and Japan). We are in need of a remote data center with secure
    >storage, and secure communication with this data center. We would like
    >to outsource as many things as possible and obtain a simple, yet secure,
    >IT solution.
    >
    >Please note, I am IT savvy, but I'm no IT professional, and I am
    >therefore looking for advice. For now, I would go with the following
    >options... any comment?
    >
    >- secure datacenter:
    > : a dedicated, redundant, server such as www.rackspace.co.uk
    > : a physical firewall
    > : Windows Server 2003
    > : most sensitive files encrypted with PGP
    >- secure communication:
    > : Windows VPN Client/server solution
    >
    >Regarding VPN authentication: I prefer to use password-based
    >authentication with strong password policies rather than security token
    >cards. What options do I have left? Is Windows VPN client/server a good
    >option? Are MSCHAP2 or EAP difficult to implement? Are there better and
    >cheaper VPN client/server solutions available?
    >
    >That's a lot of questions for one post... but any help would be much
    >appreciated,


    You need to consider who or what you want to protect your
    data against and how much you have to spend.

    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Aug 26, 2008
    #2
  4. Olivier Delrieu

    Guest

    Re: Advice needed on secure remote datacenter and secure communication

    I cut the message below down to what I believe are your core
    requirements. To help you figure out what you need, I think you need to
    examine your clients a little closer. Feel free to privately e-mail me
    or reply to this if you have specific questions after reading this.

    1. What data / data types are you wanting to store / serve? Databases
    are a far cry from, say, images or source code when it comes to setup
    and management.

    2. As Jim stated below, what level of security do you need, why do you
    need that level, and how much are you willing to spend to get it?

    I will give the caveat that I am a Linux systems admin, but I spent a
    fair bit of time working with Windows Server, particularly 2003.

    3. Why are you isolating yourself to Windows 2003? Are there application
    dependencies that require you to run this OS?

    4. What applications are you going to be running? How many concurrent
    users will be using the system?

    5. Do you need a firewall and a VPN solution, or would a combination
    solution suit your needs?

    6. What data needs to be encrypted and how long do you need it to be
    protected? <--- no encryption is foolproof.

    7. You need to take a close look at what the actual bandwidth
    requirements are for your clients to prevent problems in completing
    their work. You can go with a reliable but cheap hosting service if
    you only need, say, 100KB/s bandwidth; higher performance hosts that
    will guarantee bandwidth tend to cost more.

    OK, that's all the questions for now. How about some answers?

    Windows Server 2003, regardless of what most people will say, can be
    highly secure, but it takes a great deal of effort to make it secure.
    disa.mil puts out probably the best guide on how to secure Windows
    servers, but it will take several days if not a week or more to set up
    a secure 2k3 machine if you aren't used to the process. As for VPN,
    typically I like to see a dedicated VPN/firewall appliance; they tend
    to do much better encryption and authentication of users than actually
    running a VPN server on 2k3... That being said, for the number of users
    you are talking about you can probably get away with running VPN on
    Windows Server directly, but be sure to set policies on the service to
    enable blacklisting and logging of failed attempts to deter brute
    force attempts when you are only using a password-based login.

    Personally, when I work with small businesses I prefer to use Cisco
    ASA devices. They are not very user friendly for the initial
    installation, but they are really secure if set up properly. CISCO
    ASA5505-50-BUN-K9 would probably be a good option for you, but get the
    version above the lowest level. They all do 10 concurrent user VPN, but
    they have different levels of licensing; the lowest only gives you 3
    VLANs: an inside (internal, not accessible to the world), an outside
    (capable of being VPN'd into) and a DMZ that is completely public to
    whatever ports you need open. The higher level ASAs give you more
    advanced VLAN configurations for systems that may be in multiple zones
    etc. These Ciscos only run about $600, which is extremely cheap for
    their performance. They will do IPsec (basically password or other
    authentication types) at the firewall; from there you can only access
    machines in the outside VLAN and you have to use your traditional
    local login at the server as well. You can set password complexity
    requirements at both levels. Higher model Ciscos also support SSL
    login, which would bypass the firewall login if a high strength SSL key
    is installed on the client machine; for that method a local login at
    the server would still be required.

    Addressing your issue with PGP encryption on sensitive files, you may
    want to look at setting up entire encrypted drives in your servers
    using TrueCrypt; I think PGP can do the same. Doing whole disk
    encryption, as strange as it may seem, tends to perform better for
    servers in my experience than doing file level encryption; the mix of
    encrypted and unencrypted sectors on a drive seems to cause issues,
    especially if you are sharing the space with your system partition. I
    would set up a system that has a physical drive for the OS (preferably
    RAID 1) and a series of encrypted or unencrypted drives that suit my
    storage needs. You have to ask why you are encrypting on the local
    system. Although it is a very secure way of setting up the system, you
    will take huge hits on performance if you get several concurrent users,
    because the system will typically open new decryption sequences for
    each requesting user, using RAM and processing capacity in the process,
    not to mention reducing HDD I/O performance. For most small business
    implementations, encrypting network traffic and requiring high strength
    keys is sufficient; you still take a hit on RAM and CPU but your HDD
    I/O is not restricted. You need to consider how much data as well;
    depending on the strength of the encryption you need, systems tend to
    suffer with larger disk arrays, say larger than 3-4TB, when doing a lot
    of encryption.

    In all honesty, if the business has the cash to outsource its IT services,
    a lot of times they have the resources required to host it themselves,
    and I would recommend it if you need security and reliability. Host
    your backup servers in a co-location and run your primary servers
    yourself, or use two separate co-location services, preferably in
    different regions of whatever country you are posting from; or one UK,
    one Japan sounds good based on your clients. Of course the whole
    multiple locations thing is an idealized solution that assumes people
    ever plan for disasters or facility problems.

    --
    Good luck with your planning. I've been working on multi-million dollar
    data centers for the past few years and I can say that the best way to
    plan these types of projects out is to look at what you will be doing
    with the setup in detail and then look at the day to day usage from
    several angles; after that most questions will answer themselves.

    Brett




    On Aug 24, 7:36 pm, Olivier Delrieu <> wrote:

    > - secure datacenter:
    > : a dedicated, redundant, server such as www.rackspace.co.uk
    > : a physical firewall
    > : Windows Server 2003
    > : most sensitive files encrypted with PGP
    > - secure communication:
    > : Windows VPN Client/server solution
    >
    > Regarding VPN authentication: I prefer to use password-based
    > authentication with strong password policies rather than security token
    > cards. What options do I have left? Is Windows VPN client/server a good
    > option? Are MSCHAP2 or EAP difficult to implement? Are there better and
    > cheaper VPN client/server solutions available?
    , Aug 28, 2008
    #4
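
The policy recommended in the post above (log failed VPN logins and blacklist sources that keep failing when only a password protects the login), sketched as an added example that is not part of the original thread and is not how Windows Server or a Cisco ASA implements it. The log format, thresholds, addresses and the `replay` function name are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: ISO time, result of the
# password check alone, user name, source IP from documentation ranges).
SAMPLE_LOG = """\
2008-08-28T09:00:01 FAIL olivier 203.0.113.7
2008-08-28T09:00:05 FAIL olivier 203.0.113.7
2008-08-28T09:00:09 FAIL admin 203.0.113.7
2008-08-28T09:00:12 OK brett 198.51.100.20
2008-08-28T09:00:14 FAIL admin 203.0.113.7
2008-08-28T09:00:20 FAIL admin 203.0.113.7
2008-08-28T09:00:25 OK olivier 203.0.113.7
2008-08-28T09:20:30 FAIL olivier 203.0.113.7
2008-08-28T09:40:00 OK olivier 203.0.113.7
"""

MAX_FAILURES = 5                    # failures tolerated per source ...
WINDOW = timedelta(minutes=10)      # ... inside this sliding window
BLOCK_FOR = timedelta(minutes=30)   # how long a blacklist entry lasts


def replay(log_text, max_failures=MAX_FAILURES, window=WINDOW,
           block_for=BLOCK_FOR):
    """Replay login attempts; return (decisions, blacklist_events).

    Each decision is (timestamp, user, ip, verdict). "blocked" means the
    source was blacklisted, so the attempt is refused whatever the password.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked_until = {}              # ip -> expiry time of blacklist entry
    decisions, blacklist_events = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, result, user, ip = line.split()
        now = datetime.fromisoformat(stamp)
        if ip in blocked_until and now < blocked_until[ip]:
            decisions.append((stamp, user, ip, "blocked"))
            continue
        blocked_until.pop(ip, None)          # entry expired, if there was one
        if result == "OK":
            # A success does not clear the source's failure history, so one
            # valid login cannot be used to reset the counter.
            decisions.append((stamp, user, ip, "allowed"))
            continue
        recent = failures[ip]
        recent.append(now)
        while now - recent[0] > window:
            recent.popleft()                 # forget failures outside window
        decisions.append((stamp, user, ip, "rejected"))
        if len(recent) >= max_failures:
            blocked_until[ip] = now + block_for
            blacklist_events.append((stamp, ip, len(recent)))  # audit record
            recent.clear()
    return decisions, blacklist_events
```

Counting per source address rather than per user name catches a source that rotates through account names, and keeps a legitimate user at another address from being locked out by someone else's guesses.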