Safest way to VPN to network? Configuring Server 2008 as Gateway...?


  1. Posts : 126
    W10 Pro
       #1



    I am doing an overhaul of my home network, in particular related to safe external connections and safe sharing.

    There are no conn issues or the like; I am only looking for an opinion regarding how to connect to my home network from an external computer, and tips regarding safe configuration.

    As it is I have one Radmin license, which should be a pretty safe way to connect, but I am, currently, also able to use the RDP protocol.
    The obvious advantage with RDP is that I can use any W7 computer. Even my phone.

    I have two Windows 2008 based servers, one WHS and one Standard. I was thinking of letting the Standard act as a Gateway and thus removing direct external access to the WHS. I assume that would increase security, but I am not sure of how to configure the Standard server securely. Or if I could use software other than Radmin and RDP to connect.

    Tips? Thoughts? Questions?


  2. 2xg
    Posts : 2,377
    Win7 & Win8 64bit
       #2

    Hi Coram,

    If you are concerned about security, the safest way of protecting your network is adding a Security Appliance like Sonicwall. You may use VPN or Remote Desktop Services (RDS), either one will be fine, but again having a very secured network is beneficial. I am a big fan of Sonicwall.

    Hope this helps.


  3. Posts : 126
    W10 Pro
    Thread Starter
       #3

    Looking at that.

    Other tips?

    Edit:
    Are you telling me to buy something like this

    or could you be a tad more specific as to what product you are referring to?

    It's for a HOME network, if that was not clear, I am not spending a gazillion bucks on an enterprise solution...


  4. Posts : 5,941
    Linux CENTOS 7 / various Windows OS'es and servers
       #4

    Hi there
    One of the simplest ways is to set your computer to ensure that from outside you only RDP to a VIRTUAL Machine, then VPN to your INTERNAL LAN.

    With VMware Workstation rel 8.0 nobody needs to be logged on to the HOST, so that can be kept locked.

    RDP'ing to a VM is exactly the same as to a REAL machine. Your router should be able to ensure only authorized connections from outside are permitted to access the VM.

    You'll need to port forward in your router (RDP I think uses 3809 but you can google for this bit). If your remote ISP doesn't have that port open then just use Putty and Tunnelling -- again, the subject is a bit complex for this post but there is plenty on Google. Putty.exe is FREE BTW.

    Only allow those inward connection ports to be open on your Router.

    Don't go Bonkers with this security stuff - normal Windows firewall and decent settings in your home router should be MORE than enough and if the VM is unfortunate enough to become infected - just bin it and fire up a new one. You can "clone VM's" easily.

    This way your HOST should be more than adequately protected -- CHEAPLY.

    If you don't have a static IP address or an accessible domain at home then use one of the FREE dynamic DNS providers to ensure you can connect from the "public Internet" to your machine.

    Most Security people go totally Overboard with this sort of stuff -- You aren't protecting the CIA's machines.

    Incidentally, your router should have a decent set of logs so you can see who's logged in or attempted to login and when.

    Once you've successfully logged in to your VM then you can sort out what connections you need to your INTERNAL network with possibly something like OPENVPN (Free). It's much easier operating a VPN from an INTERNAL LAN anyway and you won't have some problems with ISPs not being compatible with some VPN systems.

    Very FREE (apart from the license for the OS for your VM).

    You could if you were feeling "Geekish" make the VM a Linux machine. You can then connect to your Internal LAN via your VPN. Linux in any case has decent built in security.

    (Linux is free -- you'd have to use VNC or TightVNC from your remote computer to access the Linux machine VM -- looks and feels just like RDP -- then plenty of free VPN software to access your LAN. If you only need to access ONE machine then Linux's RDESKTOP (built in) will connect to the Windows machine).

    Cheers
    jimbo


  5. Posts : 126
    W10 Pro
    Thread Starter
       #5

    Thanks Jimbo, thanks for giving the VM tip.
    I do not mean to sound ungrateful for the length of your post, but I have the rest pretty much covered.

    I can guess, but why would a Virtual machine be safer to connect to? The different filesystems?
    A VM needs as much protection as a RM (Real Machine) regarding AV and such, else it will "break" as well.
    Linux would be ok, I am a bit n00b so some conf may be tricky'sh but I think I can handle it.


  6. Posts : 1,800
    Windows 7 Pro x64 SP1
       #6

    Coram Daes. I use a VPN called Hamachi which has a free version. I have used it for years to connect to my clients' machines via a 5.xxx.xxx.xxx IP address, which is not routable on the internet routers. It works via tunneling.
    Just my opinion: opening port 3389, which is the standard RDP port, is where the bad guys keep trying to get into people's servers' Remote Desktop Services and just keep trying; sometimes they guess some credentials and luck out.
    Give it a google and see what you think: https://secure.logmein.com/products/hamachi/

    They have a pay version, which is what I use, and I have been very satisfied. I can RDP to any of my clients and their machines. Love it.

    Rich


  7. 2xg
    Posts : 2,377
    Win7 & Win8 64bit
       #7

    Coram - The Basic appliance is reasonable. There's no need to buy other options such as Gateway Security package (Anti-Virus/Anti-Spyware/Advanced content filtering). Amazon.com: Tz 100 Network Security Appliance: Electronics

    I wouldn't spend a gazillion for that image that you've posted either.
    I've been exposed to Sonicwall so I would highly recommend it if you are running Windows Servers in your network with either VPN or RDS.
    Coram Daes said:
    Looking at that.

    Other tips?

    Edit:
    Are you telling me to buy something like this

    or could you be a tad more specific as to what product you are referring to?

    It's for a HOME network, if that was not clear, I am not spending a gazillion bucks on an enterprise solution...


  8. Posts : 126
    W10 Pro
    Thread Starter
       #8

    I have used Hamachi as a game-related server so that could be worth checking up, they have obviously expanded their services.

    That Sonicwall router seems competent enough, but maybe I could use Mikrotik instead, they are way cheaper.


 
