Posted on August 25, 2008, 12:36 am by Olivier Delrieu
I am setting up the IT infrastructure of a small company (staff of 10 in
the UK and Japan). We are in need of a remote data center with secure
storage, and secure communication with this data center. We would like
to outsource as many things as possible and obtain a simple, yet secure,
Please note, I am IT savvy, but I'm no IT professional, and I am
therefore looking for advice. For now, I would go with the following
options... any comments?
- secure datacenter:
: a dedicated, redundant, server such as www.rackspace.co.uk
: a physical firewall
: Windows Server 2003
: most sensitive files encrypted with PGP
- secure communication:
: Windows VPN Client/server solution
Regarding VPN authentication: I prefer to use password-based
authentication with strong password policies rather than security token
cards. What options do I have left? Is Windows VPN client/server a good
option? Are MSCHAP2 or EAP difficult to implement? Are there better and
cheaper VPN client/server solutions available?
That's a lot of questions for one post... but any help would be much
Re: Advice needed on secure remote datacenter and secure communication
I cut the message below down to what I believe are your core
requirements, to help you figure out what you need. I think you need to
examine your clients a little more closely; feel free to privately e-mail me
or reply to this if you have specific questions after reading this.
1. What data / data types are you wanting to store / serve? Databases
are a far cry from, say, images or source code when it comes to setup.
2. As Jim stated below, what level of security do you need, why do you
need that level, and how much are you willing to spend to get it?
I will give the caveat that I am a Linux systems admin, but I spent a
fair bit of time working with Windows Server, particularly 2003.
3. Why are you isolating yourself to Windows 2003? Are there application
dependencies that require you to run this OS?
4. What applications are you going to be running, and how many concurrent
users will be using the system?
5. Do you need a firewall and a VPN solution, or would a combination
solution suit your needs?
6. What data needs to be encrypted and how long do you need it to be
protected? <--- no encryption is foolproof.
7. You need to take a close look at what the actual bandwidth
requirements are for your clients to prevent problems in completing
their work. You can go with a reliable but cheap hosting service if
you only need, say, 100KB/s of bandwidth; higher-performance hosts that
will guarantee bandwidth tend to cost more.
OK, that's all the questions for now; how about some answers.
Windows Server 2003, regardless of what most people will say, can be
highly secure, but it takes a great deal of effort to make it secure.
disa.mil puts out probably the best guide on how to secure Windows
servers, but it will take several days if not a week or more to set up
a secure 2k3 machine if you aren't used to the process. As for VPN,
typically I like to see a dedicated VPN/firewall appliance; they tend
to do much better encryption and authentication of users than actually
running a VPN server on 2k3... That being said, for the number of users
you are talking about you can probably get away with running VPN on
Windows Server directly, but be sure to set policies on the service to
enable blacklisting and logging of failed attempts to deter brute
force attempts when you are only using a password-based login.
Personally, when I work with small businesses I prefer to use Cisco
ASA devices; they are not very user friendly for the initial
installation, but they are really secure if set up properly. The Cisco
ASA5505-50-BUN-K9 would probably be a good option for you, but get the
version above the lowest level. They all do 10 concurrent VPN users, but
they have different levels of licensing; the lowest only gives you 3
VLANs: an inside (internal, not accessible to the world), an outside
(capable of being VPN'd into) and a DMZ that is completely public on
whatever ports you need open. The higher-level ASAs give you more
advanced VLAN configurations for systems that may be in multiple zones,
etc. These Ciscos only run about $600, which is extremely cheap for
their performance. They will do IPsec (basically password or other
authentication types) at the firewall; from there you can only access
machines in the outside VLAN, and you have to use your traditional
local login at the server as well. You can set password complexity
requirements at both levels. Higher-model Ciscos also support SSL
login, which would bypass the firewall login if a high-strength SSL key
is installed on the client machine; for that method a local login at
the server would still be required.
Addressing your issue with PGP encryption on sensitive files: you may
want to look at setting up entire encrypted drives in your servers
using TrueCrypt; I think PGP can do the same. Doing whole-disk
encryption, as strange as it may seem, tends to perform better for
servers in my experience than doing file-level encryption; the mix of
encrypted and unencrypted sectors on a drive seems to cause issues,
especially if you are sharing the space with your system partition. I
would set up a system that has a physical drive for the OS (preferably
RAID 1) and a series of encrypted or unencrypted drives that suit my
storage needs. You have to ask why you are encrypting on the local
system: although it is a very secure way of setting up the system, you
will take huge hits on performance if you get several concurrent users,
because the system will typically open new decryption sequences for
each requesting user, using RAM and processing capacity in the process,
not to mention reducing HDD I/O performance. For most small business
implementations, encrypting network traffic and requiring high-strength
keys is sufficient; you still take a hit on RAM and CPU, but your HDD
I/O is not restricted. You need to consider how much data as well;
depending on the strength of the encryption you need, systems tend to
suffer with larger disk arrays, say larger than 3-4TB, when doing a lot
In all honesty, if the business has the cash to outsource its IT services,
a lot of times they have the resources required to host it themselves,
and I would recommend it if you need security and reliability: host
your backup servers in a co-location and run your primary servers
yourself, or use two separate co-location services, preferably in
different regions of whatever country you are posting from; one UK,
one Japan sounds good based on your clients. Of course the whole
multiple-locations thing is an idealized solution that assumes people
ever plan for disasters or facility problems.
Good luck with your planning. I've been working on multi-million dollar
data centers for the past few years, and I can say that the best way to
plan these types of projects out is to look at what you will be doing
with the setup in detail and then look at the day-to-day usage from
several angles; after that most questions will answer themselves.
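The reply's advice to log failed VPN logins and blacklist sources that hammer a password-only login is the part most worth seeing as working detection logic. The block below is an added example, not code from either poster: it assumes a constructed one-line-per-attempt log format (real RRAS, IAS or ASA logs need their own parser), uses documentation address ranges as sample data, and picks illustrative thresholds (5 failures in 10 minutes). It counts failures both per source address and per user name, so a single address spraying many accounts trips the source rule even though no one account reaches the lockout threshold, and it keeps a windowless daily total to surface the low-and-slow guesser that a sliding window never catches.

```python
"""Flag password brute-force attempts against a VPN endpoint from its
authentication log and emit block / lockout decisions.

Added example, not code from the thread. Assumptions: the one-line-per-attempt
log format below is constructed for this example (real RRAS, IAS or ASA logs
need their own parser), and the thresholds are illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (documentation address ranges, not real data).
SAMPLE_LOG = """\
2008-08-25 00:30:01 vpn auth FAIL user=olivier src=203.0.113.7
2008-08-25 00:30:03 vpn auth FAIL user=olivier src=203.0.113.7
2008-08-25 00:30:04 vpn auth FAIL user=admin src=203.0.113.7
2008-08-25 00:30:05 vpn auth FAIL user=root src=203.0.113.7
2008-08-25 00:30:06 vpn auth FAIL user=test src=203.0.113.7
2008-08-25 00:31:10 vpn auth OK user=hiroshi src=198.51.100.22
2008-08-25 00:45:00 vpn auth FAIL user=hiroshi src=198.51.100.22
2008-08-25 00:45:30 vpn auth OK user=hiroshi src=198.51.100.22
2008-08-25 02:00:00 vpn auth FAIL user=olivier src=192.0.2.9
2008-08-25 03:00:00 vpn auth FAIL user=olivier src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+ \S+) vpn auth (OK|FAIL) user=(\S+) src=(\S+)$")


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
        "ok": m.group(2) == "OK",
        "user": m.group(3),
        "src": m.group(4),
    }


def detect_bruteforce(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return (blocked_sources, locked_users).

    A source address is blocked the moment it reaches `max_failures` failed
    logins inside a sliding `window`; a user account is flagged for lockout by
    the same rule counted per user name (a spray across many accounts from one
    address trips the source rule but not the per-user one). Values are the
    timestamp of the attempt that crossed the threshold.
    """
    src_fail = defaultdict(deque)
    user_fail = defaultdict(deque)
    blocked, locked = {}, {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["ok"]:
            continue
        for table, key, out in ((src_fail, ev["src"], blocked),
                                (user_fail, ev["user"], locked)):
            q = table[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop attempts outside the window
                q.popleft()
            if len(q) >= max_failures and key not in out:
                out[key] = ev["ts"]
    return blocked, locked


def total_failures(log_text):
    """Per-source failure totals with no time window: the daily review that
    catches a low-and-slow guesser the sliding window will never trip on."""
    counts = defaultdict(int)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is not None and not ev["ok"]:
            counts[ev["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    blocked, locked = detect_bruteforce(SAMPLE_LOG)
    for src, ts in blocked.items():
        print(f"block {src} (threshold crossed at {ts})")
    for user, ts in locked.items():
        print(f"lock {user} (threshold crossed at {ts})")
    for src, n in sorted(total_failures(SAMPLE_LOG).items()):
        print(f"{src}: {n} failed attempts today")
```

On the sample data the default thresholds block 203.0.113.7 after its fifth failure without locking any account, which is the point of keeping the two counters separate: per-account lockout alone would let a password spray across ten user names run indefinitely. The windowless total is what shows 192.0.2.9 probing one account an hour apart, which no 10-minute window will ever flag.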