Real World Computing

Soft-centred security

Posted on 15 Jun 2007 at 11:23

Steve Cassidy follows up last month's summary of hardware VPNs with a look at software VPN-based network designs.

I don't like going back to ask for more licences mid-project, and I spend much time being called in to sort out matters that are by their nature extra-budgetary: how much worse it must be for these guys who are obliged to practise good cost control, when they have to grovel with a "well, unfortunately, BodgeGuard needs extra licences to do what you want". Little wonder then, that in such situations, they'll try to get by with whatever comes with the server.

3 Software client and single Small Business Server

Here, the notion that a server makes a good recipient for VPN traffic is pushed about as far as it's possible to push it. In a small business (which I'd define as fewer than ten machines, although some truly boggling design documents on Microsoft's site punt numbers like 100), so the story runs, it's best to have every single job the company needs running inside one box. So you have - take a deep breath now - DHCP, DNS, AD, SQL, Exchange, ISA (Proxy), VPN and AV (anti-virus, although, strictly speaking, that's from a third party), file and print, and quite possibly a stunning OpenGL 3D screensaver, all hammering away at once, with all the LAN's users dependent on every single one of those services (except, perhaps, the screensaver).

In one way, I absolutely love this design philosophy, because without it I wouldn't have nearly so many clients, poor wretches who've fallen foul of one or another of these dodgy assumptions. But at another, less cynical, level I think it's unspeakably awful. It throws a lifeline to the serverphobes - those people who did very well out of peer-to-peer networking, who viewed the purchase of a server as an aberration that borders on certifiable, and whose idea of budgetary probity is to make sure everyone understands how expensive RAM used to be in 1994.

The fact is, almost none of the Small Business Server installations I've come across manages to stick to the configuration suggested in the SBS documentation, and their VPN implementations are no better. Somewhere within the first 20 pages of the how-to guide, Microsoft tells you, as a prospective SBS owner, to get your internet connection configured by a skilled consultant. I'd actually go much further and say that the configuration an SBS host machine really needs is almost always two or three times larger than what people have actually bought. SBS machines should have:

Their own dedicated firewall outside them (yes, I know this means you have another network with almost nothing on it and you have to make the firewall's IP addresses line up with SBS's own way of providing IP addresses to workstations);

Enough processing power and memory for the projected peak load (which means an SBS server should be larger than an equivalent non-SBS device);

And since you can't have more than one Domain Controller in an SBS network, SBS machines that are exposed to internet traffic should be backed up twice a day. Yes, I said twice. I know this is a grumpy attempt to force those who choose this option to think again, but remember, by choosing this option you've put every single egg you own into a single basket. If I had my way, SBS would nowadays only be sold as a paired-cluster operating system, so that when the inevitable mistake is made and a Denial-of-Service attack kills the Ethernet card that's open to the internet, your internal LAN users at least stand some chance of carrying on with their work while a fix is arranged with the ISP.

None of this has yet got around to talking about actual VPN products. You can always say, with some degree of truth, that all VPN client software does the same job: it tunnels through the net to shake hands with the exposed address of the gateway. But there's a good deal of usability testing that you'll need to undertake before you plump for any specific product. Systems that work well at home don't always work so well for genuine roaming users. For instance, no matter how useful it is to make everyone pass through your virus-scanning, anti-trojan LAN proxy server (and many VPN software clients will help you impose such a rule), this makes it completely impossible for a user in a hotel or airport lounge to sign in and pay for their few minutes of access: the hotel's sign-in page sits on the local network, which the client is now refusing to talk to directly, so the tunnel can never come up in the first place. And, as I said last month about hardware-mediated VPNs, so far nobody has come up with a VPN client that knows how to preserve the integrity of a file you've opened for editing remotely, without the protection afforded by Terminal Services or Citrix MetaFrame. Beware the creeping budget-buster - that sudden, horrid realisation that your "remote working project" needs a whole new technology platform to actually operate safely, over and above a VPN pipeline and some laptops - which has scuppered many a hopeful project manager.

PCPro-Computing in the Real World Printed from www.pcpro.co.uk