September 5th, 2006, 05:22 AM
Secure File access across a WAN
Mainly looking for ideas as to what I need to implement.
heres the situation:
We have baout 10 offices located throughout a state...each office needs to be able to share files and what not with other offices, however it must be secure as this information deals with Sensitive Patient Data. Most of these offices are separated by at least 80+ miles.
So Security is a very high priority.
I thought about maybe setting up a VPN to a central server somewhere, but not sure I really want to have to buy VPN equipment for all the offices and set it all up.
Looking to see if maybe their is some easier way, but as secure...I thought about maybe setting up a central File server that would be passworded, but I dont' think that would be secure enough for holding sensitive data. Since it would be possible to run something to capture the data from that office to the server a little to easy.
I think maybe something that would both encrypt the data where it is stored...encrypt it while its being transmitted...and be passworded...at least 2 stage authentication.
Kinda new to this area of IT, just trying to see what some of your guys opinions are.
September 5th, 2006, 07:21 AM
You mention patient data so obviously you have to be HIPAA complaint. Thus the data would need to be encrypted end to end. Althougth I have yet to see an exact encryption mandate, I would have to say that 128bit SSL would be enough. How are you currently transferring the files?
Another question .... when you say WAN ... do you mean they already have a connection to each other? Such as a T1 or frame-relay?
September 5th, 2006, 11:26 AM
As a side note, you don't have to buy VPN equipment. Lots of routers support IPsec. Use that.
Experience is something you don't get until just after you need it.
September 5th, 2006, 03:58 PM
I'm sorry...was a little vague on my description.
Each office is connected to the internet via DSL lines...the main office has a T1 for connectivity.
Just trying to see what the best method would be to secure this data....was definitely thinking encrypting data while its being transferred...and would like to encrypt data as its stored on the server.
The offices aren't very big...only about 5 -8 computers per office with a SOHO router at each office.
I could use VPN, but its something I've never really messed with which is why i was trying to stay away from it :P...but I could learn how to set it up relatively quick.
As far as current transfer methods, I'm not going to go into detail on that, but I put a stop to it, as it was insecure.
Just trying to see what other people recommend for this situation..whatever would be the most secure.
September 5th, 2006, 04:43 PM
I would use something like a Cisco ISR router at the main location to terminate the T1. I would then use something like a Cisco ASA 5505 at each location to create a VPN tunnel back to the ISR router. Surely you can use anything else that supports VPN but this was just to give you an idea. The most secure thing would be to have point-to-point circuits to each location. The second best thing would be the VPN as I mentioned above. Additionally you could install a VPN gateway at your main location and have them use client software to connect. However, I recommend the ASA 5505 at the remotes and something like a 2811/K9 HSEC at the host.
September 5th, 2006, 05:59 PM
My setup is similar to Net2's
I use a Watchguard products and have licensed both their Branch Office VPN and Mobile User VPN options.
The 2 main offices use F700's and are connected via a vpn tunnel over the branch office vpn. I also have laptop users connect using the MUVPN software.
The downside of this is that speed between the sites over the vpn can be slow. We have a 3.5mbps dsl connection here which is pretty speedy as far as wan is concerned but compared to a 100mbps lan it can be pretty pokey. Plus you've got the vpn overhead as well. If you're thinking of using something like msAccess over this connection ... don't. (unless you are using access as a front end for mssql) A vpn of any flavour is not going to be useful (or reliable) for having files open over it (ie: a spreadsheet) You can do it...but it's slow, you risk corruption and it's just a bad idea.
If you just need transfer capability you might look at setting up a ssh server. You can do this on a winbox without too much trouble http://pigtail.net/LRP/printsrv/cygwin-sshd.html
I use this to communicate with my webserver. I have disabled ftp and use ssh to transfer files. Works nicely. One thing I noticed was I was getting a ton of login attempts on the ssh port so I retricted ssh accessthrough the firewall to my ip addy for added security. You could do the same to each of your BO's.
One final idea, especially if you need to run common apps over the BO's, is to set up a Terminal Server at HO. Then users can log in and all data and apps are local to HO, the BO machines are just thin clients. With TS you don't need a vpn (and they can actually be a problem) http://www.sessioncomputing.com/security.htm for additional TS security you could look at an ssl gateway http://www.watchguard.com/products/fb-ssl.asp
I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
September 6th, 2006, 02:35 AM
To build on zigar's ssh suggestion, why not set up a sftp server?
September 6th, 2006, 03:34 AM
Use www.ipcop.org and www.openvpn.se
as your VPN tunnel....
You can bridge this as well.....
Works for me.....
Franklin Werren at www.bagpipes.net
Yes I do play the Bagpipes!
And learning to Play the Bugle
September 6th, 2006, 04:36 AM
perhaps you could try installing an SSH server on each of the borders of your network. the ssh sending server will encrypt the outgoing data... and the receiiving server would be able to interpret it.
September 6th, 2006, 06:01 AM
For compliance purposes ( mainly HIPAA) I would stick with commercial off the shelf gear as its security has been proven. If the gear isnt certified, its alot harder to merely verify the configuration.