Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Secure File access across a WAN

  1. #1
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747

    Secure File access across a WAN

    Mainly looking for ideas as to what I need to implement.


    heres the situation:


    We have baout 10 offices located throughout a state...each office needs to be able to share files and what not with other offices, however it must be secure as this information deals with Sensitive Patient Data. Most of these offices are separated by at least 80+ miles.

    So Security is a very high priority.

    I thought about maybe setting up a VPN to a central server somewhere, but not sure I really want to have to buy VPN equipment for all the offices and set it all up.

    Looking to see if maybe their is some easier way, but as secure...I thought about maybe setting up a central File server that would be passworded, but I dont' think that would be secure enough for holding sensitive data. Since it would be possible to run something to capture the data from that office to the server a little to easy.

    I think maybe something that would both encrypt the data where it is stored...encrypt it while its being transmitted...and be passworded...at least 2 stage authentication.


    Kinda new to this area of IT, just trying to see what some of your guys opinions are.
    =

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Posts
    119
    You mention patient data so obviously you have to be HIPAA complaint. Thus the data would need to be encrypted end to end. Althougth I have yet to see an exact encryption mandate, I would have to say that 128bit SSL would be enough. How are you currently transferring the files?

    Another question .... when you say WAN ... do you mean they already have a connection to each other? Such as a T1 or frame-relay?

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    As a side note, you don't have to buy VPN equipment. Lots of routers support IPsec. Use that.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    I'm sorry...was a little vague on my description.


    Each office is connected to the internet via DSL lines...the main office has a T1 for connectivity.


    Just trying to see what the best method would be to secure this data....was definitely thinking encrypting data while its being transferred...and would like to encrypt data as its stored on the server.

    The offices aren't very big...only about 5 -8 computers per office with a SOHO router at each office.

    I could use VPN, but its something I've never really messed with which is why i was trying to stay away from it :P...but I could learn how to set it up relatively quick.



    As far as current transfer methods, I'm not going to go into detail on that, but I put a stop to it, as it was insecure.


    Just trying to see what other people recommend for this situation..whatever would be the most secure.
    =

  5. #5
    Senior Member
    Join Date
    Mar 2004
    Posts
    119
    I would use something like a Cisco ISR router at the main location to terminate the T1. I would then use something like a Cisco ASA 5505 at each location to create a VPN tunnel back to the ISR router. Surely you can use anything else that supports VPN but this was just to give you an idea. The most secure thing would be to have point-to-point circuits to each location. The second best thing would be the VPN as I mentioned above. Additionally you could install a VPN gateway at your main location and have them use client software to connect. However, I recommend the ASA 5505 at the remotes and something like a 2811/K9 HSEC at the host.

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    682
    My setup is similar to Net2's

    I use a Watchguard products and have licensed both their Branch Office VPN and Mobile User VPN options.

    The 2 main offices use F700's and are connected via a vpn tunnel over the branch office vpn. I also have laptop users connect using the MUVPN software.

    The downside of this is that speed between the sites over the vpn can be slow. We have a 3.5mbps dsl connection here which is pretty speedy as far as wan is concerned but compared to a 100mbps lan it can be pretty pokey. Plus you've got the vpn overhead as well. If you're thinking of using something like msAccess over this connection ... don't. (unless you are using access as a front end for mssql) A vpn of any flavour is not going to be useful (or reliable) for having files open over it (ie: a spreadsheet) You can do it...but it's slow, you risk corruption and it's just a bad idea.

    If you just need transfer capability you might look at setting up a ssh server. You can do this on a winbox without too much trouble http://pigtail.net/LRP/printsrv/cygwin-sshd.html

    I use this to communicate with my webserver. I have disabled ftp and use ssh to transfer files. Works nicely. One thing I noticed was I was getting a ton of login attempts on the ssh port so I retricted ssh accessthrough the firewall to my ip addy for added security. You could do the same to each of your BO's.

    One final idea, especially if you need to run common apps over the BO's, is to set up a Terminal Server at HO. Then users can log in and all data and apps are local to HO, the BO machines are just thin clients. With TS you don't need a vpn (and they can actually be a problem) http://www.sessioncomputing.com/security.htm for additional TS security you could look at an ssl gateway http://www.watchguard.com/products/fb-ssl.asp
    I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson

  7. #7
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    To build on zigar's ssh suggestion, why not set up a sftp server?

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  8. #8
    Senior Member
    Join Date
    Jul 2001
    Posts
    343
    Use www.ipcop.org and www.openvpn.se
    as your VPN tunnel....
    You can bridge this as well.....

    Works for me.....
    Franklin Werren at www.bagpipes.net
    Yes I do play the Bagpipes!

    And learning to Play the Bugle

  9. #9
    Junior Member
    Join Date
    Jan 2006
    Posts
    2
    perhaps you could try installing an SSH server on each of the borders of your network. the ssh sending server will encrypt the outgoing data... and the receiiving server would be able to interpret it.
    rz14

  10. #10
    Senior Member
    Join Date
    Mar 2004
    Posts
    119
    For compliance purposes ( mainly HIPAA) I would stick with commercial off the shelf gear as its security has been proven. If the gear isnt certified, its alot harder to merely verify the configuration.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •