Basic Vpn Setup/layout Question

[skipples]

hi guys,

i am hoping you can help me out with your opinions.

so i recently starting to help maintain a network for this very small business. it's very basic. 1 DC/server & 3 workstations. they are all hooked up to 3Com Baseline Switch 2126-G. due to the way it was setup, not by me, the boss + 1 other employee (of the only 3 employees there are) remote desktop into the server directly from outside the lan sometimes. as no vpn was setup for them to securely get into the network, i was thinking of setting up something basic on a headless workstation. i've really enjoyed using Adito as an ssl vpn to rdp over, ever since i heard of it in season 6. the comcast business modem has a built in firewall that we use. for the mean time, i had at least changed the default rdp port to something more obscure. as we all know, that's a no no to leave any port open directly to a server in a network for a business, despite it not passing any login info in cleartext over the connection in windows server 2008's rdp.

so my question is: i want to implement a small adito vpn server. i can easily set it up, but will this be better than what is currently setup...?

(layout below)

isp ---> modem(built-in firewall) ---> switch ---> workstations + vpn server.

if i were to leave the only 1 open port to the network pointing to the vpn/adito server, that would still be better than the way it's currently setup, right? let me know if i need to make myself a bit more clear

thanks!

[Sparda]

despite it not passing any login info in cleartext over the connection in windows server 2008's rdp.

The easiest most flexible solution would probably be to use SSH server, a 'traditional' VPN would require virtual network adapters and similar, and, tbh, there is no need to go to that hassle unless there is a good reason for the computer to virtually be on the network.

[skipples]

thanks for your reply, sparda. well, i was going to setup the adito on a linux box of course. i guess im confused on your ssh server comment. how would the ssh server, despite for my personal use, be beneficial to the end user in this case? i guess another reason i'd like to use linux+adito to initiate that secure connection is so i can monitor incoming connections to that port/box better. i haven't had the best of luck setting up filters on 2k8's built-in firewall.

crap, now you have me second guessing myself. i thought i was on the right track closing off the open port directly to that production server, which houses confidential info at times. it's a necessity for those 2 other people to have direct RD access into it from outside the network, due to the current setup.

Edited October 1, 2010 by skipples

[Sparda]

Well, you can setup port tunneling from the client, then have remote desktop through the tunnel.

Example of this can be find here: http://theillustratednetwork.mvps.org/Ssh/...DesktopSSH.html

[skipples]

oh, i'm sorry. i guess i misread what you were saying about all that. although that is a simple alternative too, it's not the easiest way to the end user maybe? you'd have to setup putty for them, etc. yes, one of them uses xp at home, but the boss uses a mac.

i'm a huge user of ssh for all kinds of things so i love that option, but is there any real advantage over that compared to using the web based ssl/vpn adito?

[Sparda]

is there any real advantage over that compared to using the web based ssl/vpn adito?

Not really. It's just another option.

[Infiltrator]

I think Adito would be a good option, for a VPN set up. Since you can allocate local resources and access them over the internet, without having to open too many port forwarding on the firewall, a good practice from a security standpoint.

But on the other hand SSH would be a bit more secure than the SSL VPN itself.

Just my option, by the way.

Edited October 2, 2010 by Infiltrator

[skipples]

Cool. Thanks again for the replies and opinions on this.