Restricting VPN access

Dunamis

[H]Lurker Supreme[/H]
Joined
Jun 30, 2004
Messages
2,303
Hi guys, need help with setting up a VPN connection on the server at the office (WinServer 2003). Not connecting to the server, but setting up the server so it can receive VPN connections.

My main concern is that people who connect to the server are not from our company but from other companies that deal with us. Basically we want to restrict the access they have to most of the server's resources except for a few shared folders and connecting to the server's database service.

So the question is, how do I set this up?
The only experience I have had with VPN is setting up VPN at home using WinXP (so I can connect from anywhere to my home network).

Any pointers / feedback will be great :)

Edit:
And which one would you choose Linksys WAG325N or Netgear DG834PN?
 
I would first recommend you use a real VPN/Firewall device instead of Win2003 (not counting ISA Server). In the Cisco (or any other business class firewall) world, you would create a different client access policy for your users and third parties. You would restrict the IPs and protocols the third party rule would allow.
 
Thanks MorfiusX.

I'm a bit of a noob here in the networking world; I've never had any experience with Cisco routers or any corporate networking in this matter.

For a dedicated VPN device, what sort of router/networking device and software (if any) do I need to achieve this? And how hard are these things to set up? I'm only networking literate as far as punching a port hole through a router firewall and doing some forwarding.

And say that they wouldn't want to spend that much for a real VPN device, does that mean Win2003 can't be set up to do what I'm trying to do?
 
My main concern is that people who connect to the server are not from our company but from other companies that deal with us. Basically we want to restrict the access they have to most of the server's resources except for a few shared folders and connecting to the server's database service.

If you're talking about only allowing certain users to be able to VPN into the server, that's easy. Double check that the two default policy rules RRAS comes with are something you want (generally yes, but you can configure them a bit if you want to go that route) and control user VPN access via the Dial-in tab on the user's object in AD, either allow or deny, or control via the RRAS policies. If you're talking more about having multiple people VPN in and being restricted to only certain things, that's beyond what I've done with it, so you'll have to wait for someone else or do some googling :p. I don't believe that's even possible from a RRAS standpoint though; that would be beyond its control.
 
I would first recommend you use a real VPN/Firewall device instead of Win2003 (not counting ISA Server). In the Cisco (or any other business class firewall) world, you would create a different client access policy for your users and third parties. You would restrict the IPs and protocols the third party rule would allow.

Generally speaking I would agree with this.

That being said, you could create a new user group (I'd make a new container for them to make it easy to manage) and tie them to their own group policy which is locked down like crazy. Then just give them rights to the folders they need to access. Hell, even with a real VPN device I would do this.

As far as a Cisco router goes, unless you have experience with one I would prob go with the server solution. The Cisco would end up giving you more trouble unless you had someone set it up for you.
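The "separate container, separate group, rights only to the folders they need, dial-in controlled on the user object" approach from the two replies above, as an added example that is not from this thread. It assumes a current Windows Server with the RSAT ActiveDirectory and SmbShare modules (not Win2003), and all names and paths (PartnerVPN, VPN-Partners, partner.example, D:\PartnerData) are placeholders.

```powershell
# Added example, not from the thread. Placeholder names throughout.
Import-Module ActiveDirectory
Import-Module SmbShare

$ouName    = 'PartnerVPN'
$groupName = 'VPN-Partners'
$partner   = 'partner.example'          # placeholder sAMAccountName
$shareRoot = 'D:\PartnerData'           # placeholder folder to expose read-only
$domainDN  = (Get-ADDomain).DistinguishedName
$ouDN      = "OU=$ouName,$domainDN"

# 1. Own container + security group: easy to audit, and the target for a
#    separate, locked-down Group Policy linked to this OU.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDN
}

# 2. Partner account lives in that OU; dial-in is allowed explicitly on the user
#    object (the Dial-in tab), so accounts outside this OU keep the default.
$user = Get-ADUser -Filter "SamAccountName -eq '$partner'"
if (-not $user) {
    $pw   = Read-Host -AsSecureString 'Initial password for partner account'
    $user = New-ADUser -Name $partner -SamAccountName $partner -Path $ouDN `
                       -AccountPassword $pw -Enabled $true -PassThru
}
Set-ADUser -Identity $user -Replace @{ msNPAllowDialin = $true }
Add-ADGroupMember -Identity $groupName -Members $user

# 3. NTFS + share permissions: drop inherited ACEs (no leak via default 'Users'),
#    admins get full control, the partner group gets read-only, nobody else.
function New-FsRule($identity, $rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $identity, $rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
}
if (-not (Test-Path $shareRoot)) { New-Item -ItemType Directory -Path $shareRoot | Out-Null }
$acl = Get-Acl -Path $shareRoot
$acl.SetAccessRuleProtection($true, $false)   # stop inheritance, discard inherited ACEs
$acl.AddAccessRule((New-FsRule 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-FsRule "$env:USERDOMAIN\$groupName" 'ReadAndExecute'))
Set-Acl -Path $shareRoot -AclObject $acl
if (-not (Get-SmbShare -Name 'PartnerData' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'PartnerData' -Path $shareRoot -ReadAccess "$env:USERDOMAIN\$groupName"
}
```

Database access is still a separate grant inside the database engine itself; this only covers the AD object, the dial-in flag and the file share.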
 
Generally speaking I would agree with this.

That being said, you could create a new user group (I'd make a new container for them to make it easy to manage) and tie them to their own group policy which is locked down like crazy. Then just give them rights to the folders they need to access. Hell, even with a real VPN device I would do this.

As far as a Cisco router goes, unless you have experience with one I would prob go with the server solution. The Cisco would end up giving you more trouble unless you had someone set it up for you.

Ok, I think I'll go ahead with the server solution and play around with RRAS.
Hopefully it will be "relatively" secure when all is setup.

Any comments on whether I should go for Linksys WAG325N or Netgear DG834PN?
This will be used for the setup I mentioned above.
 
Do you need wireless? Also where is the router going to sit vs where the wireless should be?

Generally speaking I prefer a hardwired router and will throw an access point somewhere where it will work better for signal. Hell, for the price of those you can almost get a business grade router (entry level for business).
 
Do you need wireless? Also where is the router going to sit vs where the wireless should be?

Generally speaking I prefer a hardwired router and will throw an access point somewhere where it will work better for signal. Hell, for the price of those you can almost get a business grade router (entry level for business).

Pretty much for future proofing; initially the wireless part will prolly be deactivated.

The server room is pretty much in the center of the office, so location wise it's ok.

They only have < 10 workstations and will do so in the foreseeable future, so there is not much concern to get a more serious router.
But out of curiosity, what advantages do business grade routers have, other than better performance, in terms of functionality and features?
 
Pretty much for future proofing; initially the wireless part will prolly be deactivated.

The server room is pretty much in the center of the office, so location wise it's ok.

They only have < 10 workstations and will do so in the foreseeable future, so there is not much concern to get a more serious router.
But out of curiosity, what advantages do business grade routers have, other than better performance, in terms of functionality and features?

Somewhere near 10x workstations running wirelessly?

Home grade wireless routers will crumble when you try to run a bunch of clients through them... you'll see throughput plummet, occasional reboots, and if you're running applications through this... well, you'll have problems. And depending on the software... if you have any sensitive programs, possible corruption with them.

Business grade routers, switches, access points...well...anything "business grade" having to do with computers...is generally designed to run under higher loads, with higher stability, better compatibility. Overall better quality, beefier components.
 
Somewhere near 10x workstations running wirelessly?

Home grade wireless routers will crumble when you try to run a bunch of clients through them... you'll see throughput plummet, occasional reboots, and if you're running applications through this... well, you'll have problems. And depending on the software... if you have any sensitive programs, possible corruption with them.

Business grade routers, switches, access points...well...anything "business grade" having to do with computers...is generally designed to run under higher loads, with higher stability, better compatibility. Overall better quality, beefier components.

Nah, sounds like he has around 10 workstations and is not using wireless.

Anyway I would skip the wireless and spend a little bit more and get a better router. I've seen Cisco 871 routers go for 300 if they are refurb units. You could prob find a SonicWall or something in that range as well.

The business grade routers are generally more secure as well.
 