Secure encrypted connection via the internet

[sram]

Hi folks.

Say that I want to utilize the internet cloud to pass somewhat secret data (VoIP, files, instant messaging.....etc) between two geographically distant locations, how can that be done exactly?

I understand that a VPN can be used somehow to achieve this, right? Or maybe use two hardware firewalls in each site to let traffic pass through them?

Or maybe there is a software I can install in each of the sites' PC's ?

Can you please provide me with some options so that I can look into them?

Thanks.

 

[Lain542]

You're probably looking for a VPN. Firewalls wont achieve what you're talking about and the software you'd use is a VPN client. Private Internet Access, I hear, is a pretty good VPN and it only costs $40/year.

 

[schnell]

Firewalls wont achieve what you're talking about and the software you'd use is a VPN client.

Not completely true. You could get 2 firewalls that have VPN services built in and set up a point to point VPN between the two sites.

The problem however is unless these are all services you own and run yourself the IM and VOIP traffic will eventually have to cross outside the encrypted VPN tunnel so you can't hide anyways.

You could also look into software solutions like LogMeIn Hamachi, but it will have the same problems. Eventually the traffic will have to cross outside the encryption unless all you are looking to do is share files.

 

[sram]

I hear you.

Thanks a million. I'll investigate more and probably come with more questions.

 

[sram]

You're probably looking for a VPN. Firewalls wont achieve what you're talking about and the software you'd use is a VPN client. Private Internet Access, I hear, is a pretty good VPN and it only costs $40/year.

Now if I want to exchange traffic between 4 PC's, I still need to pay for one VPN client? Or each PC will have to have its own and I'll end up paying 40 * 4 = $160/year ?

Thanks.

 

[Skripka]

Now if I want to exchange traffic between 4 PC's, I still need to pay for one VPN client? Or each PC will have to have its own and I'll end up paying 40 * 4 = $160/year ?

Thanks.

Entirely depends on how you have it set up and the ToS of the VPN service. Some VPN providers limit the number of simultaneous logins.

 

[sram]

Entirely depends on how you have it set up and the ToS of the VPN service. Some VPN providers limit the number of simultaneous logins.

Can you recommend me a good provider that will allow me to use simultaneous logins? I don't think I'll require more than three terminals anyways but that might change.

Also, how does it really work? I get to install the VPN client software in the PC's in question and just make sure the rent is paid?

Is there a VPN software built in into windows? Windows 7 will be the most likely OS I'll use.

Thanks.

 

[TCM]

Why trust a third party or even pay them? Wasn't the question how to VPN two of your own locations?

VPN doesn't automatically mean you pay someone for cloaked Internet access.

It would also help if the OP understood his traffic flows and what he actually wants.

 

[sram]

Why trust a third party or even pay them? Wasn't the question how to VPN two of your own locations?

VPN doesn't automatically mean you pay someone for cloaked Internet access.

It would also help if the OP understood his traffic flows and what he actually wants.

It is good that you brought this up. Please take it easy on me. I'm a noob when it comes to VPN's. I already gave you the big picture and that's what you should use to guide me.

I'll explain it again. There will be an x number of PC's in x different geographic locations. Let's say there is one in California, one in D.C, one in Florida, and one in Texas. 4 Locations. What needs to be done is to allow or give those PC's the ability to exchange traffic(Computer files) between them securely across the internet. That is all I need. Is it clear?

It was also mentioned in Lain542's post above that I need to pay...........That's why I asked about paying!

 

[Jay_2]

Then either a VPN between the PCs or maybe a SFTP clents to transfer the files.

 

[XOR != OR]

It is good that you brought this up. Please take it easy on me. I'm a noob when it comes to VPN's. I already gave you the big picture and that's what you should use to guide me.

I'll explain it again. There will be an x number of PC's in x different geographic locations. Let's say there is one in California, one in D.C, one in Florida, and one in Texas. 4 Locations. What needs to be done is to allow or give those PC's the ability to exchange traffic(Computer files) between them securely across the internet. That is all I need. Is it clear?

It was also mentioned in Lain542's post above that I need to pay...........That's why I asked about paying!

Depending on your budget, you can use something like openvpn to do this. Have your VPN server at the same location as your file server, then have dedicated openvpn clients at each site ( typically the router for the site ). VPN achieved. The clients can browse the files as if they were local ( although how fast will largely depend on your connection ), and it's secure.

 

[Dark Shade]

If it's just for transferring files and not regular 'traffic', running tunneled sftp would work. With traffic, site-to-site or remote access VPNs are easy to setup

 

[klank]

Why not try out LogMeIn Hamachi

https://secure.logmein.com/products/hamachi/

 

[beersykins]

I'll explain it again. There will be an x number of PC's in x different geographic locations. Let's say there is one in California, one in D.C, one in Florida, and one in Texas. 4 Locations. What needs to be done is to allow or give those PC's the ability to exchange traffic(Computer files) between them securely across the internet. That is all I need. Is it clear?

For that large of a deployment I'd be using some IPsec site-to-site VPNs.
A firewall appliance like an ASA 5505 at each location should be able to fulfill this requirement.

 

[sram]

Hmmmmmm. You guys are flooding me with options and now i'm kinda of lost. I will try my best to look into and understand each one and then see.


Thanks.

 

[klank]

Hmmmmmm. You guys are flooding me with options and now i'm kinda of lost. I will try my best to look into and understand each one and then see.


Thanks.

Ultimately that is what you are going to need to do. Only you can determine if a solution is fit for you.

 

[sram]

Then either a VPN between the PCs or maybe a SFTP clents to transfer the files.

That's secure file transfer protocol you talking about? Something like CuteFTP but secure? And what do you do? Install it on each of the machines? As easy as that?

 

[sram]

Why not try out LogMeIn Hamachi

https://secure.logmein.com/products/hamachi/

Wouldn't this be like trusting a third party ?

 

[sram]

By the way, is VPN's level of security suitable for military use? I'm asking to get an idea of how secure VPNs are. Or maybe special VPNs are used so that they can meet the security requirements of Military?

 

[tinyme]

I would use one central linuxserver with sshaccess.
Then you can take an sshfs client and map a folder on each windowscomputer with following software:
http://code.google.com/p/win-sshfs/

 

[Blackjack]

By the way, is VPN's level of security suitable for military use? I'm asking to get an idea of how secure VPNs are. Or maybe special VPNs are used so that they can meet the security requirements of Military?

That depends solely on the VPN software/hardware and how they are implemented. Any VPN software may work for the military if it is using the correct encryption algorithms and is implemented with the proper security controls. Are you trying to send files securely between these computers? By files, I mean simple, flat files that contain a fixed amount of data? Or, are you trying to have users at each site communicate securely with users of each other site? If so, what chat/communication method are you planning on using.

Setting up an encrypted tunnel between all your computers is useless if you're trying to secure Google Chat sessions.

 

[goodcooper]

lol what is wrong with everyone in this thread... op wants a simple site to site VPN for 4 sites..


can't be any simpler....

is this for home/very small company use?

grab a tomato router for each location and follow a guide like this one:
http://www.wasagacomputers.com/home...te-vpn-using-tomato-firmware-and-openvpn.html

is this for a real business?

you should probably hire a professional, if you're feeling adventurous though, look into pfsense and ipsec/openvpn site to site (or look into some bleeding edge stuff like Ubiquiti's Edgerouter... i just got one delivered on friday have yet to mess with it, but i expect it to be simple to set up site to site vpns...)

http://blog.stefcho.eu/?p=611



internet's filled with tutorials on doing what you want to do OP.... won't cost you anything monthly....


at that point you just need to make sure all of your traffic stays on your network.... for VOIP that generally means a PBX on site... for IM that means running your own jabber type server... files naturally can stay on file servers

 

[sram]

That depends solely on the VPN software/hardware and how they are implemented. Any VPN software may work for the military if it is using the correct encryption algorithms and is implemented with the proper security controls. Are you trying to send files securely between these computers? By files, I mean simple, flat files that contain a fixed amount of data? Or, are you trying to have users at each site communicate securely with users of each other site? If so, what chat/communication method are you planning on using.

Setting up an encrypted tunnel between all your computers is useless if you're trying to secure Google Chat sessions.

Not if you use ip to ip or peer to peer chat software, that's what I have been told.

 

[Blackjack]

Not if you use ip to ip or peer to peer chat software, that's what I have been told.

You are correct, which is why I wanted to make sure that you weren't trying to secure Google Chat or Skype traffic or something similar to that. In that case VPN would be the best solution.

 

[sram]

lol what is wrong with everyone in this thread... op wants a simple site to site VPN for 4 sites..


can't be any simpler....

is this for home/very small company use?

grab a tomato router for each location and follow a guide like this one:
http://www.wasagacomputers.com/home...te-vpn-using-tomato-firmware-and-openvpn.html

is this for a real business?

you should probably hire a professional, if you're feeling adventurous though, look into pfsense and ipsec/openvpn site to site (or look into some bleeding edge stuff like Ubiquiti's Edgerouter... i just got one delivered on friday have yet to mess with it, but i expect it to be simple to set up site to site vpns...)

http://blog.stefcho.eu/?p=611



internet's filled with tutorials on doing what you want to do OP.... won't cost you anything monthly....


at that point you just need to make sure all of your traffic stays on your network.... for VOIP that generally means a PBX on site... for IM that means running your own jabber type server... files naturally can stay on file servers

Hey man, I love your answer/post. Please don't leave this thread until I finish all my work.

When it comes to whether this is for home or for business: I'll just put it this way: If i'm behind 256-bit AES encryption, then that's good enough.

I haven't done this before and yes i'm not competent when it comes to networking and security although I have good knowledge in other IT fields. I feel confident in doing this and I'm willing to learn.

Will go into what you suggested and come back.

Many thanks.

 

[goodcooper]

Hey man, I love your answer/post. Please don't leave this thread until I finish all my work.

When it comes to whether this is for home or for business: I'll just put it this way: If i'm behind 256-bit AES encryption, then that's good enough.

I haven't done this before and yes i'm not competent when it comes to networking and security although I have good knowledge in other IT fields. I feel confident in doing this and I'm willing to learn.

Will go into what you suggested and come back.

Many thanks.

well, how many users per site and what are your uptime requirements? trying to find out if tomato on a consumer grade device would be appropriate for your uses...

feel like i'm giving IT advice to a terrorist cell or something


welp, if this thread wasn't already flagged by NSA, it is now!

 

[tinyme]

for DD-WRT you can follow this guide
http://www.dd-wrt.com/wiki/index.php/OpenVPN_-_Site-to-Site_routed_VPN_between_two_routers

 

[Lain542]

By the way, is VPN's level of security suitable for military use? I'm asking to get an idea of how secure VPNs are. Or maybe special VPNs are used so that they can meet the security requirements of Military?

This depends on the VPN service you use. Some are more heavily encrypted then others. To have something at the military level you would probably need a specialty personal VPN or something like that. However, I think for you, after looking through this thread, that the build in VPN service in windows 7 will suffice. Check these links:
http://www.diaryofaninja.com/blog/2...s-8-ndash-secure-your-internet-use-while-away

http://www.dummies.com/how-to/content/how-to-connect-to-a-vpn-in-windows-7.html

http://technet.microsoft.com/en-us/library/gg252621(v=ws.10).aspx

My recommendation would be the first link & build from there. I mean, get the initial VPN set up and then add security features(see last link).

 

[sram]

well, how many users per site and what are your uptime requirements? trying to find out if tomato on a consumer grade device would be appropriate for your uses...

feel like i'm giving IT advice to a terrorist cell or something


welp, if this thread wasn't already flagged by NSA, it is now!

Hehe......terro cell! Come on man. You are just helping a noob do his work.

I can't be more grateful to this forum. It helped me in so many different fields of IT related stuff. YES, I'm in love. I'll even pay to keep this forum up if needed.


That aside:

How many users per site? Just one. I don't think we will need more than that.

Up time requirements? Hmmm. How does this work exactly? We will of course be using an always on internet connection. So, other than the internet connection being active all the time, what else will need to be active? I would say I'll need it 24/7 !

 

[sram]

for DD-WRT you can follow this guide
http://www.dd-wrt.com/wiki/index.php/OpenVPN_-_Site-to-Site_routed_VPN_between_two_routers

This depends on the VPN service you use. Some are more heavily encrypted then others. To have something at the military level you would probably need a specialty personal VPN or something like that. However, I think for you, after looking through this thread, that the build in VPN service in windows 7 will suffice. Check these links:
http://www.diaryofaninja.com/blog/2...s-8-ndash-secure-your-internet-use-while-away

http://www.dummies.com/how-to/content/how-to-connect-to-a-vpn-in-windows-7.html

http://technet.microsoft.com/en-us/library/gg252621(v=ws.10).aspx

My recommendation would be the first link & build from there. I mean, get the initial VPN set up and then add security features(see last link).

I'll look into these and come back. Lots of reading I need to do ! This dd-wrt looks hard though.

 

[sram]

By the way, since Skype page says this:

https://support.skype.com/en/faq/FA31/does-skype-use-encryption

How can this be utilized in my situation ? Will it just be like trusting a third party ? Or does skype do peer to peer voice/video chat?

 

[Grentz]

You are asking very blanket questions so it is not easy to answer.

You are ALWAYS trusting a third party when dealing with the internet, as nothing is 100% secure.

 

[Lain542]

I wouldn't suggest the DD-WRT because, by the looks of it, that guide assumes that you have a background in this stuff and you already know what you're doing.

 

[Lain542]

I'll look into these and come back. Lots of reading I need to do ! This dd-wrt looks hard though.

I wouldn't suggest the DD-WRT because by the looks of that guide you should have a background in this stuff and know what you're doing.

 

[sram]

You are asking very blanket questions so it is not easy to answer.

You are ALWAYS trusting a third party when dealing with the internet, as nothing is 100% secure.

Blanket questions? Sometimes I can't be specific because I'm still learning here. But I think the big picture is clear.

Always trusting a third party? Even if I use site to site VPN ? I don't really think so. And if by 100% you mean not penetrable at all then that's the case with all encryption and with computer networks. We have seen big entities get hacked into in more than one occasion.

It is not like the whole world is after me. I don't want the absolute best/state of the art/most expensive solution there is, I just want something decent since I'm going to utilize the public network.

Thanks man.

 

[Blackjack]

Blanket questions? Sometimes I can't be specific because I'm still learning here. But I think the big picture is clear.

Always trusting a third party? Even if I use site to site VPN ? I don't really think so. And if by 100% you mean not penetrable at all then that's the case with all encryption and with computer networks. We have seen big entities get hacked into in more than one occasion.

It is not like the whole world is after me. I don't want the absolute best/state of the art/most expensive solution there is, I just want something decent since I'm going to utilize the public network.

Thanks man.

The biggest problem I think we are having giving you straight answers is the fact that you still haven't given us a straight answer as to the purpose behind this hypothetical system. The kind of data you are transmitting is one of the biggest factors when considering a system to be "secure."

For example, if you're trying to sync up personal files (school work, pictures, videos, pron etc.), you would you a completely different setup than if you were sending extremely sensitive information (Patient Information, banking information, state secrets). For personal files, the above-mentioned DD-WRT or home-grown VPN solutions would work just fine, if you're trying to network a series of remote doctor's offices using those solutions and don't them implemented 100% correctly using industry-standard software and hardware you're gonna get fined.

 

[Grentz]

Blanket questions? Sometimes I can't be specific because I'm still learning here. But I think the big picture is clear.

Always trusting a third party? Even if I use site to site VPN ? I don't really think so. And if by 100% you mean not penetrable at all then that's the case with all encryption and with computer networks. We have seen big entities get hacked into in more than one occasion.

It is not like the whole world is after me. I don't want the absolute best/state of the art/most expensive solution there is, I just want something decent since I'm going to utilize the public network.

Thanks man.

You are always trusting a third party on the internet because someone is routing your traffic. Trust me, when you deal with some levels of regulation that makes you not in compliance.

The biggest problem I think we are having giving you straight answers is the fact that you still haven't given us a straight answer as to the purpose behind this hypothetical system. The kind of data you are transmitting is one of the biggest factors when considering a system to be "secure."

For example, if you're trying to sync up personal files (school work, pictures, videos, pron etc.), you would you a completely different setup than if you were sending extremely sensitive information (Patient Information, banking information, state secrets). For personal files, the above-mentioned DD-WRT or home-grown VPN solutions would work just fine, if you're trying to network a series of remote doctor's offices using those solutions and don't them implemented 100% correctly using industry-standard software and hardware you're gonna get fined.

Exactly. Being someone who has worked on projects dealing with regulatory compliance/etc. it is never as easy as "Oh its AES 256, done".

 

[sram]

The biggest problem I think we are having giving you straight answers is the fact that you still haven't given us a straight answer as to the purpose behind this hypothetical system. The kind of data you are transmitting is one of the biggest factors when considering a system to be "secure."

For example, if you're trying to sync up personal files (school work, pictures, videos, pron etc.), you would you a completely different setup than if you were sending extremely sensitive information (Patient Information, banking information, state secrets). For personal files, the above-mentioned DD-WRT or home-grown VPN solutions would work just fine, if you're trying to network a series of remote doctor's offices using those solutions and don't them implemented 100% correctly using industry-standard software and hardware you're gonna get fined.

I would say the data I want to exchange is similar to the second type you mentioned(Banking info, some secrets....etc. So what should that tell me to do?

 

[sram]

You are always trusting a third party on the internet because someone is routing your traffic. Trust me, when you deal with some levels of regulation that makes you not in compliance.

Can this third party be made somebody belonging to my entity? This way, I can trust him all I can?

Exactly. Being someone who has worked on projects dealing with regulatory compliance/etc. it is never as easy as "Oh its AES 256, done".

I don't quite get this.

[COLOR=". [/COLOR]

 

[Blackjack]

I would say the data I want to exchange is similar to the second type you mentioned(Banking info, some secrets....etc. So what should that tell me to do?

Is it your personal banking data? I think you mentioned this was a work project earlier in the thread. If this is for a bank or other financial entity?