Securing a Windows lab environment.

scottalanmiller

LogMeIn?

scottalanmiller

You can use Pertino if you want but that will expose all of the lab users to each other.

gjacobse

@scottalanmiller said:

LogMeIn?

Didn't LMI go fee based? Not even the basic services are available now unless you pay for it.

scottalanmiller

@g.jacobse said:

@scottalanmiller said:

LogMeIn?

Didn't LMI go fee based? Not even the basic services are available now unless you pay for it.

Correct. Contant @Minion-Queen if you are looking to do LMI on a budget.

scottalanmiller

I don't know of any hosted service with user security that is free anymore.

Carnival Boy

LMI Hamachi is $29 per year per network, so still pretty cheap.

scottalanmiller

@Carnival-Boy said:

LMI Hamachi is $29 per year per network, so still pretty cheap.

That's Hamachi, not LMI itself. Hamachi is like Pertino - you'd be completely exposing all of the end users to each other.

Carnival Boy

I know. I didn't know you'd be exposing all of the end users though. I thought that happened with a mesh network, but not a hub and spoke? I'm a VPN noob though. How are they exposed in a hub and spoke configuration?

Reid Cooper

I would use a "glass pane" solution like LMI, TeamViewer or something based on VNC or whatever. Using a VPN solution seems overly risky if you don't control the desktops of the end users.

scottalanmiller

@Carnival-Boy said:

I know. I didn't know you'd be exposing all of the end users though. I thought that happened with a mesh network, but not a hub and spoke? I'm a VPN noob though. How are they exposed in a hub and spoke configuration?

Hamachi does both methods. In the hub and spoke mode there is still a single network and all nodes are exposed to each other. It just makes data transfers slower and more cumbersome since they have to flow through the spoke.

Technically Pertino is a hub and spoke, it just presents itself as a mesh.

Carnival Boy

@scottalanmiller said:

Hamachi does both methods.

I know. What I obviously don't understand is the difference between the two and the advantages of hub and spoke (given that it is slower and offers no extra security).

scottalanmiller

@Carnival-Boy said:

I know. What I obviously don't understand is the difference between the two and the advantages of hub and spoke (given that it is slower and offers no extra security).

It's really just impressions. Hub and spoke is needed to manage any sizable VPN. Since hub and spoke can masquerade as mesh and since mesh doesn't scale past a few nodes, hub and spoke is really the only way that it is done. Pertino and Hamachi both use hub and spoke and both make it look like a mesh.

The benefit to a true mesh (Pertino doesn't do this) is that you can connect directly between end points. But every end point has to maintain a continuous channel to every other end point. If you have three end points, no big deal, that's only two connections per node. Go to four and you have three. Start getting much bigger and that is a lot of VPN channels being set up and torn down and keys being managed and potentially communications failures on a node by node basis. So, realistically, true mesh doesn't actually exist.

The benefit to hub and spoke is that it actually works plus you can have network management and monitoring in the hub.

Carnival Boy

Cheers. So in what way are the end users exposed to each other? What could an attack on one to another look like?

scottalanmiller

@Carnival-Boy said:

Cheers. So in what way are the end users exposed to each other? What could an attack on one to another look like?

The exposure is the same as being on the same LAN because, effectively, they are. Any attack that can happen in an office can happen on a VPN. Hopefully everyone has a local firewall on their machines, often those get disabled on a VPN connection, but not necessarily. But you lack a true firewall between you and the others on the network.

If you have a VPN only to provide access to use tools like RDP and all nodes are well locked down you can be reasonably secure. But the assumption of using a tool like this rather than one like LMI, TV, VNC, RDP directly is that you are going to do other things and that's where the danger really comes in.

Bill Kindle

@IRJ said:

I'm considering building a Windows lab environment on my network. I was thinking I could allow friends and colleagues access to help with training and testing. I was thinking I could I could have a vhdx drive with a clean image u could use to quickly restore the servers back to a fresh install state. I could even schedule this nightly or every few days depending on need. If it goes well eventually clients.

Network security would have to be locked down on its own network. What would be the best way to insure a secure network?

Here's what I've done. Pair up pFsense in a VM and also utilize Pertino. That combination has been working extremely well for me for about two months.

scottalanmiller

@Bill-Kindle said:

Here's what I've done. Pair up pFsense in a VM and also utilize Pertino. That combination has been working extremely well for me for about two months.

How many outsiders do you have utilizing your lab?

Bill Kindle

@scottalanmiller said:

@Bill-Kindle said:

Here's what I've done. Pair up pFsense in a VM and also utilize Pertino. That combination has been working extremely well for me for about two months.

How many outsiders do you have utilizing your lab?

Just myself right now. I fire up the lab in virtualbox when I want to use it, and remote into the guests using Pertino and RDP. pFsense is used to completely seperate the network from the host machine using a virtual router.

I guess I could give access to 6 more people with my personal Pertino account.

scottalanmiller

@Bill-Kindle said:

I guess I could give access to 6 more people with my personal Pertino account.

yes, they would all get access to each other too.

Bill Kindle

@scottalanmiller said:

@Bill-Kindle said:

I guess I could give access to 6 more people with my personal Pertino account.

yes, they would all get access to each other too.

True. Which is one thing I've asked Pertino in the past if they were coming up with a way to prevent that and only allow the client to access a particular set of machines through the use of ACL's. Last I checked that wasn't possible yet.

scottalanmiller

@Bill-Kindle said:

True. Which is one thing I've asked Pertino in the past if they were coming up with a way to prevent that and only allow the client to access a particular set of machines through the use of ACL's. Last I checked that wasn't possible yet.

Definitely not something on their short term roadmap. It's a VPN solution, not meant for how you are using it. They have a lot of stuff, like enterprise class VLANs, to address for core customers long before they look at something like that. Considering it is designed to be a LAN, that goes against a lot of their core design.