Securing a Windows lab environment.
-
@Carnival-Boy said:
LMI Hamachi is $29 per year per network, so still pretty cheap.
That's Hamachi, not LMI itself. Hamachi is like Pertino - you'd be completely exposing all of the end users to each other.
-
I know. I didn't know you'd be exposing all of the end users though. I thought that happened with a mesh network, but not a hub and spoke? I'm a VPN noob though. How are they exposed in a hub and spoke configuration?
-
I would use a "glass pane" solution like LMI, TeamViewer or something based on VNC or whatever. Using a VPN solution seems overly risky if you don't control the desktops of the end users.
-
@Carnival-Boy said:
I know. I didn't know you'd be exposing all of the end users though. I thought that happened with a mesh network, but not a hub and spoke? I'm a VPN noob though. How are they exposed in a hub and spoke configuration?
Hamachi does both methods. In the hub and spoke mode there is still a single network and all nodes are exposed to each other. It just makes data transfers slower and more cumbersome since they have to flow through the spoke.
Technically Pertino is a hub and spoke, it just presents itself as a mesh.
-
@scottalanmiller said:
Hamachi does both methods.
I know. What I obviously don't understand is the difference between the two and the advantages of hub and spoke (given that it is slower and offers no extra security).
-
@Carnival-Boy said:
I know. What I obviously don't understand is the difference between the two and the advantages of hub and spoke (given that it is slower and offers no extra security).
It's really just impressions. Hub and spoke is needed to manage any sizable VPN. Since hub and spoke can masquerade as mesh and since mesh doesn't scale past a few nodes, hub and spoke is really the only way that it is done. Pertino and Hamachi both use hub and spoke and both make it look like a mesh.
The benefit to a true mesh (Pertino doesn't do this) is that you can connect directly between end points. But every end point has to maintain a continuous channel to every other end point. If you have three end points, no big deal, that's only two connections per node. Go to four and you have three. Start getting much bigger and that is a lot of VPN channels being set up and torn down and keys being managed and potentially communications failures on a node by node basis. So, realistically, true mesh doesn't actually exist.
The benefit to hub and spoke is that it actually works plus you can have network management and monitoring in the hub.
-
Cheers. So in what way are the end users exposed to each other? What could an attack on one to another look like?
-
@Carnival-Boy said:
Cheers. So in what way are the end users exposed to each other? What could an attack on one to another look like?
The exposure is the same as being on the same LAN because, effectively, they are. Any attack that can happen in an office can happen on a VPN. Hopefully everyone has a local firewall on their machines, often those get disabled on a VPN connection, but not necessarily. But you lack a true firewall between you and the others on the network.
If you have a VPN only to provide access to use tools like RDP and all nodes are well locked down you can be reasonably secure. But the assumption of using a tool like this rather than one like LMI, TV, VNC, RDP directly is that you are going to do other things and that's where the danger really comes in.
-
@IRJ said:
I'm considering building a Windows lab environment on my network. I was thinking I could allow friends and colleagues access to help with training and testing. I was thinking I could I could have a vhdx drive with a clean image u could use to quickly restore the servers back to a fresh install state. I could even schedule this nightly or every few days depending on need. If it goes well eventually clients.
Network security would have to be locked down on its own network. What would be the best way to insure a secure network?
Here's what I've done. Pair up pFsense in a VM and also utilize Pertino. That combination has been working extremely well for me for about two months.
-
@Bill-Kindle said:
Here's what I've done. Pair up pFsense in a VM and also utilize Pertino. That combination has been working extremely well for me for about two months.
How many outsiders do you have utilizing your lab?
-
@scottalanmiller said:
@Bill-Kindle said:
Here's what I've done. Pair up pFsense in a VM and also utilize Pertino. That combination has been working extremely well for me for about two months.
How many outsiders do you have utilizing your lab?
Just myself right now. I fire up the lab in virtualbox when I want to use it, and remote into the guests using Pertino and RDP. pFsense is used to completely seperate the network from the host machine using a virtual router.
I guess I could give access to 6 more people with my personal Pertino account.
-
@Bill-Kindle said:
I guess I could give access to 6 more people with my personal Pertino account.
yes, they would all get access to each other too.
-
@scottalanmiller said:
@Bill-Kindle said:
I guess I could give access to 6 more people with my personal Pertino account.
yes, they would all get access to each other too.
True. Which is one thing I've asked Pertino in the past if they were coming up with a way to prevent that and only allow the client to access a particular set of machines through the use of ACL's. Last I checked that wasn't possible yet.
-
@Bill-Kindle said:
True. Which is one thing I've asked Pertino in the past if they were coming up with a way to prevent that and only allow the client to access a particular set of machines through the use of ACL's. Last I checked that wasn't possible yet.
Definitely not something on their short term roadmap. It's a VPN solution, not meant for how you are using it. They have a lot of stuff, like enterprise class VLANs, to address for core customers long before they look at something like that. Considering it is designed to be a LAN, that goes against a lot of their core design.
-
@scottalanmiller said:
@Bill-Kindle said:
True. Which is one thing I've asked Pertino in the past if they were coming up with a way to prevent that and only allow the client to access a particular set of machines through the use of ACL's. Last I checked that wasn't possible yet.
Definitely not something on their short term roadmap. It's a VPN solution, not meant for how you are using it. They have a lot of stuff, like enterprise class VLANs, to address for core customers long before they look at something like that. Considering it is designed to be a LAN, that goes against a lot of their core design.
Still, for what I'm using it for at the moment it works.
-
@Bill-Kindle said:
Still, for what I'm using it for at the moment it works.
Yes, but as a single user it's very different than how the OP is looking to use it.
-
@scottalanmiller said:
@Carnival-Boy said:
Cheers. So in what way are the end users exposed to each other? What could an attack on one to another look like?
The exposure is the same as being on the same LAN because, effectively, they are.
So fundamentally Pertino works the same as Hamachi? There is nothing particularly insecure about Hamachi compared with other VPNs? I ask because a couple of times now people have told me on Spiceworks I shouldn't use Hamachi for security reasons without explaining why they think that.
-
@Carnival-Boy said:
So fundamentally Pertino works the same as Hamachi? There is nothing particularly insecure about Hamachi compared with other VPNs? I ask because a couple of times now people have told me on Spiceworks I shouldn't use Hamachi for security reasons without explaining why they think that.
Pertino is a modern Hamachi, yes. Hamachi hasn't been developed in many years, maybe close to a decade. Pertino is a far more powerful, currently developed direct Hamachi competitor. Pertino only has one model because they have extra tooling that sits in the hubs that you don't see (you don't host your own hubs like Hamachi) that provide monitoring, information, security, features, etc.
Any VPN is insecure if you don't control the end points. It's the same as letting random people walk into your office and attach to your switches. It's not that they are less secure than other VPNs, no idea why people would say that. It's just that VPNs themselves expose end users to the LAN, the LAN to end users and the end users to each other. Even VPNs that don't appear to do that, do that in the end.
But if you would allow the end points in question to directly attach to your LAN, then the VPN is no less secure than that.
This particular thread, though, is about allowing arbitrary outsiders to access a lab. Using a VPN to do that means that arbitrary outsiders, not employees on company equipment, are being exposed to each other and to the OP via the VPN. That's where the insecurity is. It's like having a lab that allows people to bring their own equipment and plug into the switch.
-
Yeah, sorry, didn't mean to hijack the thread. As you were....
-
Sorry for abandoning this thread. My fiance is having some complications with her pregnancy and its been keeping us busy. She is doing much better today, though.