VPN Security Questions/Help

lou1z
Posts: 206
Joined: Fri Jul 17, 2009 1:58 am

Re: Adito Security Help

Postby lou1z » Tue Nov 17, 2009 1:12 am

I'm a bit confused as to where your DC, Adito & clients are going to be. Perhaps a diagram would help?

GStress
Posts: 11
Joined: Sun Nov 08, 2009 11:15 pm

Re: Adito Security Help

Postby GStress » Tue Nov 17, 2009 6:35 pm

I'll put together a diagram soon, been meaning to do that anyway, but setup will be as follows.


Modem 22 down 5 up
Linksys RVS4000 GB VPN Router providing DHCP 10.10.0.x/24
Domain Controller 10.10.0.x/24
Media Server running Vista Ultimate 32-bit, hosting adito, jinzora and web server 10.10.0.x/24

Hmm, I hope that gives you a general idea of the layout. I know this is going to be a bit complicated as Adito runs as its own service, but I'm thinking once I join the media server to the domain I should be able to set permissions, possibly on the service itself, or in Active Directory I can possibly add client PCs. Actually, yeah, that should work. What do you think?

Join the media server to the domain, and in Adito set the IP restrictions to a private range only, 192.168.0.x/24. I already have PPTP VPN set up, but I'm about to set up IPSec VPN connections now so I can have all clients set up a connection also, so they have to VPN in and join the domain, and once they join I add the joining PC to Active Directory and somehow allow only that PC permission to access Adito?

I hope all this makes sense to you. I've got it plotted out in my head, but explaining it can sometimes be tough. Thanks a lot for all your input so far. If you're curious about any more info on the setup, feel free to ask.

lou1z
Posts: 206
Joined: Fri Jul 17, 2009 1:58 am

Re: Adito Security Help

Postby lou1z » Wed Nov 18, 2009 12:58 am

Now that is confusing.....
1. Firstly, you have a mix of M$ & Linux in your domain.
2. That will severely limit your GPs and what can be achieved with AD.
3. Where actually is the VPN endpoint?
4. Vista hosting Adito? Is this a VM?
5. Adito is meant to be IP restricted using public IPs on the perimeter network.
6. Still unsure what your use for Adito is. Users are meant to use Adito as a gateway to your network, not from your network as you describe. If they have VPN'd into your network, they are already there.
7. VPN to join the domain? Users need elevated access to do that, e.g. admin, and prior to that you will have to set the client up.

GStress
Posts: 11
Joined: Sun Nov 08, 2009 11:15 pm

Re: Adito Security Help

Postby GStress » Thu Nov 19, 2009 10:50 am

Hmmm... OK, this is more complicated to explain than I thought. Let's see if I can do a better job. OK, to break it down, I've established quite a variety of genres from iTunes. This is the main purpose for Adito.

Adito serves as basically a file server that I use to stream, upload or download files for when I'm on the go. My clients also download, stream or upload files via adito as well. That's pretty much the main purpose for adito. I like it much better than ftp because it uses SSL, it's user friendly and nicely secure.

So what I thought about doing is setting up a private IP range, 192.168.10.x, that alone can access Adito, and have the users remote into the 2k3 server via a PPTP VPN connection or L2TP connection; at that point they will be assigned a private IP in the class C range above and are able to access Adito.

Problem with that is they can always set up a VPN connection on their friend's PC, and then their friends can VPN in using their account and have access. Problem with public IP restrictions is they can always say their IP changed and give me a friend's IP temporarily.

In a nutshell, I want to restrict access to a client's home LAN only, so if they go to a friend's house, coffee shop, etc. they aren't able to access it. Well, as long as they have their own PCs they could, but not beyond that.
I'm thinking certificates, but couldn't they just be exported to disk and imported on a different PC?

bsk
Posts: 280
Joined: Sun May 03, 2009 7:18 pm
Location: Tennessee
Contact:

Re: Adito Security Help

Postby bsk » Thu Nov 19, 2009 11:11 am

I honestly don't think there is a way to do this without public IPs. Also, if the people accessing your network are going to lie to get it switched to a friend's house, are you sure you want them in your network in the first place? Certificates, if I remember correctly, can just be exported and transferred. So I would not go that route.

Best bet would be to let the users know there will be no changing of IP addresses at random unless I know that your IP has changed (ping the old one and see if it's still up, or however you might do that; do a lookup of it and see if the lookup info has changed). If you want to keep it this secure, you might want to look at the people accessing your network and not the network itself.

I would go with public IPs, and let them know this only works at your house on your network.

You can also try doing MAC addresses only for their PCs? If they are going to download them anyway, who's to say they won't just burn them to a CD and give them to their friends? Make it harder on them to do so. Although I'm not sure MAC addresses can be accomplished this way, I have also never tried.
Having problems with connecting to the internet? Try the Network Troubleshooter.

Not sure what your Gateway IP? Head on over to the Find Your Gateway IP page to find out easily.


GStress
Posts: 11
Joined: Sun Nov 08, 2009 11:15 pm

Re: Adito Security Help

Postby GStress » Thu Nov 19, 2009 4:04 pm

@ BrandonK1989,

You understand exactly what I'm trying to do, which is great. Also, MAC addresses are something I did have in mind; they can also just be cloned, but it wouldn't hurt to have them added to the list. I'm not sure myself how to set that up either. I've done and still do a lot of pentesting, so I know a lot of the ins and outs; now going the "whitehat" way and trying to protect the network, this project has given me a lot to think about and has been a great experience from a sysadmin's POV, you could say.

Public IPs would be the best way, I agree, but they're not all going to pay for that. They all have dynamic IPs, which works, because the lease usually lasts a couple of months. If I could think of a way to implement some sort of token that says yes to their PCs or router and no to any other if they knew how or tried to export it to another system, I think that would work.

Hopefully I'll come up with something. Thanks a lot for the advice. :mrgreen:

lou1z
Posts: 206
Joined: Fri Jul 17, 2009 1:58 am

Re: Adito Security Help

Postby lou1z » Fri Nov 20, 2009 1:20 am

So what I thought about doing is setting up a private ip range 192.168.10.x only that can access adito, have the user's remote into the 2k3 server via a PPTP VPN Connection or L2TP Connection at that point they will be assigned a private ip in the class C range above and are able to access adito.
I must be imagining things here......

Why on earth would you use Adito for that? You are double VPN'ing! Why can your users not just PPTP or IPsec into your desired directory on your file server, or use Ampache or Jinzora to stream from there? Why use the overhead and complication of Adito?
They should also not be able to set up their own IPsec connection unless you have given them the PSK.

If I was setting this up, I would:
1. Preferably use public IPs and SSL with Ampache or Jinzora.
2. Preferably use public IPs and Adito direct.
3. If the above isn't possible (no public IPs), use an IPsec client with an entered IPsec key. Restrict the content entering the tunnel via the firewall and set the file access on the server accordingly, e.g. RO for directory A, RW for directory B.

I just can't understand why you would want to tunnel SSL via PPTP/IPsec for streaming.....
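As an added example (not code from any poster in this thread, nor from the Adito project), the script below applies the two access models the last few posts argue over, a per-user public-IP allow list and a private VPN client range, to a constructed access log, and flags the two things GStress and bsk are worried about: a login from an address that is not the user's own, and one public address turning up under several accounts, which is what a shared login looks like from the server side. The log format, user names, addresses (RFC 5737 documentation ranges) and the ALLOWED table are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical per-user allow list: the public address of each user's own
# home connection. Addresses are constructed from the RFC 5737 documentation
# ranges and do not belong to real clients.
ALLOWED = {
    "alice": ["203.0.113.10"],
    "bob": ["198.51.100.0/29"],
}

# Private range handed out to VPN clients, as proposed in the thread.
VPN_RANGE = ipaddress.ip_network("192.168.10.0/24")

# Constructed sample log in a hypothetical key=value format (not Adito's real log format).
SAMPLE_LOG = """\
2009-11-19 10:50:01 user=alice src=203.0.113.10 action=login
2009-11-19 10:52:13 user=alice src=203.0.113.10 action=download
2009-11-19 11:03:44 user=bob src=198.51.100.3 action=login
2009-11-19 11:09:07 user=bob src=192.168.10.25 action=login
2009-11-19 18:21:55 user=alice src=192.0.2.77 action=login
2009-11-19 18:22:00 user=carol src=203.0.113.10 action=login
2009-11-19 19:00:00 this line is malformed on purpose
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+)"
)


def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines or bad addresses."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        src = ipaddress.ip_address(m.group("src"))
    except ValueError:
        return None
    return {"ts": m.group("ts"), "user": m.group("user"), "src": src, "action": m.group("action")}


def is_permitted(user, src):
    """Allow a request that arrives over the VPN range or from the user's own listed address(es)."""
    if isinstance(src, str):
        src = ipaddress.ip_address(src)
    if src in VPN_RANGE:
        return True
    return any(src in ipaddress.ip_network(net, strict=False) for net in ALLOWED.get(user, []))


def audit(log_text):
    """Run the allow list over a log and report:
       denied  - (user, src) pairs that matched neither the VPN range nor the user's addresses
       shared  - public addresses used by more than one account (a sign a login is being passed around)
       skipped - number of lines that could not be parsed
    """
    denied = []
    users_per_addr = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if not is_permitted(rec["user"], rec["src"]):
            denied.append((rec["user"], str(rec["src"])))
        # Only public addresses are meaningful for the shared-address check;
        # VPN addresses are reassigned between sessions.
        if rec["src"] not in VPN_RANGE:
            users_per_addr[str(rec["src"])].add(rec["user"])
    shared = {addr: sorted(users) for addr, users in users_per_addr.items() if len(users) > 1}
    return {"denied": denied, "shared": shared, "skipped": skipped}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for user, src in report["denied"]:
        print(f"DENY   user={user} src={src}")
    for addr, users in report["shared"].items():
        print(f"SHARED address {addr} used by {', '.join(users)}")
    print(f"skipped {report['skipped']} unparsable line(s)")
```

Run as-is it denies alice's login from 192.0.2.77 and carol's from 203.0.113.10, and reports 203.0.113.10 as shared between alice and carol; bob's VPN-range login passes because the VPN rule is applied before the per-user list. Note that this only makes the problem bsk describes visible after the fact: an allow list tells you where a request came from, not who was sitting at the keyboard.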

GStress
Posts: 11
Joined: Sun Nov 08, 2009 11:15 pm

Re: Adito Security Help

Postby GStress » Fri Nov 20, 2009 2:18 am

It's not used so much for streaming as it is for downloads, uploads. I don't have the double VPN set yet and the only reason for that was when they connect in their permissions can be set via GP, permissions that adito doesn't offer. Instead of setting directory access as you mentioned I use adito, because I like the nice user friendly ssl interface.

I know it sounds like a lot of overhead and more complicated than it should be; I'm just trying to keep it as secure and safe as possible. As far as Jinzora, I got that set up and failed to get the video streaming working properly; it seems as if it's a real pain to get it working on Windows. The forums weren't too active on the topic, so after a week's worth of searching I stumbled across Adito and then this site here.

I've not used or heard of ampache until I came here. Since then I haven't really messed with Jinzora for awhile. I looked all over for a good way to setup a "youtube" like media server found quite a bit, but just about every forum I read was mentioning how much of a pain it is to get video streaming working on windows.

I haven't really looked into ampache yet I'll check it out.

bsk
Posts: 280
Joined: Sun May 03, 2009 7:18 pm
Location: Tennessee
Contact:

Re: Adito Security Help

Postby bsk » Fri Nov 20, 2009 7:04 am

I am renaming this thread to VPN Security Questions/Help instead of Adito since it has strayed away from that. :)

Back to the topic at hand, are you planning to run Amahi on this server? There is a reason I ask, related to users accessing your HDA.

GStress
Posts: 11
Joined: Sun Nov 08, 2009 11:15 pm

Re: VPN Security Questions/Help

Postby GStress » Fri Nov 20, 2009 10:07 am

I may, I haven't really looked into or read much about Amahi yet. I'm looking for a good windows variant of a web based media server. I really like Jinzora's interface, but as I mentioned the video streaming seems to only want to play well with *nix.

Why do you ask?
