NA server security while on wifi

Let'sgoflying!

Dave Taylor
My server is protected with firewall, antivirus etc.
My laptop has the same antivirus.
I can connect my laptop to the server remotely - i.e. when I am traveling the laptop is connected via hotel or private residence wifi to the server.

Just wondering if there is risk, if I am connected to the internet via wifi (no firewall) and also to the server at the same time on this laptop? Do I need to avoid surfing while also talking to the server? Or maybe the server firewall does all I need.
 
I believe you told me you had a Sonicwall; Sonicwall has a very good VPN built in, so if you set up your connection to the server through the Sonicwall VPN, you'll be pretty well-protected.
 
What Spike said. Sonicwall has several types of VPN built in. The SSL VPN (Netextender) has free software for your laptop - the unit will already be licensed for one or two simultaneous connections depending on model of firewall.

Highly recommended.
 
When you say "connected to the server", what do you mean? Doing what exactly?

A VPN connection to the office will only be a part of properly securing the server at the office. If that dude you were talking to left the server on a public IP and you don't have to use a VPN to connect to the office, adding one won't help.

If you're connecting to a VPN to get to the server, the next question you're asking is "can the server be hurt by anything on the laptop?" Yes. It can.

Same as if you walked the laptop into the office with a virus or malware on it and plugged it into the Ethernet.

Some habits that will help...

- Don't surf questionable websites on work machines. Ever.
- Always have virus and malware protection on everything.
- The SonicWall can be provisioned with web filtering for really bad sites. Consider paying for it and setting up all machines at the office to use it.
- If you VPN into the office consider that some VPNs only send office network traffic to the office, others send everything including Internet requests. Where this applies is if the above is done (web filtering) on the office network. If it's not, it makes no difference at all.
- Backups backups backups. It's not a matter of if, it's a matter of when you'll need to restore every machine in the place eventually. Including the server. And a backup not tested isn't a backup at all. Make sure they work.
- Never log into a Windows server as an Admin user to do normal things. If you have admin rights with your normal username and password the protection stuff that asks you if you really want to do things is a bare minimum for safety. Do not turn it off. Better, don't use the admin login for anything but things that require admin rights.
- Same thing with your laptop. No admin users in a business environment. Work as a non-admin 99% of the time. Only use admin rights on a desktop/laptop when necessary.

Probably more. That's just off the top of my head.
 
This is definitely a case of me learning wth all these confusing configurations and connections are. Being a visual person I will draw what I think is happening, why I'm looking for confirmation of security. Give me a few...
 
No worries. It takes years to figure this stuff out sometimes and nothing other than unplugging the thing from the wall, is 100% secure. You're shooting for "good enough" when dealing with modern software. Every month is a new pile of security patches. This stuff isn't high quality code anymore. If it ever was.
 
If the server is behind a properly configured firewall, and you're accessing it via remote/virtual desktop, then the risk from the laptop should be minimal. If you're connecting to your trusted network via VPN, the risk from the laptop could be much greater depending on the client/firewall configuration for the VPN.

If you're using VPN with a client which supports client-side split tunneling, you may be able to disable that feature. Client-side split tunneling would permit the laptop to connect to the unfiltered Internet at the same time that it's connected to your trusted network via VPN. Disabling that feature would force Internet-bound traffic through the VPN tunnel and back out through your firewall.


JKG
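
Added example (not part of any post in this thread): a Python check of whether a laptop's routing table amounts to split or full tunneling as described in the post above, using the same longest-prefix, lowest-metric rule an IP stack uses to pick a route. The route tables, the interface names `wifi` and `vpn`, and the 192.168.10.0/24 office subnet are constructed assumptions.

```python
import ipaddress

# Constructed routing tables: (destination, interface, metric).
# Names "wifi"/"vpn" and office subnet 192.168.10.0/24 are assumptions.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "wifi", 50),        # Internet leaves via hotel Wi-Fi
    ("192.168.1.0/24", "wifi", 50),   # hotel LAN
    ("192.168.10.0/24", "vpn", 5),    # only office traffic uses the tunnel
]
FULL_TUNNEL = SPLIT_TUNNEL + [("0.0.0.0/0", "vpn", 5)]  # better-metric default
# Some clients override the default with two more-specific /1 routes instead.
HALVES_TUNNEL = SPLIT_TUNNEL + [("0.0.0.0/1", "vpn", 5), ("128.0.0.0/1", "vpn", 5)]

def egress_interface(routes, dest):
    """Interface a packet to dest would use: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    best = None
    for cidr, iface, metric in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net:
            key = (-net.prefixlen, metric)
            if best is None or key < best[0]:
                best = (key, iface)
    return best[1] if best else None

def tunnel_mode(routes, office_host, vpn_iface="vpn",
                probes=("8.8.8.8", "203.0.113.7")):
    """Classify as 'no-vpn', 'split' or 'full'. Probes are lookup keys only;
    no traffic is sent. One probe sits in each half of the IPv4 space."""
    if egress_interface(routes, office_host) != vpn_iface:
        return "no-vpn"
    outside = [p for p in probes if egress_interface(routes, p) != vpn_iface]
    return "split" if outside else "full"

if __name__ == "__main__":
    for name, table in [("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL),
                        ("halves", HALVES_TUNNEL)]:
        print(name, "->", tunnel_mode(table, "192.168.10.5"))
```

A result of `split` means Internet-bound traffic bypasses the office firewall, so any web filtering configured there does not cover the laptop's browsing.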
 

Now you know how I'm generally feeling about IT these days. The idea that the very OSs we use aren't secure enough to put them on untrusted networks, is ludicrous and should be gross negligence and REALLY big lawsuits against OS makers... but the industry has carefully taught people that software is SUPPOSED to suck.
 
And written licensing agreements that limit the ability to sue. One reason that MS is pushing 10 so hard is that the license (for 7) permitted lawsuits, while the license (for 10) only permits arbitration. This despite the fact that the "upgrade" to 10 has caused many machines to stop working properly.
 
My entire operation runs on RDP sessions, and it has been heavenly. Cheap-ass desktops, easily configured and quickly replaced, remote access from anywhere with minimal effort, especially gratifying when using poor connections (I'm looking at you, in-flight wifi). No need for streaming video or music (though it actually works kinda). Software deployment trivially simple - load once on server, done.

It seems, though, that there are many "experts" who have not a clue about implementing this. Odd.
 
These days, I'm seriously considering just buying a pre-configured firewall and plugging it in before any WIFI network I even hop on. Sorta like a network condom...

The cesspools that are the public networks out there today are just horrible.

It is rather amusing to go to the airport and turn on wifi and see like 20 unprotected cellphones with the person's name on them. Joe's iPhone, Mary's Phone, Bob's Android...
 
That's how "we" handled 3800 users at the last place I was working for. Only problem with it is, it doesn't scale well, and it gets really really expensive at that scale. Of course with 3800 people making money, that budgeting wasn't too bad.

The Windows engineers had a LOT of hardware and patching to maintain to do that. And they still had 3800 Windows desktops/laptops to secure anyway because PCI demanded it. It didn't get them off the hook on desktop security just by moving where the desktop apps ran. It just made upgrading the apps easier. Not the OS. They had three staff that all they did all day long was shipping/receiving for machines coming and going (employee churn) and flattening them and re-loading them with an image for shipping to the next new hire. It took about 15 people in all.

The Linux side of the house handled all email and telecom for those 3800 people, and we had 3 staff. We scaled up a lot easier than they did, but it wasn't really their fault -- our OS lent itself better to true server duty.

Putting ten to twenty users on an RDP server was the biggest baddest hardware they could afford. Just one of their servers out of about 120 of them, was enough horsepower to handle all 3800 email accounts. We had two for redundancy and they were load balanced active/active. Those machines were relatively expensive. The shared storage for them was immensely so.

It's basically the 1970s-80s mainframe plus dumb terminal model of desktop deployment but with a whole lot less efficiency.

Sorry. OT for the OP's post, but interesting to me. "How to scale the desktop in a world where the desktop is no longer trusted and can't be." I trusted that a Wyse 60 wasn't going to be a malware attack vector back in the day. Heh.
 