Guidelines


Virtual Private Networking Technologies

Submitted by schreck on 2005, October 10 - 5:38pm.
Groups: Toolbox

The attached document is a review of different Virtual Private Networking (VPN) technologies. This document is intended to provide guidance to organizations considering or planning to implement a VPN.

This review focuses on solutions appropriate to small or medium sized organizations.

PC Software guidelines

Submitted by schreck on 2005, April 4 - 4:11pm.

PC Software

All NPO staff should use computers running a secure and reliable operating system and fully functioning application software appropriate to the organization’s needs.

Operating Systems
An operating system (OS) is the core software that controls a computer. All other software interacts with the OS to access the computer’s resources and the network. A secure and stable operating system is one of the keys to an HSC implementation.

The following operating systems will run on the HSC minimum hardware and are secure and reliable:
Windows 2000 Professional


Local Area Network technologies

Submitted by schreck on 2005, April 4 - 4:08pm.

Local Area Network technologies

Computers are useful on their own, but their real potential is as a communication and collaboration tool, and for this they need to be networked together so that data can be passed between them easily.

Cabling and network hardware
An Ethernet-based local area network is the basic technology that NPOs should implement for setting up a network. This technology is often referred to as 100baseT or twisted-pair technology. It is mature and low cost. It requires cabling that attaches all computers to a switch or hub, a device that regulates traffic between them. All computers should have compatible network interface cards.


Internet technologies

Submitted by schreck on 2005, April 4 - 4:06pm.

Internet technologies

This category covers Internet technologies, including Internet access, routers, email, web services, and domain names.

The Internet is a key tool for enabling many of the transformative technologies that can allow non-profit organizations to greatly increase their program effectiveness. The Internet is a communications medium with global reach and can enable a wide variety of communication channels, allowing NPOs to communicate with staff, clients, partners, funders, and other stakeholders.

Internet access


Security and Privacy guidelines

Submitted by zac on 2005, March 31 - 1:58pm.

Security and privacy

This category includes guidelines on firewalls, VPNs, data backups, anti-virus, anti-spam, anti-spyware, physical security, and associated best practices.

Computer security is a complicated topic, as it involves a great many different things, including network design, technology usage, user education and training. This section of the guidelines covers the common technological precautions that organizations should take. These recommendations are appropriate for most organizations, but may not be adequate for organizations with special or heightened security concerns.

Staff training
The first line of defense in computer security is user education. Organizations need to make sure that their computer users are aware of safe computing practices. This means that users know what to do in case they receive a suspected virus email, know what a social hack is and how to respond, know how to pick strong passwords, and know how to use the security features of their computer. Users without basic training in computer security can easily compromise network security. The organizational cost of one avoidable virus outbreak can easily exceed the cost of providing basic security training to your staff.

(Link to safe computing curriculum)

Firewall
Any computer with Internet access needs to have some form of firewall set up on its Internet connection to shield it from unauthorized external access. A firewall is the first line of defense against malicious hackers and rogue software. A firewall, at its most basic, is a filter that only allows authorized traffic through to the network or computer. For network installations, we recommend a basic NAT firewall. This technology is included in almost all routers, and provides strong protection against external threats. From outside the local net, a NAT firewall appears as a single, non-responsive computer, shielding computers on the network from external probing and manipulation. Computers with direct connections to the Internet should use software firewalls, which are integrated into OS X and Windows XP SP2, and are available as standalone products, such as ZoneAlarm, for Windows 2000.

Organizations with special security concerns may want to look into a more robust firewall that can filter outbound connections as well. These filters can be programmed to allow only specific connections and content into and out of a network. These firewalls are more expensive than “consumer” NAT firewalls, and often require a properly trained consultant to set up securely.

Virtual private networks
Virtual private networks (VPNs) are a technology that can allow secure access to a network from the public Internet. A VPN creates a secure encrypted tunnel between two points, allowing remote computers to access the local network. We recommend using hardware-based VPNs, which are often available integrated with an Internet router. These are easier to use and maintain than software-based VPNs. We recommend VPNs using the PPTP protocol, which is easier to set up than other protocols, and has clients integrated within the HSC recommended OS.

VPNs can be set up between two set points on the Internet, for instance between two offices, or can be open ended, allowing any device with the right credentials to access the VPN, which is useful for home users accessing a work network.

Data backups
Perhaps the most important security precaution an organization can take is reliable data backups. All computers need access to some form of backup system so that important data can be securely and reliably backed-up. We recommend that organizations use a centralized, network-based backup solution.

Though manual backups can be effective for very small networks or home offices, we recommend using a dedicated backup application, such as Dantz Retrospect, wherever possible. Retrospect is effective, easy-to-use, cross-platform software that allows administrators to manage the backup system from a server or a peer computer. Properly configured, an automated system is more reliable, easier to manage and maintain, and easier to recover data from.

We recommend hard-drive based backup systems, as opposed to more traditional tape-based backup systems. The cost of tape drives and tape media has been relatively stable, while the cost of hard drives has plummeted and their capacity has greatly increased. For most networks, hard drives are a cheaper, quicker, and easier-to-use option for backup than tape.

One drawback of hard drive systems is that they are not suitable for archiving data. Increasingly, organizations are facing reporting requirements that involve archiving and retaining data. For these purposes we recommend the use of CD-R or DVD-R technology to make archival copies of important data. Again, this is a lower cost and easier-to-use option (at least for modest amounts of data) than tape.

One key aspect of a reliable network is centralizing data. In addition to centralized file shares, it is also possible to centralize users’ home directories (where each user’s documents folder, desktop folder, and other data are kept). Organizations with client-server based networks should investigate this option. Organizations that don’t have a server or centralized user accounts should be sure that the backup system backs up users’ home directories on their computers. Dantz Retrospect has this feature built-in.

One thing to be aware of when setting up a backup system is the security of the media. Your backup hard drive or tape will contain all your organization’s vital information. Be sure that this media is properly protected, both on-site and off-site.

(Link to backup procedures recommendations and details.)

Anti-virus
All computers need to have up-to-date anti-virus software installed and running. Symantec has donated their anti-virus software to the NPO sector through TSS. Buy it, install it, keep it up-to-date. For organizations with a server-based network, we strongly recommend using SAV Corporate Edition, which provides centralized management and update services, as well as providing AV protection to file servers.

For organizations hosting their own email server, we strongly recommend using a server-based anti-virus program. Many viruses transmit themselves via email, and catching them at the server, before they enter users’ mailboxes, is key to eliminating these viruses from your network.

Anti-spyware and Anti-malware
In addition to anti-virus software, organizations should install anti-spyware/malware applications. Malware is software that disrupts the regular functioning of computers, monitors or spies on users, often inserting ads into or on top of web pages. This kind of software is often bundled with free programs or is installed by unscrupulous websites. Unlike viruses and worms, malware is not capable of propagating itself from computer to computer.

There are a large number of anti-malware programs available, and with the release of Microsoft’s beta anti-spyware product, there is a lot of uncertainty around spyware tools. At this time, we recommend Lavasoft’s Adaware and Spybot – Search & Destroy, both of which are free desktop tools. For larger networks, a centrally managed “enterprise” product, such as PestPatrol Anti-Spyware Corporate or Spy Sweeper Enterprise, may be more appropriate.

Malware prevention requires more user intervention and training than many other aspects of computer security. Users need to be aware of the implications of installing software on their computers, as most spyware piggybacks on “legitimate” software.

(Link to reviews of anti-spyware products)

Anti-spam
Email spam is a resource drain on NPO staff, and organizations should put in place anti-spam filters. Spam, though a serious issue, is becoming increasingly easy to limit to a minor distraction. Many anti-spam tools are effective, filtering out most spam with very few “false positives”.

If possible, use email server based anti-spam tools. Look for an ISP that provides spam filtering. If your organization operates an email server of its own, set up a spam filter on the server. There are a number of good free and low-cost tools available. To effectively use server-side filtering, you may need to train email users how to set up a simple filter in their email client to separate out the email the server tags as spam.

For organizations unable to use server-side filtering, there are a number of client-side spam filtering products available. Many email reading applications include reasonably effective spam filters, including the latest version of MS Outlook, Eudora Pro in paid mode, Thunderbird, and Apple Mail. For other mail readers, there are add-on filter products, such as Mailshell, available from TSS.

http://www.techsoup.org/howto/articlepage.cfm?ArticleId=542&cg=searchter...

Physical security
The most overlooked aspect of data security is physical security. All the security measures put in place on a network won’t help you if someone steals the server. Organizations should make sure that servers and other key network components such as backup tapes and drives are secured, preferably in a locked cabinet.

Laptop computers are extremely vulnerable to theft. They should be locked down at all times, usually with a cable lock. Also be wary of leaving laptops in cars, as thieves are very adept at stealing them.

Confidentiality and Privacy
Many organizations have significant confidentiality and privacy responsibilities. In any case, organizations should have well defined data handling, privacy, and retention policies.

Data handling policies should address what data is retained, how long the data will be retained, how it will be transmitted and stored, and how it will be deleted / destroyed at the end of the retention period.

Privacy policies should address what data on clients, staff, and others are kept, how that data is handled, and who has access to that data.

A key aspect of privacy and confidentiality is keeping only the minimum necessary data.

Email insecurity
Email, for the most part, is an insecure medium, open to easy and undetectable interception. Email should not be used for transferring confidential or sensitive information, if at all possible.

Screen savers
Though screen savers are no longer needed for technical reasons (the screen burn-in problem has mostly been solved by CRT manufacturers), there are good security reasons for implementing password-protected screen savers, so that when staff leave a computer, it will automatically lock, preventing unauthorized access. All the recommended OSes include this feature.

Contributors

Michael Schrecker, CompuMentor (authored content)


Ergonomic Guidelines

Submitted by schreck on 2005, March 31 - 1:54pm.

Ergonomic Guidelines


Server Technologies

Submitted by schreck on 2005, March 31 - 1:50pm.

Server Technologies

Most networks should have some form of file service. This technology allows for easy access to shared files, and can simplify the data backup needs of the organization. For small networks (less than 10 computers), the built in peer-to-peer networking of the recommended operating systems is adequate for most needs. For larger networks a central file server running a “network operating system” is recommended. The decision about which server environment to use depends on a lot of things.
    Staff size – the more active computer users your organization has, the more likely you are to need a dedicated server.


Support and Documentation

Submitted by schreck on 2005, March 31 - 1:44pm.

Support and Documentation materials

This category covers support and documentation materials for HSC guidelines, adoption, implementation, support, and maintenance. Once in place, technology needs to be maintained or it will degenerate. The healthy and secure computing guidelines include support procedures and resources for the technologies included in the guidelines.

Helpdesk / end-user support
Any organization that uses computers needs to have some form of end-user support. This can be provided in a number of different ways, but this support needs to be available. Lack of this first-level support is almost certain to result in significantly more costs, in staff time and data loss, than it will cost to provide.


PC hardware guidelines

Submitted by schreck on 2005, March 31 - 1:26pm.

PC Hardware

All NPO staff should have access to a functioning personal computer capable of running HSC recommended software. Almost all new computers and a great many older computers can meet the hardware requirements set out below. Each guideline has two parts, a specification for existing machines, and one for new purchases. These specifications are a minimum below which computers are too resource constrained to participate in an HSC environment. Computers that fall below the base recommendation should be replaced as soon as possible.

Desktop computers
A PC-compatible desktop computer should have at least the following minimum specifications.


Healthy and Secure Computing guidelines

Submitted by zac on 2005, March 31 - 12:38pm.

The following pages contain a first pass of a set of guidelines for commonly used technologies in the following areas:

PC hardware
PC software
LAN technologies
Server technologies
Internet technologies
Security and privacy
Ergonomics
