Securing FileMaker Server from intruders.

[micgla]

I need some advice please. I am using FM Server v5.5 on an Xserver running OS10.2.1. We are on a firewall protected NT4 LAN. We have 2 remote sites that want to be able to access the server's databases through our fire wall. We currently do not allow any ports through our firewall(other than our website). We have a sonic firewall. I have read some posts here that specify opening port 5003 and setting up NAT on the router on the network. What I am hazy on is what to do at the client end which is located in other cities. Do I need to set up a VPN to our site. Also, how do I make this a secure connection? One site has a DSL connection and the other uses a cable modem. We have 120 databases currently being used on our server. We have the main databases password protected. Do we need to password protect all the databases? How can I secure the databases from INTRUDERS???

[Kurt Knippel]

If you are only serving 2 remote users, I would suggest NOT haveing them connect in via Filemaker. Security aside, it would take a dedicated T3 connection to even come close to LAN performance.

I would suggest that you setup a couple of machines on your LAN with the Timbuktu remote access/control software and have your users connect to them. There are also security advantages to this, look at Netopia's website for more information.

Even on a dialup 56k connection the user experience is nearly that of LAN, since only mouse, keyboard and screen redraws are sent back and forth.

I would password protect both Timbuktu as well as all of your databases, just as a general course of action. A VPN will also give you additional security, although I am not sure that it is worth it for those 2 users.

Once you setup Timbuktu, someone needs to know your IP address, needs to know the Timbuktu password and still needs to know the Filemaker password, in order to break in. Pretty unlikely.

[LiveOak]

There are many aspects to security from physically securing a server to the elements of data security. For a good start, take a look at the FileMaker Advisor September/October and November 2002 issues.

Much depends upon how secure you want the data to be. Networks which need the greatest security and remote access (classified military networks, for instance) don't use the Internet, they use dedicated links and very secure encription that doesn't use any of the established commercial standards.

For most common uses there are two levels of protection you might want consider:

1) Allowing remove internet access with passwords on each of the files. This is reasonable secure as long an there is no ability to remotely access the FM server itself (file sharing, remote administration, etc.) Data passing over the internet is not encripted and can be read by a determined hacker. This requires almost no setup at the client end. Just make sure the client copy of FM is using TCP/IP as the network protocol (Edit Menu -> Preferences -> Application), setup your router to map port 5003 access to the FM Server, and on the client machine open the file via Open --> Hosts --> enter the router IP address and select the file to open.

2) A more secure method is to provide access across the internet via a VPN (Virtual Private Network). This approach is "virtual" because it sends data over the internet using one of a number of types of encription. This capability is available in a number of routers. Even using this approach, it is wise to password protect all the file. Data protected using this method is probably only vunerable to very sophisticated hackers sponsored by corporations or governments with methods to break encription.

-bd

[Anatoli]

We have very large installation with 40+ remote users on Terminal Server and it works just great. It is 10-100 times faster than pcAnywhere on the same T1.

[IdealData]

The number of users at each remote site will effectively determine the network method.

More users = More bandwidth (if you deploy via local sessions)

I've read much about Terminal Services - but it's not cheap.

Timbuktu is not such a bad option, but it would require enough machines to satisy the peak demand - but these would effectively be idle when the remote site is asleep. Still, probably cheaper than Terminal Server.

I run a 2 site WAN with a 128k lease line. Anything above 4 users and the performance is dire (mind you, I'm also shipping email and file server services there too !). We have routers at both ends and no port restrictions (we have a private line) - but you are right about 5003.

Bear in mind that delivery performance at the client is most likely influenced by the upload capacity of the server site. It's unusual to have anything above 256kb upload without significant cost increase.

[micgla]

Thanks for all the responses. I have much to consider here. I will talk with the execs. to see what they want to do. I think the Terminal Server option is good but what about the cost? A VPN into a 2nd computer located on our LAN and then use FM client to gain access to the server. I think this might be the cheapest way to go.

Thanks again for the help

Mike

[Kurt Knippel]

Terminal Services sounds good on paper, but for limited amounts of users it is grossly expensive. Look for something on the order of $15,000 - $20,000 for a basic installation.

For anything less than 10 remote users, I cannot see how this is worth it. VPN/Remote Access into a LAN connected computer is gonna cost way less than $2000 per user.

[Anatoli]

Another option is separation of data and presentation code.

We are running 7 users over 128k and it is fast.

The whole presentation code sits on local computer and only data are transported to and from portals.

[Kurt Knippel]

That is a valid option that is actually employed by a few and advocated by many, but it can be a big change for an existing system and is best done with a new development.

[Jay G.]

To add to the part of this discussion brainstorming ideas for efficient & secure remote "access":

A distributed database system using replication with SyncDeK is another option. (Disclaimer: I'm referring to my company's technology, http://www.syncdek.com/).

More simply, remote sites or remote users get a full copy of the database, which synchronizes changes between it and the master database. If it's a remote site with multiple users, they can even run FileMaker Server to serve the database locally.

This whole process can be done efficiently with only changes being replicated, with data security enhanced by encryption. You can even enhance system security by eliminating the need to put the database directly online at all (via FM Client, Web, VPN, Citrix, or wireless).

There are development costs involved, but this potentially gets around bandwidth limitations, firewall restrictions, security issues and can be implemented with your existing database.

Anyway, I like the other suggestions, too--Timbuktu works great, and Citrix or separating the presentation & data layers can do wonders when encrypted direct connectivity is necessary.

-Jay-

[email protected]

[Anatoli]

From Microsoft site:

Windows 2000 Terminal Services CAL 5-pack $749

5 Terminal Services CALs

Not that expensive I think

[jagoldst]

Barring a redesign of our system running under fast dsl will I get better results with Tibuktu or Terminal services.

Filemaker Server running 10 clients on Lan and 2 remotely(Hopefully)

I am concerned with performance.. Anyone have any bench marks

Jeff

[Anatoli]

I vote for Terminal services. It is like working locally on my DSL.

[jagoldst]

Does Terminal services require static IP's.

If I get the 5 user license and FM server resides on XP do I need any other software besides FM5.5 for the client machines on XP

[Anatoli]

Does Terminal services require static IP's.

It's up to you.

If I get the 5 user license and FM server resides on XP do I need any other software besides FM5.5 for the client machines on XP

I do not understand that Q or you do not understand how TS are working.

TS are running any licensed application for any user.

I guess FM Large Volume Licensing Client works OK on TS. For the remote machines you need only TS client.

HTH

[Will]

Jeff -

Terminal Services will be overkill if you only have two remote clients that need to access the network. What exactly are you trying to accomplish? How will the remote users be connecting to your network (e.g., dial-up etc.)? What O/S is FileMaker Server running on?

Will

[Kurt Knippel]

For that little of users, I would suggest a remote access system such as Timbuktu connected to a couple of unused workstations in the office. The remote users will connect via Timbuktu software from thier remote locations to the workstations in the office, and then control those systems as if they were sitting there.