LinuxQuestions.org
Old 08-25-2005, 02:32 PM   #1
elliotfuller
Member
 
Registered: Apr 2005
Location: San Francisco, CA
Distribution: Ubuntu, Debian
Posts: 83

Rep: Reputation: 15
Paranoid Data Security!!


MY GOAL I am currently helping my Uncle's business by creating a server in his office and I am looking into making a VPN.

THE PROBLEM My uncle is extremely paranoid about data security. He is a Forensic Engineer that gives his expert opinions during Criminal and Civil trials. His main line of work is investigating car accidents, and analyzing mechanical failures to determine the faulty party. Needless to say, his data is extremely sensitive and some of his cases have been against large car manufacturers; "Million Dollar" cases. He recently had a mechanical failure of his hard drive, which cost him a lot of "reputation". He does NOT want this to happen again. He wants me to protect against: THEFT, FIRE, VIRUSES, INTRUDERS, MECHANICAL FAILURE, POWER SURGE, POWER FAILURE etc..

MY SOLUTION I have created a data server using Debian Linux. The server has a RAID 1 array with mirror drives so that if one drive has a failure, the other one is backed up. The server has been modified with a special power supply that can handle circuitry failure, voltage damage etc.. and prevent certain things. I have outfitted it with the necessary cooling practices; extra fans and heatsinks. The Server is locked in a tight metal cover and has a padlock on the back. I have installed dust filters over all of the intake fans to ensure a dust-free environment. I am still debating whether to implement error correcting RAM... (any opinions? would I have to change my motherboard?). The server will be housed in a fire resistant cabinet with a back up power supply. (Does Debian have power failure shutdown software?? I am using APC) There are just enough holes to let some cabling through. Every night the server data will be backed up via VPN to an external server site (his lakeshore home) where he will have the same paranoid thing implemented.

QUESTIONS

I am thinking of implementing a wireless network. The only problem is that he uses 2.4 GHz wireless phones for his office. So far my attempts at wireless (switching channels) have failed. The phone system cost several thousand dollars, and ethernet cables cost a lot less, so we have returned to ethernet. I was going to implement a RADIUS server if he were to get wireless.. but right now I am not sure if wireless is possible. Any suggestions besides changing the channel? (This only changes the frequency slightly, and I get too much interference from the phones on every channel)

I have ordered a static IP address to be put in (hasn't been implemented yet). He has a website that he has to pay for data storage. He wants a VPN, and he wants the external server back up. Do I need a static IP? Or will a dynamic DNS service like www.no-ip.com work? The reason I ask is because we are using SBC for our internet services. They are a terrible company, and the fastest they can make our internet in our 'remote location' (Oakland, CA) is 348 kbps. Having the static IP would be nice, because the server could also act as a web server and allow us to move his website to our own server and stop paying for web storage. The cable company offers MUCH faster service, but they cannot provide a static IP !!! Opinions? Comments?

I am planning on using OpenVPN and freeradius and openssl etc... Any better options? I am creating certificates on a computer rarely connected to the network. Where are the holes in my plan? I have only gotten as far as creating the server and mirror drives. The External server hasn't happened yet, does it need its own static IP?

Questions, comments, answers please!

Last edited by elliotfuller; 08-25-2005 at 02:38 PM.
 
Old 08-25-2005, 06:36 PM   #2
freakyg
Member
 
Registered: Apr 2005
Distribution: LFS 5.0 and 6.1
Posts: 705

Rep: Reputation: 30
If you want to keep that DATA safe..........don't use wireless at all..........any cracker/script kiddie scum can go around in a car ("war driving") and with the right equipment do a search for wireless networks to access and screw things up for you and your uncle............
 
Old 08-25-2005, 08:25 PM   #3
DaveG
Member
 
Registered: Nov 2001
Location: London, UK
Distribution: Fedora
Posts: 161

Rep: Reputation: 43
I second that! PLEASE don't use wireless!!! It's asking for trouble (Due Diligence?) as you may not notice when someone switches off the encryption because "it's so slow, man"!

If you are going to host a web site, keep it 100% separate from your confidential data. It would be like keeping a spare key under the door mat, just waiting for the next bug to be found on Apache, or BIND or sendmail, or... you get the idea.

VPN does not like NAT firewalls or dynamic IPs - it was developed before they became widespread. There are work-arounds but that's all they are, dropping and re-making connections when something changes. If your VPN connections are infrequent and fairly short you may get away with a dynamic IP address and a friendly DynDNS service.

If your ISP is no good, shop around.

Have you considered FTP over SSL? I think it's part of the OpenSSH package. You'll need that for remote management anyway, but pick a random port - port 22 attracts plenty of script kiddies. You could even consider a simple SSL/TLS tunnel rather than a full VPN.

I'd suggest keeping an eye on the temperature inside your boxes too. And set up a schedule to CLEAN THE FILTERS REGULARLY!!! (Guilty of this one myself)

ECC DRAM is a good idea. The cost is minimal so long as the motherboard supports it. I've had ECC RAM in my server (Shuttle XPC) for about a year now, no errors detected.

Before going too far, try to estimate your bandwidth and data transfer requirements. Check out tools like rsync that just perform "incremental" transfers.

Also verify that you can restore data from your remote data store before going live.

As for certificates, all you need to keep safe is the private keys. For automated operations it's not worth encrypting them, but the root CA key should be WELL protected with a good passphrase and, preferably, kept on secure, removable media. The unencrypted keys should be well protected by the filesystem, read-only by root, no other access. OpenSSH doesn't use certificates, just binary keys. Use a good passphrase and protect the private keys. Don't worry too much about the public keys, but set up the server "fingerprints" personally.

One other suggestion: What about Apache HTTP, forced SSL/TLS with WebDAV (mod_dav)? That would give you a simple, manageable, file server at each site with access controlled by SSL certificates. Might even work with Windows "Web Folders".

Final thought: SELinux?
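
Added example (not part of the post above): a small audit for the advice that unencrypted private keys be readable by root only, which also reports whether each key is passphrase-protected. It assumes GNU find, grep and stat as shipped on Debian; the function name and the example path in the comments are hypothetical.

```shell
#!/bin/sh
# Added example: audit PEM private keys under a directory tree.
# Assumes GNU find/grep/stat (as on Debian). Function name is hypothetical.
# Output per key: STATUS <tab> mode <tab> owner <tab> encrypted|plaintext|unknown <tab> path
# Exit status is 1 if any key has group/other permission bits or the wrong owner.

audit_private_keys() (
    dir=$1
    want_owner=${2:-root}
    report=$(
        # List only files containing a PEM private-key header (filenames
        # with embedded newlines are not supported by this simple loop).
        find "$dir" -type f -exec grep -l -e '-----BEGIN .*PRIVATE KEY-----' {} + 2>/dev/null |
        while IFS= read -r f; do
            mode=$(stat -c '%a' "$f")
            owner=$(stat -c '%U' "$f")
            if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$f"; then
                enc=encrypted      # PKCS#8 or legacy OpenSSL passphrase-protected key
            elif grep -q 'BEGIN OPENSSH PRIVATE KEY' "$f"; then
                enc=unknown        # newer OpenSSH format does not show this in the header
            else
                enc=plaintext
            fi
            status=OK
            # Any group or other permission bit means non-owners may access the key.
            [ $(( 0$mode & 077 )) -eq 0 ] || status=FAIL
            [ "$owner" = "$want_owner" ] || status=FAIL
            printf '%s\t%s\t%s\t%s\t%s\n' "$status" "$mode" "$owner" "$enc" "$f"
        done
    )
    [ -z "$report" ] || printf '%s\n' "$report"
    # Succeed only when no line was marked FAIL.
    ! printf '%s\n' "$report" | grep -q '^FAIL'
)

# Run against a directory when called with arguments, e.g. (example path):
#   sh audit_keys.sh /etc/openvpn root
if [ "$#" -gt 0 ]; then
    audit_private_keys "$@"
fi
```

A `plaintext` line for a root CA key is worth acting on even when its status is `OK`, since the post recommends a passphrase for that key in addition to filesystem protection.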
 
Old 08-26-2005, 12:46 AM   #4
elliotfuller
Member
 
Registered: Apr 2005
Location: San Francisco, CA
Distribution: Ubuntu, Debian
Posts: 83

Original Poster
Rep: Reputation: 15
Have you looked into a radius server? I think I am going to discard the wireless (not cost effective). However, I think they can be fairly secure if you really watch yourself. Plus, my Uncle has a large property, and a small office. I would lower the intensity to only the necessary speed. But then again, why not just use ethernet. Have a look at these articles www.linuxjournal.com/article/8095 and www.linuxjournal.com/article/8151 . I think it would be difficult to break into, but definitely not fail safe! As for the webserver/file server, I think you're absolutely right! Looks like I am going to have to continue paying for hosting, and invest in a static IP. I will look around for other companies that offer the services. I tried the cable, but they don't offer static.. hmm. I'll get back to this. Any more suggestions anyone? I appreciate the input so far!
 
  

