
Server with an external IP


#16 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 31
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 09 July 2014 - 14:33

I'm thinking a VPN will be the way to go. Thanks for all of your input! Setting up the VPN, would the server have an internal IP address, and then would you just forward the correct ports to that address?

Yes. No need to open ports, being that the network or computers are trusted at the network level, as if they were on site.




#17 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 31
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 09 July 2014 - 14:36

Personally, I don't think it's the right way to go. It's overcomplicating something that's simple. Even putting it on a DMZ would be better than a VPN.

Please explain to me how putting a file server in a DMZ would be "better" than a VPN. The whole security thing becomes an issue, especially if the other site has a dynamic address or if the existing site has a basic router that has no way to create access control lists. There is more headache, and the potential for a large security breach, in putting a server with extremely sensitive data directly on the internet: how are you securing said server? How are you protecting the data or contents of the server? This isn't a remote access or Citrix server; it is a file server/DB server that would have direct access from the internet with no safety measures in place. He wants to share an application on that server that has access to medical records and such. Putting that server in a DMZ and giving direct access would be a large security no-no. If anything, VPN, then remote desktop to it. VPN in many cases is secured by a few things, not only your user and password but also a PSK or a certificate that could be private for more security, which you would have to manually install. I wouldn't want my records running across a server that is insecure.



#18 JonnyLH

JonnyLH

    I say things.

  • Joined: 15-February 13
  • Location: UK
  • OS: W8, W7, WP8, iOS, Ubuntu
  • Phone: Nokia Lumia 920

Posted 09 July 2014 - 14:39

Yes. No need to open ports, being that the network or computers are trusted at the network level, as if they were on site.

But adding plenty of overhead on packets and load onto the box is the way to go?


Please explain to me how putting a file server in a DMZ would be "better" than a VPN. The whole security thing becomes an issue, especially if the other site has a dynamic address or if the existing site has a basic router that has no way to create access control lists. There is more headache, and the potential for a large security breach, in putting a server with extremely sensitive data directly on the internet: how are you securing said server? How are you protecting the data or contents of the server? This isn't a remote access or Citrix server; it is a file server/DB server that would have direct access from the internet with no safety measures in place.

Plug it directly into the router, only allow traffic inbound on the port in question through iptables with stateful firewalling if security is that much of a concern. In addition, only allow the company IP address ranges. Simples.
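As an added illustration of the firewall approach described in this post (not code from the thread or any poster), here is a POSIX shell script that generates an iptables-restore ruleset admitting only new TCP connections to a single port from allowlisted company ranges, with stateful connection tracking. It goes one step beyond the post by also dropping packets with private (RFC 1918) or loopback source addresses arriving on the WAN interface, which answers the spoofing concern raised later in the thread. The interface name eth0, port 1433 and the 203.0.113.0/24 and 198.51.100.0/24 ranges are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: build an iptables-restore ruleset for a
# single-port, allowlisted, stateful inbound policy. All values are assumed.
WAN_IF="${WAN_IF:-eth0}"                                        # assumed WAN interface
APP_PORT="${APP_PORT:-1433}"                                    # assumed "port in question"
COMPANY_RANGES="${COMPANY_RANGES:-203.0.113.0/24 198.51.100.0/24}"  # constructed doc ranges

gen_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Stateful part: replies to tracked connections pass, malformed state is dropped.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Anti-spoofing: private and loopback sources never legitimately arrive from the internet,
    # so a forged 10.x source cannot match any rule meant for internal hosts.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        printf '%s\n' "-A INPUT -i $WAN_IF -s $net -j DROP"
    done
    # Allowlist: NEW connections only, one TCP port, one rule per company range.
    for src in $COMPANY_RANGES; do
        printf '%s\n' "-A INPUT -i $WAN_IF -p tcp -s $src --dport $APP_PORT -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of whatever the default DROP policy discards, for monitoring.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "'
    printf '%s\n' 'COMMIT'
}

# Sanity check before applying: how many ACCEPT rules open the application port?
# Should equal the number of company ranges and nothing more.
count_port_accepts() {
    gen_rules | grep -c -- "--dport $APP_PORT .* -j ACCEPT"
}

if [ "${1:-}" = "apply" ]; then
    gen_rules | iptables-restore   # requires root; replaces the current filter table
else
    gen_rules                      # dry run: print the ruleset for review
fi
```

Run without arguments to review the generated table; `sh script.sh apply` loads it with iptables-restore.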



#19 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 31
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 09 July 2014 - 14:42

IPs can't be spoofed easily. Oh wait, they are easy to trick.

 

limits of stateful packet inspection

http://linux-ip.net/...ortcomings.html

 

ip spoofing

https://sandilands.i...tables-in-linux

 

Best thing to do would be to not open yourself up to attack and secure it with other more secure means.



#20 JonnyLH

JonnyLH

    I say things.

  • Joined: 15-February 13
  • Location: UK
  • OS: W8, W7, WP8, iOS, Ubuntu
  • Phone: Nokia Lumia 920

Posted 09 July 2014 - 14:58

IPs can't be spoofed easily. Oh wait, they are easy to trick.

 

limits of stateful packet inspection

http://linux-ip.net/...ortcomings.html

 

ip spoofing

https://sandilands.i...tables-in-linux

 

Best thing to do would be to not open yourself up to attack and secure it with other more secure means.

Anyone can pull up a URL with some blabber about spoofing with security worries.

 

If there are multiple offices running over a Layer 3 VPN link as part of their office WAN, enjoy trying to spoof a 10.0.0.0 from over the internet. If it's in their requirements to have external public access from outside their offices, only allowing the traffic on that port will stop any worry. Any security issues past there lie with the software rather than the network implementation.



#21 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 31
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 09 July 2014 - 15:03

10.0.0.0 is a private address secured with a VPN; yeah, that isn't exactly putting the server in a DMZ and giving them direct access through an outside internet connection via an outside IP, now is it?

 

My recommendation was to put it behind a VPN; you said to put it in a DMZ and give direct access to it. What you have just written is just confirming what I said in the first place, nothing to do with putting the server in a DMZ and giving direct access to that server through the internet without any further security measures.



#22 JonnyLH

JonnyLH

    I say things.

  • Joined: 15-February 13
  • Location: UK
  • OS: W8, W7, WP8, iOS, Ubuntu
  • Phone: Nokia Lumia 920

Posted 09 July 2014 - 15:46

10.0.0.0 is a private address secured with a VPN; yeah, that isn't exactly putting the server in a DMZ and giving them direct access through an outside internet connection via an outside IP, now is it?

 

My recommendation was to put it behind a VPN; you said to put it in a DMZ and give direct access to it. What you have just written is just confirming what I said in the first place, nothing to do with putting the server in a DMZ and giving direct access to that server through the internet without any further security measures.

There's no issue with having a DMZ which only accepts traffic on that one port. VPN is overcomplicating something and putting extra load on the network for something which simply doesn't need to be there.



#23 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 31
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 09 July 2014 - 16:06

I would never ever put a server on the net with direct file access... I have been burned too many times; you can think you are protected all you want... until the day you get burned, cost your company a ton of money, or, better yet, get jail time.

 

What is the best way to secure it so that you 1. don't lose your job, 2. don't lose the company money, 3. don't go to jail? If any of these sound great to you, by all means put it out there with no other security than a DMZ and an access rule... walls haven't been broken before and they won't be now, right?

 

If anything, I would employ a system that could also do IPS in addition to SPI in your scenario. I would seriously be considering XenApp or RemoteApp with your scenario... I'd be damned if I gave a user direct access to a server.



#24 JonnyLH

JonnyLH

    I say things.

  • Joined: 15-February 13
  • Location: UK
  • OS: W8, W7, WP8, iOS, Ubuntu
  • Phone: Nokia Lumia 920

Posted 09 July 2014 - 18:11

I would never ever put a server on the net with direct file access... I have been burned too many times; you can think you are protected all you want... until the day you get burned, cost your company a ton of money, or, better yet, get jail time.

 

What is the best way to secure it so that you 1. don't lose your job, 2. don't lose the company money, 3. don't go to jail? If any of these sound great to you, by all means put it out there with no other security than a DMZ and an access rule... walls haven't been broken before and they won't be now, right?

 

If anything, I would employ a system that could also do IPS in addition to SPI in your scenario. I would seriously be considering XenApp or RemoteApp with your scenario... I'd be damned if I gave a user direct access to a server.

I work for an ISP in the UK and was responsible for the testing environments, which replicated and scrubbed over 700GB of live databases. I face these scenarios a lot day to day. I recently did a night shift to re-work all our encryption techniques and VPNs based on the security audit of third-party contractors.

 

In the OP's scenario, he has a small Cisco router with an unspecified amount of traffic flowing through it. If the server is accessed a lot, the VPN aspect of it could really add a lot of load onto the box, and with the VPN it'll add a lot of overhead with added latency. With the details he specified, I'd definitely recommend either plugging it in directly to the router with iptables restrictions or a DMZ which only forwards on one port. With that, you can restrict it to one listening port. If there's any flaw in the software which grants access into the server, then the software needs to be looked at. That could happen on a VPN with intent, and of course it can happen with a public-facing server. Without the VPN, it's less hassle, less load and easier for the users internally to access the server.

 

Don't want to argue about this; I just personally feel like it's the best solution. There's obviously a lot of variables which could change that, though.



#25 +ChuckFinley

ChuckFinley

    member_id=28229

  • Joined: 14-May 03

Posted 09 July 2014 - 19:53

There's no issue with having a DMZ which only accepts traffic on that one port. VPN is overcomplicating something and putting extra load on the network for something which simply doesn't need to be there.

 

Seriously??? And you're publishing what data? lol :laugh:



#26 +ChuckFinley

ChuckFinley

    member_id=28229

  • Joined: 14-May 03

Posted 09 July 2014 - 19:57

I work for an ISP in the UK and was responsible for the testing environments, which replicated and scrubbed over 700GB of live databases. I face these scenarios a lot day to day. I recently did a night shift to re-work all our encryption techniques and VPNs based on the security audit of third-party contractors.

 

In the OP's scenario, he has a small Cisco router with an unspecified amount of traffic flowing through it. If the server is accessed a lot, the VPN aspect of it could really add a lot of load onto the box, and with the VPN it'll add a lot of overhead with added latency. With the details he specified, I'd definitely recommend either plugging it in directly to the router with iptables restrictions or a DMZ which only forwards on one port. With that, you can restrict it to one listening port. If there's any flaw in the software which grants access into the server, then the software needs to be looked at. That could happen on a VPN with intent, and of course it can happen with a public-facing server. Without the VPN, it's less hassle, less load and easier for the users internally to access the server.

 

Don't want to argue about this; I just personally feel like it's the best solution. There's obviously a lot of variables which could change that, though.

 

It's a good job that I remembered I was just given my MVC status. Maybe a little drunk, but that's beside the point. :blush:

 

There is a lot up for debate here, but if you value the security of ANY data then that isn't exactly best practice in the industry. It really is a trade-off between how easy you want to make it and how secure you make your data. :shifty:



#27 Anibal P

Anibal P

    Neowinian

  • Tech Issues Solved: 1
  • Joined: 11-June 02
  • Location: Waterbury CT
  • OS: Win 8.1
  • Phone: Android

Posted 10 July 2014 - 02:37

OP is dealing with PHI/PII, that alone IMMEDIATELY requires that they use a VPN or some other secure method of communication, which usually still involves VPN at some point, so based on what we currently know VPN would be the safest thing to do. 

 

There are other methods, we use 'em all at work, but the most cost-effective option is VPN.



#28 Shiranui

Shiranui

    Iconoclast

  • Tech Issues Solved: 3
  • Joined: 24-December 03

Posted 10 July 2014 - 06:01

Just get some professionals in to do it; it's not worth the bother of being blamed if anything goes wrong.



#29 JonnyLH

JonnyLH

    I say things.

  • Joined: 15-February 13
  • Location: UK
  • OS: W8, W7, WP8, iOS, Ubuntu
  • Phone: Nokia Lumia 920

Posted 10 July 2014 - 08:11

It's a good job that I remembered I was just given my MVC status. Maybe a little drunk, but that's beside the point. :blush:

 

There is a lot up for debate here, but if you value the security of ANY data then that isn't exactly best practice in the industry. It really is a trade-off between how easy you want to make it and how secure you make your data. :shifty:

If they valued it, they shouldn't give you a public IP and say "make this public please". If they gave you an IP, they obviously don't want to run it through a VPN, as this can be done without another IP, which are expensive these days.

 

Most threats of this nature are from internal employees anyway; people love to overcomplicate things.



#30 +ChuckFinley

ChuckFinley

    member_id=28229

  • Joined: 14-May 03

Posted 10 July 2014 - 08:20

OP is dealing with PHI/PII, that alone IMMEDIATELY requires that they use a VPN or some other secure method of communication, which usually still involves VPN at some point, so based on what we currently know VPN would be the safest thing to do. 

 

There are other methods, we use 'em all at work, but the most cost-effective option is VPN.

 

Finally someone with some sense!!! 

 

 

If they valued it, they shouldn't give you a public IP and say "make this public please". If they gave you an IP, they obviously don't want to run it through a VPN, as this can be done without another IP, which are expensive these days.

 

Most threats of this nature are from internal employees anyway; people love to overcomplicate things.

 

I can tell you the threats from external sources are quite real, ranging from people just trawling for any vulnerable infrastructure for whatever reason to targeted attacks! :shiftyninja: :shifty: