Server with an external IP

[+John Teacake MVC]

I work for an ISP in the UK and was responsible for the testing environments which replicated and scrubbed over 700GB of live databases. I face these scenarios a lot day to day. I recently did a night shift to re-work all our encryption techniques and VPNs based on the security audit of 3rd party contractors.

 

In the OPs scenario, he has a small cisco router with unspecified amount of traffic flowing through it. If the server is accessed a lot, the VPN aspect of it could really add a lot of load onto the box and with the aspect of the VPN, it'll add a lot of overhead with added latency. With the details he specified I'd definitely recommend either plugging it in directly to the router with IP table restrictions or a DMZ which only forwards on one port. With that, you can restrict on to one listening port. If there's any flaw in the software which grants access into the server then the software needs to be looked at. That could happen on a VPN with intent, and of course it can happen with a public facing server. Without the VPN, it's less hassle, less load and easier for the users internally to access the server.

 

Don't want to argue about this, I just personally feel like its the best solution. There's obviously a lot of variables which could change that though.

 

Its a good job that I remembered I was just given my MVC status, Maybe a little drunk but that's besides the point. :blush:

 

There is a lot up for debate here, But if you value your security of ANY data then that isn't exactly best practice in the industry. It really is a trade off over how easy you want to make it and how secure you make your data  :shifty:

[Anibal P]

OP is dealing with PHI/PII, that alone IMMEDIATELY requires that they use a VPN or some other secure method of communication, which usually still involves VPN at some point, so based on what we currently know VPN would be the safest thing to do. 

 

There are other methods, we use em all at work, but the most cost effective option is VPN 

[Shiranui]

Just get some professionals in to do it; it's not worth the bother of being blamed if anything goes wrong.

[JonnyLH]

Its a good job that I remembered I was just given my MVC status, Maybe a little drunk but that's besides the point. :blush:

 

There is a lot up for debate here, But if you value your security of ANY data then that isn't exactly best practice in the industry. It really is a trade off over how easy you want to make it and how secure you make your data  :shifty:

If they valued it, they shouldn't give you a public IP and say make this public please. If they gave you an IP, they obviously don't want to run it through a VPN as this can be done without another IP, which are expensive these days.

 

Most threats in this nature are from internal employees anyway, people love to over complicate things.

[+John Teacake MVC]

OP is dealing with PHI/PII, that alone IMMEDIATELY requires that they use a VPN or some other secure method of communication, which usually still involves VPN at some point, so based on what we currently know VPN would be the safest thing to do. 

 

There are other methods, we use em all at work, but the most cost effective option is VPN 

 

Finally someone with some sense!!! 

 

 

If they valued it, they shouldn't give you a public IP and say make this public please. If they gave you an IP, they obviously don't want to run it through a VPN as this can be done without another IP, which are expensive these days.

 

Most threats in this nature are from internal employees anyway, people love to over complicate things.

 

I can tell you the threats from external sources are quite real be it people just trawling for any vulnerable infrastructure for whatever reason to targeted attacks!  :shiftyninja:  :shifty:

[JonnyLH]

I can tell you the threats from external sources are quite real be it people just trawling for any vulnerable infrastructure for whatever reason to targeted attacks!  :shiftyninja:  :shifty:

Trawling to attack one port, needing auth to get anywhere, on a web interface.

 

Jesus christ. You guys really need to know how to attack before discussing how to secure against them. The most plausible threat would be internal/disgruntled employees leaking the data. He's going to put load onto his network and increase overhead for a threat that doesn't exist. Nice advice.

 

You could even put MAC filtering on the network for external access if you're that bothered about it. There's so many other solutions rather than degrading performance. 

[+BudMan MVC]

"You could even put MAC filtering"

 

How is that going to work exactly on a routed connection across the internet?

 

Who said it was a web interface?  I did not get that impression from the OP.  He stated some application running on 2k12 - if web based that changes quite a bit.  But the risk of it being hipaa data seems likely.  But if this is a web interface, then its quite possible to secure it with https and say cert auth, etc.

[JonnyLH]

"You could even put MAC filtering"

 

How is that going to work exactly on a routed connection across the internet?

 

Who said it was a web interface?  I did not get that impression from the OP.  He stated some application running on 2k12 - if web based that changes quite a bit.  But the risk of it being hipaa data seems likely.  But if this is a web interface, then its quite possible to secure it with https and say cert auth, etc.

Dumb suggestion on my part, it wouldn't.

 

Everything like this is going to be a web interface. 2k12 IIS instance, like I've said previously, a lot of assumptions without enough information to make a suitable recommendation. I presume HTTPS would be enabled by default externally with this sort of data. I'd like to think it was running HTTPS internally. 

[+BudMan MVC]

Dude you know what happens when you assume ;) Nowhere did I see the OP state anything about what interface this application was.  He was clearly asked for details, and as quite common complete lack of any useful info missing in the response.

 

Pretty sure its not on purpose - just quite often people get tasked in the business world with IT stuff they are not familiar with - hey billy your good with computers right, your the one that gets my mouse working when it fails.  Could you make sure people can access this from the internet please ;)

 

This is self evident because of the create of the thread asking the question in the first place ;)  If they had the proper skill set to do what was ask, they normally wouldn't be asking for help on a forum with no details of what actual was asked.

 

I am curious where this IP came from - did they actually give him a public one?  Or did they give him the IP of this 2k12 box and ask him to make it public.

 

There is no where close to details required to actually help the OP given as of yet.  We can discuss and debate security practices vpn or not, etc but there is no details to base the discussion on.  If its a web application, and the proper device is at the edge to allow for locking down to specific IP as source, and you have say cert auth to a https site - that may be good enough for hipaa??  Not up on the laws since really haven't work in that area for years.  This would be maybe even overkill depending on what the data is, etc.

 

But then again if only being accessed from a company other site - I would have to ask why does this company not already have either point to point, mpls, or just site to site vpn setup?  Something that allows the company to talk between their locations without the whole public internet being able to see view the traffic.

 

What I think we have here is an OP that is way over his head, and asking for help - lets make sure we give him advice that is not going to get him fired when something happens to the server because its not secure enough for the data being presented in some sort of interface, etc.

[+John Teacake MVC]

Trawling to attack one port, needing auth to get anywhere, on a web interface.

 

Jesus christ. You guys really need to know how to attack before discussing how to secure against them. The most plausible threat would be internal/disgruntled employees leaking the data. He's going to put load onto his network and increase overhead for a threat that doesn't exist. Nice advice.

 

You could even put MAC filtering on the network for external access if you're that bothered about it. There's so many other solutions rather than degrading performance. 

 

 

Ok fair enough, MAC filtering on a Layer 3 ROUTED network. I suggest that the OP does that. :huh:  :rolleyes:  :rofl:

 

There is NO reason to bring load into this. If you cannot handle the load you have more major problems on the network to deal with than that. Most systems have no issue with "Load" as you put it.  

 

Back to lunch......

[ginjammer]

So I set the server up with VPN and got the software installed. Now I'm trying to get the external clients to access it and can't seem to get there. On the small cisco router should I forward port 1723 to the server for VPN and then set up the connection as xxx.xxx.xxx.xxx:1723? I've set up VPN connections before but always was given the info to set it up. Sorry if I sound like a noob but I really am one at this VPN setup. Thanks. 

[nabz0r Veteran]

Is your external clients accessing this server with VPN or without? What is the error you get? Can you post your logs, error message on your VPN software? Give us a little more info so we can help you more :)

[sc302 Veteran]

What Cisco router? What is your vpn host?