Jump to content



Photo

Server with an external IP

external ip

  • Please log in to reply
37 replies to this topic

#31 JonnyLH

JonnyLH

    I say things.

  • Joined: 15-February 13
  • Location: UK
  • OS: W8, W7, WP8, iOS, Ubuntu
  • Phone: Nokia Lumia 920

Posted 10 July 2014 - 08:33

I can tell you the threats from external sources are quite real be it people just trawling for any vulnerable infrastructure for whatever reason to targeted attacks!  :shiftyninja:  :shifty:

Trawling to attack one port, needing auth to get anywhere, on a web interface.

 

Jesus christ. You guys really need to know how to attack before discussing how to secure against them. The most plausible threat would be internal/disgruntled employees leaking the data. He's going to put load onto his network and increase overhead for a threat that doesn't exist. Nice advice.

 

You could even put MAC filtering on the network for external access if you're that bothered about it. There's so many other solutions rather than degrading performance. 




#32 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 96
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 10 July 2014 - 10:34

"You could even put MAC filtering"

 

How is that going to work exactly on a routed connection across the internet?

 

Who said it was a web interface?  I did not get that impression from the OP.  He stated some application running on 2k12 - if web based that changes quite a bit.  But the risk of it being hipaa data seems likely.  But if this is a web interface, then its quite possible to secure it with https and say cert auth, etc.



#33 JonnyLH

JonnyLH

    I say things.

  • Joined: 15-February 13
  • Location: UK
  • OS: W8, W7, WP8, iOS, Ubuntu
  • Phone: Nokia Lumia 920

Posted 10 July 2014 - 10:55

"You could even put MAC filtering"

 

How is that going to work exactly on a routed connection across the internet?

 

Who said it was a web interface?  I did not get that impression from the OP.  He stated some application running on 2k12 - if web based that changes quite a bit.  But the risk of it being hipaa data seems likely.  But if this is a web interface, then its quite possible to secure it with https and say cert auth, etc.

Dumb suggestion on my part, it wouldn't.

 

Everything like this is going to be a web interface. 2k12 IIS instance, like I've said previously, a lot of assumptions without enough information to make a suitable recommendation. I presume HTTPS would be enabled by default externally with this sort of data. I'd like to think it was running HTTPS internally. 



#34 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 96
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 10 July 2014 - 11:13

Dude you know what happens when you assume ;) Nowhere did I see the OP state anything about what interface this application was.  He was clearly asked for details, and as quite common complete lack of any useful info missing in the response.

 

Pretty sure its not on purpose - just quite often people get tasked in the business world with IT stuff they are not familiar with - hey billy your good with computers right, your the one that gets my mouse working when it fails.  Could you make sure people can access this from the internet please ;)

 

This is self evident because of the create of the thread asking the question in the first place ;)  If they had the proper skill set to do what was ask, they normally wouldn't be asking for help on a forum with no details of what actual was asked.

 

I am curious where this IP came from - did they actually give him a public one?  Or did they give him the IP of this 2k12 box and ask him to make it public.

 

There is no where close to details required to actually help the OP given as of yet.  We can discuss and debate security practices vpn or not, etc but there is no details to base the discussion on.  If its a web application, and the proper device is at the edge to allow for locking down to specific IP as source, and you have say cert auth to a https site - that may be good enough for hipaa??  Not up on the laws since really haven't work in that area for years.  This would be maybe even overkill depending on what the data is, etc.

 

But then again if only being accessed from a company other site - I would have to ask why does this company not already have either point to point, mpls, or just site to site vpn setup?  Something that allows the company to talk between their locations without the whole public internet being able to see view the traffic.

 

What I think we have here is an OP that is way over his head, and asking for help - lets make sure we give him advice that is not going to get him fired when something happens to the server because its not secure enough for the data being presented in some sort of interface, etc.



#35 +ChuckFinley

ChuckFinley

    member_id=28229

  • Joined: 14-May 03

Posted 10 July 2014 - 11:51

Trawling to attack one port, needing auth to get anywhere, on a web interface.

 

Jesus christ. You guys really need to know how to attack before discussing how to secure against them. The most plausible threat would be internal/disgruntled employees leaking the data. He's going to put load onto his network and increase overhead for a threat that doesn't exist. Nice advice.

 

You could even put MAC filtering on the network for external access if you're that bothered about it. There's so many other solutions rather than degrading performance. 

 

 

Ok fair enough, MAC filtering on a Layer 3 ROUTED network. I suggest that the OP does that. :huh:  :rolleyes:  :rofl:

 

There is NO reason to bring load into this. If you cannot handle the load you have more major problems on the network to deal with than that. Most systems have no issue with "Load" as you put it.  

 

Back to lunch......



#36 OP ginjammer

ginjammer

    Neowinian

  • Joined: 08-July 14

Posted 17 July 2014 - 01:02

So I set the server up with VPN and got the software installed. Now I'm trying to get the external clients to access it and can't seem to get there. On the small cisco router should I forward port 1723 to the server for VPN and then set up the connection as xxx.xxx.xxx.xxx:1723? I've set up VPN connections before but always was given the info to set it up. Sorry if I sound like a noob but I really am one at this VPN setup. Thanks. 



#37 Walid W.

Walid W.

    I love Orcinus Orca

  • Tech Issues Solved: 3
  • Joined: 19-July 08
  • Location: Lost somewhere in Sweden
  • OS: Ubuntu, Debian, Backtrack 5r, Windows 7 & XP
  • Phone: iPhone 3GS, iPhone 4s & HTC One

Posted 17 July 2014 - 01:20

Is your external clients accessing this server with VPN or without? What is the error you get? Can you post your logs, error message on your VPN software? Give us a little more info so we can help you more :)



#38 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 25
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 17 July 2014 - 01:36

What Cisco router? What is your vpn host?