Server with an external IP

[ginjammer]

Hello,

 

I've been asked to help set up a server with an external IP address so that users in another location can access it. I'm not entirely sure how to go about this. I've been given the external IP address that their Internet provider supplied. Should I install another switch before the internal network switch in order to have the server on the "outside". I've not done much router configuration and am not sure if there is a way to route these users to this server if it is behind their current router. Since it would have a different address would this even be possible? Any advice would be greatly appreciated.

[episode]

Normally, you should assign the static IP to the router/firewall and use port forwarding for the services the external users need.

 

You can assign the IP directly to the server and then put the server in the router's DMZ as well.

 

Or like you said, deploy a switch and then assign the statics to the router and server. This will basically completely separate the two networks, but leaves the server fully out 'in the wild'.

[+BudMan MVC]

keep in mind exposing a server that is on your network to the public internet for inbound traffic is risk. Normally servers that allow inbound traffic from the internet would be in a dmz (isolated from your normal network) Where there would be a firewall between this dmz and the local network.

You could mitigate risk by only allowing the IP address from this remote location to talk to your server.

What exactly are they going to access on this server? Http, ftp, what?

A switch would not isolate anything to be honest, what hardware are you working with? What is your router that connects you to the internet?

[+John Teacake MVC]

What equipment are you working with currently? Or plan on working with? 

[sc302 Veteran]

What type of server is this?  Is this a web server?  Is this a file server?  If it is a file server you are better off setting up a vpn for access as it could open up a can of worms that you would not want open to the outside world.  If you have a corporate firewall you can make specific rules as to what outside IPs have access to this, but it still is highly not recommended to do so. 

[fusi0n]

Yeah, what are they needing to access? You have to be very careful with this kinda stuff.. 

[ginjammer]

This will be just a standard server running Server 2012 Essentials. They have a program that they want everyone to be able to get to. Basically this program is a medical type scheduling program. They enter notes about patients into the database. I'm guessing the setup I originally suggested is definitely not the way to go. They have cable for internet service and just a small cisco router connected to that for the local network. I wasn't sure if I could utilize the external IP address within the local network and have the router access it some way? Thanks for all of the input!

[fusi0n]

This will be just a standard server running Server 2012 Essentials. They have a program that they want everyone to be able to get to. Basically this program is a medical type scheduling program. They enter notes about patients into the database. I'm guessing the setup I originally suggested is definitely not the way to go. They have cable for internet service and just a small cisco router connected to that for the local network. I wasn't sure if I could utilize the external IP address within the local network and have the router access it some way? Thanks for all of the input!

Then you would have to open port 3389 and forward that port to the hosting server.. Which is horrible to expose to the internet. I would just keep the server local, and add a VPN, then they can use remote desktop to access the app..  What model is the Cisco Router? Also, does your company use any Citrix or VMware? There might be a better and safer way to do this.. 

[+John Teacake MVC]

I hope its nothing medical related when you said this....

 

http://ico.org.uk/enforcement/fines

[fusi0n]

You also mentioned "users in another location".. There already might be a dedicated VPN link setup between the two offices.. 

[sc302 Veteran]

You can do the same as citrix with a microsoft server with remote app (there are licensing fees on top of the microsoft server license to enable this).  This will allow you to publish the app on a website through secure ports, similar to citrix xenapp server.  the citrix protocol is nicer and has more features and has an associated cost with these nicer and more features option on top of a windows server, which you need the license mentioned before on top of the citrix licensing to be properly licensed and working...unless in recent years they have changed their license model.

[fusi0n]

Hello,

 

I've been asked to help set up a server with an external IP address so that users in another location can access it. I'm not entirely sure how to go about this. I've been given the external IP address that their Internet provider supplied. Should I install another switch before the internal network switch in order to have the server on the "outside". I've not done much router configuration and am not sure if there is a way to route these users to this server if it is behind their current router. Since it would have a different address would this even be possible? Any advice would be greatly appreciated.

Any updates on this? I was actually curious to see where this was going?

[JonnyLH]

This will be just a standard server running Server 2012 Essentials. They have a program that they want everyone to be able to get to. Basically this program is a medical type scheduling program. They enter notes about patients into the database. I'm guessing the setup I originally suggested is definitely not the way to go. They have cable for internet service and just a small cisco router connected to that for the local network. I wasn't sure if I could utilize the external IP address within the local network and have the router access it some way? Thanks for all of the input!

Is there a free interface on the small router? Or if not, you could make an argument to buy a cheap one. Plug it in there and depending if there's any protocol running on the links between offices/ISP then you can advertise the server out of it.

 

Always stay simple. Depending on how much the router is utilised, adding port-forwarding or DMZ's through NAT can add quite a lot of load on those small things.   

[ginjammer]

I'm thinking a VPN will be the way to go. Thanks for all of your input! Setting up the VPN would the server have an internal IP address and then just forward the correct ports to that address?

[JonnyLH]

I'm thinking a VPN will be the way to go. Thanks for all of your input! Setting up the VPN would the server have an internal IP address and then just forward the correct ports to that address?

Personally, I don't think its the right way to go. It's over complicating something thats simple. Even putting it on a DMZ would be better than a VPN.

[sc302 Veteran]

I'm thinking a VPN will be the way to go. Thanks for all of your input! Setting up the VPN would the server have an internal IP address and then just forward the correct ports to that address?

Yes.  No need to open ports being that the network or computers are trusted on the network level, as if they were on site. 

[sc302 Veteran]

Personally, I don't think its the right way to go. It's over complicating something thats simple. Even putting it on a DMZ would be better than a VPN.

Please explain to me how putting a file server in a DMZ would be "better" than a VPN.  The whole security thing becomes an issue, esp if the other site has a dynamic address or if the existing site has a basic router that has no way to create access control lists.  There is more headache and capable of a large security breech by putting a server with extremely sensitive data directly on the internet, how are you securing said server?  How are you protecting the data or contents of the server?  This isn't a remote access or citrix server, it is a file server/db server that would have direct access from the internet with no safety measures in place. He wants to share an application on that server that has access to medical records and such.  putting that server in a dmz and giving direct access would be a large security no no.  If anything vpn, then remote desktop to it.  VPN in many cases is secured by a few things, not only your user and password but also a PSK or a certificate that could be private for more security which you would have to manually install.  I wouldn't want my records running across a server that is insecure. 

[JonnyLH]

Yes.  No need to open ports being that the network or computers are trusted on the network level, as if they were on site. 

But adding plenty of overhead on packets and load onto the box is the way to go?

Please explain to me how putting a file server in a DMZ would be "better" than a VPN.  The whole security thing becomes an issue, esp if the other site has a dynamic address or if the existing site has a basic router that has no way to create access control lists.  There is more headache and capable of a large security breech by putting a server with extremely sensitive data directly on the internet, how are you securing said server?  How are you protecting the data or contents of the server?  This isn't a remote access or citrix server, it is a file server/db server that would have direct access from the internet with no safety measures in place. 

Plug it directly into the router, only allow traffic in-bound on the port in question through IP Tables with stateful firewalling if security is that much of a concern. In addition, only allow the company IP address ranges. Simples. 

[sc302 Veteran]

IPs can't be spoofed easily.  Oh wait they are easy to trick.

 

limits of stateful packet inspection

http://linux-ip.net/html/pf-shortcomings.html

 

ip spoofing

https://sandilands.info/sgordon/address-spoofing-with-iptables-in-linux

 

Best thing to do would be to not open yourself up to attack and secure it with other more secure means.

[JonnyLH]

IPs can't be spoofed easily.  Oh wait they are easy to trick.

 

limits of stateful packet inspection

http://linux-ip.net/html/pf-shortcomings.html

 

ip spoofing

https://sandilands.info/sgordon/address-spoofing-with-iptables-in-linux

 

Best thing to do would be to not open yourself up to attack and secure it with other more secure means.

Anyone can pull up a URL with some blabber about spoofing with security worries.

 

If there's multiple offices running over a Layer 3 VPN link as part of their office WAN, enjoy trying to spoof a 10.0.0.0 from over the internet. If it's in their requirements to have external public access from outside their offices, only allowing the traffic on that port will stop any worry. Any security issues past there lie with the software and rather the network implementation.

[sc302 Veteran]

10.0.0.0 is a private address and secured with a vpn, yea that isn't exactly putting the server in a dmz and giving them direct access through outside internet connection via an outside IP now is it?

 

My recommendation was to put in behind a vpn, you said to put it in a dmz and give direct access to it.  what you have just wrote is just confirming what I said in the first place, nothing to do with putting the server in a dmz and giving direct access to that server through the internet without any further security measures.

[JonnyLH]

10.0.0.0 is a private address and secured with a vpn, yea that isn't exactly putting the server in a dmz and giving them direct access through outside internet connection via an outside IP now is it?

 

My recommendation was to put in behind a vpn, you said to put it in a dmz and give direct access to it.  what you have just wrote is just confirming what I said in the first place, nothing to do with putting the server in a dmz and giving direct access to that server through the internet without any further security measures.

There's no issue with having a DMZ which only accepts traffic on that one port. VPN is over complicating something and putting extra load on the network for something which simply doesn't need to be there. 

[sc302 Veteran]

I would never ever put a server on the net with direct file access...I have been burned too many times, you can think you are protected all you want....until the day you get burned, cost your company a ton of money, or better yet jail time. 

 

What is the best way to secure it so that you 1. don't lose your job, 2. don't lose the company money, 3. don't go to jail.  If any of these sound great to you, by all means put it out there with no other security than a dmz and a access rule...walls haven't been broken before and they won't now right? 

 

If anything I would employ a system that also could do IPS in addition to SPI in your scenario.  I would seriously be considering Xenapp or Remote App with your scenerio...I'd be damned if I give a user direct access to a server.

[JonnyLH]

I would never ever put a server on the net with direct file access...I have been burned too many times, you can think you are protected all you want....until the day you get burned, cost your company a ton of money, or better yet jail time. 

 

What is the best way to secure it so that you 1. don't lose your job, 2. don't lose the company money, 3. don't go to jail.  If any of these sound great to you, by all means put it out there with no other security than a dmz and a access rule...walls haven't been broken before and they won't now right? 

 

If anything I would employ a system that also could do IPS in addition to SPI in your scenario.  I would seriously be considering Xenapp or Remote App with your scenerio...I'd be damned if I give a user direct access to a server.

I work for an ISP in the UK and was responsible for the testing environments which replicated and scrubbed over 700GB of live databases. I face these scenarios a lot day to day. I recently did a night shift to re-work all our encryption techniques and VPNs based on the security audit of 3rd party contractors.

 

In the OPs scenario, he has a small cisco router with unspecified amount of traffic flowing through it. If the server is accessed a lot, the VPN aspect of it could really add a lot of load onto the box and with the aspect of the VPN, it'll add a lot of overhead with added latency. With the details he specified I'd definitely recommend either plugging it in directly to the router with IP table restrictions or a DMZ which only forwards on one port. With that, you can restrict on to one listening port. If there's any flaw in the software which grants access into the server then the software needs to be looked at. That could happen on a VPN with intent, and of course it can happen with a public facing server. Without the VPN, it's less hassle, less load and easier for the users internally to access the server.

 

Don't want to argue about this, I just personally feel like its the best solution. There's obviously a lot of variables which could change that though.

[+John Teacake MVC]

There's no issue with having a DMZ which only accepts traffic on that one port. VPN is over complicating something and putting extra load on the network for something which simply doesn't need to be there. 

 

Seriously??? And your publishing what data? lol  :laugh: