Server with an external IP

By ginjammer
in Smart Home, Network & Security

 Share

Recommended Posts

Grand Master

+John Teacake MVC

Posted
  • MVC
Posted

I work for an ISP in the UK and was responsible for the testing environments which replicated and scrubbed over 700GB of live databases. I face these scenarios a lot day to day. I recently did a night shift to re-work all our encryption techniques and VPNs based on the security audit of 3rd party contractors.

 

In the OPs scenario, he has a small cisco router with unspecified amount of traffic flowing through it. If the server is accessed a lot, the VPN aspect of it could really add a lot of load onto the box and with the aspect of the VPN, it'll add a lot of overhead with added latency. With the details he specified I'd definitely recommend either plugging it in directly to the router with IP table restrictions or a DMZ which only forwards on one port. With that, you can restrict on to one listening port. If there's any flaw in the software which grants access into the server then the software needs to be looked at. That could happen on a VPN with intent, and of course it can happen with a public facing server. Without the VPN, it's less hassle, less load and easier for the users internally to access the server.

 

Don't want to argue about this, I just personally feel like its the best solution. There's obviously a lot of variables which could change that though.

 

Its a good job that I remembered I was just given my MVC status, Maybe a little drunk but that's besides the point. :blush:

 

There is a lot up for debate here, But if you value your security of ANY data then that isn't exactly best practice in the industry. It really is a trade off over how easy you want to make it and how secure you make your data  :shifty:

Grand Master

Anibal P

Posted
Posted

OP is dealing with PHI/PII, that alone IMMEDIATELY requires that they use a VPN or some other secure method of communication, which usually still involves VPN at some point, so based on what we currently know VPN would be the safest thing to do. 

 

There are other methods, we use em all at work, but the most cost effective option is VPN 

Mentor

JonnyLH

Posted
Posted

Its a good job that I remembered I was just given my MVC status, Maybe a little drunk but that's besides the point. :blush:

 

There is a lot up for debate here, But if you value your security of ANY data then that isn't exactly best practice in the industry. It really is a trade off over how easy you want to make it and how secure you make your data  :shifty:

If they valued it, they shouldn't give you a public IP and say make this public please. If they gave you an IP, they obviously don't want to run it through a VPN as this can be done without another IP, which are expensive these days.

 

Most threats in this nature are from internal employees anyway, people love to over complicate things.

Grand Master

+John Teacake MVC

Posted
  • MVC
Posted

OP is dealing with PHI/PII, that alone IMMEDIATELY requires that they use a VPN or some other secure method of communication, which usually still involves VPN at some point, so based on what we currently know VPN would be the safest thing to do. 

 

There are other methods, we use em all at work, but the most cost effective option is VPN 

 

Finally someone with some sense!!! 

 

 

If they valued it, they shouldn't give you a public IP and say make this public please. If they gave you an IP, they obviously don't want to run it through a VPN as this can be done without another IP, which are expensive these days.

 

Most threats in this nature are from internal employees anyway, people love to over complicate things.

 

I can tell you the threats from external sources are quite real be it people just trawling for any vulnerable infrastructure for whatever reason to targeted attacks!  :shiftyninja:  :shifty:

Mentor

JonnyLH

Posted
Posted

I can tell you the threats from external sources are quite real be it people just trawling for any vulnerable infrastructure for whatever reason to targeted attacks!  :shiftyninja:  :shifty:

Trawling to attack one port, needing auth to get anywhere, on a web interface.

 

Jesus christ. You guys really need to know how to attack before discussing how to secure against them. The most plausible threat would be internal/disgruntled employees leaking the data. He's going to put load onto his network and increase overhead for a threat that doesn't exist. Nice advice.

 

You could even put MAC filtering on the network for external access if you're that bothered about it. There's so many other solutions rather than degrading performance. 

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

"You could even put MAC filtering"

 

How is that going to work exactly on a routed connection across the internet?

 

Who said it was a web interface?  I did not get that impression from the OP.  He stated some application running on 2k12 - if web based that changes quite a bit.  But the risk of it being hipaa data seems likely.  But if this is a web interface, then its quite possible to secure it with https and say cert auth, etc.

Mentor

JonnyLH

Posted
Posted

"You could even put MAC filtering"

 

How is that going to work exactly on a routed connection across the internet?

 

Who said it was a web interface?  I did not get that impression from the OP.  He stated some application running on 2k12 - if web based that changes quite a bit.  But the risk of it being hipaa data seems likely.  But if this is a web interface, then its quite possible to secure it with https and say cert auth, etc.

Dumb suggestion on my part, it wouldn't.

 

Everything like this is going to be a web interface. 2k12 IIS instance, like I've said previously, a lot of assumptions without enough information to make a suitable recommendation. I presume HTTPS would be enabled by default externally with this sort of data. I'd like to think it was running HTTPS internally. 

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

Dude you know what happens when you assume ;) Nowhere did I see the OP state anything about what interface this application was.  He was clearly asked for details, and as quite common complete lack of any useful info missing in the response.

 

Pretty sure its not on purpose - just quite often people get tasked in the business world with IT stuff they are not familiar with - hey billy your good with computers right, your the one that gets my mouse working when it fails.  Could you make sure people can access this from the internet please ;)

 

This is self evident because of the create of the thread asking the question in the first place ;)  If they had the proper skill set to do what was ask, they normally wouldn't be asking for help on a forum with no details of what actual was asked.

 

I am curious where this IP came from - did they actually give him a public one?  Or did they give him the IP of this 2k12 box and ask him to make it public.

 

There is no where close to details required to actually help the OP given as of yet.  We can discuss and debate security practices vpn or not, etc but there is no details to base the discussion on.  If its a web application, and the proper device is at the edge to allow for locking down to specific IP as source, and you have say cert auth to a https site - that may be good enough for hipaa??  Not up on the laws since really haven't work in that area for years.  This would be maybe even overkill depending on what the data is, etc.

 

But then again if only being accessed from a company other site - I would have to ask why does this company not already have either point to point, mpls, or just site to site vpn setup?  Something that allows the company to talk between their locations without the whole public internet being able to see view the traffic.

 

What I think we have here is an OP that is way over his head, and asking for help - lets make sure we give him advice that is not going to get him fired when something happens to the server because its not secure enough for the data being presented in some sort of interface, etc.

  • +theblazingangel
  • Like 1
Grand Master

+John Teacake MVC

Posted
  • MVC
Posted

Trawling to attack one port, needing auth to get anywhere, on a web interface.

 

Jesus christ. You guys really need to know how to attack before discussing how to secure against them. The most plausible threat would be internal/disgruntled employees leaking the data. He's going to put load onto his network and increase overhead for a threat that doesn't exist. Nice advice.

 

You could even put MAC filtering on the network for external access if you're that bothered about it. There's so many other solutions rather than degrading performance. 

 

 

Ok fair enough, MAC filtering on a Layer 3 ROUTED network. I suggest that the OP does that. :huh:  :rolleyes:  :rofl:

 

There is NO reason to bring load into this. If you cannot handle the load you have more major problems on the network to deal with than that. Most systems have no issue with "Load" as you put it.  

 

Back to lunch......

Neowinian

ginjammer

Posted
  • Author
Posted

So I set the server up with VPN and got the software installed. Now I'm trying to get the external clients to access it and can't seem to get there. On the small cisco router should I forward port 1723 to the server for VPN and then set up the connection as xxx.xxx.xxx.xxx:1723? I've set up VPN connections before but always was given the info to set it up. Sorry if I sound like a noob but I really am one at this VPN setup. Thanks. 

Veteran

nabz0r Veteran

Posted
  • Veteran
Posted

Is your external clients accessing this server with VPN or without? What is the error you get? Can you post your logs, error message on your VPN software? Give us a little more info so we can help you more :)

This topic is now closed to further replies.
 Share
Go to topic listing

  • Posts

    • FastStone Image Viewer 8.5

      By Copernic · Posted

      FastStone Image Viewer 8.5 by Razvan Serea FastStone Image Viewer is a fast, stable, user-friendly image browser, converter and editor. It has a nice array of features that include image viewing, management, comparison, red-eye removal, emailing, resizing, cropping, retouching and color adjustments. Its innovative but intuitive full-screen mode provides quick access to EXIF information, thumbnail browser and major functionalities via hidden toolbars that pop up when your mouse touches the four edges of the screen. Other features include a high quality magnifier and a musical slideshow with 150+ transitional effects, as well as lossless JPEG transitions, drop shadow effects, image annotation, scanner support, histogram and much more. It supports all major graphic formats (BMP, JPEG, JPEG 2000, animated GIF, PNG, PCX, PSD, EPS, TIFF, WMF, ICO and TGA) and popular digital camera RAW formats (CRW, CR2, NEF, PEF, RAF, MRW, ORF, SRF, ARW, SR2, RW2 and DNG). FastStone Image Viewer features: Image browser and viewer with a familiar Windows Explorer-like user interface Support for many popular image formats and PDF viewing True Full Screen viewer with convenient image zoom support and unique fly-out menu panels Crystal-clear and customizable one-click image magnifier Powerful image editing tools: Resize/resample, rotate/flip, crop, sharpen/blur, adjust lighting/colors/curves/levels etc. Eleven re-sampling algorithms to choose from when resizing images Image color effects: gray scale, sepia, negative, Red/Green/Blue adjustment Image special effects: drop shadow, framing, bump map, sketch, oil painting, lens Draw texts, lines, highlights, rectangles, ovals and callout objects on images Clone Stamp and Healing Brush Superior red-eye effect removal/reduction with completely natural looking end result Multi-level Undo/Redo capability Single click to switch between best fit and actual size mode Image management, including file tagging, rating and drag-and-drop to copy/move/re-arrange files Histogram display with color counter feature Compare images side-by-side (up to 4 at a time) to easily cull those forgettable shots Image EXIF metadata support (plus comment editing for JPEGs) Configurable batch processing to convert/rename large or small collections of images Slideshow with 150+ transition effects and music support (MP3, WMA, WAV...) Create efficient image attachments for emailing to family and friends Print images with full page-layout control Create fully configurable contact sheets Create memorable artistic image montages from your family photos for personalized desktop wallpapers (Wallpaper Anywhere) Acquire images from scanners. Support batch scanning to PDF, TIFF, JPEG and PNG Versatile screen capture capability Powerful Save As interface to compare image quality and control generated file size Run favorite external editors with one keystroke from within Image Viewer Offer portable version of the program which can be run from a removable storage device Configurable mouse wheel support Support themes (bright, gray and dark) Support dual-monitor configurations Support touch interface (tap, swipe, pinch) Support dual instances Play video and audio files (Third party codecs may be required for old versions of Windows) And much more... FastStone Image Viewer 8.5 changelog: Added support for SVG format Added Start importing automatically and Handle duplicate file names automatically options to the Import Photos and Videos tool WebP files can now be rotated and saved with a single click Enhanced dark theme support in the PDF viewer Fixed a bug where some links in PDF files were not clickable Other improvements and bug fixes Download: FastStone Image Viewer 8.5 | Portable | ~15.0 MB (Freeware) View: FastStone Image Viewer Website | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • AMD confirms 26.6.2 FSR driver breaks on many Windows PCs

      By noobient · Posted

      Yup, broke my comp… again. its times like this when I regret AMD. This just never happens on NV.
    • Valve finally confirms Steam Machine prices, starts at $1049 for 512GB option

      By matthiew · Posted

      Huh? You're delusional calling the Steam Deck dead. It is so successful that it has sold out multiple times. Even after the price hike this year it sold out again with 24 hours of being back in stock. The demand is real and has not died down even after four years.
    • Valve finally confirms Steam Machine prices, starts at $1049 for 512GB option

      By branfont · Posted

      Same place "Unreal III" is, in everyone's thoughts!
    • Microsoft is building an AI datacenter that "uses less water than a fast food restaurant"

      By matthiew · Posted

      So how much water is used in that "initial charge" and how often will it need to be recharged?

  • Recent Achievements

    • Rookie
      DaviKar went up a rank
      Rookie
    • Dedicated
      HidekoYamamoto94 earned a badge
      Dedicated
    • One Month Later
      timbobit earned a badge
      One Month Later
    • One Month Later
      nates earned a badge
      One Month Later
    • Week One Done
      Almohandis earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      460
    2. 2
      +Edouard
      160
    3. 3
      PsYcHoKiLLa
      110
    4. 4
      Michael Scrip
      85
    5. 5
      Steven P.
      69
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!