Accessing a machine through a firewall

Hey guys, I was just wondering if anyone had any opinions on how to do this. We're putting our machine (webserver + PostgreSQL) inside of a corporate network and need to be able to access it remotely. The solutions that I can think of are:

- Opening up a port to allow access to the device. This isn't a great solution, since anyone can connect and try to brute-force their way in.

- VPN access to the device. I'm not sure what kind of restrictions you can place upon a VPN (i.e. make it so that you can only access the device), but the company's IT may think it's too much effort to set up / not possible with the current hardware.

- The final option was an SSH tunnel (again, not sure if this is possible) where we basically have a single server out in the world which clients connect to (assuming things on the network can dial out), and then we would run a separate copy of the website on that machine, and it would simply access the database via the SSH tunnel. This is a pretty crazy solution though, since we'd need to be managing a whole heap of SSH tunnels, and at the moment they would likely be connecting to our main website's server, so security would be an issue. Plus it means having multiple copies of the device's website on the server to handle machines which haven't been updated.

I dunno, all of the above solutions aren't exactly great. It needs to be an IT-friendly solution that won't **** off network admins too much. Does anyone have any suggestions? :p

Is this website for public consumption or for employees to access while outside the company network?

As to your final option -- you lost me. Why would you need to manage multiple SSH tunnels?

If for public access: place the box in the DMZ of your network and open up the port(s) required to the general public. If the box is compromised it will not have access into your company network, since it sits in the DMZ.

If only for employee access: set up a VPN into your network. How is it you do not already have one for your employees to access company resources while on the road? There are many ways to do this - OpenVPN is a no-brainer solution for even the brain-dead IT people. You could just download a virtual appliance to set up if really brain-dead. If you're running a Windows network, 2k3 or 2k8 provide for VPN access into your network out of the box.

http://technet.microsoft.com/en-us/library/bb726931.aspx

Connecting Remote Users to Your Network with Windows Server 2003

This is just one example of the many appliances available

http://www.rpath.org/rbuilder/project/phonehome/

PhoneHome is an OpenVPN appliance. It comes with a default config which allows the end user to boot the appliance and start using the VPN right away - no config required (beyond client key generation).

Or you could always go the poor/lazy man's VPN and set up an SSH server. Users SSH into your network, and then tunnel anything they need to access through that connection. You can set up PuTTY with everything already configured for the end user, etc.

Yes, once you put an SSH server open to the public it will be open to brute force, which is why you should only allow public key auth to the server. I have a blog post about this:

https://www.neowin.net/forum/index.php?auto...;showentry=1661

Why you should Secure your SSH Server!

It really comes down to who exactly will need access to this website when it comes to how you can best provide secure access to it. Another option is that you could set up the HTTP server to require a cert to access, so only those users that have been issued a cert would be able to access the website. This would prevent bots and/or would-be hackers from attempting anything on the box. But it can be a bit of a logistics issue depending on how many users there are, and whether they are John Q. Public or employees, etc.

Some more details of who needs access to this website will help determine the best way to allow for access to it.
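As an added example (not from this thread or its author), a small POSIX sh audit that checks an sshd_config for the "public key auth only" setup BudMan recommends: password and keyboard-interactive logins must be explicitly switched off, since a commented-out directive leaves the default (password auth on) in force. The two sample configs are constructed inline and written to temp files so the script runs stand-alone.

```shell
#!/bin/sh
# Added example: audit an sshd_config for "public key auth only". Reads plain "Name value"
# lines only (no Match/Include); feed it `sshd -T` output to audit the effective config.
# get_directive FILE NAME...: print the first uncommented value of any NAME, matched
# case-insensitively (sshd honours the first occurrence); return 1 if none is set.
get_directive() {
  file=$1; shift
  for name in "$@"; do
    v=$(awk -v k="$name" 'tolower($1) == tolower(k) { print $2; exit }' "$file")
    [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
  done
  return 1
}

# check_directive FILE WANT NAME...: 0 only if the directive is explicitly set to WANT.
check_directive() {
  file=$1; want=$2; shift 2
  got=$(get_directive "$file" "$@") || got="(unset, default applies)"
  if [ "$(printf '%s' "$got" | tr '[:upper:]' '[:lower:]')" = "$want" ]; then
    echo "ok   $1 = $got"; return 0
  fi
  echo "FAIL $1 = $got (want $want)"; return 1
}

# audit_sshd FILE: 0 only if every login path other than public keys is explicitly off.
audit_sshd() {
  rc=0
  check_directive "$1" no  PasswordAuthentication || rc=1
  check_directive "$1" yes PubkeyAuthentication || rc=1
  # keyboard-interactive (PAM) logins still take passwords unless this is off too;
  # older OpenSSH releases spell the directive ChallengeResponseAuthentication
  check_directive "$1" no  KbdInteractiveAuthentication ChallengeResponseAuthentication || rc=1
  check_directive "$1" no  PermitEmptyPasswords || rc=1
  return $rc
}

# Constructed sample configs (not real server files) so the example runs stand-alone.
# WEAK shows the common trap: the directive is only a comment, so the default (on) applies.
write_samples() {
  WEAK=$(mktemp); HARD=$(mktemp)
  printf '%s\n' 'Port 22' '#PasswordAuthentication no' 'PubkeyAuthentication yes' \
    'ChallengeResponseAuthentication yes' > "$WEAK"
  printf '%s\n' 'Port 22' 'PasswordAuthentication no' 'PubkeyAuthentication yes' \
    'KbdInteractiveAuthentication no' 'PermitEmptyPasswords no' > "$HARD"
}
write_samples
echo "== weak =="; audit_sshd "$WEAK" || echo "weak config: NOT key-only"
echo "== hardened =="; audit_sshd "$HARD" && echo "hardened config: key-only"
rm -f "$WEAK" "$HARD"
```

On a live host, `sshd -T > /tmp/effective.conf` (run as root) dumps the effective configuration including Match and Include results, and that file can be audited the same way.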

  BudMan said:
Is this website for public consumption or for employees to access while outside the company network?

As to your final option -- you lost me. Why would you need to manage multiple SSH tunnels?

It's a website for the company to manage the device. But we'd also like to be able to manage the device remotely (we as in the makers of the device). So no, not for the general public to access. At the moment, we have many little machines hidden in crazy places inside of, say, a hotel, and the distributor has to go to each one to make changes to the settings. The idea with this device is to manage it all remotely, but it's going to suck if they have to come in to the company just to change a few settings and then leave. (Bloody hell, it's hard to be specific without revealing what exactly it is that I'm doing :p)

I would need to maintain multiple SSH tunnels because we'll be selling this device to more than one customer. :p (Not a lot, mind, about 30 to begin with.) I suppose my hope was that VPN is the main solution, and for those where it's not possible we might do an SSH solution, or something else, depending upon the suggestions.

And I'm honestly not sure about VPNs, but I think we need to assume that they may not be able to set up a VPN. Like, say this device was placed in an apartment complex: they really don't have any need for sophisticated networking gear and may well just have a simple home router. Blimey, that is going to suck if we have to give instructions on how to set up VPNs on every device known to man, particularly when the people doing the installations are complete newbs. :\

Edited by Pc_Madness