Accessing a machine through a firewall..

[Pc_Madness]

Hey guys, I was just wondering if anyone had any opinions on how to do this. We're putting our machine (Webserver + Postgresql) inside of a corporate network and need to be able to access it remotely. The solutions that I can think of are,

- Opening up a port to allow access to the device. Isn't a great solution since anyone can connect and try and brute force their way in.

- VPN access to the device. I'm not sure what kind of restrictions you can place upon VPN (ie make it so that that you can only access the device), but the companies IT may think its too much effort to setup / not possible with the current hardware.

- The final option was an SSH tunnel (again, not sure if this is possible) where we basically have a single server out in the world which clients connect to (assuming things on the network can dial out), and then we would run a seperate copy of the website on that machine, and it would simply access the database via the SSH tunnel. This is a pretty crazy solution though since we'd need to be managing a whole heap of SSH tunnels, and atm they would likely be connecting to our main website's server.. so security would be an issue... plus it means having multiple copies of the devices website on the server to handle machines which haven't been updated.

I dunno, all of the above solutions aren't exactly great. It needs to be an IT friendly solution that won't **** off network admins too much. Does anyone have any suggestions? :p

[+BudMan MVC]

Is this website for public consumption or for employee's to access while outside the company network?

As to your final option -- you lost me.. Why would you need to manage multiple ssh tunnels?

If for public access.. Place the box in the DMZ of your network - and open up the port(s) required to the general public. If the box is compromised it will not have access into your company network, since it sits in the DMZ.

If only for employee access - setup a VPN into your network. How is it you do not already have one for your employees to access company resources while on the road? There are many ways to do this - OpenVPN is a nobrainer solution for even the brain dead IT people. You could just download a virtual appliance to setup if really brain dead. If your running windows network, 2k3 or 2k8 provide for VPN access into your network out of the box.

http://technet.microsoft.com/en-us/library/bb726931.aspx

Connecting Remote Users to Your Network with Windows Server 2003

This is just one example of the many appliances available

http://www.rpath.org/rbuilder/project/phonehome/

PhoneHome is an OpenVPN appliance. It comes with a default config which allows the end user to boot the appliance and start using the VPN right away - no config required (beyond client key generation).

Or you could always go the poor/lazy man's vpn and setup a SSH server.. Users ssh into your network, and then tunnel anything they need to access thru that connection. You can setup putty with the everything already configured for the end user, etc.

Yes once you put a ssh server open to the public - it will be open to bruteforce, which is why you should only allow public key auth to the server. I have a blog post about this;

https://www.neowin.net/forum/index.php?auto...;showentry=1661

Why you should Secure your SSH Server!

It really comes down to who exactly will need access to this website when it comes to how you can best provide secure access to it.. Another option is you could setup the http server to require a cert to access, so only those users that have been issued a cert would be able to access the website. This would prevent bots and or would be hackers from attempting anything on the box. But can be a bit of logistics issue depending on how many users there are, and if they are John Q. Public or employee's, etc.

Some more details of who needs access to this website will help determine best way to allow for access to it.

[Pc_Madness]

  BudMan said:

Is this website for public consumption or for employee's to access while outside the company network?

As to your final option -- you lost me.. Why would you need to manage multiple ssh tunnels?

Its a website for the company to manage the device. But we'd also like to be able to manage the device remotely (we as in the makers of the device). So no, not for the general public to access. Atm, we have many little machines hidden in crazy places inside of say a hotel, and the distributor has to goto each one to make changes to the settings. The idea is which this device is to manage it all remotely.. but its going to suck if they have to come in to the company just to change a few settings and then leave. (bloody hell its hard to be specific without revealing what exactly it is that I'm doing :p)

I would need to maintain multiple SSH tunnels because we'll be selling this device to more than one customer. :p (not alot mind...about 30 to begin with). I spose my hope was VPN is the main solution, and for those where its not possible we might do a SSH solution.. or something else.. depends upon the suggestions.

And I'm honestly not sure about VPN's... but I think we need to assume that they may not be able to setup a VPN. Like... say this device was placed in an apartment complex.. they really don't have any need for sophisticated networking gear and may well just be a simple home router. Blimey that is going to suck if we have to give instructions on how to setup VPN's on every device known to man... particularly when people doing the installations are complete newbs. :\

Edited August 5, 2008 by Pc_Madness