Accessing a machine through a firewall..

Hey guys, I was just wondering if anyone had any opinions on how to do this. We're putting our machine (webserver + PostgreSQL) inside of a corporate network and need to be able to access it remotely. The solutions that I can think of are:

- Opening up a port to allow access to the device. Isn't a great solution since anyone can connect and try to brute-force their way in.

- VPN access to the device. I'm not sure what kind of restrictions you can place upon a VPN (i.e. make it so that you can only access the device), but the company's IT may think it's too much effort to set up / not possible with the current hardware.

- The final option was an SSH tunnel (again, not sure if this is possible) where we basically have a single server out in the world which clients connect to (assuming things on the network can dial out), and then we would run a separate copy of the website on that machine, and it would simply access the database via the SSH tunnel. This is a pretty crazy solution though since we'd need to be managing a whole heap of SSH tunnels, and at the moment they would likely be connecting to our main website's server.. so security would be an issue... plus it means having multiple copies of the device's website on the server to handle machines which haven't been updated.

I dunno, all of the above solutions aren't exactly great. It needs to be an IT-friendly solution that won't **** off network admins too much. Does anyone have any suggestions? :p

Is this website for public consumption or for employees to access while outside the company network?

As to your final option -- you lost me.. Why would you need to manage multiple SSH tunnels?

If for public access.. place the box in the DMZ of your network and open up the port(s) required to the general public. If the box is compromised it will not have access into your company network, since it sits in the DMZ.

If only for employee access, set up a VPN into your network. How is it you do not already have one for your employees to access company resources while on the road? There are many ways to do this; OpenVPN is a no-brainer solution for even the brain-dead IT people. You could just download a virtual appliance to set up if really brain dead. If you're running a Windows network, 2k3 or 2k8 provide for VPN access into your network out of the box.

http://technet.microsoft.com/en-us/library/bb726931.aspx

Connecting Remote Users to Your Network with Windows Server 2003

This is just one example of the many appliances available:

http://www.rpath.org/rbuilder/project/phonehome/

PhoneHome is an OpenVPN appliance. It comes with a default config which allows the end user to boot the appliance and start using the VPN right away - no config required (beyond client key generation).

Or you could always go the poor/lazy man's VPN and set up an SSH server.. Users SSH into your network, and then tunnel anything they need to access through that connection. You can set up PuTTY with everything already configured for the end user, etc.

Yes, once you put an SSH server open to the public it will be open to brute force, which is why you should only allow public key auth to the server. I have a blog post about this;

https://www.neowin.net/forum/index.php?auto...;showentry=1661

Why you should Secure your SSH Server!

It really comes down to who exactly will need access to this website when it comes to how you can best provide secure access to it.. Another option is you could set up the HTTP server to require a cert to access, so only those users that have been issued a cert would be able to access the website. This would prevent bots and/or would-be hackers from attempting anything on the box. But it can be a bit of a logistics issue depending on how many users there are, and if they are John Q. Public or employees, etc.

Some more details of who needs access to this website will help determine the best way to allow for access to it.
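The "public key auth only" advice in the reply above is easy to get wrong because sshd takes the first value it sees for a keyword and silently falls back to the default (password auth on) when the line is commented out. The script below is an added example, not code from the post or from the linked blog entry: it writes two constructed sshd_config samples (a weak one and a hardened one, both assumptions) to temp files and audits the effective global settings the way a reviewer would before exposing the box.

```shell
#!/bin/sh
# Offline review of an sshd_config against the "public key only" advice.
# sshd uses the FIRST value it sees for a keyword, and Match blocks must come
# last, so the global section is everything before the first "Match" line.

# Two constructed configs, written to temp files so the script runs on its own.
WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

cat >"$WEAK_CONF" <<'EOF'
# Looks tidy, but the important line is commented out, so the default (yes) applies
Port 22
PermitRootLogin yes
#PasswordAuthentication no
ChallengeResponseAuthentication yes
EOF

cat >"$HARD_CONF" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
EOF

# sshd_value <file> <keyword> <default>: effective global value, lower-cased.
sshd_value() {
  awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
    tolower($1) == "match" { exit }                 # end of the global section
    tolower($1) == key     { print tolower($2); found = 1; exit }
    END { if (!found) print def }
  ' "$1"
}

# expect_setting <file> <keyword> <default> <required>: prints one verdict
# line, returns 1 if the effective value is not the required one.
expect_setting() {
  got=$(sshd_value "$1" "$2" "$3")
  if [ "$got" = "$4" ]; then
    echo "ok   $2 = $got"
  else
    echo "FAIL $2 = $got (want $4)"
    return 1
  fi
}

# sshd_check <file>: 0 if every check passes, 1 otherwise. The defaults are
# OpenSSH's own (PermitRootLogin defaults to prohibit-password on current
# releases and to yes on 2009-era ones; "no" is the target either way).
sshd_check() {
  bad=0
  expect_setting "$1" PasswordAuthentication          yes no  || bad=1
  expect_setting "$1" KbdInteractiveAuthentication    yes no  || bad=1
  expect_setting "$1" ChallengeResponseAuthentication yes no  || bad=1
  expect_setting "$1" PubkeyAuthentication            yes yes || bad=1
  expect_setting "$1" PermitEmptyPasswords            no  no  || bad=1
  expect_setting "$1" PermitRootLogin                 prohibit-password no || bad=1
  return $bad
}

echo "== weak =="
sshd_check "$WEAK_CONF" || echo "-> still brute-forceable"
echo "== hardened =="
sshd_check "$HARD_CONF" && echo "-> password guessing is off"
```

On the live host, `sshd -T` prints the effective configuration and is the authoritative check; this script only reads the file. Keep an existing session open when you restart sshd after disabling passwords, so a missing authorized_keys entry does not lock you out.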

  BudMan said:
Is this website for public consumption or for employees to access while outside the company network?

As to your final option -- you lost me.. Why would you need to manage multiple SSH tunnels?

It's a website for the company to manage the device. But we'd also like to be able to manage the device remotely (we as in the makers of the device). So no, not for the general public to access. At the moment, we have many little machines hidden in crazy places inside of, say, a hotel, and the distributor has to go to each one to make changes to the settings. The idea with this device is to manage it all remotely.. but it's going to suck if they have to come in to the company just to change a few settings and then leave. (bloody hell it's hard to be specific without revealing what exactly it is that I'm doing :p)

I would need to maintain multiple SSH tunnels because we'll be selling this device to more than one customer. :p (not a lot mind... about 30 to begin with). I suppose my hope was VPN is the main solution, and for those where it's not possible we might do an SSH solution.. or something else.. depends upon the suggestions.

And I'm honestly not sure about VPNs... but I think we need to assume that they may not be able to set up a VPN. Like... say this device was placed in an apartment complex.. they really don't have any need for sophisticated networking gear and may well just have a simple home router. Blimey, that is going to suck if we have to give instructions on how to set up VPNs on every device known to man... particularly when people doing the installations are complete newbs. :\

Edited by Pc_Madness
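The design sketched in the first post (devices behind someone else's router that can only dial out, one rendezvous server, one tunnel per device) is the reverse-SSH pattern, and the "whole heap of SSH tunnels" worry from the same post is really a question of what each device's key is allowed to do on that server. The script below is an added example, not code from anyone in the thread: it generates the server-side authorized_keys file from a constructed device inventory (placeholder keys, an assumed 15000-15999 port range, an assumed `tunnel` account and `rendezvous.example.net` host) so that each key can only open one loopback port on the server and never a shell, and prints the matching client command each device would run. It needs OpenSSH 7.8 or newer for `permitlisten`.

```shell
#!/bin/sh
# Server side of the "devices dial out" design: one Unix account ("tunnel") on
# the rendezvous host, one public key per device, each key pinned to exactly one
# remote-forward port so a compromised device cannot reach another device's
# tunnel or run commands. restrict needs OpenSSH 7.2+, permitlisten 7.8+.

# Constructed inventory (placeholder keys, not real key material):
#   <device-id> <server-side listen port> <key type> <key data>
INVENTORY='hotel-lobby-01 15001 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERlobby01
hotel-bar-02 15002 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERbar02
flats-north-03 15003 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERnorth03'

PORT_MIN=15000   # assumed per-device port range on the rendezvous host
PORT_MAX=15999

# Reads inventory lines on stdin, writes authorized_keys lines on stdout.
# Returns 1 (discard the output) on a malformed entry, a key type we do not
# accept, a port outside the range, or two devices claiming the same port.
authorized_keys_from_inventory() {
  seen=" "
  while read -r dev port ktype kdata extra; do
    [ -n "$dev" ] || continue                      # skip blank lines
    if [ -z "$kdata" ] || [ -n "$extra" ]; then
      echo "bad inventory line for '$dev'" >&2; return 1
    fi
    case $ktype in
      ssh-ed25519|ssh-rsa) ;;
      *) echo "$dev: unsupported key type $ktype" >&2; return 1 ;;
    esac
    case $port in
      ''|*[!0-9]*) echo "$dev: port '$port' is not a number" >&2; return 1 ;;
    esac
    if [ "$port" -lt "$PORT_MIN" ] || [ "$port" -gt "$PORT_MAX" ]; then
      echo "$dev: port $port outside $PORT_MIN-$PORT_MAX" >&2; return 1
    fi
    case $seen in
      *" $port "*) echo "$dev: port $port already assigned" >&2; return 1 ;;
    esac
    seen="$seen$port "
    # restrict        : no pty, no agent/X11 forwarding, no ~/.ssh/rc, no forwarding...
    # port-forwarding : ...except forwarding, which permitlisten narrows to one
    #                   loopback port, so -R can only bind 127.0.0.1:<port>
    # command=        : the device connects with -N; if it ever asks for a
    #                   session it gets /bin/false instead of a shell
    printf 'command="/bin/false",restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s %s %s\n' \
      "$port" "$ktype" "$kdata" "$dev"
  done
  return 0
}

# What each device runs (kept alive by a supervisor such as a systemd unit with
# Restart=always, or autossh): expose the device's local PostgreSQL as
# 127.0.0.1:<port> on the rendezvous host. ExitOnForwardFailure turns a refused
# bind (wrong port for this key) into a hard failure instead of a useless session.
device_tunnel_command() {   # device_tunnel_command <port> <rendezvous host>
  printf 'ssh -i /etc/device/tunnel_key -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 127.0.0.1:%s:127.0.0.1:5432 tunnel@%s\n' "$1" "$2"
}

# Stand-alone demo: the authorized_keys file, then one device's client command.
printf '%s\n' "$INVENTORY" | authorized_keys_from_inventory || echo "inventory rejected" >&2
device_tunnel_command 15001 rendezvous.example.net
```

With this in place, staff on the rendezvous host reach a given device's database with `psql -h 127.0.0.1 -p 15002`, the device never accepts an inbound connection, and the only thing a stolen device key buys an attacker is the ability to offer a fake database on that one port.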