Security Basics mailing list archives

Re: remote access to server
From: "Tim A." <security-basics () lists goldenpath org>
Date: Thu, 06 Dec 2007 10:12:23 -0500

Jonathan Askew JBASKEW wrote:
> What is the industry standard or best practice in setting up remote access
> to a 2003 server? What are the security implications associated with
> setting up remote access? I am looking for a solution that would preferably
> not require the purchase of any hardware and would allow me to perform
> basic administrative tasks such as setting up new users, changing
> permissions, etc. Sorry if this is double posted as I am having some
> trouble with my email.
>
> Thanks,
> Blake

I suppose that depends who you ask. Any vendor would have you believe
their "solution" is "the industry standard".
While there are attractive (and expensive) products out there,
I'd say "industry standard" for remote access is key-based SSH + Port
Forwarding.
(Keep your keys in a TrueCrypt volume for key security.)

I use variations of the attached minor example in production use.
If you're not familiar with SSH + Port Forwarding, you'll want to get up
to speed.
man ssh

Of course, OpenVPN and IPSec are more useful for site-site permanent
tunnels.
But, you just can't beat portable instant and secure socks proxy -D




         Big Bad Internet
   ---------------------------
                |
                |
                |
                V
      ----------------------
      |     1.2.3.4/24     | Any old Pentium 3 box, 128+ MB ram
      |  Router / Firewall | Running pfsense for the lazy,
      |    10.0.0.1/24     | FreeBSD for the adventurous,
      |   192.168.0.1/24   | or OpenBSD (for real men!)
      ----------------------
     NAT       Port Forwarding
192.168.0.0    ---------------
-----------    Ext Port 65432 -> 10.0.0.2:22
 |              ------------------------------------------------------------------------------->
 |                                                                                             |
 |                                                                                             |
 |                                                              -------------                  |
 |       --------------             Extra Credit!               |           | FreeBSD 6-STABLE |
 \------>|            |-------Span Port of Firewall Port------->|           |   Snort + Sguil  |
 /------>|   Switch   |                                         |  NSM Box  |                  |
 |       |____________|---------------------------------------->|           |                  |
 |              |                                               |___________|  192.168.0.4/24  |
 |              |                                                                              |
 |              V                                                                              |
 |   _______________________________                                                           |
 |  /                               \ 1.5 GHz Pentium M, 1 GB Ram, 4 NICS                      |
 |  |   Lex Twister CI852A-4UN10    |        Lots of potential                                 |
 |  \_______________________________/                                                          |
 |    Host:    Linux + VMWare Server                                                           |
 |             192.168.0.5/24                                                                  |
 |      Guest 1: Windows Server 2003, Domain Controller                                        |
 \------------>  192.168.0.3/24                                                                |
                                                                                               |
        Guest 2: FreeBSD 6-STABLE, SSH, Webmin, LAMP, +Ports                                   |
                 10.0.0.2/24    <--------------------------------------------------------------V
                 192.168.0.2/24
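
Added example, not part of the original post: a client-side ssh_config for the topology in the diagram (SSH to 1.2.3.4 port 65432, which the firewall forwards to Guest 2), with a check that every forward listens on loopback only. The host alias, user name, key path, local ports 13389 and 1080, and the use of RDP (3389) on the Windows guest are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Addresses and port 65432 come from the diagram; the alias,
# user, key path, local ports and the RDP target port are assumptions.

write_client_config() {   # $1 = file to write the ssh_config stanza to
    cat > "$1" <<'EOF'
# Constructed sample; key path assumes a mounted TrueCrypt volume
Host home-gw
    HostName 1.2.3.4
    Port 65432
    User admin
    IdentityFile /media/truecrypt1/id_rsa
    IdentitiesOnly yes
    PasswordAuthentication no
    ExitOnForwardFailure yes
    LocalForward 127.0.0.1:13389 192.168.0.3:3389
    DynamicForward 127.0.0.1:1080
EOF
}

# Print each LocalForward/DynamicForward in config $1 that lacks an explicit
# loopback bind address. A bare port follows GatewayPorts, so it is flagged.
# Returns 0 when every forward is loopback-only, 1 otherwise.
audit_forwards() {
    awk '
        tolower($1) ~ /^(localforward|dynamicforward)$/ {
            if ($2 !~ /^(127\.0\.0\.1|localhost|\[::1\]):[0-9]+$/) {
                print FILENAME ":" FNR ": " $0
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Demo: generate the stanza into a temp file and audit it.
cfg=$(mktemp)
write_client_config "$cfg"
audit_forwards "$cfg" && echo "all forwards are loopback-only"
rm -f "$cfg"
```

With the stanza in ~/.ssh/config, `ssh -N home-gw` opens both tunnels: an RDP client pointed at 127.0.0.1:13389 reaches the Windows guest, and 127.0.0.1:1080 is the SOCKS proxy that `-D` would provide.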

