jumptohigh asked on

How do we mitigate security risk if we open ports on PCs and enable port forwarding on our router?

Hello Experts,

Our office Windows 2008 server and Windows XP workstations are connected to the internet through FiOS using the Verizon issued Actiontec MI424WR router.  If we add some port forwarding rules to enable remote desktop sessions with certain workstations, what steps need to be taken on the router and/or workstations to prevent rogue connections to our network? What type of security (encryption/authentication) should be implemented?

We also want to open a particular port for an application on our server to communicate with client laptops through the internet.  What steps should we take to mitigate risk to our server and prevent port/vulnerability scanning?  Do we need to purchase a security appliance?

Thank you so much for your help with this matter.

Sincerely,
Mike
Tags: Vulnerabilities, Encryption, Hardware Firewalls

Last Comment: jumptohigh, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Ernie Beek

ahoffmann

> What steps should we take to mitigate risk to our server and prevent port/vulnerability scanning?
open ports -or more precisely: any connection to the internet- are subject to scanning 'cause it's the nature of such a port to be connected
so scanning is a threat, and threats cannot be mitigated, they simply exist
to mitigate risk, you need to know what your asset is and if your application has vulnerabilities to be exploited, then you can calculate the risk and think about proper countermeasures

e.g. a network firewall at the internet boundary should be sufficient
but since, by the nature of your configuration, some ports are open and hence not blocked by the firewall, you need to harden the application listening on these ports
SOLUTION
grimkin

SOLUTION
Rich Rumble

jumptohigh

ASKER
Thanks everyone for helping out this IT neophyte.

HTH, if I obtain a separate device to perform router / firewall / VPN functionality, where does the router that FiOS issued me come into play?  Do we even need it or must it be setup differently in order to pass "control" to the new device?

We have about 25 folks that would like to "VPN" in, which particular brand/model would you recommend for this purpose?

Once a client has logged into the VPN device, how does it "know" to connect via RDP to the appropriate PC on the work's internal network?  Is the user presented with a list of clients it can connect to?

Rich, the FiOS address is not static... since we have had it though it has only changed twice.  Will this be a problem?  How can this be remedied/circumvented?

Thanks,
Mike
Rich Rumble

moving to a business FiOS plan would help, perhaps you can call and ask for a static without much fuss? The product I linked to provides VPN tunnels for 25 clients.
A VPN is a virtual private network, it operates much like the network, just with a different IP address. Most VPNs are set up to split tunnel, meaning that traffic going to the internet (non RFC 1918 IPs 10.x.x.x/192.168.x.x/172.16.x.x) goes out the client's own ISP, and IPs that resolve to the VPN and internal IPs go to your work network.
Having a DHCP IP makes it tough to create a DNS entry your clients can use to find the router to VPN to. A public record would need to be updated as soon as possible for a VPN to work, same if your users were to simply use the port forwarding you planned on before, they'd have to know where to go. DNS is the best way, remembering your domain name is easy, then adding VPN or Remote to the front (remote.example.com) is much easier than 109.213.17.144 or what have you. There are ways to use a script to detect when the IP has changed, and then update DNS but that is tricky on a few levels and I don't recommend it. Once you do VPN in, the users can RDP to their machine name and/or IP address using the RDP client, the VPN should route them right to where they need to be.
-rich
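The split-tunnel rule Rich describes (RFC 1918 destinations into the tunnel, everything else out the client's own ISP), as an added example that is not part of the original thread. The gateway address is a constructed placeholder from the documentation range, and the "172.16.x.x" range in the reply is taken as the full 172.16.0.0/12 block.

```python
import ipaddress

# RFC 1918 private ranges named in the reply above; "172.16.x.x" there is the
# full 172.16.0.0/12 block, i.e. 172.16.0.0 through 172.31.255.255.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Addresses that never leave the client at all (loopback, link-local).
LOCAL_ONLY = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "169.254.0.0/16")]


def route_for(dest, vpn_gateway):
    """Classify one destination IP under a split-tunnel policy.

    Returns 'tunnel' for RFC 1918 addresses (the office LAN, e.g. the RDP target),
            'direct' for public addresses (the client's own ISP link), and
            'local'  for loopback / link-local.
    The VPN gateway's own public address (what remote.example.com resolves to)
    is always 'direct': the encapsulated tunnel packets travel to it over the
    ISP link, so it can never itself be routed into the tunnel.
    """
    ip = ipaddress.ip_address(dest)
    gw = ipaddress.ip_address(vpn_gateway)
    if any(ip in net for net in LOCAL_ONLY):
        return "local"
    if ip == gw:
        return "direct"
    if any(ip in net for net in RFC1918):
        return "tunnel"
    return "direct"


def split_tunnel_plan(destinations, vpn_gateway):
    """Map each destination to its path; handy for checking a client's route table."""
    return {d: route_for(d, vpn_gateway) for d in destinations}


if __name__ == "__main__":
    # Constructed sample: the RDP workstation from the thread, a public host,
    # an address just outside the 172.16/12 block, and the gateway itself.
    gateway = "203.0.113.10"  # constructed placeholder (documentation range)
    sample = ["192.168.1.20", "109.213.17.144", "172.32.0.1", gateway]
    for d, path in split_tunnel_plan(sample, gateway).items():
        print(f"{d:>16} -> {path}")
```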
grimkin

>> If I obtain a separate device to perform router / firewall / VPN functionality, where does the router that FiOS issued me come into play?  Do we even need it or must it be setup differently in order to pass "control" to the new device?

The new device would replace the FiOS router entirely

>> We have about 25 folks that would like to "VPN" in, which particular brand/model would you recommend for this purpose?

This is really a question of budget. As I mentioned before, the Checkpoint Edge or Juniper SRX are good stable offerings, however they are very license-oriented and can be too expensive for small - medium companies to implement. I have found Draytek to be a good solution here, you can view their product matrix here: http://www.draytek.com/user/SupportDLProductMatrix.php.

The 2910G model will allow for 32 site-to-site or remote worker VPN tunnels for example and is good stable kit.

>> Once a client has logged into the VPN device, how does it "know" to connect via RDP to the appropriate PC on the work's internal network?  Is the user presented with a list of clients it can connect to?

Once a client has logged in, they are effectively on the local LAN at the office and can then communicate normally as they would if they were there at a desk, i.e. open up the remote desktop client and enter the private IP of the server.

>> Rich, the FiOS address is not static... since we have had it though it has only changed twice.  Will this be a problem?  How can this be remedied/circumvented?

You can use dynamic DNS here - there are many companies who offer this, I have used dyndns.org in the past and found them to be very reliable. Basically a machine on the network has a small client installed which updates dyndns.org if your IP changes, you are therefore always reachable under "mycompany.mydyndns.org". As an aside, Draytek and many other routers also support this functionality in their firmware meaning that you do not have to install the client on another machine in the network.

HTH
jumptohigh

ASKER
Again, thanks so much for your help with this Rich and HTH!

How does the client log into the VPN device; through a web page or do they need special client software?

Also, I viewed the draytek product info for the 2910G and there is an entire section devoted to certificates and keys?  Is this something that needs to be setup as well for authentication purposes?

Which VPN protocol do I enable? PPTP, IPSEC, L2TP?

I will look into dyndns.org.  So the draytek will support dyndns.org and then I won't need to install the client on the server?

Thanks again for all the help - it is much appreciated!

Regards,
Mike
Ernie Beek

> Which VPN protocol do I enable? PPTP, IPSEC, L2TP?

When setting up the VPN directly to the server it uses L2TP over IPSEC, so you don't need to enable PPTP.
Rich Rumble

VPNs typically involve 3rd party software, but some can be connected to via the IPSEC/PPTP/L2TP that Windows has had since XP, it's just not as easy to do. The Dlink router I linked to comes with software to use as the VPN client, you can also use 3rd parties like VPNC or even Windows itself. I'm sure whoever you decide to use will have recommended settings and a tunnel type, PPTP is a protocol just like IPSEC, so there are a hundred other authentication and encryption variables I don't want to get into :)  Nonetheless if you start looking for better gateways than the FiOS router you should be able to find the solution for your workers.
-rich
grimkin

>> How does the client log into the VPN device; through a web page or do they need special client software?

Some routers like d-link, cisco and others require 3rd party software which is freely available from their websites and easily installed. The Drayteks can use the standard windows dial-up-networking connection software.

>> Also, I viewed the draytek product info for the 2910G and there is an entire section devoted to certificates and keys?  Is this something that needs to be setup as well for authentication purposes?

There are different ways to authenticate to VPNs but using the Drayteks as an example, you simply set a username and password, certificates are not necessary but can be used for extra security.

>> Which VPN protocol do I enable? PPTP, IPSEC, L2TP?

As mentioned above, L2TP over IPSEC is fine.

>> I will look into dyndns.org.  So the draytek will support dyndns.org and then I won't need to install the client on the server?

Absolutely, that's correct! Just sign up with dyndns and put your username / password into the config section on the router.
jumptohigh

ASKER
rich and grimkin you have been most helpful!

So once I log in through VPN, I can launch remote desktop and enter the IP of the computer I want to connect to (e.g. 192.168.1.20:3389)... do I even need to specify 3389?

Thanks for your help,
Mike
Rich Rumble

no need to specify port unless you change the default on the computers in the registry. If you don't need to specify one now, the VPN won't change that :)
-rich
jumptohigh

ASKER
Rich, thanks so much.

I see the draytek product offers DoS protection; how is it able to do that?
Rich Rumble

You can't these days use a small appliance to thwart off a DoS, the DDoS you get these days are much bigger than your pipe can handle, so it's up to your ISP to handle that. Small, single IPs maybe can be sent RST packets, but often times it's spoofed to begin with. I don't buy into DoS protection from many appliances, unless that is their sole purpose. DoS protection is done one of two ways, sending RST packets to reset the connection (ask the other side to drop the connection) or by ignoring/not passing the data any further. You may be able to defend off one or two LOICs (low orbit ion cannons) but after that, I doubt it.
There are all sorts of DoS to combat as well, SSL renegotiation, Slowloris are sort of new, I'd be surprised if it helped against these: http://ha.ckers.org/slowloris/ http://www.thc.org/thc-ssl-dos/
-rich
jumptohigh

ASKER
Thanks so much for your help with this, especially Rich and grimkin!