Solved

How do we mitigate security risk if we open ports on PCs and enable port forwarding on our router?

Posted on 2012-03-19
967 Views
Last Modified: 2012-04-03
Hello Experts,

Our office Windows 2008 server and Windows XP workstations are connected to the internet through FiOS using the Verizon issued Actiontec MI424WR router.  If we add some port forwarding rules to enable remote desktop sessions with certain workstations, what steps need to be taken on the router and/or workstations to prevent rogue connections to our network? What type of security (encryption/authentication) should be implemented?

We also want to open a particular port for an application on our server to communicate with client laptops through the internet.  What steps should we take to mitigate risk to our server and prevent port/vulnerability scanning?  Do we need to purchase a security appliance?

Thank you so much for your help with this matter.

Sincerely,
Mike
0
Question by:jumptohigh
16 Comments
 

Accepted Solution

by:
Ernie Beek earned 167 total points
ID: 37741451
0

Expert Comment

by:ahoffmann
ID: 37741468
> What steps should we take to mitigate risk to our server and prevent port/vulnerability scanning?
Open ports (or, more precisely, any connection to the internet) are subject to scanning because it's the nature of such a port to be connected.
So scanning is a threat, and threats cannot be mitigated; they simply exist.
To mitigate risk, you need to know what your asset is and whether your application has vulnerabilities to be exploited; then you can calculate the risk and think about proper countermeasures.

E.g. a network firewall at the internet boundary should be sufficient.
But it's the nature of your configuration that some ports are open and hence not blocked by the firewall, so you need to harden the applications listening on these ports.
0

Assisted Solution

by:grimkin
grimkin earned 167 total points
ID: 37741482
Hi,

In a small office setup I would be inclined to implement a VPN solution to allow remote access to clients from the internet. Opening RDP over the internet is a bad idea as this allows for possible brute-force / denial-of-service against your exposed service.

You can set up your Windows server as a remote access server and forward the necessary ports through from your router OR (and this would be my preference) obtain a new device to perform router / firewall / VPN functionality. Depending on your budget and number of users, you could look at a Checkpoint Edge or Juniper SRX device - both of these offer excellent remote VPN and network / application layer firewall functionality.

Once connected via VPN, you can then allow (via firewall rules) clients to connect to RDP sessions or any other services which you may wish to offer.

This setup implements an extra layer of security between external machines and your internal LAN(s) and keeps your internal servers & workstations away from the internet.

HTH
0
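The brute-force risk grimkin describes is easiest to see in the logs. The following is an added example, not code from the thread or from any vendor mentioned in it: it runs a sliding-window count over constructed records shaped like the fields of Windows Security event 4625 (logon failure, logon type 10 = RDP) and flags any source that fails five logons within five minutes; both numbers are assumptions to tune per site. The second function lists sources outside RFC 1918 space that reached the RDP listener at all, which, once RDP is only reachable through the VPN, should be empty. The addresses 203.0.113.x and 198.51.100.x are documentation ranges used here as stand-ins for internet hosts.

```python
"""Detect password guessing against an internet-exposed RDP listener.

Added example (not from the thread). The records below are constructed in
the shape of Windows Security event 4625 (logon failure) fields; the
5-in-5-minutes threshold is an assumption to be tuned per site.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon type 10 is RemoteInteractive (RDP / Terminal Services); 3 is network.
RDP_LOGON_TYPE = 10

# RFC 1918 ranges: the addresses a VPN client would appear from.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: (timestamp, source IP, account tried, logon type).
# 203.0.113.7 plays an internet host walking a username list.
SAMPLE_EVENTS = [
    ("2012-03-19 02:00:01", "203.0.113.7", "administrator", 10),
    ("2012-03-19 02:00:02", "203.0.113.7", "admin", 10),
    ("2012-03-19 02:00:03", "203.0.113.7", "mike", 10),
    ("2012-03-19 02:00:04", "203.0.113.7", "guest", 10),
    ("2012-03-19 02:00:05", "203.0.113.7", "test", 10),
    ("2012-03-19 02:00:06", "203.0.113.7", "administrator", 10),
    ("2012-03-19 02:15:00", "192.168.1.42", "mike", 10),   # mistyped password
    ("2012-03-19 02:16:00", "192.168.1.42", "mike", 10),
    ("2012-03-19 03:00:00", "198.51.100.9", "backup", 3),  # not an RDP logon
]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Map source IP -> set of accounts tried, for every source with at
    least `threshold` failed RDP logons inside any sliding `window`."""
    recent = defaultdict(deque)   # per-source (time, account) inside the window
    hits = {}
    for ts, src, account, ltype in sorted(events):
        if ltype != RDP_LOGON_TYPE:
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        q = recent[src]
        q.append((t, account))
        while t - q[0][0] > window:      # drop entries older than the window
            q.popleft()
        if len(q) >= threshold:
            hits.setdefault(src, set()).update(a for _, a in q)
    return hits


def public_rdp_sources(events):
    """Sources outside RFC 1918 that reached the RDP listener at all. Once
    RDP is only reachable through the VPN this should come back empty;
    anything in it means the port forward is still live."""
    return {src for _, src, _, ltype in events
            if ltype == RDP_LOGON_TYPE and not is_rfc1918(src)}


if __name__ == "__main__":
    for src, accounts in detect_bruteforce(SAMPLE_EVENTS).items():
        print(f"brute force from {src}: {sorted(accounts)}")
    print("non-RFC1918 sources hitting RDP:", public_rdp_sources(SAMPLE_EVENTS))
```

Two legitimate failures from a LAN address stay under the threshold, while the internet host that tries six accounts in six seconds is reported together with every name it tried; the same logic applies unchanged to records pulled from the real event log.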
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 166 total points
ID: 37741551
It's always best to VPN in as opposed to port forwarding. You can purchase a VPN capable device like another router, a firewall, or even use an extra PC as the VPN server. Your FiOS router should first be able to support PPTP/IPSEC (which yours appears to support). I'm not certain, but does your FiOS IP address ever change, or is it static?
If you want to setup an extra service on a server you can follow these instructions to get a VPN installed. http://www.techrepublic.com/article/configure-a-windows-server-2003-vpn-on-the-server-side/5805260
Then your users will have to authenticate to the VPN first, thus proving who they are, and then they are granted access to the network to RDP into various computers etc. Port scans are going to happen no matter what you go with, but if it's that worrisome you can set up an IPS to try to block them if they are detected, but if you have hardened your router (changed the default passwords) and have the minimum number of services open.
The router should be capable of blocking any open ports that don't need to be open, so I don't think you need to purchase a firewall; however, many come with VPN capabilities and can sometimes even block attacks actively. For around $100 you can get a D-Link router that supports 25 VPN connections: http://www.newegg.com/Product/Product.aspx?Item=N82E16833127237
-rich
0
Author Comment

by:jumptohigh
ID: 37750095
Thanks everyone for helping out this IT neophyte.

HTH, if I obtain a separate device to perform router / firewall / VPN functionality, where does the router that FiOS issued me come into play?  Do we even need it or must it be setup differently in order to pass "control" to the new device?

We have about 25 folks that would like to "VPN" in, which particular brand/model would you recommend for this purpose?

Once a client has logged into the VPN device, how does it "know" to connect via RDP to the appropriate PC on the work's internal network?  Is the user presented with a list of clients it can connect to?

Rich, the FiOS address is not static... since we have had it though it has only changed twice.  Will this be a problem?  How can this be remedied/circumvented?

Thanks,
Mike
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 37750500
Moving to a business FiOS plan would help; perhaps you can call and ask for a static without much fuss? The product I linked to provides VPN tunnels for 25 clients.
A VPN is a virtual private network; it operates much like the network, just with a different IP address. Most VPNs are set up to split tunnel, meaning that traffic going to the internet (non-RFC 1918 IPs, i.e. outside 10.x.x.x/192.168.x.x/172.16.x.x) goes out the client's own ISP, and IPs that resolve to the VPN and internal IPs go to your work network.
Having a DHCP IP makes it tough to create a DNS entry your clients can use to find the router to VPN to. A public record would need to be updated as soon as possible for a VPN to work, same if your users were to simply use the port forwarding you planned on before; they'd have to know where to go. DNS is the best way: remembering your domain name is easy, and then adding VPN or Remote to the front (remote.example.com) is much easier than 109.213.17.144 or what have you. There are ways to use a script to detect when the IP has changed and then update DNS, but that is tricky on a few levels and I don't recommend it. Once you do VPN in, the users can RDP to their machine name and/or IP address using the RDP client; the VPN should route them right to where they need to be.
-rich
0
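Rich's description of split tunnelling amounts to a per-destination routing decision on the client. The following is an added example, not from the thread or any vendor's client software: it decides "vpn" or "direct" for each destination given the office networks the VPN pushes to the client, compares split-tunnel with full-tunnel behaviour, and goes one step beyond the comment by checking for the common failure where the client's home LAN uses the same 192.168.1.0/24 as the office, in which case the local route wins and "RDP to 192.168.1.20" never enters the tunnel. The office network, home networks and destinations are constructed; 198.51.100.23 is a documentation address standing in for an internet host.

```python
"""Split-tunnel vs full-tunnel route decision for a VPN client.

Added example (not from the thread). The office network, the client's home
LAN and the destinations are constructed; the overlap check is an addition
covering the case where home and office use the same private subnet.
"""
import ipaddress


def route_for(dest, office_nets, split_tunnel=True):
    """'vpn' if dest should go down the tunnel, 'direct' if out the client's
    own ISP. Office networks always go via VPN; with split tunnelling every
    other destination goes direct, with full tunnelling everything does."""
    ip = ipaddress.ip_address(dest)
    if any(ip in net for net in office_nets):
        return "vpn"
    if not split_tunnel:
        return "vpn"
    return "direct"


def build_route_table(dests, office_nets, split_tunnel=True):
    """Decide the path for every destination in `dests`."""
    return {d: route_for(d, office_nets, split_tunnel) for d in dests}


def overlapping_nets(office_nets, client_nets):
    """Pairs of (office, client) networks that overlap. A destination inside
    such a pair is ambiguous: the client's directly-connected route usually
    wins and the packet never reaches the office, so the VPN appears broken."""
    return [(o, c) for o in office_nets for c in client_nets if o.overlaps(c)]


# Constructed scenario.
OFFICE = [ipaddress.ip_network("192.168.1.0/24")]            # pushed by the VPN
HOME_LAN_OK = [ipaddress.ip_network("192.168.0.0/24")]       # no clash
HOME_LAN_CLASH = [ipaddress.ip_network("192.168.1.0/24")]    # same subnet as office
DESTS = ["192.168.1.20", "192.168.1.5", "198.51.100.23", "10.9.9.9"]


if __name__ == "__main__":
    for mode in (True, False):
        print("split" if mode else "full", build_route_table(DESTS, OFFICE, mode))
    for home in (HOME_LAN_OK, HOME_LAN_CLASH):
        clash = overlapping_nets(OFFICE, home)
        print("home", home[0], "->", "CLASH with office" if clash else "ok")
```

Note that 10.9.9.9, although RFC 1918, goes "direct" under split tunnelling because it is not one of the networks the VPN pushed; a client that needs it would have to receive that route too. The overlap check is worth running before telling 25 users to connect, since most home routers default to 192.168.0.0/24 or 192.168.1.0/24.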
 
LVL 14

Expert Comment

by:grimkin
ID: 37751630
>> If I obtain a separate device to perform router / firewall / VPN functionality, where does the router that FiOS issued me come into play?  Do we even need it or must it be setup differently in order to pass "control" to the new device?

The new device would replace the FiOS router entirely

>> We have about 25 folks that would like to "VPN" in, which particular brand/model would you recommend for this purpose?

This is really a question of budget. As I mentioned before, the Checkpoint Edge or Juniper SRX are good stable offerings; however, they are very license-oriented and can be too expensive for small to medium companies to implement. I have found Draytek to be a good solution here; you can view their product matrix here: http://www.draytek.com/user/SupportDLProductMatrix.php.

The 2910G model will allow for 32 site-to-site or remote worker VPN tunnels for example and is good stable kit.

>> Once a client has logged into the VPN device, how does it "know" to connect via RDP to the appropriate PC on the work's internal network?  Is the user presented with a list of clients it can connect to?

Once a client has logged in, they are effectively on the local LAN at the office and can then communicate normally as they would if they were there at a desk, i.e. open up the remote desktop client and enter the private IP of the server.

>> Rich, the FiOS address is not static... since we have had it though it has only changed twice.  Will this be a problem?  How can this be remedied/circumvented?

You can use dynamic DNS here - there are many companies who offer this, I have used dyndns.org in the past and found them to be very reliable. Basically a machine on the network has a small client installed which updates dyndns.org if your IP changes, you are therefore always reachable under "mycompany.mydyndns.org". As an aside, Draytek and many other routers also support this functionality in their firmware meaning that you do not have to install the client on another machine in the network.

HTH
0
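The dynamic DNS client grimkin describes does one thing: notice that the WAN address changed and push the new one. The following is an added example, not from the thread and not the dyndns.org client or Draytek firmware: it implements that poll-and-update logic with the provider calls abstracted as callables so it runs offline, and drives it over a constructed sequence of observed WAN addresses. It also adds a check the comment does not mention: if the router's WAN address is itself RFC 1918 (the ISP or a second router is doing NAT in front of you), publishing it is useless, so the update is skipped. remote.example.com is the hostname from the thread; 203.0.113.x are documentation addresses.

```python
"""Dynamic DNS update logic with change detection.

Added example (not from the thread and not any provider's client). The
provider API is abstracted as callables so the logic runs offline; the
observed WAN addresses are a constructed sequence. The double-NAT check is
an addition: a WAN address that is itself RFC 1918 must not be published.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def ddns_sync(hostname, get_public_ip, resolve, push_update, state):
    """One poll. Returns what was done: 'unchanged', 'already-correct',
    'updated', 'skipped-private' or 'skipped-no-ip'. `state` persists the
    last address we published across polls so the provider is only
    contacted when something actually changed."""
    current = get_public_ip()
    if current is None:
        return "skipped-no-ip"          # WAN down or lookup failed: try later
    if is_rfc1918(current):
        return "skipped-private"        # behind a second NAT: this address is useless
    if state.get("published") == current:
        return "unchanged"              # no provider call for an unchanged address
    if resolve(hostname) == current:
        state["published"] = current    # record already right (e.g. router did it)
        return "already-correct"
    push_update(hostname, current)
    state["published"] = current
    return "updated"


def simulate(observed, hostname="remote.example.com", initial_dns="203.0.113.10"):
    """Drive ddns_sync over a constructed sequence of WAN addresses and
    return (actions per poll, updates actually sent to the provider)."""
    dns = {hostname: initial_dns}       # stands in for the provider's zone
    sent = []
    seq = iter(observed)

    def push(name, ip):
        sent.append((name, ip))
        dns[name] = ip

    state = {}
    actions = [ddns_sync(hostname, lambda: next(seq), dns.get, push, state)
               for _ in observed]
    return actions, sent


# Constructed poll results: steady, WAN outage, ISP re-leases a new address,
# a spurious private address (double NAT), then steady again.
OBSERVED = ["203.0.113.10", "203.0.113.10", None, "203.0.113.55",
            "203.0.113.55", "192.168.100.2", "203.0.113.55"]


if __name__ == "__main__":
    actions, sent = simulate(OBSERVED)
    for ip, action in zip(OBSERVED, actions):
        print(f"{str(ip):>15}  {action}")
    print("updates sent:", sent)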
Author Comment

by:jumptohigh
ID: 37752376
Again, thanks so much for your help with this Rich and HTH!

How does the client log into the VPN device; through a web page or do they need special client software?

Also, I viewed the draytek product info for the 2910G and there is an entire section devoted to certificates and keys?  Is this something that needs to be setup as well for authentication purposes?

Which VPN protocol do I enable? PPTP, IPSEC, L2TP?

I will look into dyndns.org.  So the draytek will support dyndns.org and then I won't need to install the client on the server?

Thanks again for all the help - it is much appreciated!

Regards,
Mike
0

Expert Comment

by:Ernie Beek
ID: 37752431
Which VPN protocol do I enable? PPTP, IPSEC, L2TP?

When setting up the VPN directly on the server, it uses L2TP over IPSEC, so you don't need to enable PPTP.
0

Expert Comment

by:Rich Rumble
ID: 37752476
VPNs typically involve 3rd party software, but some can be connected to via the IPsec/PPTP/L2TP support that Windows has had since XP; it's just not as easy to do. The D-Link router I linked to comes with software to use as the VPN client; you can also use 3rd parties like VPNC or even Windows itself. I'm sure whoever you decide to use will have recommended settings and a tunnel type. PPTP is a protocol just like IPSEC, so there are a hundred other authentication and encryption variables I don't want to get into :)  Nonetheless, if you start looking for better gateways than the FiOS router you should be able to find the solution for your workers.
-rich
0

Expert Comment

by:grimkin
ID: 37754984
>> How does the client log into the VPN device; through a web page or do they need special client software?

Some routers like D-Link, Cisco and others require 3rd party software which is freely available from their websites and easily installed. The Drayteks can use the standard Windows dial-up networking connection software.

>> Also, I viewed the draytek product info for the 2910G and there is an entire section devoted to certificates and keys?  Is this something that needs to be setup as well for authentication purposes?

There are different ways to authenticate to VPNs, but using the Drayteks as an example, you simply set a username and password; certificates are not necessary but can be used for extra security.

>> Which VPN protocol do I enable? PPTP, IPSEC, L2TP?

As mentioned above, L2TP over IPSEC is fine.

>> I will look into dyndns.org.  So the draytek will support dyndns.org and then I won't need to install the client on the server?

Absolutely, that's correct! Just sign up with dyndns and put your username / password into the config section on the router.
0
Author Comment

by:jumptohigh
ID: 37756509
rich and grimkin you have been most helpful!

So once I log in through VPN, I can launch remote desktop and enter the IP of the computer I want to connect to (e.g. 192.168.1.20:3389)... do I even need to specify 3389?

Thanks for your help,
Mike
0

Expert Comment

by:Rich Rumble
ID: 37756588
No need to specify a port unless you change the default on the computers in the registry. If you don't need to specify one now, the VPN won't change that :)
-rich
0
Author Comment

by:jumptohigh
ID: 37759122
Rich, thanks so much.

I see the draytek product offers DoS protection; how is it able to do that?
0

Expert Comment

by:Rich Rumble
ID: 37759164
You can't these days use a small appliance to thwart a DoS; the DDoS you get these days are much bigger than your pipe can handle, so it's up to your ISP to handle that. Small, single IPs maybe can be sent RST packets, but often it's spoofed to begin with. I don't buy into DoS protection from many appliances unless that is their sole purpose. DoS protection is done one of two ways: sending RST packets to reset the connection (asking the other side to drop the connection) or ignoring/not passing the data any further. You may be able to fend off one or two LOICs (low orbit ion cannons) but after that, I doubt it.
There are all sorts of DoS to combat as well; SSL renegotiation and Slowloris are sort of new, and I'd be surprised if it helped against these: http://ha.ckers.org/slowloris/ http://www.thc.org/thc-ssl-dos/
-rich
0
Author Closing Comment

by:jumptohigh
ID: 37802827
Thanks so much for your help with this, especially Rich and grimkin!
0