Best Practice for remote management of critical routers and firewalls (e.g. SSG-5) having public addresses.

Normally I like to access routers only  from inside the LAN.  But, sometimes that's not possible and I have to access them via a public address.

What is the best practice (and settings) for doing this?  
I'd like to have both WebUI and CLI access.
LVL 27
Fred MarshallPrincipalAsked:
Who is Participating?
Best practice would be to only allow encrypted protocols such as SSH, and restrict access to specific IP addresses. I am not familier with Juniper but on my Cisco I have an access-list on the WAN interface that only allows SSH from my specific IP addresses that I want to have access. In addition, the management access is only permitted from specific IP addresses. Such a configuration means that in order to make access from the outside, the configuration has to allow it in two places. This helps to prevent configuration errors. In addition, since the management port is firewalled, it won't show up on a port scan. Finally, I have access list on the WAN interface of my router, so traffic has to get past that filter before it even hits the firewall. Having essentially duplicate access-lists on the internet router and firewall does make for more work, but it also means that a configuration error on one piece of equipment is less likely to open up your network too much more than what you want.

In addition to VPN solutions already mentioned, I have LogMeIn running on my machine. As long as Internet connection is running, I can access my PC via LogMeIn and make configuration changes from there. Useful if I manage to blow up the external remote management access, but doing something like that is another way into the network and must be weighed carefully. Other remote PC access tools would work as well.
If possible I like to connect through VPN then access routers "as if" I were coming from the inside.

Failing that then make sure you have a good password, and use non-standard ports.
Fred MarshallPrincipalAuthor Commented:
Using a VPN "as if" is what I do now.  But that doesn't always suffice.

Any preferred security protocols?  I'd rather not go in unencrypted.
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

Fred MarshallPrincipalAuthor Commented:
It seems like there are a few protocols to choose from and I'm not so sure which ones are truly common so easy to work with and which ones are "old" and not so likely, etc.  I'd rather not have to spend time learning the hard way....
Sanga CollinsSystems AdminCommented:
The ideal method is via VPN to the remote LAN. But in some cases like replacement equipment, or new deployments this may not be ideal. If you are using Juniper ssg devices, they have Networks security manager (NSM) Which is a Java based application for management of juniper devices. Its worth a look and doesnt require a license for 25 devices or less.
btanExec ConsultantCommented:
Authentication and secure channel is critical element. E.g authenticate via an edge gateway device that is configured with aaa server like radius, ldap or ad or even tactacs to reach a portal that eventually allow to establish a network access securely to the management resource in separate vlan. Sometimes itmight be a rdp to a workstation to pivot to the vlan and acts as proxy. Tedious and hops around but is to create that layers of segregation.

Best never to have management interface connect directly to internet esp ssh  rabbis not lockdown. There is public scanning that can reveal these easily...just look at shodan. Regular scanning by the security team may be done as well to make sure to.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.