Best Practice for remote management of critical routers and firewalls (e.g. SSG-5) having public addresses.

Posted on 2012-08-20
Medium Priority
Last Modified: 2012-08-30
Normally I like to access routers only from inside the LAN. But sometimes that's not possible and I have to access them via a public address.

What is the best practice (and settings) for doing this?
I'd like to have both WebUI and CLI access.
Question by: Fred Marshall
LVL 11

Expert Comment

ID: 38311943
If possible I like to connect through VPN then access routers "as if" I were coming from the inside.

Failing that, make sure you have a good password and use non-standard ports.
LVL 26

Author Comment

by: Fred Marshall
ID: 38312462
Using a VPN "as if" is what I do now. But that doesn't always suffice.

Any preferred security protocols?  I'd rather not go in unencrypted.
LVL 26

Author Comment

by: Fred Marshall
ID: 38331490
It seems like there are a few protocols to choose from, and I'm not so sure which ones are truly common and so easy to work with, and which ones are "old" and not so likely, etc. I'd rather not have to spend time learning the hard way...
LVL 18

Expert Comment

by: Sanga Collins
ID: 38332392
The ideal method is via VPN to the remote LAN. But in some cases, like replacement equipment or new deployments, this may not be ideal. If you are using Juniper SSG devices, they have Network Security Manager (NSM), which is a Java-based application for management of Juniper devices. It's worth a look and doesn't require a license for 25 devices or less.
LVL 65

Assisted Solution

btan earned 400 total points
ID: 38332510
Authentication and a secure channel are critical elements. E.g. authenticate via an edge gateway device that is configured with an AAA server like RADIUS, LDAP or AD, or even TACACS, to reach a portal that eventually allows you to establish network access securely to the management resource in a separate VLAN. Sometimes it might be an RDP to a workstation to pivot to the VLAN, which acts as a proxy. Tedious and hops around, but it is to create those layers of segregation.

Best never to have the management interface connect directly to the Internet, especially SSH that is not locked down. There is public scanning that can reveal these easily... just look at Shodan. Regular scanning by the security team may be done as well to make sure.
LVL 42

Accepted Solution

kevinhsieh earned 1600 total points
ID: 38332728
Best practice would be to only allow encrypted protocols such as SSH, and restrict access to specific IP addresses. I am not familiar with Juniper, but on my Cisco I have an access-list on the WAN interface that only allows SSH from the specific IP addresses that I want to have access. In addition, the management access is only permitted from specific IP addresses. Such a configuration means that in order to make access from the outside, the configuration has to allow it in two places. This helps to prevent configuration errors. In addition, since the management port is firewalled, it won't show up on a port scan. Finally, I have an access list on the WAN interface of my router, so traffic has to get past that filter before it even hits the firewall. Having essentially duplicate access-lists on the Internet router and firewall does make for more work, but it also means that a configuration error on one piece of equipment is less likely to open up your network much more than what you want.

In addition to the VPN solutions already mentioned, I have LogMeIn running on my machine. As long as the Internet connection is running, I can access my PC via LogMeIn and make configuration changes from there. Useful if I manage to blow up the external remote management access, but doing something like that is another way into the network and must be weighed carefully. Other remote PC access tools would work as well.
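One way to lay out the two-layer filtering kevinhsieh describes (WAN-interface ACL plus a separate restriction on the management lines themselves), as an added Cisco IOS example that is not the poster's own configuration. The interface name, ACL names and numbers, and the addresses (taken from the RFC 5737 documentation ranges) are assumptions; substitute your own.

```cisco
! Added example, not from the thread. Placeholder addresses:
!   203.0.113.1      = this router's public WAN address
!   198.51.100.10/11 = the trusted management hosts
!
! Encrypted management only: SSHv2, short timeout, few retries.
! (RSA keys are generated beforehand in exec mode with
!  "crypto key generate rsa modulus 2048".)
hostname edge-rtr
ip domain-name example.net
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Local admin account; point AAA at RADIUS/TACACS+ instead if you have it.
username netadmin privilege 15 secret <strong-passphrase>
!
! Layer 1: ACL on the WAN interface. SSH to the router itself is accepted
! only from the management hosts; other attempts against the management
! ports are dropped and logged, so they never answer a port scan.
ip access-list extended WAN-IN
 permit tcp host 198.51.100.10 host 203.0.113.1 eq 22
 permit tcp host 198.51.100.11 host 203.0.113.1 eq 22
 deny   tcp any host 203.0.113.1 eq 22 log
 deny   tcp any host 203.0.113.1 eq 23 log
 deny   tcp any host 203.0.113.1 eq 80 log
 deny   tcp any host 203.0.113.1 eq 443 log
 permit ip any any
!
interface GigabitEthernet0/0
 description WAN (public)
 ip address 203.0.113.1 255.255.255.252
 ip access-group WAN-IN in
!
! Layer 2: the VTY lines accept SSH only, and only from the same hosts.
! A mistake in WAN-IN alone therefore does not expose the CLI.
access-list 10 permit host 198.51.100.10
access-list 10 permit host 198.51.100.11
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 10 0
!
! Plaintext WebUI off; if HTTPS management is needed, it gets the same
! source restriction as the VTY lines.
no ip http server
ip http secure-server
ip http access-class 10
```

Log entries from the `deny ... log` lines give the security team a record of who is probing the management ports, which complements the periodic external scanning btan mentions.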
LVL 65

Expert Comment

ID: 38333258
