House Price Crash Forum

DTMark

Firewalls And Ip Security

Just moved from Three 3G to EE 4G. Neither can have a fixed IP address. Actually, you can have one with Three if you buy through AAISP at their comedy prices, but leaving that aside..

I have to access remote desktops and SQL Servers. Both have always been locked down by IP Address.

With Three's 3G it wasn't possible to remote into home from the outside, but, remoting to other servers was fine. It's as if the NAT only worked in one direction. If my IP changed I'd access the firewall control panel, put the new IP in and that would "stick" and work fine.

With EE 4G it's very strange. If I do the same, it usually works. Usually. Sometimes RDP won't connect. After several tries it does and it's fine. Once connected it doesn't drop. Must be something to do with NAT.

Which then makes me question the actual level of security that locking things to IP addresses has. Apart from the fact that those can be "spoofed" anyway, even if I only open one single port and one IP at the other end, this makes me think that actually a whole pool of IPs could get through (those on the same network).

Which is where my knowledge runs out. In "secure" setups, is some kind of tunnelling (?) software installed at both ends with some sort of client certificate which is more secure than locking to an IP address - in effect I suppose what I'm describing is a kind of "software VPN". Am I?

In "secure" setups, is some kind of tunnelling (?) software installed at both ends with some sort of client certificate which is more secure than locking to an IP address - in effect I suppose what I'm describing is a kind of "software VPN". Am I?

It can be. Yes.

I've come across this..

http://openvpn.net/

I'm not sure this is what I want. Might be..

I have five Windows (2008 R2) servers that I connect to, all at data centres, some run just MS SQL, others are IIS boxes.

I need to be able to see the desktop on them (RDP from a Win7 machine) and sometimes to connect to other specific ports (e.g. SMTP, MS SQL)

Can't have a fixed IP at this end.

What I basically want is something that when installed on the destination servers, would, for the purposes of anyone doing a port scan, show that ports 1433, 3389 are closed. Ports 80 and 443 would function normally and be open to the world.

However when I as the client connect to it with locally installed software, it allows me access to those "hidden" ports and only me.

In effect software that has no GUI that you use, lives at both ends pretty much "silently" and transparently, the only thing it does is handle the authentication layer.

I have to access remote desktops and SQL Servers. Both have always been locked down by IP Address.

Yeah, worked with clients like that, we always just tunnelled or proxied through a fixed IP address. As a level of security it ensures that you have access to the fixed IP machine. It is a bit OTT to be honest. SSH with certificates should be enough security for anything outside banking, security type environments.

My Netgear router has the facility to broadcast my dynamic IP address to DynDns and also has the facility to add security for remote management, ie only from my computer. I've been using this since I changed ISP earlier this year to a provider without fixed IP addresses and it works well.

I'm not sure if Netgear routers work with 3G/4G but it may be worth a look.

My Netgear router has the facility to broadcast my dynamic IP address to DynDns and also has the facility to add security for remote management, ie only from my computer. I've been using this since I changed ISP earlier this year to a provider without fixed IP addresses and it works well.

I'm not sure if Netgear routers work with 3G/4G but it may be worth a look.

My old 3G router had that, at the moment I just have the 4G dongle, but I'll need to buy a router as at the moment only my PC can access the net since it's plugged in via USB. You can't use Internet connection sharing with the newer dongles since they are their own private net and you can't port forward.

The only router in the world - AFAIK - that I can get is this one and it's for SOHO use so it ought to have that, too. (Replaces need for dongle entirely and supports external antennae)

But, the firewalls at e.g. Rackspace - which are Cisco devices - can't cope with names, only IP addresses :(

I do have another option which is to get the phone line turned back on again with ADSL with a fixed IP and some clever routing here, but that involves a month or two of BT faffing about trying to provision a phone line and "broadband" (I wouldn't call it that) and adds another £40 or £50 a month to the £90 a month that this 4G thing will cost me.

Both have always been locked down by IP Address.

Can you explain what you mean by that?

Which is where my knowledge runs out. In "secure" setups, is some kind of tunnelling (?) software installed at both ends with some sort of client certificate which is more secure than locking to an IP address - in effect I suppose what I'm describing is a kind of "software VPN". Am I?

All VPNs are software; there's no such thing as a hardware VPN. The 'V' stands for virtual. Yes, encryption is end-to-end.

To answer your question, the user-friendly way is to install VPN software on both servers and client.

However, my preferred way is to install sshd on the servers and an ssh client on the other end (PuTTY on Windows, for example) and then tunnel using ssh's limitless capabilities. But if this sounds too difficult, VPN is probably better.

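The "ports look closed to a scanner, but I can still reach them" requirement from earlier in the thread, combined with the sshd-plus-PuTTY tunnelling suggestion above, written out as an added example (not from any poster). It assumes an SSH daemon is already installed and listening on TCP 22 on the Windows 2008 R2 server, that the client has PuTTY's plink.exe and a key pair, and that the Windows Firewall is the firewall in play; the hostname, username and key path are placeholders.

```powershell
# ---- Server side (elevated prompt on the Windows 2008 R2 box) ----
# Default stance: drop everything inbound unless a rule allows it.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# The public services stay reachable from anywhere.
netsh advfirewall firewall add rule name="Web HTTP"  dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="Web HTTPS" dir=in action=allow protocol=TCP localport=443

# The only management door: the SSH daemon (assumed already installed on 22).
netsh advfirewall firewall add rule name="SSH tunnel endpoint" dir=in action=allow protocol=TCP localport=22

# RDP and SQL Server get no inbound allow rule at all, so a scan from the
# Internet sees 3389 and 1433 as filtered. Disable Windows' own RDP rule
# group and remove any SQL rule a previous admin may have added.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=No
netsh advfirewall firewall delete rule name=all protocol=TCP localport=1433

# ---- Client side (Windows 7, PuTTY's plink.exe) ----
# Forward two local ports through the SSH session to the server's loopback
# interface. The server sees the RDP/SQL connections arrive from 127.0.0.1,
# so they never cross the firewall as 3389/1433 traffic from the Internet.
# Authentication is the key file, not the caller's (CGNAT-mangled) IP.
# -batch: never prompt, so connect once interactively first to accept the
# server's host key. Placeholders: sql01.example.net, adminuser, sql01.ppk
& 'C:\Program Files\PuTTY\plink.exe' -N -batch -i C:\keys\sql01.ppk `
    -L 13389:127.0.0.1:3389 `
    -L 11433:127.0.0.1:1433 `
    adminuser@sql01.example.net

# In another window, point the usual clients at the local end of the tunnel.
# Non-default local ports avoid mstsc refusing to connect to its own machine.
mstsc /v:127.0.0.1:13389
# In SSMS, enter the server name as:  127.0.0.1,11433
```

Because the SSH session is outbound from the client, it also survives the CGNAT behaviour described in this thread: the server never needs to know which public address the client happens to be using.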
Which then makes me question the actual level of security that locking things to IP addresses has. Apart from the fact that those can be "spoofed" anyway, even if I only open one single port and one IP at the other end, this makes me think that actually a whole pool of IPs could get through (those on the same network).

Which is where my knowledge runs out. In "secure" setups, is some kind of tunnelling (?) software installed at both ends with some sort of client certificate which is more secure than locking to an IP address - in effect I suppose what I'm describing is a kind of "software VPN". Am I?

Welcome to the wondrous world of carrier-grade NAT; guaranteed to break just about any networking protocol.

In most conventional NAT systems, every time your device makes an outgoing connection, it is allocated a port on the same external IP. So, if you connect first to google, then yahoo, then create a second connection to google, all 3 connections will appear to have come from the same IP address.

In some forms of carrier-grade NAT, this isn't the case. Each connection you make can potentially appear to come from a completely different IP address. So in the example above, each connection may appear to be unrelated to the others. There are various intermediate forms, e.g. which might reuse the same IP to connect to a remote host on multiple occasions.

If you need to connect from within a CGN network, then you basically can't use IP authentication, you need to use something else. Either you could use certificate based authentication, where the server checks that the connecting device has a valid certificate, in addition to username/password; or perhaps use some form of two-factor authentication (e.g. send an SMS message to a known phone to validate each login). You will have to ask the server administrator to sort this out for you.

An alternative is to have the server/network administrator set you up with a VPN, so that your device appears to have an IP on the same private network as the servers you are working with. The disadvantage is that CGN breaks a lot of VPN technologies...

I've come across this..

http://openvpn.net/

I'm not sure this is what I want. Might be..

I have five Windows (2008 R2) servers that I connect to, all at data centres, some run just MS SQL, others are IIS boxes.

I need to be able to see the desktop on them (RDP from a Win7 machine) and sometimes to connect to other specific ports (e.g. SMTP, MS SQL)

Can't have a fixed IP at this end.

What I basically want is something that when installed on the destination servers, would, for the purposes of anyone doing a port scan, show that ports 1433, 3389 are closed. Ports 80 and 443 would function normally and be open to the world.

However when I as the client connect to it with locally installed software, it allows me access to those "hidden" ports and only me.

In effect software that has no GUI that you use, lives at both ends pretty much "silently" and transparently, the only thing it does is handle the authentication layer.

If you have Windows 2008 servers I would just use the built-in VPN. This is under the RRAS server role. It's all wizard and UI based configuration, so it should be straightforward if you're technically minded. If you installed PPTP, which is the most common protocol, then you can connect over an encrypted link directly from the Windows client PC. Since Windows XP, the PPTP client has been integrated with the OS. You'd still expose 80 and 443 through the firewall, but the RDP and SQL ports should definitely be closed. You would, however, have to open additional ones for PPTP traffic. The main benefit of such an approach is there's no third-party software to install, and very little configuration if you wanted to change client PCs.

Thanks very much for those explanations - that's really helpful, just what I wanted. Can I ask a favour...

I have this issue with this very website:

Website keeps dying

It's taken me about 30 refreshes to even get this page to load. This is the only website which seems to be impacted by the CGN - if that's the problem. Everything else is perfect (apart from securing things by IP/presentation of same at the other end) and blazingly fast.

Do you think it likely that the reason about 80% of my page accesses to this website fail is CGN?

The solutions suggested above will solve my "connect to secure remote server" issue. But they won't make this site work properly. Other sites might be affected too, but I haven't come across any, and I don't do online gaming.

I'm wondering if I'll need to get the ADSL re-enabled, and so I end up with an ADSL router, a 4G router, and a "balancer" router (humour me, not into networking) which intelligently picks out specific traffic and sends it via ADSL with the rest going via 4G. Actually that router I linked to might be able to do that (balance/route between 4G and DSL). But ADSL is so dog-slow (3.6km of the GPO's finest old doorbell wire) that sending any traffic over that isn't an attractive idea.

(Select All, Copy in preparation for the page to break when I submit this..)

Just wanted to thank everyone for the responses. I have found a solution to this which gets around CGNAT very nicely. Not only that it also gets me a fixed IP address with a provider that uses dynamic IPs.

https://www.astrill.com/

It's one of those nice pieces of kit that "does exactly what it says on the tin".

You can tunnel both in and out, so if you want to be able to RDP to your machine from the outside you can, or access your media files. With the cost of 4G data I probably won't be doing that.

Downstream speed isn't hit too hard but ping times and upstream are. That said it's still perfectly usable and you can enable and disable it with one click. A couple of back-to-back tests demonstrate this.

Disabled: [speed-test screenshot]

Enabled: [speed-test screenshot]

This is with a UK based VPN IP. If you wanted to, you could also pick a US based one if you like watching US TV streamed shows and need a US IP for that. Very handy in China, too. And makes it harder for others to snoop on what you're doing.

So now I can tell Three to shove their broken transmitter, which never managed more than 4Meg upstream anyway (to be fair that's excellent for 3G, but I have no idea what they have done to "break" the service), and there's no need to access control panels to reconfigure firewalls every time said transmitter ejected me from the network.
