Re: [pfSense] Forwarding an external port according to user

2011-10-28 Thread Seth Mos
Hi,

On 24-10-2011 14:34, David Brown wrote:

 Obviously running VNC over a VPN would improve the security, since
 everything is encrypted, and it would be possible to set that up.  In
 particular, it would be easier to set OpenVPN rules to say only port
 5900 is allowed, than to try to give all the required firewall rules to
 let users get local access from home machines to the company systems.

This is exactly what I would suggest. Create a 2nd OpenVPN server
instance; that interface will show up on the firewall tab, and you can
create a single rule there to allow them to VNC to the server name.

I use a lot of RealVNC at work, which also has encryption and various
authentication methods, including Windows logon.

Regards,

Seth
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Forwarding an external port according to user

2011-10-24 Thread David Brown

On 24/10/2011 13:57, Vassilis V. wrote:

Hello David!

You seem to be very much over-complicating things :) If I understand you
correctly, you want to have your users authenticate themselves in order
to have limited access to the work network and offer them certain
services there. You already mentioned your solution but dismissed it!
What you want to set up and would solve all your problems with high
security is a VPN.

Your workers connect to the VPN (There are clients for every OS), and
immediately they have access to their PC at work. No need to open
individual ports for VNC, SMB etc. If you want each user to only be able
to connect to his own PC, have every user get a fixed IP (described in
the book) and then set up rules in the OpenVPN tab so that each IP can
only access certain PCs. The added benefit of a VPN is that the traffic
is encrypted and each user must authenticate himself with certificates
(or/and username/password).

Hope it helps!

Vassilis


Using a VPN is certainly a possibility - our road warriors who use a 
laptop as a main computer use a VPN (OpenVPN), and I use a VPN from my 
home machine regularly to access everything in the network here.  Where 
VPNs are the right solution, they are what we use.


But I see two disadvantages of VPNs.  They give too much access. 
Obviously firewall rules can be added to limit access in some ways, but 
it is somewhere between difficult and impossible to get the right 
balance between security and functionality here.  How do I set up 
firewalls that let the user access company files on a server from their 
home machine without also opening these files to whatever malware 
they've installed?  I can proscribe rules and regulations for computers 
on the company network, I can monitor them for suspicious behaviour, and 
do regular checks.  But I can't do that for people's home computers.  I 
can do so on a limited basis for a few users, especially for those with 
company laptops that they use from home or outside, but it is not 
scalable in general.


The other disadvantage of a VPN is that we use a lot of specialised 
software - people can't easily install it on their home machines.  They 
may also need different sorts of access to different machines - trying 
to get routine and firewalling rules that allow this over a VPN without 
being too permissive is hard.


With VNC, both these issues are solved, since they are effectively 
working on their company desktops.



Obviously running VNC over a VPN would improve the security, since 
everything is encrypted, and it would be possible to set that up.  In 
particular, it would be easier to set OpenVPN rules to say only port 
5900 is allowed, than to try to give all the required firewall rules to 
let users get local access from home machines to the company systems. 
But encrypting VNC over a VPN is not really necessary - it is probably 
easier to use UltraVNC (or any other VNC with encryption built-in).  It 
is also not much of a security issue since most employees have the same 
ISP as the company - there is very little possibility of eavesdropping 
or other attacks.



David


Re: [pfSense] Forwarding an external port according to user

2011-10-24 Thread David Brown

On 24/10/2011 14:08, Jim Pingle wrote:

It isn't quite all that easy. There is already an open ticket for that
feature.

http://redmine.pfsense.org/issues/385


OK, thanks.  I'm convinced that such a feature is technically possible, 
but I also appreciate that it would take a lot of work to implement. 
Since it is already on the feature request list, and has not been 
dismissed in any way, then I suppose it will stay there until a pfSense 
developer has the time to look at it.  I doubt if such a feature will be 
considered top priority for a while, but that's fair enough.  It's 
certainly not an essential feature for me - it would just be a 
nice-to-have feature.


Thanks,

David




Re: [pfSense] Forwarding an external port according to user

2011-10-24 Thread Vassilis V.



David Brown wrote on 10/24/2011 02:34 PM:


Using a VPN is certainly a possibility - our road warriors who use a
laptop as a main computer use a VPN (OpenVPN), and I use a VPN from my
home machine regularly to access everything in the network here. Where
VPNs are the right solution, they are what we use.

But I see two disadvantages of VPNs. They give too much access.
Obviously firewall rules can be added to limit access in some ways, but
it is somewhere between difficult and impossible to get the right
balance between security and functionality here. How do I set up
firewalls that let the user access company files on a server from their
home machine without also opening these files to whatever malware
they've installed? I can proscribe rules and regulations for computers
on the company network, I can monitor them for suspicious behaviour, and
do regular checks. But I can't do that for people's home computers. I
can do so on a limited basis for a few users, especially for those with
company laptops that they use from home or outside, but it is not
scalable in general.


I can't agree that VPNs give too much access. The way the VPN in pfsense 
is configured, it gives exactly the amount of access that you allow. 
Having a VPN connection that allows only to connect to port 5900 on a 
certain PC is a piece of cake. If you want to offer samba to your users, 
you shouldn't really port forward the ports to WAN. Even if you limit the 
source IP it feels somehow wrong to do it :) But it's more of a general 
question if you want to give them access to samba or not; the tool you 
want to use (port forward or VPN) doesn't matter.





The other disadvantage of a VPN is that we use a lot of specialised
software - people can't easily install it on their home machines. They
may also need different sorts of access to different machines - trying
to get routine and firewalling rules that allow this over a VPN without
being too permissive is hard.


I didn't clearly describe the solution I proposed: they would still use 
VNC to work on their work PC. They would just tunnel it through the VPN 
and have only access to port 5900 on their PC.




With VNC, both these issues are solved, since they are effectively
working on their company desktops.


Obviously running VNC over a VPN would improve the security, since
everything is encrypted, and it would be possible to set that up. In
particular, it would be easier to set OpenVPN rules to say only port
5900 is allowed, than to try to give all the required firewall rules to
let users get local access from home machines to the company systems.


Exactly! :-) And it would be a lot easier to 
configure/expand/maintain/monitor in the future.



But encrypting VNC over a VPN is not really necessary - it is probably
easier to use UltraVNC (or any other VNC with encryption built-in). It
is also not much of a security issue since most employees have the same
ISP as the company - there is very little possibility of eavesdropping
or other attacks.


I also use VNC a lot, but personally I wouldn't do it in the open via a 
port forward. There might be some fancy software that offers 
encryption, but personally I prefer to tunnel it through a VPN for 
security reasons. I trust OpenVPN with certificates far more than 
UltraVNC with encryption.


Having OpenVPN installed on the home PC really isn't a problem, even for 
Windows users. You can have ready-to-deploy zip files with the config 
and the certificates ready for each user. They wouldn't have to remember 
any passwords, and via the firewall rules you could make sure they only 
have access to the VNC port.



Vassilis
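Vassilis's suggestion (a fixed tunnel address per user, then per-address rules on the OpenVPN interface allowing only the VNC port to that user's own desktop) and Seth's (a separate OpenVPN server instance with a single rule on its firewall tab) come down to two short pieces of configuration. The script below is an added example and is not code from the thread or from pfSense. It assumes a second OpenVPN server running with `topology subnet` on 10.8.0.0/24 whose interface appears to pf as `ovpns2`, that each user's certificate common name equals their username (OpenVPN looks client-config-dir files up by CN), and a constructed table of users, tunnel addresses and desktop addresses. It generates the per-user `ifconfig-push` files and the equivalent raw pf rules; on pfSense the same rules would be entered on the OpenVPN interface's firewall tab rather than written to pf.conf by hand.

```shell
#!/bin/sh
# Added example, not pfSense's or the thread's code: generate per-user
# OpenVPN client-config-dir (CCD) files and the matching pf rules so that
# each VPN user can reach only tcp/5900 on their own work desktop.

# Constructed mapping: username, fixed tunnel address, desktop address.
# Assumes the OpenVPN server uses "topology subnet" on 10.8.0.0/24.
USERS='
alice 10.8.0.10 192.168.1.50
bob   10.8.0.11 192.168.1.51
'
VPN_IF="ovpns2"   # hypothetical pf interface name of the 2nd OpenVPN server
VNC_PORT=5900

# CCD file body for one user. In subnet topology, ifconfig-push takes the
# client address followed by the tunnel netmask.
ccd_for_user() {
    # $1 = fixed tunnel address for this user
    printf 'ifconfig-push %s 255.255.255.0\n' "$1"
}

# Write one CCD file per user into $1; the filename must equal the
# certificate CN so OpenVPN applies it to the right client.
write_ccd_dir() {
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' "$USERS" | while read -r user tun desk; do
        [ -n "$user" ] || continue
        ccd_for_user "$tun" > "$dir/$user"
    done
}

# pf rules for the VPN interface: one "pass ... quick" per user pinning
# their tunnel address to their own desktop's VNC port, then a logged
# block for everything else arriving on the tunnel. "quick" makes the
# first matching rule win, so the block only catches unmatched traffic.
pf_rules() {
    printf '%s\n' "$USERS" | while read -r user tun desk; do
        [ -n "$user" ] || continue
        printf 'pass in quick on %s inet proto tcp from %s to %s port %s flags S/SA keep state # %s\n' \
            "$VPN_IF" "$tun" "$desk" "$VNC_PORT" "$user"
    done
    printf 'block in log quick on %s all\n' "$VPN_IF"
}

# Stand-alone use: print the rule set; with CCD_OUT set, also write the
# CCD files there (e.g. CCD_OUT=/var/etc/openvpn/server2/ccd).
if [ -n "${CCD_OUT:-}" ]; then
    write_ccd_dir "$CCD_OUT"
fi
pf_rules
```

The block rule at the end is what turns "allow 5900 to their own PC" into "and nothing else": without it, pf's default-pass behaviour on a freshly configured interface would let any tunnel client reach the whole LAN, which is exactly the over-broad access David was worried about. Logging it also gives an easy signal that a client (or something running on it) is probing beyond its own desktop.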


Re: [pfSense] Forwarding an external port according to user

2011-10-24 Thread Daniel Davis
David,

Whilst this is not as secure as a real VPN, you could possibly use something 
like OpenVPN ALS (Previously Adito). It is a remote access over SSL solution 
that allows your users to somewhat securely connect to work resources without 
needing to install a VPN client or open insecure ports on your firewall. Your 
users will log in to the OpenVPN ALS page and authenticate using their 
credentials (it can authenticate against LDAP, AD etc.), they will then get a 
portal page which will show the resources you have given them access to (This 
can be RDP, VNC etc). When they open a resource it will launch a Java client 
and tunnel the connection over SSL.

Some things to note, though, are that the project is dead and the last released 
version has some significant known security flaws; however, it will still be 
vastly more secure than just forwarding VNC traffic through your firewall.

Regards,

Daniel Davis


 -Original Message-
 From: list-boun...@lists.pfsense.org [mailto:list-
 boun...@lists.pfsense.org] On Behalf Of David Brown
 Sent: Tuesday, 25 October 2011 12:14 AM
 To: pfSense support and discussion
 Subject: Re: [pfSense] Forwarding an external port according to user
 
 On 24/10/2011 15:53, Vassilis V. wrote:
 
 
  David Brown wrote on 10/24/2011 02:34 PM:
 
  Using a VPN is certainly a possibility - our road warriors who use a
  laptop as a main computer use a VPN (OpenVPN), and I use a VPN from my
  home machine regularly to access everything in the network here. Where
  VPNs are the right solution, they are what we use.
 
  But I see two disadvantages of VPNs. They give too much access.
  Obviously firewall rules can be added to limit access in some ways, but
  it is somewhere between difficult and impossible to get the right
  balance between security and functionality here. How do I set up
  firewalls that let the user access company files on a server from their
  home machine without also opening these files to whatever malware
  they've installed? I can proscribe rules and regulations for computers
  on the company network, I can monitor them for suspicious behaviour, and
  do regular checks. But I can't do that for people's home computers. I
  can do so on a limited basis for a few users, especially for those with
  company laptops that they use from home or outside, but it is not
  scalable in general.
 
  I can't agree that VPNs give too much access. The way the VPN in pfsense
  is configured, it gives exactly the amount of access that you allow.
  Having a VPN connection that allows only to connect to port 5900 on a
  certain PC is a piece of cake. If you want to offer samba to your users,
  you shouldn't really port forward the ports to WAN. Even if you limit the
  source IP it feels somehow wrong to do it :) But it's more of a general
  question if you want to give them access to samba or not; the tool you
  want to use (port forward or VPN) doesn't matter.
 
 
 I agree that samba over WAN feels wrong - it's only an option I'm
 vaguely considering, and just mentioning here as another example.  An
 alternative example, as well as VNC, would be RDP for Windows remote
 desktop protocol (though I prefer VNC as it is more cross-platform).
 
 I understand that you can specify exactly the rules you want in pfSense
 for VPN access.  But it can only restrict traffic based on the IP
 address and other such criteria - my point about having too much access
 is there is no way to restrict it by the type of originating program.
 Perhaps you are one of the lucky few who only has to deal with *nix type
 systems, but I have to assume that employees' home machines and home
 networks are full of malware (except for the few that I've checked, and
 know that they are kept reasonably secure).  So if a home machine has
 access over a VPN to files on a company server, then so does all the
 malware they have installed.  With VNC only, I avoid that (although
 keyloggers are still a potential issue).
 
 Of course, if I do try out samba over the WAN, the same thing applies
 there as with VPN access.
 
 
 
  The other disadvantage of a VPN is that we use a lot of specialised
  software - people can't easily install it on their home machines. They
  may also need different sorts of access to different machines - trying
  to get routine and firewalling rules that allow this over a VPN without
  being too permissive is hard.
 
  I didn't clearly describe the solution I proposed: they would still use
  VNC to work on their work PC. They would just tunnel it through the VPN
  and have only access to port 5900 on their PC.
 
 
 Ah, okay.  That's one way to handle it that I'm already considering.
 
 Of course, this also means that users would need to install and
 configure OpenVPN on their home machines.  It's not hard, but it is an
 extra step.
 
 With pure VNC, I can also look at using the VNC java client - if I put
 that on a server somewhere, then it makes it possible for people