Re: [pfSense] Forwarding an external port according to user

2011-10-27 Thread Seth Mos
Hi,

On 24-10-2011 14:34, David Brown wrote:

> Obviously running VNC over a VPN would improve the security, since
> everything is encrypted, and it would be possible to set that up.  In
> particular, it would be easier to set OpenVPN rules to say only port
> 5900 is allowed, than to try to give all the required firewall rules to
> let users get local access from home machines to the company systems.

This is exactly what I would suggest. Create a 2nd OpenVPN server
instance; that interface will show up on the firewall tab and you can
create a single rule there to allow them to VNC to the server name.

I use a lot of RealVNC at work, which also has encryption and various
authentication methods including Windows logon.

Regards,

Seth
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Forwarding an external port according to user

2011-10-25 Thread David Brown

On 25/10/2011 03:46, Daniel Davis wrote:

> David,
>
> Whilst this is not as secure as a real VPN, you could possibly use
> something like OpenVPN ALS (previously Adito). It is a remote access
> over SSL solution that allows your users to somewhat securely connect
> to work resources without needing to install a VPN client or open
> insecure ports on your firewall. Your users will log in to the
> OpenVPN ALS page and authenticate using their credentials (it can
> authenticate against LDAP, AD etc.); they will then get a portal page
> which will show the resources you have given them access to (this can
> be RDP, VNC etc.). When they open a resource it will launch a Java
> client and tunnel the connection over SSL.
>
> Some things to note, though, are that the project is dead and the last
> released version has some significant known security flaws; however,
> it will still be vastly more secure than just forwarding VNC traffic
> through your firewall.



Thanks for the tip, though I doubt if I will use it - I'd rather not 
base the system on a dead project unless it has significant benefits.



It is always assumed as a general security principle that you should 
never transmit anything over the open internet without encryption.  Yet 
people do that all the time (think http, pop3, smtp), and even with 
plain text passwords (pop3).  In this case, the traffic will all stay 
reasonably local - the server and the clients (at least most of them) 
are all on the same ISP, and physically close.  A quick check shows that 
my home router is four hops from the office router, and all machines are 
from the ISP.  What is the real-world risk of someone breaking in there 
to monitor the traffic, much less adding equipment or routes to 
intercept and change the traffic?  It is as close to zero as makes no 
difference.  If we were a bank, or holding national secrets, it would be 
a different matter - but we are not going to be subject to targeted, 
high-power attacks.  So I don't lose any sleep about the lack of 
encryption in the VNC access we have today.


Having said that, of course it is always better to have encryption as 
well.  Thus I'm looking at what's available, to see if there is anything 
more convenient than what I have, and greater security is always a nice 
bonus.  I actually see an additional login, using passwords that /I/ 
control, as being a bigger step for security than encryption - it's too 
easy for users to pick poor passwords on VNC on their desktops.


mvh.,

David




> Regards,
>
> Daniel Davis
>
> > -Original Message-
> > From: list-boun...@lists.pfsense.org
> > [mailto:list-boun...@lists.pfsense.org] On Behalf Of David Brown
> > Sent: Tuesday, 25 October 2011 12:14 AM
> > To: pfSense support and discussion
> > Subject: Re: [pfSense] Forwarding an external port according to user
> >
> > On 24/10/2011 15:53, Vassilis V. wrote:
> >
> > >> David Brown wrote on 10/24/2011 02:34 PM:
> > >>
> > >>> Using a VPN is certainly a possibility - our "road warriors" who
> > >>> use a laptop as a main computer use a VPN (OpenVPN), and I use a
> > >>> VPN from my home machine regularly to access everything in the
> > >>> network here. Where VPNs are the right solution, they are what we
> > >>> use.
> > >>>
> > >>> But I see two disadvantages of VPNs. They give too much access.
> > >>> Obviously firewall rules can be added to limit access in some
> > >>> ways, but it is somewhere between difficult and impossible to get
> > >>> the right balance between security and functionality here. How do
> > >>> I set up firewalls that let the user access company files on a
> > >>> server from their home machine without also opening these files
> > >>> to whatever malware they've installed? I can proscribe rules and
> > >>> regulations for computers on the company network, I can monitor
> > >>> them for suspicious behaviour, and do regular checks. But I can't
> > >>> do that for people's home computers. I can do so on a limited
> > >>> basis for a few users, especially for those with company laptops
> > >>> that they use from home or outside, but it is not scalable in
> > >>> general.
> > >>
> > >> I can't agree that VPNs give too much access. The way the VPN in
> > >> pfSense is configured, it gives exactly the amount of access that
> > >> you allow. Having a VPN connection that allows only connecting to
> > >> port 5900 on a certain PC is a piece of cake. If you want to offer
> > >> samba to your users, you shouldn't really port forward the ports
> > >> to WAN. Even if you limit the source IP it feels somehow wrong to
> > >> do it :) But it's more of a general question whether you want to
> > >> give them access to samba or not; the tool you want to use (port
> > >> forward or VPN) doesn't matter.
> >
> > I agree that samba over WAN feels wrong - it's only an option I'm
> > vaguely considering, and just mentioning here as another example.
> > An alternative example, as well as VNC, would be RDP for Windows
> > remote desktop protocol (though I prefer VNC as it is more
> > cross-platform).
> >
> > I understand that you can specify exactly the rules you want in
> > pfSense for VPN access. But it can only restrict traffic based on
> > the IP address and other 

Re: [pfSense] Forwarding an external port according to user

2011-10-24 Thread Daniel Davis
David,

Whilst this is not as secure as a real VPN, you could possibly use something 
like OpenVPN ALS (previously Adito). It is a remote access over SSL solution 
that allows your users to somewhat securely connect to work resources without 
needing to install a VPN client or open insecure ports on your firewall. Your 
users will log in to the OpenVPN ALS page and authenticate using their 
credentials (it can authenticate against LDAP, AD etc.); they will then get a 
portal page which will show the resources you have given them access to (this 
can be RDP, VNC etc.). When they open a resource it will launch a Java client 
and tunnel the connection over SSL.

Some things to note, though, are that the project is dead and the last released 
version has some significant known security flaws; however, it will still be 
vastly more secure than just forwarding VNC traffic through your firewall.

Regards,

Daniel Davis


> -Original Message-
> From: list-boun...@lists.pfsense.org [mailto:list-
> boun...@lists.pfsense.org] On Behalf Of David Brown
> Sent: Tuesday, 25 October 2011 12:14 AM
> To: pfSense support and discussion
> Subject: Re: [pfSense] Forwarding an external port according to user
> 
> On 24/10/2011 15:53, Vassilis V. wrote:
> >
> >
> > David Brown wrote on 10/24/2011 02:34 PM:
> >>
> >> Using a VPN is certainly a possibility - our "road warriors" who use
> a
> >> laptop as a main computer use a VPN (OpenVPN), and I use a VPN from
> my
> >> home machine regularly to access everything in the network here.
> Where
> >> VPNs are the right solution, they are what we use.
> >>
> >> But I see two disadvantages of VPNs. They give too much access.
> >> Obviously firewall rules can be added to limit access in some ways,
> but
> >> it is somewhere between difficult and impossible to get the right
> >> balance between security and functionality here. How do I set up
> >> firewalls that let the user access company files on a server from
> their
> >> home machine without also opening these files to whatever malware
> >> they've installed? I can proscribe rules and regulations for
> computers
> >> on the company network, I can monitor them for suspicious behaviour,
> and
> >> do regular checks. But I can't do that for people's home computers.
> I
> >> can do so on a limited basis for a few users, especially for those
> with
> >> company laptops that they use from home or outside, but it is not
> >> scalable in general.
> >
> > I can't agree that VPNs give too much access. The way the VPN in
> pfsense
> > is configured, it gives exactly the amount of access that you allow.
> > Having a VPN connection that allows only to connect to port 5900 on a
> > certain PC is a piece of cake. If you want to offer samba to your
> users,
> > you shouldn't really port forward the ports to WAN. Even if you limit
> the
> > source IP it feels somehow wrong to do it :) But it's more of a
> general
> > question whether you want to give them access to samba or not; the tool
> you
> > want to use (port forward or VPN) doesn't matter.
> >
> 
> I agree that samba over WAN feels wrong - it's only an option I'm
> vaguely considering, and just mentioning here as another example.  An
> alternative example, as well as VNC, would be RDP for Windows remote
> desktop protocol (though I prefer VNC as it is more cross-platform).
> 
> I understand that you can specify exactly the rules you want in pfSense
> for VPN access.  But it can only restrict traffic based on the IP
> address and other such criteria - my point about having too much access
> is there is no way to restrict it by the type of originating program.
> Perhaps you are one of the lucky few who only has to deal with *nix
> type
> systems, but I have to assume that employees' home machines and home
> networks are full of malware (except for the few that I've checked, and
> know that they are kept reasonably secure).  So if a home machine has
> access over a VPN to files on a company server, then so does all the
> malware they have installed.  With VNC only, I avoid that (although
> keyloggers are still a potential issue).
> 
> Of course, if I do try out samba over the WAN, the same thing applies
> there as with VPN access.
> 
> >
> >>
> >> The other disadvantage of a VPN is that we use a lot of
> specialised
> >> software - people can't easily install it on their home machines.
> They
> >> may also need different sorts of access to different machines -
> trying
> >> to get routing and firewalling rules that allow

Re: [pfSense] Forwarding an external port according to user

2011-10-24 Thread David Brown

On 24/10/2011 15:53, Vassilis V. wrote:

> David Brown wrote on 10/24/2011 02:34 PM:
>
> > Using a VPN is certainly a possibility - our "road warriors" who use a
> > laptop as a main computer use a VPN (OpenVPN), and I use a VPN from my
> > home machine regularly to access everything in the network here. Where
> > VPNs are the right solution, they are what we use.
> >
> > But I see two disadvantages of VPNs. They give too much access.
> > Obviously firewall rules can be added to limit access in some ways, but
> > it is somewhere between difficult and impossible to get the right
> > balance between security and functionality here. How do I set up
> > firewalls that let the user access company files on a server from their
> > home machine without also opening these files to whatever malware
> > they've installed? I can proscribe rules and regulations for computers
> > on the company network, I can monitor them for suspicious behaviour, and
> > do regular checks. But I can't do that for people's home computers. I
> > can do so on a limited basis for a few users, especially for those with
> > company laptops that they use from home or outside, but it is not
> > scalable in general.
>
> I can't agree that VPNs give too much access. The way the VPN in pfSense
> is configured, it gives exactly the amount of access that you allow.
> Having a VPN connection that allows only connecting to port 5900 on a
> certain PC is a piece of cake. If you want to offer samba to your users,
> you shouldn't really port forward the ports to WAN. Even if you limit the
> source IP it feels somehow wrong to do it :) But it's more of a general
> question whether you want to give them access to samba or not; the tool
> you want to use (port forward or VPN) doesn't matter.

I agree that samba over WAN feels wrong - it's only an option I'm
vaguely considering, and just mentioning here as another example.  An
alternative example, as well as VNC, would be RDP for Windows remote
desktop protocol (though I prefer VNC as it is more cross-platform).

I understand that you can specify exactly the rules you want in pfSense
for VPN access.  But it can only restrict traffic based on the IP
address and other such criteria - my point about having too much access
is there is no way to restrict it by the type of originating program.
Perhaps you are one of the lucky few who only has to deal with *nix type
systems, but I have to assume that employees' home machines and home
networks are full of malware (except for the few that I've checked, and
know that they are kept reasonably secure).  So if a home machine has
access over a VPN to files on a company server, then so does all the
malware they have installed.  With VNC only, I avoid that (although
keyloggers are still a potential issue).

Of course, if I do try out samba over the WAN, the same thing applies
there as with VPN access.

> > The other disadvantage of a VPN is that we use a lot of specialised
> > software - people can't easily install it on their home machines. They
> > may also need different sorts of access to different machines - trying
> > to get routing and firewalling rules that allow this over a VPN without
> > being too permissive is hard.
>
> I didn't clearly describe the solution I proposed: they would still use
> VNC to work on their work PC. They would just tunnel it through the VPN
> and have access only to port 5900 on their PC.

Ah, okay.  That's one way to handle it that I'm already considering.

Of course, this also means that users would need to install and
configure OpenVPN on their home machines.  It's not hard, but it is an
extra step.

With "pure" VNC, I can also look at using the VNC Java client - if I put
that on a server somewhere, then it makes it possible for people to
access their office desktops from other machines without any
installation.  This can be very handy for people that are away from home
and office (such as when they are trying to have a restful holiday...).

Maybe I can just put together something using the Java VNC client (the
TightVNC Java client supports SSL already, I believe) and a web page
with the required links, and simply make port forwards for the users
that need external access.  It's not /that/ much work, or so very many
users.  A reverse captive portal like I described may be an elegant
solution, but it is certainly not necessary.

> > With VNC, both these issues are solved, since they are effectively
> > working on their company desktops.
> >
> > Obviously running VNC over a VPN would improve the security, since
> > everything is encrypted, and it would be possible to set that up. In
> > particular, it would be easier to set OpenVPN rules to say only port
> > 5900 is allowed, than to try to give all the required firewall rules to
> > let users get local access from home machines to the company systems.
>
> Exactly! :-) And it would be a lot easier to
> configure/expand/maintain/monitor in the future.
>
> > But encrypting VNC over a VPN is not really necessary - it is probably
> > easier to use UltraVNC (or any other VNC with encryption built-in). It
> > is

Re: [pfSense] Forwarding an external port according to user

2011-10-24 Thread Vassilis V.



David Brown wrote on 10/24/2011 02:34 PM:

> Using a VPN is certainly a possibility - our "road warriors" who use a
> laptop as a main computer use a VPN (OpenVPN), and I use a VPN from my
> home machine regularly to access everything in the network here. Where
> VPNs are the right solution, they are what we use.
>
> But I see two disadvantages of VPNs. They give too much access.
> Obviously firewall rules can be added to limit access in some ways, but
> it is somewhere between difficult and impossible to get the right
> balance between security and functionality here. How do I set up
> firewalls that let the user access company files on a server from their
> home machine without also opening these files to whatever malware
> they've installed? I can proscribe rules and regulations for computers
> on the company network, I can monitor them for suspicious behaviour, and
> do regular checks. But I can't do that for people's home computers. I
> can do so on a limited basis for a few users, especially for those with
> company laptops that they use from home or outside, but it is not
> scalable in general.

I can't agree that VPNs give too much access. The way the VPN in pfSense 
is configured, it gives exactly the amount of access that you allow. 
Having a VPN connection that allows only connecting to port 5900 on a 
certain PC is a piece of cake. If you want to offer samba to your users, 
you shouldn't really port forward the ports to WAN. Even if you limit the 
source IP it feels somehow wrong to do it :) But it's more of a general 
question whether you want to give them access to samba or not; the tool 
you want to use (port forward or VPN) doesn't matter.

> The other disadvantage of a VPN is that we use a lot of specialised
> software - people can't easily install it on their home machines. They
> may also need different sorts of access to different machines - trying
> to get routing and firewalling rules that allow this over a VPN without
> being too permissive is hard.

I didn't clearly describe the solution I proposed: they would still use 
VNC to work on their work PC. They would just tunnel it through the VPN 
and have access only to port 5900 on their PC.

> With VNC, both these issues are solved, since they are effectively
> working on their company desktops.
>
> Obviously running VNC over a VPN would improve the security, since
> everything is encrypted, and it would be possible to set that up. In
> particular, it would be easier to set OpenVPN rules to say only port
> 5900 is allowed, than to try to give all the required firewall rules to
> let users get local access from home machines to the company systems.

Exactly! :-) And it would be a lot easier to 
configure/expand/maintain/monitor in the future.

> But encrypting VNC over a VPN is not really necessary - it is probably
> easier to use UltraVNC (or any other VNC with encryption built-in). It
> is also not much of a security issue since most employees have the same
> ISP as the company - there is very little possibility of eavesdropping
> or other attacks.

I also use VNC a lot but personally I wouldn't do it in the "open" via a 
port forward. There might be some fancy software that offers 
"encryption" but personally I prefer to tunnel it through a VPN for 
security reasons. I trust OpenVPN with certificates far more than 
UltraVNC with "encryption".

Having OpenVPN installed on the home PC really isn't a problem, even for 
Windows users. You can have ready-to-deploy zip files with the config 
and the certificates ready for each user. They wouldn't have to remember 
any passwords, and via the firewall rules you could make sure they only 
have access to the VNC port.



Vassilis


Re: [pfSense] Forwarding an external port according to user

2011-10-24 Thread David Brown

On 24/10/2011 14:08, Jim Pingle wrote:

> It isn't quite all that easy. There is already an open ticket for that
> feature.
>
> http://redmine.pfsense.org/issues/385

OK, thanks.  I'm convinced that such a feature is technically possible, 
but I also appreciate that it would take a lot of work to implement. 
Since it is already on the feature request list, and has not been 
dismissed in any way, then I suppose it will stay there until a pfSense 
developer has the time to look at it.  I doubt if such a feature will be 
considered top-priority for a while, but that's fair enough.  It's 
certainly not an essential feature for me - it would just be a "nice to 
have" feature.


Thanks,

David




Re: [pfSense] Forwarding an external port according to user

2011-10-24 Thread David Brown

On 24/10/2011 13:57, Vassilis V. wrote:

> Hello David!
>
> You seem to be overcomplicating things :) If I understand you
> correctly, you want to have your users authenticate themselves in order
> to have limited access to the work network and offer them certain
> services there. You already mentioned your solution but dismissed it!
> What you want to set up, and what would solve all your problems with high
> security, is a VPN.
>
> Your workers connect to the VPN (there are clients for every OS), and
> immediately they have access to "their" PC at work. No need to open
> individual ports for VNC, SMB etc. If you want each user to only be able
> to connect to his own PC, have every user get a fixed IP (described in
> the book) and then set up rules in the OpenVPN tab so that each IP can
> only access certain PCs. The added benefit of a VPN is that the traffic
> is encrypted and each user must authenticate himself with certificates
> (and/or username/password).
>
> Hope it helps!
>
> Vassilis

Using a VPN is certainly a possibility - our "road warriors" who use a 
laptop as a main computer use a VPN (OpenVPN), and I use a VPN from my 
home machine regularly to access everything in the network here.  Where 
VPNs are the right solution, they are what we use.

But I see two disadvantages of VPNs.  They give too much access. 
Obviously firewall rules can be added to limit access in some ways, but 
it is somewhere between difficult and impossible to get the right 
balance between security and functionality here.  How do I set up 
firewalls that let the user access company files on a server from their 
home machine without also opening these files to whatever malware 
they've installed?  I can proscribe rules and regulations for computers 
on the company network, I can monitor them for suspicious behaviour, and 
do regular checks.  But I can't do that for people's home computers.  I 
can do so on a limited basis for a few users, especially for those with 
company laptops that they use from home or outside, but it is not 
scalable in general.

The other disadvantage of a VPN is that we use a lot of specialised 
software - people can't easily install it on their home machines.  They 
may also need different sorts of access to different machines - trying 
to get routing and firewalling rules that allow this over a VPN without 
being too permissive is hard.

With VNC, both these issues are solved, since they are effectively 
working on their company desktops.

Obviously running VNC over a VPN would improve the security, since 
everything is encrypted, and it would be possible to set that up.  In 
particular, it would be easier to set OpenVPN rules to say only port 
5900 is allowed, than to try to give all the required firewall rules to 
let users get local access from home machines to the company systems. 
But encrypting VNC over a VPN is not really necessary - it is probably 
easier to use UltraVNC (or any other VNC with encryption built-in).  It 
is also not much of a security issue since most employees have the same 
ISP as the company - there is very little possibility of eavesdropping 
or other attacks.



David


Re: [pfSense] Forwarding an external port according to user

2011-10-24 Thread Jim Pingle
It isn't quite all that easy. There is already an open ticket for that
feature.

http://redmine.pfsense.org/issues/385

Jim


Re: [pfSense] Forwarding an external port according to user

2011-10-24 Thread Vassilis V.

Hello David!

You seem to be overcomplicating things :) If I understand you 
correctly, you want to have your users authenticate themselves in order 
to have limited access to the work network and offer them certain 
services there. You already mentioned your solution but dismissed it!
What you want to set up, and what would solve all your problems with high 
security, is a VPN.


Your workers connect to the VPN (there are clients for every OS), and 
immediately they have access to "their" PC at work. No need to open 
individual ports for VNC, SMB etc. If you want each user to only be able 
to connect to his own PC, have every user get a fixed IP (described in 
the book) and then set up rules in the OpenVPN tab so that each IP can 
only access certain PCs. The added benefit of a VPN is that the traffic 
is encrypted and each user must authenticate himself with certificates 
(and/or username/password).


Hope it helps!

Vassilis
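The setup Vassilis describes in the two replies above (a fixed tunnel IP per user, then a rule so that each IP can only reach port 5900 on that user's own PC, shipped as ready-to-deploy per-user config) on a dedicated OpenVPN instance as Seth suggests, written out as an added example that is not code from the thread or from pfSense. pfSense builds its ruleset from the GUI; the pf.conf lines here are the hand-written equivalent. The interface name ovpns2, the tunnel and LAN addresses and the user list are assumptions.

```shell
#!/bin/sh
# Added example (not from the list thread or pfSense): for each remote user,
# emit an OpenVPN client-config-dir (ccd) entry pinning a fixed tunnel address,
# plus the pf rules that let only that address reach TCP/5900 on that user's
# own office desktop. Assumed names: second OpenVPN server instance on
# interface "ovpns2", tunnel net 10.8.2.0/24, desktops on 192.168.1.0/24.
set -eu

OUT="${OUT:-./vnc-vpn-demo}"   # output directory (assumed; override with OUT=...)
VPN_IF="ovpns2"                # pfSense interface name of the OpenVPN server instance

# Constructed mapping: certificate common name, fixed tunnel IP, office desktop.
USERS='
alice 10.8.2.11 192.168.1.21
bob   10.8.2.12 192.168.1.22
'

# server.conf fragment: per-user addresses come from the ccd directory, and
# ccd-exclusive refuses any certificate that has no ccd entry, so an unmapped
# client never gets an address that the rules below would let through.
server_conf() {
    cat <<'EOF'
server 10.8.2.0 255.255.255.0
topology subnet
client-config-dir ccd
ccd-exclusive
remote-cert-tls client
EOF
}

# ccd file for one user: $1 = common name (file name), $2 = tunnel IP.
ccd_entry() {
    printf 'ifconfig-push %s 255.255.255.0\n' "$2"
}

# The single pass rule for one user: $1 = tunnel IP, $2 = desktop IP.
# "quick" stops evaluation at the first match; the default block in generate()
# catches everything else arriving from the tunnel (other hosts, ports, UDP).
pf_rule() {
    printf 'pass in quick on %s inet proto tcp from %s to %s port 5900 flags S/SA keep state\n' \
        "$VPN_IF" "$1" "$2"
}

generate() {
    mkdir -p "$OUT/ccd"
    server_conf > "$OUT/server.conf"
    {
        echo "# VNC-only OpenVPN instance: default deny (logged), then one rule per user"
        echo "block in log on $VPN_IF all"
    } > "$OUT/pf-vnc.conf"
    echo "$USERS" | while read -r cn ip desktop; do
        [ -n "$cn" ] || continue          # skip the blank lines of the list
        ccd_entry "$cn" "$ip" > "$OUT/ccd/$cn"
        pf_rule "$ip" "$desktop" >> "$OUT/pf-vnc.conf"
    done
}

# Number of pass rules written: one per mapped user, nothing else opened.
pass_rule_count() {
    grep -c '^pass ' "$OUT/pf-vnc.conf"
}

generate
echo "wrote $OUT/server.conf, $OUT/ccd/*, $OUT/pf-vnc.conf"
```

Anything the blocked rule logs is a tunnel client trying to reach something other than its own desktop's VNC port, which is exactly the event worth watching on this instance.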