serpretetsky

Senior member
Jan 7, 2012
642
26
101
If this post looks familiar, it's because I have this same post posted at hardocp.
Say I have a webserver that is unfixably insecure and is on my local network. What I mean is that if an intruder was determined and had network access to the webserver he could exploit the machine like crazy, and I can't fix that.

I want to be able to access this insecure webserver from outside my network, but obviously I don't want everyone to be able to access this insecure webserver. I need some sort of authentication and authorization to this network service.

I see that what I want already exists in the form of RADIUS servers.

But I'm just not familiar with the concepts, various vendors, and setups. I would prefer something simple, integrated into one solution (integrated into the router I guess) and cheap. I don't require NSA grade security, just something that will raise my security standards from (insecure webserver level) -> (consumer grade router with closed ports secure password level).

I'm also not sure how this would actually work from outside the network. Would I visit some webpage hosted by the router/server that would have me provide a login and password? Would I need to SSH into the router/server and authenticate through CLI? Thanks
 

XavierMace

Diamond Member
Apr 20, 2013
4,307
450
126
Sounds like you need to set up a VPN to connect to your local network remotely. Most pro-sumer grade routers have that functionality built in, as well as software solutions you install on a dedicated PC to build your own router/firewall (Sophos UTM, pfSense, etc).

To give a more complete answer, we'd really need more details on your setup and what you're trying to accomplish.
 

serpretetsky

I am considering a VPN solution. It's definitely nice that consumer routers have that functionality built in.

I have a webserver that I provide to clients that I'm not certain is secure (this is not a typical webserver, and its services cannot be moved to a traditional webserver). Clients will typically access this webserver internally, but I want there to be an option to access it from outside. This webserver receives and sends VERY little traffic, some HTTP and some websocket. Only one client is connected at a time.

I see that dd-wrt has an openVPN server built into it and that some companies sell their routers with dd-wrt already flashed on. I'm not familiar with openVPN (or any VPN solutions really...). Could I plop a dd-wrt router inside a client's existing network (they have their own router setup with specific settings already), set up openVPN, and just do... I don't know... port forwarding to the inside router for openVPN?
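
The layout asked about above, as an added example that is not part of any post in this thread: the client's existing router forwards only the OpenVPN port to a VPN box on the LAN, the remote user authenticates to OpenVPN first, and the box then lets tunnel traffic reach nothing but the webserver. Interface names, addresses, the webserver port and the function name `vpn_box_rules` are constructed assumptions; 1194/udp is OpenVPN's default port.

```shell
#!/bin/sh
# Added example with constructed values: adjust to the real network.
LAN_IF="eth0"            # VPN box's interface on the client's LAN (assumed)
VPN_IF="tun0"            # OpenVPN tunnel interface (assumed)
VPN_NET="10.8.0.0/24"    # address pool handed to VPN clients (assumed)
VPN_PORT="1194"          # OpenVPN's default UDP port
WEB_IP="192.168.1.50"    # the insecure webserver (assumed)
WEB_PORT="80"            # HTTP and websocket traffic (assumed)

# Print an iptables-restore ruleset for the VPN box.
# On the client's existing router, forward ONLY udp/$VPN_PORT to this box.
# The weak alternative, forwarding tcp/$WEB_PORT straight to $WEB_IP,
# would expose the webserver to everyone and is deliberately absent.
# INPUT defaults to DROP: add a rule for your own management access
# (for example SSH from the LAN) before loading this.
vpn_box_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport $VPN_PORT -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -d $WEB_IP -p tcp --dport $WEB_PORT -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE
COMMIT
EOF
}
```

Review the output, then load it as root with `vpn_box_rules | iptables-restore`; IP forwarding (`net.ipv4.ip_forward=1`) must be enabled on the box. Once connected, the remote user browses to the webserver's LAN address through the tunnel, and LAN users keep reaching it directly.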
 

bruceb

Diamond Member
Aug 20, 2004
8,874
111
106
Why can't you put it behind a firewall, either hardware or software based? Then in the firewall just allow only connections from secure locations over a VPN from the user to the server.
 

serpretetsky

Hey bruceb,
I'm not sure I understand the difference between what you recommend and what I said about putting an openVPN capable router inside the client's network.

edit: Or are you saying I check their existing firewall/router and if it doesn't support VPN connections, replace it with one that does?
 

serpretetsky

> You said your server is not secure. You do that by putting it behind a firewall with rules in place as to who and how they can access it...

What's a good example of a firewall that achieves that? How does the firewall allow a client access to the network service? Does the client have to navigate to some http login page first to be authenticated and then the firewall will decide to let traffic through? I'm curious what the end-user experience is like.
 

bruceb

The firewall will stop a non-authorized user / IP from even getting to the computer where the application is at. The application then has its own security login setup. There are plenty of good firewalls from many companies including Cisco. Good routers also have them.
 

serpretetsky

> The firewall will stop a non-authorized user / IP from even getting to the computer where the application is at.

K, so I have a client sitting at Starbucks who is trying to access the webserver. He isn't authenticated yet (he hasn't provided any credentials). He tries to access the webserver and nothing happens... firewall rejects him, fine...

> The application then has its own security login setup.

? What application? My webserver? My webserver does not have any security login setup. Even if it did, you skipped a step. How can the user ever access the application? We're still at step 1, they never got through the firewall.
 

bruceb

The firewall would need to allow your authorized client to get through to your web server. If the client cannot, then you need to add his account or login to the permitted list. It can get somewhat complex, but that is why I suggested you contact an Internet Security Specialist. He can set up everything you need for this to work. And for security, your web server should also have its own login credentials. If someone should get past the firewall, then the web server app would stop them.