My blog has moved and can now be found at http://blog.aniljohn.com


Friday, March 26, 2004

I am addicted to book stores and can spend an inordinate amount of time in one.

Combine that with the fact that I recently got a Tablet PC with built in Wi-Fi AND that pretty much all of the Borders bookstores and Starbucks coffee shops in my area are now T-Mobile Hotspots and I am in the position of a truck rolling downhill and picking up speed.  Combine all of the above with the fact that I recently got a free offer from T-Mobile for 2000 free hours and the truck now has NO brakes!!!

While I am a fan of connectivity at any time from anywhere, I am also the paranoid type, especially when it comes to Wi-Fi. WEP is a door made of tissue paper, so I had some requirements that needed to be satisfied if I was going to work from any of these locations.

The relevant pieces of my configuration were:

  • Broadband cable provider that does not assign fixed IPs. The DHCP leases are pretty long, but I did not want to worry about them.
  • Consumer grade router as the externally facing device on my network.
  • Windows 2000 Server - Running IIS, .NET 1.1, and Sourcegear Vault
  • Windows XP Pro - Dev Machine
  • Windows XP Tablet - Which would be the client that would connect from outside.
I needed the following:
  • Secure Access via Terminal Services to both the W2K and XP boxes
  • Secure access to my source code which is stored in Sourcegear Vault on the W2K server
  • I was NOT going to spend any extra money!
Took me a couple of days to put everything together but I do believe I am on the right track.
 
First, I used ZoneEdit.com's dynamic DNS capability to map a domain name to my changing external IP address. That way I did not have to remember an IP address or worry about it changing on me.
 
Second, I chose SSH as the method of establishing a VPN-style encrypted tunnel from my client machine to my internal network. The only port exposed on my network is the SSH port, which the router forwards to my SSH server. For SSH authentication I use public key authentication with a passphrase-protected private key, which I believe is more secure than the password or host-based mechanisms SSH also provides. That only holds if those weaker methods are actually disabled in the server's configuration; otherwise the one exposed port still accepts password guessing.
 
Once the SSH connection is established, I tunnel Terminal Services (RDP, TCP port 3389) as well as port 80 traffic through that encrypted connection. I tunnel port 80 because SourceGear Vault exposes its functionality as a web services API over HTTP. So from anywhere I have Internet access, I can connect into my home network with a reasonable degree of confidence and reach both my source control tree and my home machines.
 
The tools used were all free and widely available:
  • OpenSSH for Win32
  • PuTTY for Win32
  • Lots of trial and error
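The setup described above, written out as an added example that is not code from the original post. It uses OpenSSH client syntax (PuTTY's plink accepts the same -N, -L and -i flags, with a .ppk key) and adds the server-side check the post relies on but does not show: key-plus-passphrase is only the sole way in if password, challenge-response and host-based authentication are switched off in sshd_config. The ZoneEdit hostname, the user name, the key path and the LAN addresses are assumptions; the local RDP ports are deliberately not 3389, because the Tablet itself may have Remote Desktop listening there.

```shell
#!/bin/sh
# Added example (not from the original post): the SSH tunnel described above
# in OpenSSH syntax, plus an audit of the sshd_config the setup depends on.
# Hostnames, addresses, user name and key path below are assumptions.

HOME_HOST="home.example.zoneedit.net"   # assumed ZoneEdit dynamic-DNS name
SSH_USER="anil"                          # assumed account on the SSH server
KEY="$HOME/.ssh/home_tunnel"             # assumed passphrase-protected key
W2K="192.168.1.10"                       # assumed LAN address of the W2K server
XPDEV="192.168.1.11"                     # assumed LAN address of the XP dev box

# Client side: one SSH session (-N, no remote shell) carrying three local
# forwards: 127.0.0.1:3390 -> RDP on the W2K box, :3391 -> RDP on the XP box,
# :8080 -> SourceGear Vault's web-service API on port 80.
# Binding to 127.0.0.1 keeps other users on the hotspot from riding the tunnel.
tunnel_cmd() {
    echo "ssh -N -i $KEY" \
         "-L 127.0.0.1:3390:$W2K:3389" \
         "-L 127.0.0.1:3391:$XPDEV:3389" \
         "-L 127.0.0.1:8080:$W2K:80" \
         "$SSH_USER@$HOME_HOST"
}

# Server side: the sshd_config lines that make key-based login the only way in.
write_hardened_sshd_config() {
    cat > "$1" <<'EOF'
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
AllowUsers anil
EOF
}

# Effective value of a directive: the last uncommented occurrence wins,
# falling back to the supplied default (OpenSSH ships PasswordAuthentication
# and ChallengeResponseAuthentication as "yes", so a missing line is weak).
effective() {  # effective <file> <Directive> <default>
    awk -v d="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" \
        'tolower($1)==d {v=$2} END {print (v=="" ? def : v)}' "$1"
}

# Return 0 if the config enforces public-key-only login, 1 otherwise.
check_sshd_config() {
    cfg="$1"; ok=0
    [ "$(effective "$cfg" PubkeyAuthentication yes)" = "yes" ] \
        || { echo "PubkeyAuthentication is off"; ok=1; }
    for weak in PasswordAuthentication ChallengeResponseAuthentication; do
        [ "$(effective "$cfg" "$weak" yes)" = "no" ] \
            || { echo "$weak still enabled: the exposed port accepts password guessing"; ok=1; }
    done
    [ "$(effective "$cfg" HostbasedAuthentication no)" = "no" ] \
        || { echo "HostbasedAuthentication enabled"; ok=1; }
    return $ok
}

# Stand-alone run: print the tunnel command and audit the hardened config.
if [ "${1:-}" = "--demo" ]; then
    tunnel_cmd
    tmp=$(mktemp); write_hardened_sshd_config "$tmp"
    check_sshd_config "$tmp" && echo "sshd_config: public-key only, OK"
    rm -f "$tmp"
fi
```

Run it with `--demo` to see the command line and the audit result. With the tunnel up, the Remote Desktop client on the Tablet is pointed at 127.0.0.1:3390 (or :3391) and the Vault client's server URL at http://127.0.0.1:8080/; nothing but the SSH port ever faces the Internet, and the audit fails loudly if someone later flips password authentication back on.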
One of these days, I'll do a write up on the gotchas and the configuration issues that I went through. But for right now, in a truly amazing change of pace, the weather today is just about gorgeous! So am going to go and enjoy it!
 
Tags:: Security
3/26/2004 3:06 PM Eastern Standard Time  |  Comments [4]
Sunday, May 8, 2005 12:06:48 AM (Eastern Daylight Time, UTC-04:00)
Have you checked out OpenVPN? It allows you to VPN to an endpoint net over SSL, on a port of your choice. Combine it with some port knocking (I use a special ICMP sequencing myself), you can get secure access from virtually anywhere without much configuration.

There are some pretty good drivers for XP, as well as Linux and BSD, making it quite cross platform... and supports the FULL integration of OpenSSL's PKI infrastructure.

You can check it out at http://openvpn.sourceforge.net/
Dana Epp
Sunday, May 8, 2005 12:06:48 AM (Eastern Daylight Time, UTC-04:00)
Great thread guys, thanks!
Beau
Sunday, May 8, 2005 12:06:48 AM (Eastern Daylight Time, UTC-04:00)
I set up OpenVPN for some customers. Definitely easier to install/configure than FreeS/WAN or PPTP on the Linux server side. On the Windows side, OpenVPN is easier than IPSec as well, although a bit harder than PPTP which comes built right into the OS.

The bridging capability is pretty neat too.
Wim Kerkhoff
Sunday, May 8, 2005 12:06:48 AM (Eastern Daylight Time, UTC-04:00)
bmonday(dot)com