Re: Remote access from Internet
- From: David Brown <david@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 25 Mar 2009 08:33:56 +0100
Steve at fivetrees wrote:
"Tarmo Kuuse" <tarmo.kuuse@xxxxxxx> wrote in message news:gqb4ed$18l$1@xxxxxxxxxxxxxxxxxxxxxxzwsdotcom@xxxxxxxxx wrote:There are various methods employed, though not so popular in this dayAn initial proposal was to implement the entire user interface as a Java applet and use a simple back-end protocol to move data. Traditional web interface seems to be a more robust solution so Java was dropped.
and age. One method is to use a proprietary and encrypted protocol
tunneled over port 80. Your embedded device is visible to the world,
but all it serves up is a Java application that runs in the client-
side browser and communicates using an encrypted data stream. That is
fairly transparent to end-users insofar as the "software installation"
happens as soon as they navigate to the device's page.
Anyway, it occurs to me that device could open a connection to Internet instead of waiting for an incoming one.
Device opens a TCP connection to a public relay server. They authenticate each other and the connection is kept alive indefinitely.
The user who desires access connects to relay server with a browser and logs in. The server then relays all HTTP requests to device (via existing TCP connection) and passes the HTTP responses back to client.
Pros: no incoming connections, NAT and dynamic public IP become transparent, no web security problems
Cons: need relay server, need tunneling protocol.
Hmm, gotta think some more.
Further to my earlier post re manful gateways: again, I've run into exactly this (no extra cost/infrastructure on site allowed), and what you described is how we fixed it. A relay (management) server actually opens up a lot of possibilities: look on it as added, centralised value - you can do far more there than you can at each remote site, including logging, account management, upgrades, etc etc etc.
However: you still need to ensure that the comms from the remote sites to the relay server(s) are secure. In our case we used dial-up - i.e. point to point, and not public: the remote site dialled in, and was not externally accessible (it was a while ago). If you're using the Internet, then you probably need to block all ports *except* for one that you actively manage - ideally by something strong like SSH. I'm sure you know not to be tempted to try to be secure through obscurity, or to try to write your own...
As a side note on ssh security, there is no need to put ssh on port 22 (the same applies to other protocols as well). A server with ssh open on port 22 is going to get hammered with dictionary attacks on a fairly continuous basis. You need to make sure your user names and passwords are secure (i.e., don't allow root ssh login - make the attacker guess the username as well), and you might want to use fail2ban or similar automatic blockers. But if you put your ssh server on port 32412, the only traffic you'll ever see is your own logins.
.
- Follow-Ups:
- Re: Remote access from Internet
- From: Tarmo Kuuse
- Re: Remote access from Internet
- References:
- Remote access from Internet
- From: Tarmo Kuuse
- Re: Remote access from Internet
- From: zwsdotcom
- Re: Remote access from Internet
- From: Tarmo Kuuse
- Re: Remote access from Internet
- From: zwsdotcom
- Re: Remote access from Internet
- From: Tarmo Kuuse
- Re: Remote access from Internet
- From: Steve at fivetrees
- Remote access from Internet
- Prev by Date: Re: Remote access from Internet
- Next by Date: Re: Remote access from Internet
- Previous by thread: Re: Remote access from Internet
- Next by thread: Re: Remote access from Internet
- Index(es):
Relevant Pages
|
