I wanted a solution that reduced the number of accounts I needed to manage in order to control access to my network from the internet, and reduced the attack exposure of the Windows box. This accomplishes both of those while giving the huge benefit of easy encryption and minimum steps involved.
Primary Goals Accomplished:
- No direct exposure of the T.S. to the internet. Only authenticated connections should reach the server.
- Easy to setup new users and disable old ones.
- Easy for the remote users. No complex state-of-connections knowledge required.
- The only hardware requirement is an available box to run Debian and OpenSSH. Which believe me, is damn near any hardware you can reasonably call a computer. If you already have an existing Linux server, cool.
- Required software is FLOSS (Free/Libre/Open Source Software). An important consideration for any security solution. Mature FLOSS security solutions can be trusted.
- Required software is free, an important consideration in business today.
- Can be used for connection to almost any service on your network that does simple port communication over TCP/IP.
- Can be used as a HTTP proxy for browsing intranet web servers , including DNS lookups. (This works on Firefox, I have no idea about IE, I don't use it).
- End-to-end encryption of traffic, including the login credentials.
- Works for any client OS that supports SSH (Linux, Windows, Mac, BSD, and others).
- I already had an SSH server, and the remaining setup took about an hour and a half, including configuring 3 users and training them. A majority of that time was creating an installer for the users, so that it would be a point-and-click install. That wasn't really necessary.
- If you limit connections to services inside your network based on the IP Addresses of your clients, that might kill the deal for you. Do you mind if the remote accounts have the same set of privileges as each other? Their connections will all come from the SSH server (i.e. same IP).
- Feel free to comment if you know of others.
- Setup a Linux box with OpenSSH and configure your firewall to forward port 22 to it. [30 minutes - 2 hours, depending on your experience and your internet connection]
- Setup users on the Linux box and configure them to not get a shell when they successfully login (This limits the users from full access to the power of Linux). :) [15 minutes]
- Next give your remote users a copy of portaPuTTY and create a link to run it with some options (I created an installer for this), then copy their existing rdp connection and tweak a couple settings. [15 minutes, or the time it takes to create an installer]
- Train users to start the SSH connection, then connect to the Terminal Server, and close them in reverse order. [5 minutes per user]
My next post will have detailed instructions for setting it all up.