
Set up a DMZ or isolated network to securely host services rather than tunnelling them #1074

Open
MatthewCroughan opened this issue Mar 13, 2019 · 27 comments

@MatthewCroughan (Contributor) commented Mar 13, 2019

I've already set up a storage solution at https://nextcloud.matthewcroughan.co.uk that allows access to the DoES local SMB share in a secure manner, meaning people can access their files at DoES, store their work files in a way that is instantly accessible, without clogging up the machine's internal storage space (Dropbox) and/or thrashing their disks.

The problem with this is that I'm finding myself doing this for other things now too, such as an RDP server on @ajlennon's machine that can give people access to a high powered machine inside or outside of DoES. Since RDP runs via UDP I can easily tunnel this out to a server that I control and then do the same again, but this isn't scalable or secure.

I would really appreciate it if we could accelerate an effort for an external/secondary network where we can run services.

#947

@ajlennon (Contributor) commented Mar 13, 2019

Hi all - I've discussed with Matt and I think what he's doing is really useful work.

I'm aware that security of the space is an issue though and I do believe we should probably ensure everybody agrees on direction before more holes are poked through firewalls and so forth?

@johnmckerrell (Member) commented Mar 13, 2019

On #817 a VPN was mentioned; how much of what you want to do could be achieved with a VPN? (Probably not Nextcloud, but can you do the other things you've been trying to do?)

@MatthewCroughan (Contributor, Author) commented Mar 13, 2019

@johnmckerrell
Is there a reason why Baltic cannot just DMZ our router and then we can port forward from there?

Originally posted by @skos-ninja in #817 (comment)

It'd be much nicer if we could co-ordinate this properly from the start, it's far more effort for an inferior result to try and use a VPN. We need a properly isolated network. What I'm doing is already effectively a VPN to my server.

@johnmckerrell (Member) commented Mar 13, 2019

Just a thought: we should probably not port forward things ... and instead we should VPN into the network to then access that stuff?

Also posted by @skos-ninja in #817 (yes I know I edited that to benefit myself)

Baltic DMZ-ing our router has nothing to do with how we arrange our network, it just means that we don't have to ask them to open each individual port.

I'm not saying we shouldn't open any ports, but if you want to be able to Remote Desktop or SSH into a machine, you should do that over a VPN connection; if you want to make a service such as Nextcloud available publicly then that wouldn't go on a VPN. I'm asking you (us) to think about what it is we want to make available.

At no point will it be possible for you to simply run a new service on your computer and have that available publicly instantly, certainly not via IPv4 (as we only have one IP address). There will always be port forwarding needed on our router.

@ajlennon (Contributor) commented Mar 13, 2019

+1 for VPN access to webcams and my computer and so forth

@MatthewCroughan (Contributor, Author) commented Mar 13, 2019

@johnmckerrell Right, so currently I couldn't make use of a VPN to have things like Nextcloud open to the internet, I'd still have to poke holes through tunnels. Currently I have a kind-of VPN going on with my server externally, and that is all that allows me to do this.

By providing a VPN into DoES, it does make it easier for me to interact with things, like my Pis or the RDP server, which I'm already doing via my server. Saves a lot of hassle. It definitely makes things better, and I'd be thankful for it, since I'd be able to get on with my stuff.

The only problem with that is we can't have anything be public facing via it, which means anybody wanting to use Nextcloud outside of DoES would have to VPN into DoES, and we couldn't have a memorable domain associated with it.

@johnmckerrell (Member) commented Mar 13, 2019

Indeed, good thing I didn't say VPN was the only option! I don't believe we can just set up a network and say "DMZ!" and that means that you just plug things in and they're magically available, IPv4 won't allow it. You will always need to request that an external port is forwarded to your internal IP address (currently the DoES network would need tweaking and the Baltic Broadband one too but we might be able to get them to forward everything on to us so it's just our end that needed tweaking).

Whether "things that are on the internet" need to be on their own separate network I'm not sure; it probably wouldn't hurt, but if you're talking about having the server on both networks then it doesn't really help, i.e. the reason you put it on its own network is "if it gets hacked then the other network isn't exposed", but if it's on both networks then... it exposes both networks anyway.

@MatthewCroughan (Contributor, Author) commented Mar 13, 2019

@johnmckerrell The only bridging that would occur would be sensible, for example SMB via Nextcloud. SMB in and of itself is a silly thing to expose to the internet, whereas Nextcloud is intended for public facing usage. I've not done or looked into this network segregation before, and I don't know how to make this happen, hence why I'm asking you and Jake to look into it.

One bad, old, vulnerable protocol exposed would mean that the network is compromised in some way, even with a VPN, which is why a separate network segment entirely makes more sense.

A VPN would be less secure, since it would provide people access onto our main network, with no segregation between services, if it were used by a lot of people it could potentially invite more activity and potential risks. I don't know of any other way to have public facing things in a secure way other than a DMZ, since I don't know much of anything about networking. It's the only term I know of that describes what I want, since again, I don't know enough about networking.

A VPN is a good short term solution for me personally, and I already have a small one via SSH tunnels, but I was going to set up WireGuard/OpenVPN; however, if we can get this sorted officially then I'd prefer to do that.

@johnmckerrell (Member) commented May 1, 2019

The new IP addresses are due to be set up on 7th May 6-7pm. During this time there will be some network downtime but hopefully it will be minimal. No promises when the new IP addresses will be available but we should be able to do it following this work.

@ajlennon (Contributor) commented May 1, 2019

What's the thinking on which network segment the new IP addresses will sit?

@johnmckerrell (Member) commented May 1, 2019

Current thinking is that we'd create new networks for each IP and these could be allocated to physical ports on the switch, so any device plugged into a certain ethernet port would be exposed on that IP address. We would require that these devices remained only on that network and that no bridging was performed (i.e. having a device both on an "external" network and on the DoES internal network).

@ajlennon (Contributor) commented May 1, 2019

Makes a lot of sense to me. I might be interested in having multiple devices serving different services on the public TCP ports if that can be accommodated...

@johnmckerrell (Member) commented May 1, 2019

For you to have control over that, the way to do it would be for you to have your own router that performs the NATing that would be needed here. The alternative would be for DoES to manage this and port forward specific services for specific IP addresses, but you would not be able to make any changes to the setup yourself (I think so anyway; I should check if the UniFi software would allow different users to have different levels of access, i.e. if I could give you access to our router but only to add settings to your own WAN, that might be interesting).

@ajlennon (Contributor) commented May 1, 2019

To be fair I don't think I should be given access to more stuff I might break...

It would be easy enough for me to set up an RPi box as a NAT gateway for some other boxes if there's space somewhere...

@ajlennon (Contributor) commented May 1, 2019

Oh and if I pay more can I have a personalised IP address?

Like 65.76.69.88 or something ?

@ajlennon (Contributor) commented May 1, 2019

68.79.69.83 would be cool too

@johnmckerrell (Member) commented May 9, 2019

The best way to set these IP addresses up is to place a switch between the Baltic router and our Ubiquiti gateway. Ideally it would be a managed switch with an IP address assigned to each port. Each person who has paid for an IP address would then get assigned a port on the switch and could plug what they need into it, whether a machine, or a router that could then do further NAT-ing. The simplest thing would be having the hosted machine within the cupboard but if we're careful we could potentially use the existing wiring to wire one of these IP addresses into the main room, although it would be much more preferable to have them in the cupboard as we know how people like to juggle ethernet cables around.

@ajlennon have a read of that and give me a shout about what you'd like to do.
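A concrete version of the arrangement described in the May 1 and May 9 comments above (a router on one of the public-IP switch ports doing its own NAT, with the rule that nothing on it is bridged into the DoES internal network), as an added example that is not part of this issue thread and not DoES's own configuration: a POSIX shell script that builds an nftables ruleset for a small Linux gateway such as the Raspberry Pi @ajlennon offers to set up. The interface names, the 10.99.0.0/24 subnet behind the gateway, the 192.168.1.0/24 stand-in for the DoES internal LAN and the two forwarded services are all assumptions chosen for illustration. The generator refuses to emit a forward whose target is not behind the gateway or is inside the internal LAN, so the no-bridging rule is enforced before any rule is written, and the forward chain drops traffic towards the internal LAN as a second line of defence.

```shell
#!/bin/sh
# Added example (not from the DoES issue thread): generate an nftables ruleset
# for a small Linux NAT gateway (e.g. a Raspberry Pi) plugged into one of the
# public-IP ports on the managed switch. All values below are assumptions made
# for illustration, not DoES's real addressing.
WAN_IF="${WAN_IF:-eth0}"                 # port carrying the public IP
DMZ_IF="${DMZ_IF:-eth1}"                 # hosted machines sit behind this
DMZ_NET="${DMZ_NET:-10.99.0.0/24}"       # private subnet behind the gateway
DOES_NET="${DOES_NET:-192.168.1.0/24}"   # stand-in for the DoES internal LAN

# ip2int A.B.C.D -> the address as a 32-bit integer (runs in a subshell so the
# IFS change and the positional parameters do not leak into the caller).
ip2int() (
    IFS=.
    set -- $1
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
)

# in_subnet HOST CIDR -> succeeds if HOST lies inside CIDR (a bare address is a /32)
in_subnet() {
    case $2 in */*) bits=${2#*/} ;; *) bits=32 ;; esac
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# gen_ruleset FORWARD... -> prints the ruleset; each FORWARD is
# "proto:public_port:dmz_host:dmz_port". Returns 1 without printing a ruleset
# if any target is inside DOES_NET or outside DMZ_NET (the no-bridging rule).
gen_ruleset() {
    for fwd in "$@"; do
        host=$(printf '%s' "$fwd" | cut -d: -f3)
        if in_subnet "$host" "$DOES_NET"; then
            echo "refusing $fwd: target is inside the DoES internal net $DOES_NET" >&2
            return 1
        fi
        if ! in_subnet "$host" "$DMZ_NET"; then
            echo "refusing $fwd: target is not inside the DMZ net $DMZ_NET" >&2
            return 1
        fi
    done
    cat <<EOF
flush ruleset
table inet gw {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
EOF
    for fwd in "$@"; do
        proto=$(printf '%s' "$fwd" | cut -d: -f1)
        pport=$(printf '%s' "$fwd" | cut -d: -f2)
        host=$(printf '%s' "$fwd" | cut -d: -f3)
        hport=$(printf '%s' "$fwd" | cut -d: -f4)
        # only this explicit list of services is reachable from the public IP
        echo "        iifname \"$WAN_IF\" $proto dport $pport dnat ip to $host:$hport"
    done
    cat <<EOF
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$WAN_IF" masquerade
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # hosted machines must never reach the DoES internal network
        ip daddr $DOES_NET drop
        # inbound: only connections the DNAT rules above have rewritten
        iifname "$WAN_IF" oifname "$DMZ_IF" ct status dnat accept
        # outbound from the hosted machines (updates, certificate renewal, etc.)
        iifname "$DMZ_IF" oifname "$WAN_IF" accept
    }
}
EOF
}

# check_ruleset FILE -> syntax-check with nft when it is installed (no-op otherwise)
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    fi
}

# Demo: HTTPS (e.g. Nextcloud) on one hosted machine, RDP on another.
if [ "${1:-}" = "--demo" ]; then
    gen_ruleset tcp:443:10.99.0.5:443 tcp:3389:10.99.0.6:3389 > /tmp/gw.nft \
        && check_ruleset /tmp/gw.nft && cat /tmp/gw.nft
fi
```

Run it with `--demo` on the gateway to write and syntax-check the ruleset; applying it is `nft -f /tmp/gw.nft` after enabling forwarding with `sysctl -w net.ipv4.ip_forward=1`. The forward chain's default policy is drop, so a hosted machine that is compromised can only talk back to established connections and out to the internet, never across to the DoES LAN, which is the property that makes a separate segment worth having in the first place.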

@ajlennon (Contributor) commented May 9, 2019

All sounds good to me.

I am sure I brought in a decent Netgear managed switch some time ago. Any ideas where that went @amcewen ?

@ajlennon (Contributor) commented May 9, 2019

Hey @johnmckerrell I found my managed switch. What do you think? Should do the job?

(image: switch)

@ajlennon (Contributor) commented May 9, 2019

I know @MatthewCroughan is keen on gigabit but do we really need that for most use-cases?

Perhaps not a long term solution but something that would get us started with minimal expenditure?

@ajlennon (Contributor) commented May 9, 2019

This would just be for the static IPs wouldn't it? I'd be happy enough with this setup for my needs for now.

@johnmckerrell (Member) commented May 9, 2019

It would, yes you could bring that in to get us going

@ajlennon (Contributor) commented May 9, 2019

ok boss!

@johnmckerrell (Member) commented May 10, 2019

Documentation and stuff for the switch:

https://www.netgear.com/support/product/FS726TP.aspx#Firmware%20Version%202.0.1_14

I've put it in the network cupboard for now. Worth noting that it has PoE ports; we couldn't really use them while the switch is sitting between the Baltic router and our gateway, but if we replaced it in the future it could be handy.
