I am addicted to book stores and can spend an inordinate amount of time in one.

Combine that with the fact that I recently got a Tablet PC with built-in Wi-Fi AND that pretty much all of the Borders bookstores and Starbucks coffee shops in my area are now T-Mobile Hotspots and I am in the position of a truck rolling downhill and picking up speed. Combine all of the above with the fact that I recently got a free offer from T-Mobile for 2000 free hours and the truck now has NO brakes!!!

While I am a fan of connectivity at any time from anywhere, I am also the paranoid type. Especially when it comes to Wi-Fi. WEP is just a door made of tissue paper, so I had some requirements that needed to be satisfied if I was going to be able to work from any of these locations.

The relevant pieces of my configuration were:

  • Broadband cable provider who does not assign fixed IPs. The DHCP leases are pretty long, but I did not want to worry about them.
  • Consumer-grade router as the externally facing device on my network.
  • Windows 2000 Server - Running IIS, .NET 1.1, and SourceGear Vault
  • Windows XP Pro - Dev Machine
  • Windows XP Tablet - Which would be the client that would connect from outside.

I needed the following:

  • Secure access via Terminal Services to both the W2K and XP boxes
  • Secure access to my source code, which is stored in SourceGear Vault on the W2K server
  • I was NOT going to spend any extra money!

Took me a couple of days to put everything together but I do believe I am on the right track.
 
First thing was to use ZoneEdit.com's Dynamic IP capability to assign a domain name to my rotating external IP address. That way I did not have to worry about remembering an IP address and it changing on me.
 
Second, I chose SSH as the method of establishing a VPN connection from my client machine to my internal network. The only exposed port on my internal network is the SSH port. That port is forwarded to my SSH server. I have chosen to use public key authentication combined with a passphrase as my authentication mechanism for SSH. I believe this is more secure than the password or the host-based authentication mechanisms that SSH provides.
 
Once the SSH connection is established, I tunnel Terminal Server as well as port 80 traffic via that encrypted connection. I am tunneling port 80 traffic as my SourceGear Vault exposes a web services API. So sitting anywhere I have network access to the Internet, I can with a reasonable degree of confidence connect into my home network and get access both to my source control tree and my home machines.
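
The setup described above, sketched as an added example that is not the author's own configuration: a check that an `sshd_config` permits only public-key logins, plus the OpenSSH command-line equivalent of the tunnels (the post's client is PuTTY). The host names `w2kserver`, `xpdev` and `home.example.net`, the user, the key file and the local ports are assumptions.

```shell
#!/bin/sh
# Added example: host names, user, key file and local ports are placeholders.

# Effective value of an sshd_config keyword: the first occurrence wins and
# keywords are case-insensitive. Match blocks are not evaluated here.
sshd_value() {  # usage: sshd_value FILE KEYWORD DEFAULT
    awk -v want="$2" -v def="$3" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == tolower(want) { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Return 0 only when public-key login is on and the two weaker methods the
# post rejects (password, host-based) are off. Defaults are OpenSSH's.
audit_sshd() {  # usage: audit_sshd FILE
    rc=0
    [ "$(sshd_value "$1" PubkeyAuthentication yes)" = yes ] ||
        { echo "FAIL: public-key authentication is disabled"; rc=1; }
    [ "$(sshd_value "$1" PasswordAuthentication yes)" = no ] ||
        { echo "FAIL: password authentication is enabled"; rc=1; }
    [ "$(sshd_value "$1" HostbasedAuthentication no)" = no ] ||
        { echo "FAIL: host-based authentication is enabled"; rc=1; }
    return $rc
}

# Client side: forward Terminal Services (3389) for both machines and HTTP (80)
# for the Vault server through the one SSH connection, bound to loopback only.
tunnel_cmd() {  # usage: tunnel_cmd USER@GATEWAY KEYFILE
    echo "ssh -N -i $2 -L 127.0.0.1:13389:w2kserver:3389" \
         "-L 127.0.0.1:13390:xpdev:3389 -L 127.0.0.1:8080:w2kserver:80 $1"
}

demo() {
    dir=$(mktemp -d)
    # Constructed sample configs: one relying on defaults, one hardened.
    printf '%s\n' '# defaults only' 'Port 22' > "$dir/weak"
    printf '%s\n' 'Port 22' 'PubkeyAuthentication yes' \
        'PasswordAuthentication no' 'HostbasedAuthentication no' > "$dir/hardened"
    for f in weak hardened; do
        if audit_sshd "$dir/$f"; then echo "$f: OK"; else echo "$f: rejected"; fi
    done
    tunnel_cmd user@home.example.net ./tablet_key
    rm -rf "$dir"
}
demo
```

A config that leaves `PasswordAuthentication` unset fails the check, because OpenSSH enables password logins by default.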
 
The tools used were all free and widely available:

  • OpenSSH for Win32
  • PuTTY for Win32
  • Lots of trial and error

One of these days, I'll do a write-up on the gotchas and the configuration issues that I went through. But for right now, in a truly amazing change of pace, the weather today is just about gorgeous! So I am going to go and enjoy it!