Secure direct connection/VPN options...

Hello,

I am currently in the process of modifying my applications so I can have them hosted using one of your Windows VPS plans.

One of my applications is a Windows application which will require either a direct connection to the database OR access to a .NET remoting application that can be hosted on IIS. While the first choice is probably not an option on a VPS host, the second option is at least feasible.

Unfortunately, the application itself doesn't contain much in the way of security, and Microsoft recommends that .NET remoting endpoints are not exposed directly to the Internet: http://msdn.microsoft.com/en-us/library/aa302429.aspx.

While I can make modifications to the application itself to make it more secure, this will be a very time consuming route. It would be preferable to create a web site under IIS that is not Internet facing, and have my clients access the VPS server directly through some kind of direct channel (such as a VPN connection), which would ensure my database won't be hacked via an exposed .NET remoting endpoint. I should mention that my clients (for this application at least) will be internal company employees and they will be limited to less than 5 users.

So before I go through some pretty extensive application changes to fix this rather obvious security hole, I thought I would ask if there is anything supported or that could be added on to one of your Windows VPS hosting plans that would allow a direct connection to a non-Internet facing IIS instance?

TIA
-NightOwl888
 
At the risk of making a fool of myself (it's probably too late for that) I think I misread your question and you know the info I gave which I've now deleted.

I'm not sure what you can do in terms of a VPN. I use SSH tunnels with Putty all the time as a sort of poor man's VPN to securely connect to Windows servers. I don't know how practical that is in an end user situation. A proper VPN would be less geeky. If you do want to install an SSH server, have a look at Copssh
 
:) Yup, spoke to you before in the CSLA forum.

And that is exactly what I am trying to solve here - making a CSLA (v1.51, ported to .NET 2.0) Windows application work remotely (from the client computer over the Internet to the VPS host server).

Currently I am using a non-Internet facing IIS hosted remoting setup and my client uses a VPN connection to establish an Intranet connection (tunnel) first and then the IIS web server instance is accessed through a local IP address.

I am not quite sure how the client would be able to remotely access the private web site via a local IP address (192.168.*.*) like you mentioned though. That is why I was inquiring about using a VPN connection in the first place. Care to elaborate?

I could limit the IP range over an Internet facing host combined with an SSL certificate, which would be good. However, that alone won't prevent an attacker from being able to spoof the IP address and attack/compromise the remoting endpoint directly.

I should also point out that I am not currently using role-based security within my business objects (and there are issues preventing me from implementing this easily), so once the WSDL is known about the remoting endpoint, accessing the data is a trivial matter.

Using a client certificate over the Internet would be acceptable, as it provides both privacy and authentication, however it is not supported by .NET remoting (it requires Web Services). Unfortunately, the version of CSLA I am using doesn't have extensibility to build another channel like CSLA 2.0 does, which would solve this problem nicely.

So, I have 3 options:

1. Replicate the setup I have now with a VPN tunnel to the IIS server.
2. Change the UI layer of the Windows application to an ASP.NET UI.
3. Upgrade my 40+ business objects plus one web and one Windows UI to CSLA 2.0(+) and build my own Web services channel that supports client certificates.

These options are listed in the order of lowest to highest amount of time to implement, so I thought I would at least ask if the easy fix is available before delving into time consuming design changes.
 

Looks like we crossed posts here - yep, I read the one you deleted first and that is the one I answered.

I have used SSH before, but unfortunately I wasn't in charge of setting up the configuration. We had it set up really nice - a shortcut to a batch file which first opened the SSH connection and then in our case launched the remote desktop and logged in automatically. It made accessing the server pretty simple. I just wish I had access to the configuration file and the SSH client so I could replicate that setup.

And in my case it needs to be really simple because the end users don't even know how to use copy and paste...
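The "poor man's VPN" mentioned earlier in the thread and the batch-file setup described in the post above can be reproduced with PuTTY's command-line client, plink. The script below is an added example written for this thread, not something posted by any participant or shipped by the hosting provider; the host name, user name, key path and port numbers are placeholders to be replaced with your own. It opens an SSH local port forward to the server's loopback RDP port and then starts Remote Desktop against the local end of the tunnel, so the RDP port (or, with the same approach, the non-Internet-facing IIS remoting site on port 80) never has to be exposed to the Internet; only SSH is.

```batch
@echo off
REM Added example for this thread (not a participant's script): open an SSH port
REM forward with plink, then launch Remote Desktop through it.
REM All values below are placeholders; replace them with your own.
setlocal

set SSH_HOST=vps.example.com
set SSH_USER=tunneluser
set KEY_FILE=%USERPROFILE%\keys\tunnel.ppk
set LOCAL_PORT=3390
set REMOTE_PORT=3389

REM Start plink minimized in the background:
REM   -N      no remote shell, port forwarding only
REM   -batch  never prompt; an unknown or changed host key aborts instead of being accepted
REM   -i      use a key file instead of a password (friendlier for non-technical users)
REM   -L      listen on 127.0.0.1:%LOCAL_PORT% here and forward to %REMOTE_PORT% on the
REM           server's own loopback, which the server firewall can keep closed to the Internet
start "ssh-tunnel" /min plink.exe -ssh -batch -N -i "%KEY_FILE%" -L %LOCAL_PORT%:127.0.0.1:%REMOTE_PORT% %SSH_USER%@%SSH_HOST%

REM Wait (up to 10 seconds) until the local end of the tunnel is actually listening.
set /a tries=0
:waitloop
netstat -an | findstr /c:"127.0.0.1:%LOCAL_PORT%" | findstr /c:"LISTENING" >nul
if %errorlevel%==0 goto connected
set /a tries+=1
if %tries% geq 10 (
  echo Tunnel did not come up; check the plink window for the error.
  exit /b 1
)
timeout /t 1 /nobreak >nul
goto waitloop

:connected
REM Launch Remote Desktop against the local end of the tunnel.
mstsc.exe /v:127.0.0.1:%LOCAL_PORT%

endlocal
```

For the .NET remoting scenario instead of RDP, forward a local port to the server's 127.0.0.1:80 (or whatever port the private IIS site listens on) and point the client's remoting URL at http://127.0.0.1:LOCAL_PORT/; the server-side firewall rule then only needs to allow SSH inbound. The plink window shows the first-connection host-key check and any authentication failure, which is why it is started minimized rather than hidden.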
 
Just as a quick FYI a Virtuozzo VPS won't do the VPN server like you wish, we have some exciting things on the horizon but not quite ready to go live :)
(HyperV)
 
Another thought just occurred to me. I could potentially install the Windows application (client) directly onto the VPS server and my client could access it via Terminal Services.

This brings up other questions.

1. What is the maximum number of Terminal Services instances you can have open simultaneously?
2. Would I have to tunnel through using SSH to get access to Terminal Services, or is there a more direct route?
 

1. It is remote admin, so 2 + console only. Terminal services can be offered, but there are no connections free and it is $5.75/month per user connected for the licenses.

2. No need for this, terminal services has its own encryption.
 