From: Neil W. <ne...@nw...> - 2005-12-11 10:55:56
Hi Tim, David, Neil and all others,

I'm sorry to have poked the hornets' nest.

Although the dialogue has been interesting to read! I have a basic understanding of networking, but would not have a clue what you guys are really talking about.

All I'm interested in is being able to access my MH from Starbucks or my place of work using a PDA or another Windows PC.

I'm not planning on publishing my MH domain for people to have a crack at, and personally I believe that nothing is infallible. Just like my house, we are basically keeping the honest people out with these locks and keys etc.

So!
My MH box is a Windows 2000 PC, my work PCs are XPs and my PDA is an HP iPAQ hx4700.

What do I need to do?

Dynamic DNS
I'm starting to understand this dynamic DNS but not sure what I require at my MH end. I was just playing with a router (my uncle's) that had some dynamic DNS support built in but mine does not.

What do I need to do for the dynamic DNS? Does my MH box need to somehow interrogate my router and find out its external IP address and then mail this somewhere when it changes? (My router is a Netgear FWG114P)

SSH???
Do not have a clue what this is or where to start.

Alternatives ??

VPN???
Is this some kind of an alternative to SSH? My PDA appears to support VPN. Should I buy another router that supports this instead?

My current router supports two VPN tunnels. Can I add a VPN endpoint to my MH W2K box?

Regards,

Neil Wrightson.
From: Matthew W. <mat...@us...> - 2005-12-11 14:59:39
Neil Wrightson wrote:
> Hi Tim, David, Neil and all others,
>
> I'm sorry to have poked the hornets' nest.

Fun, isn't it! :-)

> What do I need to do?

As I said earlier, ssh is fine for your application. It would be much easier to cut your phone line, cable line and smash a ground floor window to break into your house.

> Dynamic DNS
>
> What do I need to do for the dynamic DNS? Does my MH box need to somehow
> interrogate my router and find out its external IP address and then
> mail this somewhere when it changes? (My router is a Netgear FWG114P)

Dynamic DNS is really just a way to look up your current dynamic IP address in a standardized way. Normally, the network element that gets the IP address, in your case your Netgear. Whenever it gets a new IP address, it automatically goes to the dynamic DNS provider and updates their database. In chapter 10 of your Netgear reference manual, it describes how to configure your Netgear for dynamic DNS. I highly recommend doing this. It does not introduce you to new attacks, as most virii (or is it viruses?) target random ranges of IP addresses.

> SSH???
> Do not have a clue what this is or where to start.

Basically SSH is a secure (or not, depending on which 3 letter US agency you work for! Just kidding and stirring the hornet's nest a little myself) version of telnet. It supports an encrypted command line interface to a server. A benefit of SSH is that it supports tunnels and port forwarding, which allows you to connect from your client to your SSH server and then get access to any service that the server can see, even if it is on a different machine within your network.

> Alternatives ??
>
> VPN???
> Is this some kind of an alternative to SSH? My PDA appears to support
> VPN. Should I buy another router that supports this instead?

Really, SSH is just a way of creating a pseudo VPN. Your Netgear does seem to support VPN connections. This is the way to go for you. Ignore everything we have been saying about SSH.

The Netgear VPN will be much easier to set up and manage and will also provide acceptable security. Just make sure that any passwords you use are long and complicated. This will protect you from people trying to brute force guess your passwords. The VPN technology on the Netgear looks to be based on IPsec, which is nice and secure (poke, poke). Unfortunately, it also needs a custom client from Netgear, called the Netgear ProSafe VPN client, as Windows doesn't nicely support IPsec.

> My current router supports two VPN tunnels. Can I add a VPN endpoint to
> my MH W2K box?

Looks like it!

> Regards,
>
> Neil Wrightson.
From: David H. L. Jr. <dh...@co...> - 2005-12-11 23:12:22
Neil Wrightson wrote:
> Hi Tim, David, Neil and all others,
>
> I'm sorry to have poked the hornets' nest.
>
> Although the dialogue has been interesting to read! I have a basic
> understanding of networking, but would not have a clue what you guys are
> really talking about.

We are talking about how easily we will be able to break into your system. There is no such thing as absolute security. You can put a reinforced steel door into your home, and a burglar can take a chain saw and easily cut an opening in the wall.

The same thing is true about computers. If you allow access to MisterHouse from the outside, you have to evaluate the risks and benefits and, if you proceed, think about how to minimize the risks.

The simplest - but not particularly secure - way to access MH from Starbucks is to use your Netgear router and set it to forward port 8080, or whatever port you use for MisterHouse, to your MisterHouse machine. You would have to keep track of your Cable/DSL IP yourself. And the system would not be very secure - it would still probably stop 99% of all attempts to breach it, but the world is enormous, and 99% is not particularly good today.

Everything else we have discussed is how to make remote access easier - using a dynamic DNS service so you do not have to track your IP address - and more secure.

> What do I need to do?
>
> Dynamic DNS

How frequently does your IP change? If it is not frequent and there is no huge penalty to occasionally not being able to get in, and manually having to make some simple changes, then you do not need anything but an account with a dynamic DNS provider.

If you need more, then the issue is how do you tell the provider when your dynamic IP has changed. There are a plethora of ways, and they may vary depending on the provider. It is even possible to write scripts to have MH do it. The task is simple - basically telling the Dynamic DNS provider "hey, here is my new address".

> Does my MH box need to somehow
> interrogate my router and find out its external IP address and then mail
> this somewhere when it changes? (My router is a Netgear FWG114P)

It will depend on your provider, but your basic description is generally correct.

> SSH??? VPN???

Do you want more security than your MisterHouse password protecting MisterHouse from unauthorized remote access? SSH & VPN are just ways of doing that.

VPN is a somewhat generic term. SSH can be used to do a VPN or VPN-like things, or it can be used to provide a remote command prompt. As you are using a Windows server, I would probably recommend against SSH. Making use of it in a Linux/Unix environment is fairly trivial, it has a high degree of security, and it is easy to get working. Getting SSH working under Windows is more complex and usually not worthwhile UNLESS you have a heterogeneous environment.

VPNs are a huge topic. Any VPN will make you more secure than being bare ass naked to the world. Some are better than others, some are easier than others, some are friendlier in a Windows environment. Regardless, the purpose of a VPN is to allow you to have controlled access to resources - such as MH - behind a firewall, while denying unauthorized access.

A VPN typically requires that both ends of the communications channel are properly set up. Typically there is a VPN server and a VPN client. So the choice of VPN can be dictated by what runs on all the systems you desire to connect.

The most common Windows VPNs are probably PPTP and IPSec. PPTP is older, the Windows implementation is (sort of) Microsoft specific, but it is fairly easy to get set up. IPSec appears to be the likely long term victor in the battle to become the dominant VPN. But setting it up is harder. Windows XP comes with IPSec support, I think Windows 2000 does.

Regardless, there is NOT a trivial answer to how do I get a VPN running.
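Added example, not part of the original thread and not MisterHouse code: a sketch of the "here is my new address" update step discussed above, assuming the provider speaks the widely used dyndns2-style update protocol. The update URL, the host name `home.example.org`, the function names and the sample addresses are placeholders constructed for illustration.

```python
import ipaddress
from urllib.parse import urlencode

# Assumed placeholder endpoint; substitute your provider's documented update URL.
# Credentials belong in an HTTP Basic Authorization header sent over HTTPS,
# never in the query string, where they would end up in logs.
UPDATE_URL = "https://ddns.example.invalid/nic/update"

# dyndns2 reply keywords that mean "fix the configuration, do not keep retrying".
FATAL = {"badauth", "notfqdn", "nohost", "numhost", "abuse", "badagent", "!donator"}


def plan_update(hostname, current_ip, cached_ip):
    """Return the update URL to request, or None when no update should be sent."""
    ip = ipaddress.ip_address(current_ip)  # raises ValueError on malformed input
    if not ip.is_global:
        # A private or loopback address means the LAN side was read, not the WAN
        # side; publishing it would point the host name at an unreachable address.
        raise ValueError(f"{current_ip} is not a public address")
    if cached_ip == str(ip):
        # Unchanged address: skip. Providers block hosts that send repeated
        # no-change updates (the "abuse" reply).
        return None
    return UPDATE_URL + "?" + urlencode({"hostname": hostname, "myip": str(ip)})


def handle_reply(body, cached_ip):
    """Map a provider reply to (address_to_cache, retry_allowed)."""
    parts = body.strip().split()
    code = parts[0] if parts else ""
    if code in ("good", "nochg") and len(parts) == 2:
        return parts[1], True       # provider now holds this address
    if code in FATAL:
        return cached_ip, False     # stop until a human fixes the setup
    return cached_ip, True          # e.g. "dnserr" or "911": transient, retry later
```
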
From: Tom <tom...@co...> - 2005-12-12 05:05:51
If you have an old machine lying around, you can make it a pretty good firewall. Check out http://www.m0n0.ch/wall/

It has built in support for various dynamic DNS providers. Some are free and work very well. It also has PPTP support so I can VPN with the client that XP provides.

I use DynDNS and have a domain name registered with GoDaddy.com. I point my registered GoDaddy domain to my DynDNS domain name. If the IP changes, my firewall takes care of updating the DynDNS record which GoDaddy is forwarding, so I simply enter my domain name and I always get pointed to my home machine. For security, I'm forwarding requests to my machine which is running Apache and it takes care of security and routing to the MH page. Also for security purposes, I'm not listening on port 80, I chose some random high port.

Every once in a while, I run a Nessus scan on my home machine just to make sure some new holes haven't been discovered. Once you are all set up, if you'd like I can scan your IP address and let you know what I find. I have the scanner set up to scan machines at work so scanning another IP address wouldn't be any problem. It outputs a pretty nice report of its findings and I can send you that if you'd like.

The setup works great. I connect from the road using any machine and even from my Treo.

Good luck,

tom

Neil Wrightson wrote:
> Hi Tim, David, Neil and all others,
>
> I'm sorry to have poked the hornets' nest.
>
> Although the dialogue has been interesting to read! I have a basic
> understanding of networking, but would not have a clue what you guys
> are really talking about.
>
> All I'm interested in is being able to access my MH from Starbucks or
> my place of work using a PDA or another Windows PC.
>
> I'm not planning on publishing my MH domain for people to have a crack
> at, and personally I believe that nothing is infallible. Just like my
> house, we are basically keeping the honest people out with these locks
> and keys etc.
>
> So!
> My MH box is a Windows 2000 PC, my work PCs are XPs and my PDA is an
> HP iPAQ hx4700.
>
> What do I need to do?
>
> Dynamic DNS
> I'm starting to understand this dynamic DNS but not sure what I
> require at my MH end. I was just playing with a router (my uncle's)
> that had some dynamic DNS support built in but mine does not.
>
> What do I need to do for the dynamic DNS? Does my MH box need to
> somehow interrogate my router and find out its external IP address
> and then mail this somewhere when it changes? (My router is a Netgear
> FWG114P)
>
> SSH???
> Do not have a clue what this is or where to start.
>
> Alternatives ??
>
> VPN???
> Is this some kind of an alternative to SSH? My PDA appears to support
> VPN. Should I buy another router that supports this instead?
>
> My current router supports two VPN tunnels. Can I add a VPN endpoint
> to my MH W2K box?
>
> Regards,
>
> Neil Wrightson.