This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Any way to setup WebAdmin to be accessible from the WAN side, without a VPN, yet, without having to worry about brute force attacks?

I setup a UTM for my parents in Bridge Interface + Full Transparent Mode. The great thing about this setup is 1/2 of the network is not filtered in any way, for someone like my lawyer brother who still lives with parents and the other 1/2 of the network has dual AV, Snort, Sophos Content Filtering, with OpenDNS content filtering for my parents, who despite their best efforts, constantly seem to be hitting hijacked ads when on the web, etc.

 Basic topology is:

 Internet[DSL modem/router][Bridged UTM][Unmanaged LAN switch]Airport Extreme in Access Point mode

I can forward port 4444 to the UTM and set the UTM to be accessible from the web. I have no problem doing that; however, since I can not setup A VPN on the UTM in bridge + full transparent mode, I am afraid to leave the UTM accessible to be scanned and attacked on the WAN side. The same goes for my experience with the Sophos UTM and the Amazon Cloud. In testing, I was constantly getting e-mails about IP addresses that have been blocked for too many failed login attempts.

Is there any way that I can secure this setup so that I can manage the UTM remotely without having to worry about a brute force attack, without a VPN? I get that using HTTPS encrypts the traffic, my concern is brute force attacks, that eventually lead to the UTM being compromised on the WAN side.



This thread was automatically locked due to age.
Parents
  • Yes, you should worry about brute force attacks.   Configure OTP 2-factor authentication for any remote access method (including VPN).

    SSLVPN has the extra advantage of needing a certificate installed on your laptop, plus your username+password, plus your OTP code (3-factor!) 

    Filtering on network address helps as well whenever possible, but it is not always possible.

Reply
  • Yes, you should worry about brute force attacks.   Configure OTP 2-factor authentication for any remote access method (including VPN).

    SSLVPN has the extra advantage of needing a certificate installed on your laptop, plus your username+password, plus your OTP code (3-factor!) 

    Filtering on network address helps as well whenever possible, but it is not always possible.

Children
  • Ok, dumb question, but then again, maybe not. Is is possible to create a second admin account and just require that account to use 2 factor authentication?

    While at the same time, leaving the default one to work locally only, without 2 factor authentication?

    I am educating myself with how Sophos does the 2 factor authentication. I like the concept, I am just concerned about locking myself out.

    btw, thanks you everyone for you help!

  • That is a fine strategy.  Just let go of the idea that the admin page should be remotely accessible without VPN or other protection.

    (1) If practical, configure the user portal so that it is only accessible internally (for risk reduction).  Depends on what you want to do with it, and whether this is for yourself at home or lots of people at work.   At least try to get all of your remote users configured with OTP before exposing the portal to the internet.   See more below.

    (2) Enable OTP for your account.   When you login into the portal, you will immediately be required to scan the QR code to sync your phone with Sophos Authenticator.  Thereafter, any remote login for that user (including future logins to the user portal) will use the OTP, which is entered into the password field using the regular password immediately followed by the 6-digit OTP code.

    (3) Configure your method for connecting to the user portal remotely.   Suggested options are:

    • SSL VPN from your laptop (which as I said before requires a pre-configured device), but then you can connect directly to the admin page, or
    • user portal with HTML5 VPN with an RDP resource configured to an internal desktop device, then a web browser in the RDP session connects to the admin page.  Obviously, this option requires that the user portal remain accessible to the internet.

    Because the admin page is not exposed to the internet, you don't need OTP on the Admin account.  

    OTP is not appropriate for shared accounts, so a business does not want OTP on Admin because it locks out all other potential admin users (current or future).