Running web admin through port 80...

[bgowland]

Quote[/b] (chasef @ Feb. 25 2005,11:40)]Hey all,
 I wanna run my GB-PVR web admin through port 80.  What's the most secure way to do this?  Thanks!

Chase

If you're worried about portscanners out there discovering you've got something listening on port 80 then the only things you can do are as follows...

1. Make sure your router (assuming you have one) doesn't respond to port scans. This will prevent the 'probes' out there discovering it by chance.

2. Now you've announced on this forum that you want to run Web Admin on port 80 then point 1. above is actually meaningless (other than the fact that none of us know your domain name or IP address).

3. Assuming (from point 2.) that it is public knowledge that you are running Web Admin on port 80 and somebody malicious knows your domain name/IP address, then the only thing that you can do is change the username and password to be something REALLY REALLY obscure.

As a network sysadmin I know that little or nothing is ever really secure - it's just how difficult you make it to break and what the rewards would be for someone trying to do it.

In short, if your company won't allow you to connect from work using HTTP on any other ports and you're really worried about the security of your system, make sure you schedule your recordings before you leave home.  

Cheers,
Brian

[capone]

I'm assuming that you can't have a redirect page, either. Where you type in an address, and it redirects to an address w/ the port in it?

Btw, if you're not using a router at this point, and you're on a broadband connection, having 80 open is just one of your worries.

[bgowland]

Quote[/b] (chasef @ Feb. 25 2005,11:59)]The problem is, the ___ @ work think that I'll be jeopardizing network security if they don't lock off every port other than 80.

The only thing I could suggest is get friendly with your IT guys and, if the system allows it, asking them to put an address translation in on the company proxy/firewall server. We use MS ISA Server and I know it can be done with that. I've never tried it though.

[UncleJohnsBand]

You could do the following.....

Get a dynamic DNS name for your work PC by using a free service such as DYNDNS.org. This will allow you to identify your work PC with a name and you won't need to worry about knowing the current IP address of you work PC. You will also need to load a dynamic updater to keep your PC's name in sync with your current IP address. I have been using DeeEnEs for about 4 years DeeEnEs

Set your router to forward port 80 to the PC running GBPVR.

Find a PC firewall that allows you you to filter on the host name rather than just IP. Norton Personal Fire Wall will do this....I believe there are others as well. Load this on the PC running GBPVR. In the settings allow access to port 80 only from your work PC name that you created above. Since you have now loaded a local firewall you may need to setup some other settings to allow GBPVR or the MVP 1000 to work correctly over your network(if you have one).

This setup limits access to port 80 from the outside to be only from your work PC. This coupled with the user id/password that the web interface requires should be strong enough security.

If you don't want to deal with the dynamic name thing you can stick with using your externally facing IP ranges instead.

Hope this helps.

[Networker]

Unless you don't mind doing some extra work, opening port 80 through to the GBPVR will simply open your machine up for any vulnerabilities the underlying web server software that is running.

You COULD do any number of things.. I tunnel through an SSH tunnel from work for all kinds of things to the house, RDP, GBPVR, IMAP, SMTP, HTTP, etc. So you if are willing to get SSH running on your windows box (assuming you have no Linux boxes) or you might be able to find a port of Stunnel to do SSL (secure socket layer - https). Using Stunnel you could connect to your GBPVR with 443 (which should be open through your work firewall, that's how I configure our firewall - oh did I mention that I do Network Security for a living ..


Edit - I just did some searches to make sure about the stunnel, if you go to Stunnel windows downloads, there is a OpenSSH project, it's not up2date but easy to setup compared to Cygwin


John