Sajan Parikh

join:2011-03-05
Walcott, IA
reply to Sajan Parikh

Re: [IA] Dedicated IP from Mediacom?

The reason I wanted a dedicated IP was..

I run a company and have many servers around the country and have firewalls set of course.

I've locked all of these servers down so only one IP address can access them. This is the IP address of a VPN I've set up in Chicago.

However, this has become a SPOF, and while I'm setting up other VPNs and whitelisting those IPs as well... I thought I'd look into getting a static IP for my home so that I can whitelist that as well.

I certainly wouldn't mind paying extra.

jpatton

join:2010-04-07
Stillwater, OK
I've had this same issue with a couple computers I remote access at work. What I ended up doing was setting up a dyndns hostname for my home connection, then had a cronjob (scheduled task) to check the hostname's IP and update iptables (the firewall rules). It was a PITA to set up, and I do agree that it would be helpful to just be able to get a static IP. As demonstrated here, it's useful for more than just TOS-violating servers.

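The dyndns-plus-cron approach jpatton describes, as an added example that is not the poster's own script: it resolves the hostname, compares the answer with the last whitelisted address, and swaps the iptables rule only when the lookup returns a valid IPv4 address, so a DNS failure leaves the old rule in place instead of removing your only way in. Hostname, chain name, port and state-file path are assumptions.

```shell
#!/bin/sh
# Added example (not jpatton's own script): keep an iptables allow-rule for one
# port in sync with a dynamic-DNS hostname. Hostname, chain, port and state-file
# path are placeholders; real changes happen only when DYN_WHITELIST_RUN=1 is set.
TRACKED_HOST="${TRACKED_HOST:-home.example.invalid}"        # placeholder dyndns name
STATE_FILE="${STATE_FILE:-/var/lib/dyn-whitelist/last_ip}"  # last IP we whitelisted
CHAIN="${CHAIN:-DYN_WHITELIST}"   # dedicated chain that INPUT jumps to for $PORT
PORT="${PORT:-22}"
IPTABLES="${IPTABLES:-iptables}"
# Resolve the hostname to its first IPv4 address; prints nothing on failure.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}
# Accept only a dotted quad with octets 0-255, so a failed or malformed lookup
# can never be turned into a firewall rule.
is_ipv4() {
    ip="$1"
    printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}
# Decide what to do from the previously whitelisted IP and the fresh lookup.
# Prints one of: noop-unresolved | keep | add NEW | replace OLD NEW
plan_update() {
    old="$1"; new="$2"
    if ! is_ipv4 "$new"; then
        echo "noop-unresolved"   # DNS hiccup: keep the old rule, don't lock yourself out
    elif [ -z "$old" ]; then
        echo "add $new"
    elif [ "$old" = "$new" ]; then
        echo "keep"
    else
        echo "replace $old $new"
    fi
}
# Turn a plan into iptables calls; the stale source is removed before the new one is added.
apply_plan() {
    set -- $1
    case "$1" in
        add)     $IPTABLES -A "$CHAIN" -s "$2" -p tcp --dport "$PORT" -j ACCEPT ;;
        replace) $IPTABLES -D "$CHAIN" -s "$2" -p tcp --dport "$PORT" -j ACCEPT
                 $IPTABLES -A "$CHAIN" -s "$3" -p tcp --dport "$PORT" -j ACCEPT ;;
    esac
}
main() {
    plan=$(plan_update "$(cat "$STATE_FILE" 2>/dev/null)" "$(resolve_ipv4 "$TRACKED_HOST")")
    apply_plan "$plan"
    case "$plan" in add*|replace*) printf '%s\n' "${plan##* }" > "$STATE_FILE" ;; esac
}
if [ "${DYN_WHITELIST_RUN:-0}" = 1 ]; then main; fi
```

Pair it with a default DROP for the port outside the chain, and the whitelist only ever widens to the address the hostname currently resolves to.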

ZC_217

join:2010-02-07
Des Moines, IA
reply to Sajan Parikh
said by Sajan Parikh:

I've locked all of these servers down so only one IP address can access them. This is the IP address of a VPN I've set up in Chicago.

However, this has become a SPOF, and while I'm setting up other VPNs and whitelisting those IPs as well... I thought I'd look into getting a static IP for my home so that I can whitelist that as well.

So are you connecting to this VPN in Chicago then to your servers? Would you be able to set up some sort of multi-homed hardware VPN tunnel?

Where I work, we have 2 main Cisco 5540 ASA failover pairs, and we have many, many remote site offices set up with 5505 ASAs that build a VPN connection to either site, but we use Cisco's EZVPN, which allows the main site to have static IPs while the remote sites are able to have dynamic IPs.

I'm not sure of your current topology of how you connect to your servers, so this may be completely outside the realm of realistic possibilities.

Sajan Parikh

join:2011-03-05
Walcott, IA
Ah, no I may have been a bit unclear...

Currently, I'm connecting to VPN in Chicago then to server. That works great.

If that VPN fails though, I've no graceful way to connect to the server. That's where the whitelisted dedicated IP from mediacom would come in. I can just connect directly from my home.


ZC_217

join:2010-02-07
Des Moines, IA
said by Sajan Parikh:

Ah, no I may have been a bit unclear...

Currently, I'm connecting to VPN in Chicago then to server. That works great.

If that VPN fails though, I've no graceful way to connect to the server. That's where the whitelisted dedicated IP from mediacom would come in. I can just connect directly from my home.

Ah, ok. You are trying to set the firewall your server is behind to allow a second connection in to access the server in the event of the VPN failing.

Just a thought, can your firewall at your server location be set up to accept software VPN client connections? It would allow you a second path in, would be more secure than just a firewall rule allowing a dedicated IP in and then it wouldn't matter what IP you'd get from your ISP. Allows access from anywhere while still being secure.

Sajan Parikh

join:2011-03-05
Walcott, IA

That would essentially be me keeping a port open, wouldn't it?

The only problem with that is that it would accept the connection from any IP address and the security would rely on the authentication.

Which is perfectly fine and may end up being what we do. However, I would much rather drop the packet completely if it wasn't from the handful of IPs (our VPNs + dedicated Mediacom IP) that I would whitelist.

Please correct me briefly and point me in the right direction if I misunderstood. It's 8AM and I haven't slept. :P.


ZC_217

join:2010-02-07
Des Moines, IA
You wouldn't really be leaving a port open per se. It would respond to connections from any IP address, but you can use internal security authentication. I understand not wanting your firewall to respond to anything from untrusted sources but if you have good internal security policies you should be ok.

The way we use our software VPNs, in order to authenticate with the VPN and establish connectivity, is to log into the VPN client with internal RADIUS logins that must comply with IT security policies. So you still have to have the right credentials for the firewall to even respond with anything other than requesting login.

Not knowing what kind of business it is, I don't know what level of security is required, but I can't see allowing software VPNs opening your firewall up to any more issues. If you don't have the right credentials, it then simply drops the traffic. And you still have access to your servers no matter what your IP is.