Topic: Concerns / search for *BEST* way to do remote WebGUI access
rnsc
« on: April 11, 2010, 10:16:26 pm »

It would be extremely "handy" to have remote access to the pfSense installations I maintain over the internet (I'm up to two). The admonition is to AT LEAST use HTTPS, preferably certificate authentication.

It seems to me that certificate authentication has a potential vulnerability in that the certificate must be "imported" by the browser that I am using for access.  It is then on that machine, and I am dependent on the security of that machine, physical and otherwise.  I could then immediately delete it, but I tend to be an untrusting soul, and wonder if it is written over, or if some virus grabbed it in the process of my using it.

With password security, I could have a really great password.  However here I suppose that I would be vulnerable to keyloggers on the machine I am connecting from.

The book and other things I have read seem to discourage remote access at all.  Just how much risk is there if I do things "the right" way (whatever that is!).

Finally, there seems to be a recommendation to use ssh instead of HTTPS.  How is this more secure?  It is still necessary to authenticate with either a password or a certificate.  Both are encrypted, and with very robust algorithms (depending on your choice).  So what is the difference?  I know less about the VPN, but assume that there is a startup that again, authenticates with a certificate.

I would greatly appreciate a few comments on my thoughts above to help me to figure out (1) The best way to do this, and (2) How much I should avoid it.

Thank you.
« Last Edit: April 11, 2010, 10:20:30 pm by rnsc »
chpalmer
« Reply #1 on: April 11, 2010, 10:37:44 pm »


HTTPS and a non-standard port. I watched my chosen port in the firewall logs for a couple of weeks before I chose it. I've never seen anyone try it.
GruensFroeschli
« Reply #2 on: April 12, 2010, 04:34:53 am »

Well the best way would be to not allow direct access from the internet to the GUI.
Set up a VPN server (OpenVPN is great for this) and access the GUI over this tunnel.

If this is too much for you: as chpalmer stated: https and non-standard port will take care of most of the scriptkiddies.
dotdash
« Reply #3 on: April 12, 2010, 06:28:25 pm »

Limiting the access to only your IP address would be as secure as the other options, IMO.
jimp
« Reply #4 on: April 12, 2010, 07:17:42 pm »

You must involve some kind of encryption, ideally a VPN such as OpenVPN, IPsec, or as a last resort, PPTP.

HTTPS is ok, but a self-signed certificate has its drawbacks. If you always access it from the same machine though it isn't so bad, because you will still be notified if the certificate has changed in some way.

Personally, I use HTTPS+IP restrictions on most locations, and OpenVPN or other tunneling for the rest.