Concerns / search for *BEST* way to do remote WebGUI access
-
It would be extremely "handy" to have remote access to the pfSense installations I maintain over the internet (I'm up to two). The admonition is to AT LEAST use HTTPS, preferably certificate authentication.
It seems to me that certificate authentication has a potential vulnerability in that the certificate must be "imported" by the browser that I am using for access. It is then on that machine, and I am dependent on the security of that machine, physical and otherwise. I could then immediately delete it, but I tend to be an untrusting soul, and wonder if it is written over, or if some virus grabbed it in the process of my using it.
With password security, I could have a really great password. However, here I suppose that I would be vulnerable to keyloggers on the machine I am connecting from.
The book and other things I have read seem to discourage remote access at all. Just how much risk is there if I do things "the right" way (whatever that is!)?
Finally, there seems to be a recommendation to use ssh instead of HTTPS. How is this more secure? It is still necessary to authenticate with either a password or a certificate. Both are encrypted, and with very robust algorithms (depending on your choice). So what is the difference? I know less about the VPN, but assume that there is a startup that again, authenticates with a certificate.
I would greatly appreciate a few comments on my thoughts above to help me to figure out (1) The best way to do this, and (2) How much I should avoid it.
Thank you.
-
HTTPS and a non-standard port. I watched my chosen port in the firewall logs for a couple of weeks before I chose it. I've never seen anyone try it.
-
Well the best way would be to not allow direct access from the internet to the GUI.
Set up a VPN server (OpenVPN is great for this) and access the GUI over this tunnel. If this is too much for you: as chpalmer stated, HTTPS and a non-standard port will take care of most of the script kiddies.
-
Limiting the access to only your IP address would be as secure as the other options, IMO.
-
You must involve some kind of encryption, ideally a VPN such as OpenVPN, IPsec, or as a last resort, PPTP.
HTTPS is ok, but a self-signed certificate has its drawbacks. If you always access it from the same machine though it isn't so bad, because you will still be notified if the certificate has changed in some way.
Personally, I use HTTPS+IP restrictions on most locations, and OpenVPN or other tunneling for the rest.
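Added example, not part of the thread: the last reply notes that with a self-signed certificate you are still notified if the certificate changes. That trust-on-first-use check can be scripted as below; the store file `pins.json`, the endpoint name `fw.example:8443` and all function names are assumptions, and the certificate bytes in `demo()` are constructed stand-ins rather than real certificates.

```python
import hashlib
import hmac
import json
import ssl
import tempfile
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_der(host: str, port: int) -> bytes:
    """Fetch the certificate the server presents. No chain validation is
    done here (ca_certs is not set), which is what a self-signed cert needs."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check_pin(store: Path, endpoint: str, der_cert: bytes) -> str:
    """Compare the presented certificate with the pinned fingerprint.

    Returns 'first-seen' (pin recorded), 'match', or 'CHANGED'.
    A changed certificate never overwrites the stored pin; re-pinning
    after a legitimate renewal must be a deliberate manual step.
    """
    pins = json.loads(store.read_text()) if store.exists() else {}
    seen = fingerprint(der_cert)
    pinned = pins.get(endpoint)
    if pinned is None:
        pins[endpoint] = seen
        store.write_text(json.dumps(pins, indent=2))
        return "first-seen"
    return "match" if hmac.compare_digest(pinned, seen) else "CHANGED"


def demo() -> list:
    """Offline walk-through with constructed stand-in certificate bytes."""
    store = Path(tempfile.mkdtemp()) / "pins.json"
    original, swapped = b"constructed-cert-A", b"constructed-cert-B"
    return [check_pin(store, "fw.example:8443", c)
            for c in (original, original, swapped)]


if __name__ == "__main__":
    print(demo())
    # Live use: check_pin(Path("pins.json"), "host:port", fetch_der(host, port))
```

The first-seen result is only as trustworthy as the network the first connection was made from, so record the pin from a connection you control.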