Hi

First, sorry - this question does not have a specific answer - we're looking for ideas!

We have a number of machines that rarely connect to our network, but we would like to inventory them. These are mainly laptops of remote workers. They will occasionally use the VPN to change their passwords, but other than that they stay "out on the internet". I've seen a few posts about opening a K1000 to the internet, but I'm wondering if anyone has any comments on the risks of this (script kiddies, somehow getting bad data from users that aren't ours, etc.), as well as alternatives. We've also thought about using some kind of VPN "on connect" script to run kbscriptrunner.exe.

Any comments welcome!


Community Chosen Answer

2

We have 80 laptops that mainly stay off-campus or use the public wireless when on campus. We had to open only the two ports in the firewall, and so far the only problem was that some strange machines started showing up from a company back east. We contacted them and it was from some misconfiguration they did that pointed their clients to our IP. When their machines did check in they were at our mercy, not the other way around.

We feel it is worth it to open it up; now we see the laptops check in and they also get critical patches this way. This is handy, as only half of the laptop users are admins on their systems.

Answered 03/06/2013 by: SMal.tmcc
Red Belt


Answers

1

For the best possible security you will want to enable SSL and get yourself a publicly signed certificate. I had my K1000 outward facing for a few years without incident.

Remote management is always a bit difficult, especially when a Replication Share is not an option. The vpn script idea isn't bad for inventory purposes, just realize that you could potentially be pushing software and patching across the WAN.

Answered 03/06/2013 by: mpace
Red Belt

1

As the KBOX can be put in the DMZ or behind the firewall, we recommend behind, and just install agents with a public DNS name or IP address so that it connects through your firewall. This reduces your exposure; as mpace indicates, you want to enable SSL and then only have to open port 443 in your firewall for connections.

That has been the best option for most people, as if they get past your firewall, you probably have bigger issues to deal with other than them getting to your kbox.

Now if you already deployed agents to these machines that are outside the network, it may require removing and reinstalling them so they have the FQDN as their host name.

Answered 03/06/2013 by: nshah
Red Belt

1

Smal is right: any computer that does stray in would be at your mercy, not the other way around.

By using SSL you are no more exposed than running a public web server on Unix and PHP.

Answered 03/06/2013 by: jdornan
Red Belt

1

Thank you all very much for the replies.

Assuming we opened 443 through the firewall, would we still be able to push updates/packages to the machines? I understood that the AMP service port would also need to be opened (tcp/52230). It seems that 139/445 is only needed for provisioning; there is no way we'll be opening these. Smal, do I understand correctly that with tcp 80/443 and 52230 open you are able to push updates and get inventories from the clients? I'd imagine it needs the CIFS ports open to be able to push managed installations, or are you able to do this with just AMP/HTTP(S)?

Once open, I would imagine this would give access to the /admin section as well, which does not seem to have any rate limiting or brute force protection. Has anyone run this through a reverse proxy? This might be a way to only allow access to the "user" parts of the web UI.

We're still looking at the VPN route, but this is more of a culture problem. I'll post back if we find a good way to force regular "roadwarrior" VPN connections. Since these would connect over the same medium as HTTPS clients, we don't really have a bandwidth benefit either way.

Thanks again - your experiences have been very helpful!

Answered 03/07/2013 by: HGcn
Yellow Belt

  • We have 443 and 52230 open. We are able to get inventory, do updates, MI and scripting to these machines. I can create special custom software inventories and they work. The users can log into the portal and download/install approved software.
    • The other advantage of this is, if a laptop gets stolen and the fool turns it on and goes on a wireless network, it will check in with the IP it is at and also allow us to lock or destroy that OS and files.
  • Thanks Smal - being able to wipe the device is a pretty handy bonus feature! I'll update here with anything we find as we set up. I think we'll try a reverse proxy for at least the HTTPS stuff, as we can then lock out access to /admin from the internet side.
  • If you need a document that outlines the ports for any justification...
    http://www.kace.com/support/resources/kb/article/Which-network-ports-does-the-KACE-K1000-appliance-require-to-function
  • Rate limiting is provided by the underlying FreeBSD OS, so in a sense it does protect against brute force unless they choose a very slow method.
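The reverse proxy idea raised in this thread (expose only the "user" parts of the web UI and keep /admin off the internet side) can be sketched as an nginx configuration. This is an added example, not configuration from KACE or from any poster here; the hostname, certificate paths, internal K1000 address and network ranges are placeholders, and the /admin prefix is used exactly as the thread names it. Note that it only covers the HTTPS side: the AMP port (tcp/52230) is not HTTP and would still be a plain firewall forward to the appliance rather than something this proxy can filter by path.

```nginx
# Added example (not from the thread or from KACE): nginx in front of a K1000.
# The user portal and agent HTTPS traffic are proxied from anywhere; the admin
# console is only reachable from internal/VPN address ranges. All names,
# addresses and ranges below are placeholders to replace for a real deployment.
server {
    listen 443 ssl;
    server_name kbox.example.com;                               # placeholder public name

    # Publicly signed certificate, as mpace recommends above
    ssl_certificate     /etc/ssl/certs/kbox.example.com.crt;    # placeholder path
    ssl_certificate_key /etc/ssl/private/kbox.example.com.key;  # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;

    # Log denied attempts separately so repeated hits on /admin stand out
    access_log /var/log/nginx/kbox-access.log;

    # Admin console: internal LAN and VPN pool only, everyone else gets 403
    location /admin {
        allow 10.0.0.0/8;            # placeholder internal LAN range
        allow 192.168.100.0/24;      # placeholder VPN client pool
        deny  all;

        proxy_pass https://10.0.0.5;                             # placeholder internal K1000 address
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else (agent check-in over HTTPS, user portal): proxied from anywhere
    location / {
        proxy_pass https://10.0.0.5;                             # placeholder internal K1000 address
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Because the `deny all` sits inside the /admin location, a request from the internet for that path is answered with a 403 by nginx and never reaches the appliance, while agents and portal users still reach the K1000 on 443. The 403 entries in the access log are also a simple thing to watch for: a burst of them against /admin from a single external address is the brute-force attempt the question above worried about, surfaced where it can be alerted on.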