
Best Practices Question


KACE SMA in DMZ

09/11/2019 291 views

Is anyone running their appliance in a DMZ? It makes me paranoid, but I find it tedious to log in to the VPN from my phone, to access the mobile app to check on tickets, etc. 


Comments

  • If you're going to do this (I wouldn't), please enable 2FA on all administrator accounts. Attackers are increasingly targeting organizations using RMM tools like KACE to spread ransomware. By simply putting your box on the outside, all it takes is one weak/compromised password to give away the keys to your whole infrastructure.

All Answers

1

This is a usual setup. Just make sure the right ports are open or forwarded (for check-in and using the web UI, ports 80 and 443 are needed; if you put the SMA outside of your intranet you should invest in an SSL certificate and use 443 only).

Answered 09/12/2019 by: Nico_K
Red Belt

  • Does this not make you nervous in any way? Seeing as to how the appliance can communicate with every device on the network.
  • No, I have had this setup like that since 2013 (just the domain has been changed due to a move and a different contract, and yes, it is not really a DMZ setup, just a port forwarding to a host).
    I forward only ports 443 and 80 to the machine and all others are closed.
    The users on the device have 2FA. I see in the firewall logs that some nice people try to access it, but they are "IP blocked" for 90 min if they try from outside.
    Had an issue once with 5.5 where a security flaw was found and not reported to the vendor, which simply let me check when it happened, close the firewall, set up and restore (does not take long) and wait for a fix from KACE, and then all was good.
1

I had used Quest's KACE as a Service, where they host it for you, for 5 years. While not in the DMZ exactly, it's completely outside of the network, and you have to have a VPN tunnel to connect internally to do things like LDAP authentication. We did not have any problems with it, but we also have almost all the security options checked. 2FA was not one of them, but only one person had admin rights, and they were good about their password. That was me.

Answered 09/13/2019 by: ondrar
Black Belt