Firewalls and Remote Access, Part II

December 21, 2015

The first installment of this article appeared in the October issue of Radio.

The first remote access solution that I would like to discuss is the virtual private network. A VPN access solution is like none other; it creates a tunnel over the Internet through which all of your data travels. This tunnel is encrypted from end to end and is considered to be the most secure remote access method.

(Image: Cisco VPN Client)
After this tunnel is created and you are connected to it, the computer you are using remotely acts like it is directly connected to the remote network. Likewise, to the remote network, your computer appears to be just like the others on the local area network.

This kind of remote access solution is the best one, in my opinion. Ports do not need to be forwarded to any specific computer on the local network, because the firewall or router itself is handling all of the remote access requests. Certain ports do need to be open on the firewall for the VPN itself to work, of course.

FOR INSTANCE

Let me give an example of VPN usage.

Say I want to access the Web portal on my AoIP nodes to make some audio changes remotely. With some other remote access methods, I would need to have a computer set up on my engineering network that I can remotely jump into; from that computer I can access the Web portal and make my changes. If that computer is shut off or reboots, I cannot access my engineering network remotely. With a VPN solution, that’s not an issue. I do not need to “jump” into another computer to do what I need to do; I can do it right from the desktop of the computer I am on, because I appear to be on the local network.


(Image: VNC server properties)
VPN solutions require the use of specialized hardware and software. Most Cisco routers can be set up to allow VPN tunneling without additional licensing. Some of the less expensive solutions from Linksys or Netgear also have the ability to set up VPN tunnels. You might already have gear on hand that you can utilize for a VPN solution.

Once you have the VPN solution set up, you will need to configure your remote host computer to be a client of your VPN router. Windows 7 (and newer versions) have the ability to connect to certain VPN tunnels without the need to purchase or add additional software. Certain VPN solutions from Cisco, SonicWall and Watchguard require specialized software to access their VPN solutions.

The need for specialized software varies with each VPN implementation; check with the manufacturer of your equipment to find out if you require specialized software.

All of the other remote access solutions I will mention require a computer to be online at all times on your local engineering network. Some of these solutions require a port forward on the firewall; others do not. The remote access software you choose will determine the cost.

VNC

(Image: VNC Viewer)
VNC is a remote access solution that has been around since the late 1990s. There are various versions of VNC; some are free, some require a license. Of all the remote access solutions, this one is the least secure because it uses simple passwords and runs on Java. On the other hand, it is also the simplest one to set up and run.

VNC requires a port forward on the firewall if you wish to access it remotely; it runs on a local computer and allows you remote access of the keyboard, mouse and video.

VNC uses a combination of ports to allow access: Client viewing software uses port 5900, and port 5800 is used for remote access via a Web browser running Java. The features you get with VNC are dependent upon the version you use; a variant of VNC called uVNC has file transfer and other capabilities that regular VNC does not.

I do not recommend having VNC open to the Internet due to the insecure nature of its codebase; it runs on Java, which is inherently insecure. I use VNC regularly in conjunction with VPN tunnels; once I get on the network with a VPN connection, I then access all of my engineering computers via VNC.
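The two firewall points above (a VPN needs only its own ports open on the firewall, and VNC's ports 5900/5800 should not be forwarded from the Internet but reached through the tunnel) can be turned into a quick audit of a router's port-forward table. The following script is an added example, not code from the article or from any router vendor: the one-rule-per-line format, the LAN addresses and the source address are constructed for the illustration, and the VPN port list is the set of well-known IPsec/L2TP/PPTP/OpenVPN ports rather than anything the article names. It flags any forward that exposes a VNC port to the whole Internet (including a wide range that merely happens to cover 5800 or 5900), downgrades the finding when the forward is limited to a specific source, and, when a VPN port is already forwarded, points out that the VNC forward is redundant.

```python
"""Audit a router's port-forward table for remote-access exposure (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# VNC ports named in the article (TCP).
VNC_PORTS: Dict[int, str] = {5900: "VNC viewer (RFB)", 5800: "VNC web viewer (Java applet)"}

# Well-known VPN ports; which applies depends on the tunnel type the router and client use.
VPN_PORTS: Dict[Tuple[str, int], str] = {
    ("udp", 500): "IPsec IKE",
    ("udp", 4500): "IPsec NAT-T",
    ("udp", 1701): "L2TP",
    ("tcp", 1723): "PPTP",
    ("udp", 1194): "OpenVPN (default port)",
}

# Constructed sample table; the line format is invented for this example.
SAMPLE_FORWARDS = """\
# proto  wan-port(s)  lan-host:port      allowed-source
udp      500          192.168.1.1:500    any            # IPsec IKE for the VPN
udp      4500         192.168.1.1:4500   any            # IPsec NAT-T for the VPN
tcp      5900         192.168.1.50:5900  any            # VNC on the engineering PC
tcp      5000-6000    192.168.1.51:5000  203.0.113.7    # wide range, one source only
tcp      8080         192.168.1.60:80    any            # some other service
"""


@dataclass
class Forward:
    proto: str      # "tcp" or "udp"
    wan_lo: int     # first external port of the forwarded range
    wan_hi: int     # last external port of the forwarded range
    lan_host: str
    lan_port: int
    source: str     # "any" = reachable from the whole Internet, otherwise an IP/CIDR


def parse_forwards(text: str) -> List[Forward]:
    """Parse lines of the form '<proto> <port|lo-hi> <lan_host>:<lan_port> <source>'.

    Blank lines and '#' comments are ignored. Adapt this to your router's export format.
    """
    rules: List[Forward] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        proto, wan, lan, source = line.split()
        lo, _, hi = wan.partition("-")
        host, _, lport = lan.rpartition(":")
        rules.append(Forward(proto.lower(), int(lo), int(hi or lo), host, int(lport), source))
    return rules


def _covers(rule: Forward, port: int) -> bool:
    return rule.wan_lo <= port <= rule.wan_hi


def audit(rules: List[Forward]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings, most severe first."""
    findings: List[Tuple[str, str]] = []
    vpn_present = any(r.proto == proto and _covers(r, port)
                      for r in rules for (proto, port) in VPN_PORTS)
    for r in rules:
        span = f"{r.wan_lo}" + (f"-{r.wan_hi}" if r.wan_hi != r.wan_lo else "")
        where = f"{r.proto}/{span} -> {r.lan_host}:{r.lan_port}"
        vnc_hits = [p for p in VNC_PORTS if r.proto == "tcp" and _covers(r, p)]
        vpn_hits = [port for (proto, port) in VPN_PORTS if proto == r.proto and _covers(r, port)]
        if vnc_hits:
            names = ", ".join(VNC_PORTS[p] for p in vnc_hits)
            if r.source == "any":
                msg = f"{where} exposes {names} to the whole Internet"
                if vpn_present:
                    msg += "; a VPN port is already forwarded, so drop this rule and use the tunnel"
                findings.append(("HIGH", msg))
            else:
                findings.append(("MEDIUM", f"{where} exposes {names}, limited to source {r.source}"))
        elif vpn_hits:
            findings.append(("OK", f"{where} is a VPN port ({VPN_PORTS[(r.proto, vpn_hits[0])]})"))
        else:
            findings.append(("INFO", f"{where} is neither a VPN nor a VNC port; confirm it is still needed"))
    order = {"HIGH": 0, "MEDIUM": 1, "INFO": 2, "OK": 3}
    findings.sort(key=lambda f: order[f[0]])
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_forwards(SAMPLE_FORWARDS)):
        print(f"[{severity}] {message}")
```

Run against the sample table, the script reports the plain 5900 forward as HIGH (with the hint that the VPN already provides a path in), the 5000-6000 range as MEDIUM because it is limited to one source address, the 8080 forward as INFO, and the two IPsec forwards as OK.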

TEAMVIEWER


(Image: TeamViewer)
Teamviewer is a cost-based remote access solution; there is a free version for non-commercial and home use.

It requires a computer to be online at all times, and it works by creating a connection back to the Teamviewer servers, which reside on the Internet. Once it makes that connection, it presents the user with an ID and password to use for remote access. The computer you wish to use to access your engineering computer remotely will also need to have a copy of Teamviewer installed.

All Teamviewer does is create a portal so that you can access the remote PC as though you are sitting in front of it. Teamviewer does not require ports to be opened on the firewall, thus it is considered more secure than VNC. Teamviewer also changes the default passcode each time it is restarted. This code is needed to access the computer remotely. A static or set password can be entered that will not change, if so desired.

The end user is also allowed to set up an account with which they can associate all of their Teamviewer enabled computers. This works great as a simple monitoring tool: I can tell at a glance if my remote computers are online. If they are not, then I can take steps to determine why.

The insecure side of Teamviewer stems from the fact that it needs to make an outgoing connection to a third-party server to work. For security professionals this creates a question: How secure is the third-party server? If someone were to crack this third-party server, could they access your computers with impunity? This is a valid question — but as long as your static or set passwords are complex it really does not present any more of a security risk than a VPN tunnel.

Teamviewer has a steep cost associated with it. There are three tiers of licensing, and the lowest one costs around $749. This license needs to be updated as newer versions of Teamviewer come out; as of this writing the upgrade cost to the latest version of Teamviewer from the $749 license is $199.99.

If Teamviewer is used in an unlicensed mode, it will limit connectivity time to your remote computer to five minutes and display a warning about commercial use without a license.

GOTOMYPC

(Image: GoToMyPC)
GoToMyPC is another remote access solution that functions similarly to Teamviewer. It is also a cost-based solution for businesses and has no free version for non-commercial or home use. However, it is free to try for 30 days; thereafter you must buy a license.

In order to use this solution you must register with a website and install software on the remote PC and the controlling PC. Much like Teamviewer, it does not require ports to be open on the firewall; but unlike Teamviewer, you can access your remote access PC via a Web browser. It requires a PC to be on at all times for remote access.

GoToMyPC has the same security concerns as Teamviewer: It creates a connection back to the primary GoToMyPC servers and bypasses all of the firewall security measures.

The remote access methods I have mentioned here are some of the most common ones; there are many more on the Internet that offer different features and cost advantages.

There is no reason in today’s technologically advanced society that we should cling to the idea that every problem that we face needs to be dealt with in person. We have tools to allow us to work efficiently and to minimize our downtime, and you should take advantage of them.

I would be completely lost without the ability to access my engineering network remotely. I, like most of you, have been at dinner and had the phone ring. It is so convenient and wonderful to be able to fix an issue with my phone in five minutes and get back to dinner rather than having to jump up and drive into the station, and I know that my GM is happy about how quickly issues get resolved.

Remote access to your engineering network, however you may accomplish it, is a necessity in today’s work environment.
