XG SSL VPN extra security

I wonder how I could bring more security into my network. I have a Fritz DSL Box with a port open for SSL VPN and behind it an XG box, latest version.

In my network I have several PCs which all have an open RDP running, so I can access them through VPN.

The first thing I did is to only route to an empty Win 10 PC which I then use to open other PCs with RDP.

But this still seems somehow unsafe to me. Also I have one zone with cameras which are accessible through their ports from outside.

I actually only need to view them from my mobile phone.

So is there a way to install another auth level so the XG is only exposing the above mentioned if there is a client authentication before the VPN level or after?



  • Hello,

    Closing all ports besides the SSL VPN is "enough" for external authentication; the firewall will use both the username + password & certificate for authentication, well... It's *pretty* hard for someone to get access to it. You also can (should) use 2FA for higher security.

    For the RDP issue there are two ways to fix it: you can either create an RDP gateway or use the built-in "Bookmarks" feature of the firewall.

    Also, are the cameras accessed through an application? Or through the Web Browser?

    Thanks!

  • First of all, thanks!

    Ok, then I'll check out 2FA.

    But I did not understand the Bookmark feature. Maybe I did not explain well. It gives me headaches that all my PCs are exposed, so as soon as someone broke into the VPN they could access the RDP PCs. So I thought it would be nice to have another wall in between.

    The cams are accessible through HTTP, they don't even have TLS/SSL :/

  • You can use the WAF as a reverse proxy to protect your cameras (it will need a bit of tweaking). You can check this KB for more information. If you already have a DDNS setup, you will be able to use Let's Encrypt to generate a TLS certificate.

    In general, you're better off setting up a WAF that's only accessible locally and through the SSL VPN.

    For the Bookmark feature: the firewall will be the one establishing the RDP connection; you will be using it through the User Portal. There's a tutorial on how to set it up in this KB. It's also recommended to use this behind the SSL VPN.

    Also, just to know what you're trying to achieve so we can think of a better way to secure it: what's your threat risk? I've checked your post history and you are a home user. (I can be wrong.)

    Are you trying to protect yourself from automated attacks? Phishing? Someone randomly clicking on malware and infecting a local computer? Your wife? Someone who dislikes you?

    You need to understand first what or who can attack you, then you will be able to protect yourself.

    * I'm saying this so you don't become paranoid about security.
