SSH Server daemon

Discussion in 'Windows Server System' started by 24jedi, 2005/12/13.

  1. 2005/12/13
    24jedi Lifetime Subscription

    24jedi Well-Known Member Thread Starter

    disclaimer: I am not affiliated in any way with the vendor for the link below. I am simply providing a potential resource for a service I was looking for.

    http://www.bitvise.com/index.html

    preface: I was looking for an ssh daemon to run on a windows 2003 server for remote access. The server will be located in a co-lo and I did not want to establish a full-time VPN tunnel from our office to the co-lo for obvious "potential" security reasons.

    There is a cost for the server daemon, but compared to other vendors, it's peanuts.

    Using this daemon with a custom IPSEC firewall policy allows you to select which IPs can use this service.

    http://homepages.wmich.edu/~mchugha/w2kfirewall.htm

    The documentation at bitvise explains how to tunnel the ms native terminal services "remote desktop" connection inside an ssh tunnel. I confirmed this using ethereal.

    further... bitvise has an ssh client that is free, which works exceptionally well.

    note to bbs admin...if this violates the posting rules, feel free to remove. My intent was to pass along a resource I came across after many months of searching for a cost effective solution.

    ~ Don
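
The check described in the post above (confirming from a packet capture that Remote Desktop travels only inside the SSH session, and that only permitted source IPs reach the daemon), as an added example that is not part of the original thread. The addresses, the allowlist and the flow records are constructed; ports 22 (SSH) and 3389 (Remote Desktop) are the protocol defaults and are assumed here.

```python
import ipaddress

# Constructed sample data (not from the original thread).
SERVER = "203.0.113.10"                 # assumed co-lo server address
ALLOWED_SOURCES = ["198.51.100.0/28"]   # assumed range permitted by the IP filter policy

# Flow records as they might be exported from a capture:
# (source IP, destination IP, destination TCP port)
FLOWS = [
    ("198.51.100.5", SERVER, 22),    # SSH session carrying the tunnelled RDP
    ("198.51.100.5", SERVER, 3389),  # RDP sent directly, tunnel not in use
    ("192.0.2.77", SERVER, 22),      # SSH from a source outside the allowlist
    ("198.51.100.6", SERVER, 22),    # second permitted admin workstation
]


def audit_flows(flows, server, allowed_sources, ssh_port=22, rdp_port=3389):
    """Return (source, port, reason) for every flow that breaks the intended setup."""
    nets = [ipaddress.ip_network(n) for n in allowed_sources]
    findings = []
    for src, dst, dport in flows:
        if dst != server:
            continue  # only traffic towards the co-lo server is of interest
        src_ok = any(ipaddress.ip_address(src) in net for net in nets)
        if dport == rdp_port:
            # If the tunnel is in use, RDP is never visible as its own flow.
            findings.append((src, dport, "RDP visible on the wire, not inside SSH"))
        elif dport == ssh_port and not src_ok:
            findings.append((src, dport, "SSH from source outside the allowlist"))
        elif dport != ssh_port:
            findings.append((src, dport, "unexpected service reachable"))
    return findings


if __name__ == "__main__":
    for src, port, reason in audit_flows(FLOWS, SERVER, ALLOWED_SOURCES):
        print(f"{src} -> {SERVER}:{port}  {reason}")
```
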
     
  2. 2005/12/13
    ReggieB

    ReggieB Inactive Alumni

    An interesting tool and another application that may well be added to the network admin's toolbox.

    However:
    I don't really see how your solution is inherently better than a full time VPN tunnel. Especially as in everything but name, that is exactly what you've set up.

    You have an encrypted tunnel that you are passing data back and forward across - that's a VPN!

    A decent IPSEC VPN solution will allow you to set firewall rules to control access to and from the tunnel giving you just what you've achieved with the ssh daemon.

    You have a solution that works for you. Splendid. But just because it is different to most people's VPN set up doesn't make it inherently more secure or negate the requirement for you to check the security as thoroughly as you would any other VPN solution.
     
    Last edited: 2005/12/13

  4. 2005/12/13
    24jedi Lifetime Subscription

    24jedi Well-Known Member Thread Starter

    While I accept the possibility of being wrong, my understanding of connecting two separate subnets via a VPN makes both networks effectively appear as one. Since the co-lo is a production environment separate from our business LAN, I have no interest in allowing unnecessary LAN traffic (either actual or potential) to access the co-lo subnet. My attempt was to treat this much like having separate LAN and DMZ networks. This to me makes my approach "inherently" more secure, simply by the "least privileges" approach.

    Yes..I agree with ACLs, but why add the complexity??

    I respectfully take issue with this. I have re-read my original post and I don't see where I stated my approach was any better than someone else's approach. Rather, I stated "potential " security reasons. I don't advocate one approach is better than the other. I was simply offering another resource.

    Besides... "Most people's VPN set up" are commonly used for remote office access to file and application sharing, in which the main LAN needs to be visible to the remote LAN. My particular needs, which I didn't initially explain, are for the ability to remotely administer a server farm.

    This thread has all the makings of a holy war :D , I do however respect your opinion.

    ~ Don
     
  5. 2005/12/13
    ReggieB

    ReggieB Inactive Alumni

    A war - whatever next.

    A VPN does not need to be network to network. It can also be peer to network, or peer to peer. A VPN is simply an encrypted tunnel. With peer to peer the virtual private network comprises only the two peers, but it is still a network and still a VPN.

    I still contend that your statement:
    implies that your solution is more secure than a VPN.

    However,
    is right on the money; so whether the original statement can be read to imply preference, I wholeheartedly agree with your later sentiment, and appreciate you bringing a new resource to my attention.
     
    Last edited: 2005/12/13
