Using Vault over the Internet

If you are having a problem using Vault, post a message here.

Moderator: SourceGear

Hans Olav Nymand
Posts: 55
Joined: Wed Sep 29, 2004 8:09 am
Location: Denmark, Copenhagen

Using Vault over the Internet

Post by Hans Olav Nymand » Thu Oct 16, 2008 5:11 am

Hi,

We are setting up a Vault server which should be accessible for a few named users via the Internet. Basically we just set it up the usual way, only the webserver itself is not on the LAN but open to the Internet. It is accessed by named users each with an individual password, and basically this works fine.

Our concern is what we can do to make the webserver itself more secure. I realize this is not the normal use of Vault, and we only do it because some users need access without being able to VPN in to our LAN. Normally on the LAN the webserver is just set up with anonymous access and all validation of users is handled by Vault.

And as said this works fine, only we are concerned that a Microsoft web-server set up with anonymous access might not be sufficiently safe in itself. So here comes the question. What is supported by Vault - if anything else but anonymous access is at all supported. Just setting the web-server to require a login of course does not work, because the Vault client can't support that login, so we are wondering:
- Does a purely web-based client exist? That would allow us to set up any type of security...
- Can we make a setup where the Vault login is integrated with the underlying MS security system (the Windows login and Vault login then being the same)?
- Can we do anything else?


Regards,
Hans Olav

jeremy_sg
Posts: 1821
Joined: Thu Dec 18, 2003 11:39 am
Location: Sourcegear

Re: Using Vault over the Internet

Post by jeremy_sg » Thu Oct 16, 2008 8:33 am

Hans,

I've got quite a few questions, so that I can understand more of what you're dealing with.

1. Why no VPN? OpenVPN is a very nice free VPN that we use here.
2. Could you limit access by ip addresses?
3. What version of IIS are you using?

Hans Olav Nymand
Posts: 55
Joined: Wed Sep 29, 2004 8:09 am
Location: Denmark, Copenhagen

Re: Using Vault over the Internet

Post by Hans Olav Nymand » Fri Oct 17, 2008 1:20 am

> 1. Why no VPN? OpenVPN is a very nice free VPN that we use here.
> 2. Could you limit access by ip addresses?

I think (1) and (2) boil down to the same answer. It's about access from machines at customers' locations, and while we probably could do both (1) and (2) we would much prefer not to do anything which requires us to either install something on these machines (except of course the Vault client) and/or have to know things such as an IP address. Customers' machines are behind firewalls, have anti-virus, security policies etc. and it will be a big workload for us to make it work.

Of course - if there is no other alternative we will reconsider both (1) and (2).

> 3. What version of IIS are you using?

The one that ships with Windows Server 2003 - 6.1 I think it is; definitely 6.x.


/Hans Olav

jeremy_sg
Posts: 1821
Joined: Thu Dec 18, 2003 11:39 am
Location: Sourcegear

Re: Using Vault over the Internet

Post by jeremy_sg » Fri Oct 17, 2008 8:44 am

First off, I'll state that any recommendations I can make may seem hacky, since your business needs have eliminated using a VPN.

The best recommendation that we could come up with is to install an SSH server on your external server and use SSH port forwarding to only expose the IIS port to a user who has logged in successfully to the SSH server. You could then have your developers carry around the SSH client and configuration on a USB thumb drive. We like PuTTY as a no-install SSH client.
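One way to set up the SSH gateway suggested in the last reply, as an added example that is not part of the original thread or SourceGear's own configuration. It assumes an OpenSSH server (`sshd`) on the external machine with IIS listening on port 80 of the same machine; the group name `vaulttunnel`, the host name and the local port 8080 are placeholders.

```conf
# sshd_config fragment (added example, constructed for illustration).
#
# Prerequisite outside sshd: the firewall admits only the SSH port from
# the Internet. IIS keeps anonymous access, as the Vault client needs,
# but is reachable only through an authenticated tunnel.

# Global defaults: no forwarding unless a Match block below allows it.
AllowTcpForwarding no
X11Forwarding no
GatewayPorts no

# Key-based login only. The private key travels with the client on the
# thumb drive, so protect it with a passphrase.
PubkeyAuthentication yes
PasswordAuthentication no

# Only members of this (hypothetical) group may log in over SSH.
# Note: this also shuts out administrators unless their group is listed.
AllowGroups vaulttunnel

Match Group vaulttunnel
    # Local (-L) forwards only, and only to the IIS port on this machine.
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:80
    # Tunnel only: no terminal, no agent forwarding, no usable shell.
    PermitTTY no
    AllowAgentForwarding no
    ForceCommand echo "This account is for the Vault tunnel only"

# Client side (OpenSSH syntax; placeholders as above):
#   ssh -N -L 8080:127.0.0.1:80 dev@vault.example.com
# PuTTY equivalent: Connection > SSH > Tunnels, source port 8080,
# destination 127.0.0.1:80, plus "Don't start a shell or command at all"
# under Connection > SSH. The Vault client then connects to localhost on
# port 8080 instead of the server's public address.
```

With `PermitOpen` in place, a stolen or misused tunnel account can reach the IIS port and nothing else on the server or the LAN behind it.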
