Need to start exposing services to the internet
So I'm at the point where I'd like to start exposing some services externally. For instance I have a Windows 10 VM running Milestone for my security cameras, and a static IP from my ISP. I want to see the live view from the Milestone Mobile app, so I've port forwarded the two ports Milestone Mobile uses. I also run the UniFi controller docker, and have a couple of external sites I manage, so I've simply port forwarded the couple of ports I needed for that. Should I be handling these situations differently, or is this the best practice from a security standpoint?


As long as you only forward ports where the answering service is auditable and trusted, you should be as secure as can be expected.

Every exposed application must be monitored, treated as possibly hostile, and you need to keep up with the software authors' recommendations for security.

Ideally, the machine hosting the exposed apps should be in a different network segment than your everyday internal stuff, but that's not always doable.

1 hour ago, Smackover said:

Ok, that's basically where I am. I'm up on my firewalling and VLANing, but I do see a lot of folks using Letsencrypt and a reverse proxy and I'm not up to speed on those. Would that do anything for me?

Sort of, for the services where you can use a reverse proxy. Instead of opening up a bunch of ports, one for each app, you only open one port and can keep security audits focused on that port and the LE-enabled NGINX server. However, for uncommon apps like your security cameras, it may not be possible to pass that through NGINX. You will have to research that with the author / company.

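To make the reverse-proxy suggestion concrete, here is an added example (written for this page, not posted by anyone in the thread and not taken from the UniFi or NGINX projects) of an NGINX site that terminates TLS with a Let's Encrypt certificate on the single exposed port 443 and proxies to a UniFi controller on the LAN. The hostname unifi.example.com, the internal controller address 192.168.10.5:8443, the certbot paths under /etc/letsencrypt, and the allowed source range 203.0.113.0/24 are all assumptions; substitute your own.

```nginx
# Added example, not from the thread. One public port (443) fronts the UniFi
# controller; the controller's own ports (8443 web UI, 8080 device inform)
# stay unreachable from the internet.
# Assumed: unifi.example.com, controller at 192.168.10.5:8443, certbot paths.

server {
    listen 80;
    server_name unifi.example.com;

    # Port 80 is needed only for the ACME HTTP-01 challenge (or use DNS-01
    # and drop this block). Everything else is bounced to HTTPS.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name unifi.example.com;

    ssl_certificate     /etc/letsencrypt/live/unifi.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/unifi.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # The admin UI is the audit target; restrict who may even reach it.
    # Assumed source range; remove if you need access from anywhere.
    allow 203.0.113.0/24;
    deny  all;

    # Proxy logs are the single place to watch for this app.
    access_log /var/log/nginx/unifi.access.log;
    error_log  /var/log/nginx/unifi.error.log;

    location / {
        # Controller speaks HTTPS with a self-signed certificate on the LAN;
        # the public-facing TLS is handled above with the LE certificate.
        proxy_pass https://192.168.10.5:8443;
        proxy_ssl_verify off;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # The controller UI uses WebSockets for live updates; forward the upgrade.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Two caveats that follow from the reply above: the HTTP-01 challenge means port 80 is also open, so if "one port" is the goal, issue the certificate with DNS-01 instead and delete the port-80 server block; and this only covers the browser UI. UniFi's device-inform traffic (port 8080) and the Milestone Mobile ports are not plain HTTP behind a hostname, so they cannot simply be dropped into a `location` block and need the vendor's guidance, exactly as the reply says.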
On 7/5/2019 at 5:36 PM, Smackover said:

So I'm at the point where I'd like to start exposing some services externally. For instance I have a Windows 10 VM running Milestone for my security cameras, and a static IP from my ISP. I want to see the live view from the Milestone Mobile app, so I've port forwarded the two ports Milestone Mobile uses. I also run the UniFi controller docker, and have a couple of external sites I manage, so I've simply port forwarded the couple of ports I needed for that. Should I be handling these situations differently, or is this the best practice from a security standpoint?

Why not access the VM via VNC? More secure than port forwarding.

Edited by Fiservedpi