I have a question on security, please: I am trying to see whether a VPN would offer any more security than SSL alone over the public internet.
A 2012 R2 Hyper-V server in a data center is set up to use a certificate for SSL encryption (from a Windows 2012 R2 PKI that is up and running).
This server sits behind a firewall which NATs port 443 from the public IP to the private LAN.
At a number of offices, a number of 2012 R2 Hyper-V servers connect to the data-center Hyper-V server; each office Hyper-V server has a certificate installed.
If we lock down the firewall to accept requests only from the client offices' IPs, is there any security issue that we should be concerned about?
Can Hyper-V run behind a decrypting SSL proxy (such as a FortiGate or nginx reverse proxy that sits between the two Hyper-V servers) that decrypts, inspects, then re-encrypts traffic?
I can see the client is trying to talk to the replica target on tcp/135. The only issue I can see with blocking that is that during sync setup the replica cert cannot be retrieved - is tcp/135 used for anything else other than initial setup?