2

A client has a network that is restrictive. They want no incoming connections and they have no VPN. We're installing an admin tool that external admins need to access. One solution is that the admins access a cloud-based version of the admin tool and a cron job from their network occasionally grabs the data and updates the internal admin tool. This is a huge hassle. Now we've got to deal with data contention issues, delays, etc. I'd rather not do that.

Here's my question: If I propose a reverse tunnel from the admin tool server to a cloud-based SOCKS proxy that their external admin users can log into, is this something that an IT team might consider as being a secure alternative?

overgroove
  • Go and sit down with your customer and negotiate with their security department and NOC. In general, valid business requirements ought to be accommodated, unless they really can't, but rather than asking us about what might be achieved technology-wise, instead ask what the other stakeholders at your client's find acceptable and can offer before theorising about circumventions ... – HBruijn May 01 '17 at 18:33
  • There have been discussions with IT prior to my arrival at the company. What I've outlined is all I know. I'm not sure how much of a negotiation was had. I'm planning to talk to their IT department soon. I just want to make sure that if I say, "Hi guys, we need access," and they say, "I'm sorry, but we already told you guys strictly no incoming connections," that I have a few smart alternatives. Or at least alternatives that they wouldn't say, "Nobody, in the history since the advent of the word 'network', would ever think that was a reasonable idea." – overgroove May 01 '17 at 18:57

1 Answer

0

It is not a crazy idea and it is definitely more secure than an incoming connection, so it is not a bad suggestion / compromise that they may accept. That said, reverse proxies do not protect you against poorly written applications; exploits like SQL injection will pass right through the reverse proxy unless you also implement filtering and inspection on requests at the proxy's end, so there is still some degree of risk...

One of the companies I work for had a similar problem providing mobile access for remote users to a proprietary software when installed on-premise (not everyone likes cloud). The solution was to use Azure's Hybrid Connection; it's basically a reverse proxy, but somehow being a Microsoft Azure based solution seems to improve the acceptance among their customers and has been well received.

MrLumute
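If the reverse tunnel discussed above were built on OpenSSH (an assumption, the thread names no tool), the client's IT team could check that the relay account is pinned to a single loopback listener. This is an added example, not part of the original posts; the account `tunnel`, port 8443 and host `relay.example.com` are hypothetical.

```shell
# Added example. Admin tool server side (outbound only, explicit loopback listen):
#   ssh -N -R 127.0.0.1:8443:127.0.0.1:443 tunnel@relay.example.com

# Print the first value of directive $3 inside "Match User $2" in file $1.
match_value() {
    awk -v user="$2" -v key="$3" '
        tolower($1) == "match" { inblk = (tolower($2) == "user" && $3 == user); next }
        inblk && tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print tolower($0); exit }
    ' "$1"
}

# Return 0 only if the Match block pins the account to one loopback reverse
# forward. Global defaults outside the block are not considered.
audit_tunnel_account() {
    conf=$1; user=$2; listen=$3; rc=0
    for want in "AllowTcpForwarding remote" "PermitListen $listen" \
                "GatewayPorts no" "PermitTTY no" "X11Forwarding no" \
                "AllowAgentForwarding no" "PasswordAuthentication no"; do
        key=${want%% *}; val=${want#* }
        got=$(match_value "$conf" "$user" "$key")
        if [ "$got" != "$val" ]; then
            echo "FAIL $key: want '$val', got '${got:-unset}'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs: a permissive block and a restricted one.
write_weak_conf() {
    cat > "$1" <<'EOF'
Match User tunnel
    AllowTcpForwarding yes
    GatewayPorts yes
EOF
}
write_hardened_conf() {
    cat > "$1" <<'EOF'
Match User tunnel
    AllowTcpForwarding remote
    PermitListen 127.0.0.1:8443
    GatewayPorts no
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PasswordAuthentication no
EOF
}
```

On a live relay, `sshd -T -C user=tunnel` prints the effective settings for that account, global defaults included, and is the better input for a check like this.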