K1000 inventorying remote machines
Hi
First, sorry - this question does not have a specific answer - we're looking for ideas!
We have a number of machines that rarely connect to our network, but we would like to inventory. These are mainly laptops of remote workers. They will occasionally use the VPN to change their passwords, but other than that they stay "out on the internet". I've seen a few posts about opening a K1000 to the internet, but wondering if anyone has any comments on the risks of this (script kiddies, somehow getting bad data from users that aren't ours etc), as well as alternatives. We've also thought about using some kind of vpn "onconnect" script to run kbscriptrunner.exe.
Any comments welcome!
Answers (5)
We have 80 laptops that mainly stay off-campus or use the public wireless when on campus. We had to open only the two ports in the firewall, and so far the only problem was that some strange machines started showing up from a company back east; we contacted them and it was from some misconfiguration they did that pointed their clients to our IP. When their machines did check in they were at our mercy, not the other way around.
We feel it is worth it to open it up; now we see the laptops check in and they also get critical patches this way. This is handy since only half of the laptop users are admins on their systems.
For the best possible security you will want to enable SSL and get yourself a publicly signed certificate. I had my K1000 outward facing for a few years without incident.
Remote management is always a bit difficult, especially when a Replication Share is not an option. The vpn script idea isn't bad for inventory purposes, just realize that you could potentially be pushing software and patching across the WAN.
As the KBOX can be put in the DMZ or behind the firewall, we recommend behind, and just install agents with a public dns or ip address so that it connects through your firewall. This reduces your exposure; as mpace indicates, you want to enable SSL and then only have to open port 443 in your firewall for connections.
That has been the best option for most people, as if they get past your firewall, you probably have bigger issues to deal with other than them getting to your kbox.
Now if you already deployed agents to these machines that are outside the network, it may require removing and reinstalling them so they have the FQDN as their host name.
Thank you all very much for the replies.
Assuming we opened 443 through the firewall, would we still be able to push updates/packages to the machines? I understood that the AMP service port would also need to be opened (tcp/52230). It seems that 139/445 is only needed for provisioning, there is no way we'll be opening these - Smal, do I understand correctly that with tcp 80/443 and 52230 open you are able to push updates and get inventories from the clients? I'd imagine it needs the cifs ports open to be able to push managed installations, or are you able to do this with just AMP/HTTP(S)?
Once open, I would imagine this would give access to the /admin section as well, which does not seem to have any rate limiting or brute force protection. Has anyone run this through a reverse proxy? This might be a way to only allow access to the "user" parts of the web ui.
We're still looking at the vpn route, but this is more of a culture problem. I'll post back if we find a good way to force regular "roadwarrior" vpn connections - since these would connect over the same medium as https clients, we don't really have a bandwidth benefit either way.
Thanks again - your experiences have been very helpful!
Comments:
- We have 443 and 52230 open. We are able to get inventory, do updates, MI and scripting to these machines. I can create special custom software inventories and they work. The users can log into the portal and download/install approved software. - SMal.tmcc 11 years ago
- The other advantage of this is, if a laptop gets stolen and the fool turns it on and goes on a wireless network, it will check in with the ip it is at and also allow us to lock or destroy that OS and files. - SMal.tmcc 11 years ago
- Thanks Smal - being able to wipe the device is a pretty handy bonus feature! I'll update here with anything we find as we set up. I think we'll try a reverse proxy for at least the https stuff, as we can then lock out access to /admin from the internet side. - HGcn 11 years ago
- If you need a document that outlines the ports for any justification... http://www.kace.com/support/resources/kb/article/Which-network-ports-does-the-KACE-K1000-appliance-require-to-function - nshah 11 years ago
- Rate limiting is provided by the underlying FreeBSD OS, so in a sense it does protect against brute force unless they choose a very slow method. - jdornan 11 years ago
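One way to build the reverse-proxy split discussed above (user portal and agent HTTPS check-ins reachable from the internet, /admin reachable only from the internal network) is an nginx configuration like the one below. This is an added example, not configuration from the thread or from KACE; the public hostname kbox.example.com, the upstream name kbox.internal.example, the internal range 10.0.0.0/8 and the certificate paths are assumptions, and it assumes the portal and agent HTTPS traffic can be proxied unchanged. It only listens on 443, matching the setup where 443 is the one HTTP(S) port opened; the AMP port (tcp/52230) mentioned in the thread is a separate non-HTTP connection that this proxy does not carry, so it still has to be handled at the firewall.

```nginx
# Added example (hypothetical names): nginx in front of a K1000.
# Internet clients may reach the user portal and agent endpoints;
# /admin is served only to the assumed internal range 10.0.0.0/8.

upstream kbox {
    # Assumed internal address of the appliance, reached over HTTPS.
    server kbox.internal.example:443;
}

server {
    listen 443 ssl;
    server_name kbox.example.com;            # assumed public hostname

    # Publicly signed certificate, as recommended in the thread (assumed paths).
    ssl_certificate     /etc/nginx/tls/kbox.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/kbox.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Admin console: internal network only. The regex also matches a bare
    # "/admin" while not matching unrelated paths that merely start with "admin".
    location ~ ^/admin(/|$) {
        allow 10.0.0.0/8;                    # assumed internal range (include the VPN pool)
        deny  all;                           # any other source gets 403

        # Separate log so denied attempts from outside are easy to review.
        access_log /var/log/nginx/kbox-admin.log;

        proxy_pass https://kbox;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else (user portal, agent check-in) is passed through unchanged.
    location / {
        proxy_pass https://kbox;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After deploying, check from an external address that https://kbox.example.com/admin/ returns 403 while the portal still loads, from the VPN that /admin is reachable, and that a remote agent still shows up in inventory after its next check-in; the dedicated access log is the place to watch for repeated denied /admin requests.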