
Safest way to host files for remote/off-site access?


Test

Apr 6, 2005, 2:59:31 PM
The commute to the office is taking its toll on me. So I would like to
access FMS files remotely.

I know I can open port 5008 for TCP/IP access to office FMS sitting
behind a firewall but I'm afraid that some will figure it all out and
get to our data.

Anybody know what the safest way to do this would be?

Is Apple Remote Desktop or Timbuktu a safer bet?

TIA

Lynn allen

Apr 6, 2005, 3:04:27 PM
Test <te...@123.com> wrote:

On Windows, GoToMyPC (gotomypc.com) works a treat. It's point to point
VPN, and very easy to set up.

On Mac, Timbuktu works quite well too.

Lynn Allen
--
Allen & Allen Semiotics www.semiotics.com
FSA Associate Filemaker Design & Consulting

42

Apr 6, 2005, 4:08:24 PM
In article <1gulitn.1c313ee10lbqjcN%ly...@NOT-semiotics.com>, lynn@NOT-semiotics.com says...

> Test <te...@123.com> wrote:
>
> > The commute to the office is taking its toll on me. So I would like to
> > access FMS files remotely.
> >
> > I know I can open port 5008 for TCP/IP access to office FMS sitting
> > behind a firewall but I'm afraid that some will figure it all out and
> > get to our data.
> >
> > Anybody know what the safest way to do this would be?
> >
> > Is Apple Remote Desktop or Timbuktu a safer bet?
> >
>
> On Windows, GoToMyPC (gotomypc.com) works a treat. It's point to point
> VPN, and very easy to set up.
>
> On Mac, Timbuktu works quite well too.
>
> Lynn Allen

Timbuktu works fine on Windows too; cross platform.

There is also Remote Desktop built into XP. (Mini-single user-terminal
server)

There is also VNC (cross platform), which is completely free.

I don't care for GoToMyPC; it's basically just paying for Remote Desktop,
which is silly unless you have no computer skills and want to pay
'someone else' to set it up and support it for you.

The issue with -all- of these is that they really don't solve the
problem the OP asked about.

He's afraid opening the port will make his FM files vulnerable if
someone 'out there' notices the port and guesses his FM login password.
(You DID password protect your files right?)

However, using timbuktu, remote desktop, gotomypc or VNC isn't any
safer, as in all cases someone can notice the port and guess his login
password to those...

Overall if you open up a port in your firewall to access your
lan/fmdata, there's an inherent risk somebody else will notice and guess
your passwords.

You can double layer it by using something like remote desktop -and-
password protecting FM... now there's two passwords to guess.

And you can use VPN software for encryption etc and add a 3rd layer...
and/or use firewalls that will only accept incoming connections from
your ip address at home etc (requires you have a static or at least
stable ip at home though)

Lynn allen

Apr 6, 2005, 10:01:37 PM
42 <nos...@nospam.com> wrote:

> I don't care for GoToMyPC; it's basically just paying for Remote Desktop,
> which is silly unless you have no computer skills and want to pay
> 'someone else' to set it up and support it for you.
>
> The issue with -all- of these is that they really don't solve the
> problem the OP asked about.
>
> He's afraid opening the port will make his FM files vulnerable if
> someone 'out there' notices the port and guesses his FM login password.
> (You DID password protect your files right?)
>
> However, using timbuktu, remote desktop, gotomypc or VNC isn't any
> safer, as in all cases someone can notice the port and guess his login
> password to those...

Um. There was no open port in the firewall with GoToMyPC. None. Not
needed. On the other hand, you do generally have to do the firewall
dance with Timbuktu, and if you need to access more than one computer on
a network it causes some additional setup work. GoToMyPc, because you
set it up on each guest with a specific name that's registered, doesn't
have this problem.

And yes, if you're not a Windows whiz, (spelled as I intended) GTMPC is
easier than Remote Desktop. I'm happy to pay for a simple, secure, EASY
connection to the remote computer I use it for. Anybody who can make
something in Windows work right the first time has my undying gratitude.

You must of course use a really secure password for any outside access.
Mine is more than 12 characters, with mixed alpha & numeric. No
guessing will work.

And the FM files as well should have a secure password. That's a given.

If you don't want to expose your files to the world, DON'T open port
5003 for WAN access. Use some form of VPN.

42

Apr 7, 2005, 2:53:33 PM
In article <1gum1dm.nw5s1z13107wnN%ly...@NOT-semiotics.com>, lynn@NOT-semiotics.com says...

> 42 <nos...@nospam.com> wrote:
>
> > I don't care for GoToMyPC; it's basically just paying for Remote Desktop,
> > which is silly unless you have no computer skills and want to pay
> > 'someone else' to set it up and support it for you.
> >
> > The issue with -all- of these is that they really don't solve the
> > problem the OP asked about.
> >
> > He's afraid opening the port will make his FM files vulnerable if
> > someone 'out there' notices the port and guesses his FM login password.
> > (You DID password protect your files right?)
> >
> > However, using timbuktu, remote desktop, gotomypc or VNC isn't any
> > safer, as in all cases someone can notice the port and guess his login
> > password to those...
>
> Um. There was no open port in the firewall with GoToMyPC. None. Not
> needed.

Quite right. My oversight. With GoToMyPC you -just- need to guess the
login information. I hardly see that as an advantage though. ;)

> On the other hand, you do generally have to do the firewall
> dance with Timbuktu, and if you need to access more than one computer on
> a network it causes some additional setup work. GoToMyPc, because you
> set it up on each guest with a specific name that's registered, doesn't
> have this problem.
>
> And yes, if you're not a Windows whiz, (spelled as I intended) GTMPC is
> easier than Remote Desktop.

Opening a port on the pervasive linksys/smc/dlink firewalls out there is
a 5 minute job that *any* pc-tech can do, for a small one time fee.

On more advanced enterprise firewalls from cisco et al, sure the
complexity goes up... but if you are running those you've got a
relationship with someone who can set it up for you too.

> I'm happy to pay for a simple, secure, EASY
> connection to the remote computer I use it for.

Paying $20/mo *indefinitely* to free yourself from a minor technical
detail seems insane to me. There are situations where gotomypc makes
sense, but easily half the people using it would be equally served by
remote desktop or vnc or timbuktu or pcanywhere at a fraction of the
price. Even dynamic ips are easily handled via dynamic dns hosts.

Would you rent a $60.00 inkjet printer for 20.00 bucks a month if I came
to your office and set it up for you? I wouldn't, nobody would!

The bottom line is that remote desktop is practically free and can
generally be set up by a qualified tech in under an hour's labour.

GoToMyPC's success in the soho market is predicated on the fact that
most people don't know how inexpensive and easy it really is. If they
knew it was built into their PCs and could be setup in under an hour
(often in under 10 minutes)...

But what consulting firm is going to chase the market for 'setting up
single user remote desktop for $60.00'? Meanwhile gotomypc has
television ads...

> Anybody who can make
> something in Windows work right the first time has my undying gratitude.

Remote desktop works like a champ. You've already paid for it and it's
already installed. You click a checkbox in windows to turn it on, and
open a port in the firewall. Buying, downloading, and installing
GoToMyPC is as likely as not more actual work.

Don't misunderstand me, I have nothing against GoToMyPC per se, it's a
great tool that can be used to traverse difficult firewall situations
particularly when the ability to have a port opened is simply
unavailable...(e.g. in some corporate environments, in some school
environments, etc) and then $20/mo for a working solution is good
value... but for the average soho... it's not.



> You must of course use a really secure password for any outside access.
> Mine is more than 12 characters, with mixed alpha & numeric. No
> guessing will work.

> And the FM files as well should have a secure password. That's a given.

On this we agree.



> If you don't want to expose your files to the world, DON'T open port
> 5003 for WAN access. Use some form of VPN.

If the concern is that somebody is going to guess the login credentials,
VPNs aren't any more secure, unless you have rules in place to limit
where incoming connections can come from (but that hampers your ability
to use it in hotels, via cellular networks, and generally undermines the
usefulness of its ability to support mobile users. Fixed remotes work,
but mobile users ... not so much.)

The primary value of VPNs in this scenario is that they prevent the
data from being seen in transit, because it's encrypted. And yes, they
also provide a password protected barrier to your LAN, but sharing a
password protected filemaker database via port 5003 is an equivalent
barrier. Layering a VPN on top of filemaker doubles the number of
barriers but doesn't really increase the inherent security of the
system.

Lynn allen

Apr 7, 2005, 3:02:31 PM
42 <nos...@nospam.com> wrote:

> The primary value of VPNs in this scenario is that they prevent the
> data from being seen in transit, because it's encrypted. And yes, they
> also provide a password protected barrier to your LAN, but sharing a
> password protected filemaker database via port 5003 is an equivalent
> barrier. Layering a VPN on top of filemaker doubles the number of
> barriers but doesn't really increase the inherent security of the
> system.

Sorry, this isn't entirely true. Because of certain facts about FM 6 and
earlier version password challenges, exposing your files even this far
is a much more significant risk than access through a VPN.

At least an intruder has to guess or penetrate the VPN access FIRST
before they get access to the FM files. The encryption is an additional
plus, but the primary barrier is the initial access.

Test

Apr 7, 2005, 4:29:37 PM

Thank you both for your fantastic feedback!

In short, sounds to me like I will be logging in via Timbuktu to access
an 'on-site' machine (Password 1), controlling that machine, and logging
in to FM (Password 2), while only accepting my static ip address
through the firewall.

Sounds pretty secure to me.

Thanks a million.

42

Apr 7, 2005, 5:58:32 PM
In article <1gund76.1ymyemn1w7yxfkN%ly...@NOT-semiotics.com>, lynn@NOT-semiotics.com says...

> 42 <nos...@nospam.com> wrote:
>
> > The primary value of VPNs in this scenario is that they prevent the
> > data from being seen in transit, because it's encrypted. And yes, they
> > also provide a password protected barrier to your LAN, but sharing a
> > password protected filemaker database via port 5003 is an equivalent
> > barrier. Layering a VPN on top of filemaker doubles the number of
> > barriers but doesn't really increase the inherent security of the
> > system.
>
> Sorry, this isn't entirely true. Because of certain facts about FM 6 and
> earlier version password challenges, exposing your files even this far
> is a much more significant risk than access through a VPN.

> At least an intruder has to guess or penetrate the VPN access FIRST
> before they get access to the FM files. The encryption is an additional
> plus, but the primary barrier is the initial access.

Absolutely. I agree that a VPN is generally more secure than direct
access. However, it's just as vulnerable to "somebody noticing it and
guessing the passwords" as direct access is.

If I led the OP to believe they were equivalent, that would be
incorrect. They are only equivalent with respect to that particular
threat.

That said, it's my view that the risk is VASTLY greater that you'll be
compromised by a spyware/keylogger while entering your user/password at
the gotomypc website, for example, than that 'black hat crackers' armed
with packet sniffers are looking for your plaintext passwords through
compromised ISP routers, ESPECIALLY if you use other people's computers.
(in schools, labs, friends homes, hotels, cafes, etc) many of which are
compromised or even intentionally monitored.

IME most packet sniffer attacks on low profile systems (the average
soho) are perpetrated by insiders (staff/employees & their children).

42

Apr 7, 2005, 6:23:35 PM
In article <070420051329377093%te...@123.com>, te...@123.com says...

Yes. That should prove quite secure, and will probably perform quite
admirably too if your database layouts aren't too graphics heavy.
