The Challenge of Gaining Remote Access through a Home Firewall
All SOHO and home networks should be protected by a firewall configured to block anything and everything trying to get to your computers. However, gaining remote access often pushes users in the direction of punching holes in a firewall. In other words, the firewall is configured to allow packets meeting certain criteria to pass from the Internet to the internal network. This is a bad idea; if you can get in, an attacker will find a way to leverage this controlled but open door.
(If you want to see if your firewall is open to one or more session types, run ShieldsUP!)
There are methods, however, to get remotely connected without allowing external devices to reach into your network to establish a session. Figure 1 is a graphic depiction of how this is done.
The SOHO desktop in our example establishes a secure connection over the Internet to a service provider’s server. This usually appears as an HTTPS address. This computer, the target of the remote user, remains connected even if no remote users are active.
When remote users need access (portrayed by the laptop in our example), they also establish a remote connection to the service provider’s server, select the desktop from a list, and supply the necessary login credentials. Once the connection is made, the laptop gains access by securely sending packets through the service provider’s server to the desktop’s connection. Note that service provider staff do not have access to the pass-through data.
Various solutions, both fee-based and free, are available.
Solutions for SOHO Remote Access – Remote Desktop
One of the most popular solutions is GoToMyPc. Owned by Citrix, it is an easy to use fee-based solution. The basic verson has few bells-and-whistles. Figure 2 shows a sample GoToMyPC home desktop setup window.
Note that Citrix doesn’t use Windows user credentials for access. It uses a unique, shareable access code.
Once connected, the remote user has full access to the desktop, just as if he or she was sitting in front of its keyboard.
The GoToMyPC solution begins at about $200 per year. At this level, there are few features other than remote control. Additional services are available for an additonal annual fee.
My favorite solution, one that I use for my business, is LogMeIn. LogMeIn provides a free solution which provides simple remote access, as described above. However, a Pro version exists that provides a host of features, beginning at about $250 per year. Also, LogMeIn provides Hamachi, a free VPN alternative.
Figure 3 depicts the host machine setup. You can select a free or fee-based connection. A fee-based connection requires an available license, something checked automatically during setup.
After the host setup, the remote user logs into the LogMeIn Web site. The available hosts are listed in the Home tab, as shown in Figure 4.
To connect, the remote user clicks on Remote Control, which brings up the remote access screen and menu, as shown in Figure 5. Note the full service menu on the left, including the ability to create scheduled events. The menu is easily hidden to provide a larger desktop viewing area.
Setting up either GoToMyPC or LogMeIn takes less than five minutes, with no technical knowledge required.
Although not shown here, no remote access discussion would be complete without at least mentioning RealVNC. The VNC remote product comes in free or fee-based versions. I didn’t include details here because I believe VNC requires more technical skills than LogMeIn or GoToMyPC products. Remote connections today should be easy and fast. So why fight with technical issues–at least that’s how I see it.
The Final Word
Establishing remote access should not require firewall or other perimeter configurations that weaken security. The basic principle is to establish connections from the inside out. Don’t let external systems initiate sessions with your network.