Question: VPN v Port forwarding? Security

Started by smilodon, February 07, 2012, 02:03:11 PM


smilodon

I've been asked to look into a problem for a friend's customer and am going to have to explain a couple of options. I know enough about the subject to confuse myself, so would be grateful for a little clarity from the big brains here on the forum if possible.

Quick overview. The customer has an office with a broadband connection and (probably) an internal network. They manage a remote site of residential apartments. The remote site has an access control system that allows access to the building and apartments through a control system using key fobs. The access control system has a main control panel on site that runs the access control system. While it can be connected to and administered by a PC, there is currently no location to store one securely on site. Each time someone loses a key or moves in or out of an apartment, the customer has to send someone to the site with a laptop running the access control software and sort out the key fobs. The customer would like to start doing this remotely and posting out the fobs to residents. The access control system has the feature to be connected to and administered over a network, including TCP/IP. The customer is having a broadband connection installed at the apartment block with a modem router etc., and I will be required to set it up so that a PC at their HQ with the access control software installed on it can remotely access the apartment block and manage the key fobs.

The issue I'm having is regarding the connection between the office and the apartment. I believe they will need a VPN setting up to do this properly and securely. However the customer is talking about setting up a simple port forwarding system so the two computers (the desk top in the office and the access control panel in the apartment block) can communicate.

Could anyone confirm that port forwarding, especially for access control to private apartments, is not a sensible option and that a VPN would be a far better solution? I'm also not sure about any additional costs though. Most modern ADSL/cable routers will have both VPN capabilities and Dynamic DNS built in? I'm not sure if the customer is going to have to pay any additional costs for VPN (software/additional hardware).

I'm not confident enough about VPNs to want to go and challenge their arguments directly yet. So any advice about what would be involved in setting a VPN up, and why port forwarding is not a good solution, would be greatly appreciated.

cheers.
smilodon
Whatever's gone wrong it's not my fault.

Penfold

Ooooooh funnily enough I've just written a 1,000 article on this for that well-known client of mine that you're familiar with....

When I access client machines I have previously just used Logmein or Teamviewer. Both of which zip through firewalls and routers and both of which seem to work very well with the minimum of set up. Perhaps that may be the way to go and save you scrabbling round for VPN access etc.

Out of interest, check what EAC (electronic Access Control) system they're using and let me know as it'd be interesting to know.

smilodon

They use a Paxton system.
 
I use Team Viewer quite a bit. However we don't need access to a PC at the apartment block. What we're actually connecting to is an Access Control Ethernet interface, which in turn is connected to a broadband modem/router at the apartment block. I'm assuming that router needs a built-in VPN server. We would then run the Paxton Access Control software on a dedicated PC in the main office and forward through a Dynamic DNS service to the router at the apartment block.... unless I've completely missed a trick here?

Tutonic

If they want it to be secure, then they'll need to set up a VPN connection between their office and the remote site.

You could probably get away with some simple port forwarding and just use VNC/Remote Desktop to connect into the remote PC but it wouldn't be secure at all.

Draytek routers come armed with a whole host of VPN options; I used to use them in my previous job to connect retail stores back to our company network (which was behind a Fortinet firewall) and it worked well. Plenty of guides on how to set this up are available; it really isn't very hard at all.
Hero of the Battle Of Chalkeia
"Don't worry, none of this blood is mine"



smilodon

Thanks for the info re Draytek. The problem is that there is no remote PC. The access control system in the apartment block will connect into a bespoke Ethernet interface, which in turn will connect into the apartment block's router, i.e.

Apartment Block                                                   Office
Door control 1 --- Door control 2 --- Ethernet Interface --- modem router ---- the Internet ---- modem router --- Intranet --- PC --- Access control software

Tutonic

As long as the two modem routers you're using can create a VPN tunnel between each other, I reckon it would work.
smilodon

Cool, as long as I've not missed some obvious flaw in the cunning plan. Cheers

Benny

This is about risk. VPN will create your secure channel. Port forwarding will be (probably) easier. If the CPE supports VPN, do that; if not, forward the ports.
Might be more interesting to change the default ports. Make sure that if you do port forward you don't forward the management port of the CPE; it's a ballache to reboot and reconfigure them.
===============
Master of maybe
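As an added illustration (not code from any poster in this thread), the checks Benny and Tutonic describe can be written down as a small audit over a router's port-forwarding table: a rule that forwards the CPE's own management port, a rule with no source restriction, and a rule that keeps the service on its default port each get flagged. The rule format, the management port set, the office address and the LAN port used for the access control interface are all constructed assumptions, not taken from Paxton or any router vendor.

```python
from dataclasses import dataclass
import ipaddress

# Ports on which a typical CPE/router offers its own admin interface
# (HTTP, HTTPS, SSH, Telnet). Assumed set, not taken from any vendor document.
CPE_MANAGEMENT_PORTS = {22, 23, 80, 443, 8080}


@dataclass
class ForwardRule:
    name: str
    wan_port: int        # port opened on the router's public address
    dest_ip: str         # LAN address the traffic is forwarded to
    dest_port: int       # port on that LAN host
    src_allowed: str     # CIDR of remote sources allowed to use the rule


def audit_rule(rule: ForwardRule, router_lan_ip: str, office_ip: str) -> list:
    """Return the findings for one rule; an empty list means nothing to flag."""
    findings = []
    if rule.dest_ip == router_lan_ip and rule.dest_port in CPE_MANAGEMENT_PORTS:
        findings.append("forwards the CPE management port: router admin exposed")
    allowed = ipaddress.ip_network(rule.src_allowed, strict=False)
    if allowed.num_addresses == 2 ** 32:          # 0.0.0.0/0: anyone may connect
        findings.append("no source restriction: reachable from the whole Internet")
    elif ipaddress.ip_address(office_ip) not in allowed:
        findings.append("source restriction does not include the office address")
    if rule.wan_port == rule.dest_port:
        findings.append("external port equals the service default port (obscurity only)")
    return findings


def audit_rules(rules, router_lan_ip, office_ip):
    """Audit every rule; returns {rule name: [findings]}."""
    return {r.name: audit_rule(r, router_lan_ip, office_ip) for r in rules}


# Constructed sample table: addresses and ports are illustrative, not the customer's.
SAMPLE_RULES = [
    ForwardRule("router-admin", 80, "192.168.1.1", 80, "0.0.0.0/0"),
    ForwardRule("eac-open", 9000, "192.168.1.50", 8443, "0.0.0.0/0"),
    ForwardRule("eac-office-only", 9000, "192.168.1.50", 8443, "203.0.113.10/32"),
]

if __name__ == "__main__":
    for name, found in audit_rules(SAMPLE_RULES, "192.168.1.1", "203.0.113.10").items():
        print(name, "->", found or ["ok"])
```

The last sample rule is the closest a bare port forward gets to the VPN option: only the office address can reach the interface, and the router's own admin port stays closed.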