Co-Location Server

[alex1002]

I have my Windows 2008 R2 in a colo. I want to figure out the best way to remote into it and also whats my best bet for protecting it, eg firewall.

 

[BThunderW]

Set up a hardware firewall (if you're on a budget a modified Watchguard X550e or x750e running pfSense) and then VPN to it via OpenVPN. From there you can simply use Remote Desktop to manage your server securely without having to expose RDP port to the internet.

 

[alex1002]

Just wondering why you like the watch guard so much. Have you had any success with pfsense and virtual on the same server?

 

[BThunderW]

yeah, I run pfSense both on hardware and virtualized. I like watchguard cause those boxes have proven to be 100% stable. If your server goes down for whatever reason, it'll take your virtualized pfsense down with it and you'll lose ability to manage it. With a hardware fw you can still manage your server via drac/ipmi/whatever even if the server fails.

 

[Mike]

We're talking a single server here. Just set up a VPN target on Windows and be done with it, as it can take care of itself pretty good anyway?
If your hardware firewall dies you wont have connectivity to your server either. Unless you get another uplink, on which you could run an entire second server.

 

[BThunderW]

What I was saying is that there's a greater chance that your server will fail than a hardware firewall (disk failure, windows update failure, bad driver, blue screen, etc). My colo is over 60 miles away and having a dedicated fw has saved me a few trips to the DC.

We're talking a single server here. Just set up a VPN target on Windows and be done with it, as it can take care of itself pretty good anyway?
If your hardware firewall dies you wont have connectivity to your server either. Unless you get another uplink, on which you could run an entire second server.

 

[Mike]

I understand, let me ventilate my point of few;

If it runs, it will probably keep doing so from a software stand point. However, like any system and especially a security appliance, your hardware firewall requires updating too right?
It's debatable to either open up your out of band management to the WAN, or just create another SPOF in front of your server.

The blue screen is too easy...

 

[Toddh]

I think whether you choose to update your hardware firewall is optional. We try and keep our clients up to date because the updates usually add stability or features. But it's generally not a security issue.