Remote access to FPMI

Kyle - provided that the setup is configured reasonably, you’re right. Practically speaking, you’re right. Neither is “weak” unless you’re up against an NSA penetration team. The mechanics of establishing an SSL/TLS session and a VPN connection (IPSEC/PPTP) aren’t all that much different. From a “best practices” perspective, here’s why I recommend VPNs (compared to a pre-boxed SSL implementation):

  1. stronger keys and algorithms (the paranoid can crank this up)
  2. certificates or pre-shared keys (stronger integrity).
  3. fewer potential vulnerability injects - consider just a Cisco ASA versus your external router doing the port forwarding AND the web server - patching is crucial here
  4. ease of configuration - a novice admin is more likely to get the VPN setup “right”
  5. Denial of Service attacks - better to protect yourself at the perimeter than at your server
  6. who you can blame/trust: first, it can be in IT (expert) hands instead of industrial control engineers’ (a good thing when discussing networks).
    6a. Are you going to get fired when your “Cisco VPN concentrator” gets hacked? No! What about your FactoryPMI box that you exposed to the ’net? It doesn’t carry that same reputation in non-technical terms.

We’re speaking in a highly theoretical context. FactoryPMI runs a tight, specialized version of Apache Tomcat that can be configured to require TLS for any communication, and isn’t listening to anything else.

More importantly, if you’re really paranoid, you can adopt a “defense in depth” strategy and implement one on top of the other.

[quote=“Kyle Chase”]I don’t understand the logic of not using HTTPS. You define one port to open to your clients. You can use port forwarding to change the external port. The client gets no internal network access like they could with a VPN.

If you want a good start on this, I use a sweet open-source router called Vyatta. It’s an easy to use firewall, and it also uses Snort for packet inspection and intrusion prevention. Let me know what you think.[/quote]
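The “require TLS for any communication, and isn’t listening to anything else” point above is the part a novice admin most often gets wrong in a Tomcat-based deployment, so here is what that configuration looks like on a stock Apache Tomcat. This is an added example, not configuration from the original post and not FactoryPMI’s or Inductive Automation’s own server.xml; it uses Tomcat 7-era attribute-style connector syntax (Tomcat 8.5+ prefers a nested SSLHostConfig element), and the ports, keystore path and password are placeholders you would replace.

```xml
<!-- conf/server.xml fragment (added example; paths, ports and the keystore
     password are placeholder assumptions, not values from any real install) -->
<Service name="Catalina">

  <!-- WEAK: a default Tomcat ships with a plaintext HTTP connector and an
       AJP connector. Port-forwarding 8080 from the Internet puts the logins
       and the whole application on the wire in cleartext, and 8009 (AJP)
       has no authentication of its own. Remove both rather than leaving
       them commented "for later". -->
  <!--
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000" redirectPort="8443" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  -->

  <!-- HARDENED: exactly one connector, TLS only. -->
  <Connector port="8443"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             address="0.0.0.0"
             maxThreads="150"
             sslEnabledProtocols="TLSv1.2"
             clientAuth="false"
             keystoreFile="conf/fpmi-keystore.jks"
             keystorePass="REPLACE-ME" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>

<!-- webapps/<app>/WEB-INF/web.xml fragment: belt-and-braces. Even if someone
     re-enables a cleartext connector later, every URL still demands TLS. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Two caveats a practitioner should check after applying this. First, the CONFIDENTIAL constraint only redirects a cleartext request to the redirectPort; the initial request (and any cookie the browser attached to it) has already crossed the wire, so deleting the 8080 and 8009 connectors is the real fix and the constraint is only a safety net. Second, after a restart confirm the box is listening on nothing but 8443 (for example `ss -ltnp` or `netstat -an` on the server, and `openssl s_client -connect host:8443` from outside), and forward only that one port at the router. That is the single-port exposure Kyle describes, and it stacks cleanly underneath a VPN if you want the defense-in-depth arrangement from the reply above.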