Letter to obtain agreement of client IT staff to provide remote access
Dear XXXXXX,
If you choose to install NEOSYS on your own server rather than use NEOSYS servers, these are the requirements that enable NEOSYS to support and manage the NEOSYS server remotely in a secure fashion. Our support agreement is conditional on having permanent access.
COST/BENEFIT ANALYSIS OF PROVIDING NEOSYS ACCESS VIA SSH (SECURE SHELL):
The reduction in security caused by opening an incoming port from the internet for support has to be assessed, weighed against the benefits, and put into the perspective of your overall security, as follows:
The NEOSYS support contract envisages that NEOSYS will provide much more than emergency support for problems. One of the points of the support contract is for NEOSYS to implement new features in NEOSYS on an ongoing basis. Having to apply to your staff for access every time would effectively prevent us from delivering this.
NEOSYS has to provide maintenance services out of office hours, when the database is not in use, and your staff will not be available at that time to grant access.
PERSPECTIVE ON YOUR OVERALL SECURITY:
There are many ways for information to be taken from your offices apart from NEOSYS's tightly controlled SSH port access.
The server-based version of NEOSYS will provide general security for your data in NEOSYS, since users will not have direct access to the NEOSYS database files on local and shared directories. Users will only have controlled access to NEOSYS via a web browser.
To heighten security around a server, it can be separated from the office LAN very easily by a low-cost, low-bandwidth firewall/router. This ensures that the NEOSYS server has no access to the office LAN, while continuing to allow access to the server from the office LAN and from the internet for NEOSYS remote support. This arrangement is known as a DMZ (demilitarised zone), since the server is neither in home territory (the LAN) nor in uncontrolled territory (the internet) but can be accessed from both.
CONCLUSION:
Overall, the NEOSYS server will be secure and locked down, since SSH access on a single non-standard port is not a significant risk compared to the risk of loss of information via other routes in your organisation. If you wish to set up your own SSH server, either on the NEOSYS server or in a router or firewall, to enable access by NEOSYS, we are happy to work on that basis as well.
DETAILED TECHNICAL REQUIREMENTS:
1) Forward TCP port 19580 on your public router's or firewall's external interface to the NEOSYS server, which may, for additional security, be in a DMZ rather than on your standard internal network. Access to port 19580 from the internet may be restricted by source IP, as NEOSYS support will only connect from certain known NEOSYS office IP addresses.
2) All access from the NEOSYS server to your LAN or DMZ is strictly prohibited by firewall/security policy, except that the NEOSYS server shall be granted access to an internal SMTP server on your LAN for the purpose of emailing warnings, notifications, and other status messages.
3) Access to the NEOSYS server from your DMZ/LAN users should be permitted over port 80 (HTTP) and optionally port 443 (HTTPS).
4) NEOSYS must be granted access to a local administrator account on the NEOSYS server to facilitate management of the server.
5) The following secure remote access software will be installed by NEOSYS on the NEOSYS server:
Cygwin environment with standard options, plus OpenSSH listening on port 19580 and run as a Windows service via cygrunsrv.
NEOSYS will require temporary access from the internet using TeamViewer or RDP in order to install the SSH secure remote access software.
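As an added illustration, not NEOSYS's own code or configuration, the following Python models the firewall policy in requirements 1 to 3 above (support SSH on TCP 19580 only from the NEOSYS support addresses, HTTP/HTTPS to the server only from the LAN/DMZ, and no traffic from the server except SMTP to one internal mail host) and checks a set of sample flows against it before rendering an equivalent nftables rule set. Every address, subnet and host name is a constructed placeholder drawn from the documentation ranges; the real NEOSYS office addresses, your LAN layout and your firewall product are assumptions to be replaced.

```python
"""Model of the letter's access policy, used to audit a rule set before deployment.

Constructed example: all addresses below are placeholders (RFC 5737 / RFC 1918),
not real NEOSYS or client values.
"""
from dataclasses import dataclass
import ipaddress

# --- assumed addressing (placeholders) ---------------------------------------
LAN = ipaddress.ip_network("192.168.1.0/24")          # office LAN
DMZ = ipaddress.ip_network("192.168.100.0/24")        # DMZ holding the server
NEOSYS_SERVER = ipaddress.ip_address("192.168.100.10")
INTERNAL_SMTP = ipaddress.ip_address("192.168.1.25")  # client's mail relay
SUPPORT_SOURCES = [ipaddress.ip_network("203.0.113.0/28")]  # stand-in for NEOSYS office IPs
SSH_PORT = 19580
WEB_PORTS = (80, 443)
SMTP_PORT = 25


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone(ip: str) -> str:
    """Classify an address as 'dmz', 'lan' or 'internet' (default)."""
    addr = ipaddress.ip_address(ip)
    if addr in DMZ:
        return "dmz"
    if addr in LAN:
        return "lan"
    return "internet"


def is_allowed(flow: Flow) -> bool:
    """Return True only for flows the letter's requirements permit; default deny."""
    if flow.proto != "tcp":
        return False  # the policy names only TCP services
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)

    # Requirement 1: internet -> server on the SSH port, support sources only.
    if zone(flow.src) == "internet" and dst == NEOSYS_SERVER and flow.dport == SSH_PORT:
        return any(src in net for net in SUPPORT_SOURCES)

    # Requirement 2: the server may originate nothing except SMTP to the internal relay.
    if src == NEOSYS_SERVER:
        return dst == INTERNAL_SMTP and flow.dport == SMTP_PORT

    # Requirement 3: LAN/DMZ users -> server over HTTP(S).
    if zone(flow.src) in ("lan", "dmz") and dst == NEOSYS_SERVER and flow.dport in WEB_PORTS:
        return True

    return False


# Sample flows with the verdict the letter implies (constructed test vectors).
EXPECTED = [
    (Flow("203.0.113.5", str(NEOSYS_SERVER), SSH_PORT), True),    # support SSH
    (Flow("198.51.100.7", str(NEOSYS_SERVER), SSH_PORT), False),  # SSH from elsewhere
    (Flow("203.0.113.5", str(NEOSYS_SERVER), 80), False),         # no web from internet
    (Flow("192.168.1.50", str(NEOSYS_SERVER), 443), True),        # LAN user HTTPS
    (Flow(str(NEOSYS_SERVER), "192.168.1.50", 445), False),       # server -> LAN blocked
    (Flow(str(NEOSYS_SERVER), str(INTERNAL_SMTP), SMTP_PORT), True),   # mail relay
    (Flow(str(NEOSYS_SERVER), "198.51.100.7", SMTP_PORT), False), # mail to internet
]


def audit() -> list:
    """Return the flows whose verdict differs from the expected one (empty = policy matches)."""
    return [f for f, expected in EXPECTED if is_allowed(f) != expected]


def render_nftables() -> str:
    """Render the same policy as an nftables forward chain (assumes an nftables perimeter box)."""
    support = ", ".join(str(n) for n in SUPPORT_SOURCES)
    web = ", ".join(str(p) for p in WEB_PORTS)
    return "\n".join([
        "table inet neosys_dmz {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    ip saddr {{ {support} }} ip daddr {NEOSYS_SERVER} tcp dport {SSH_PORT} accept",
        f"    ip saddr {LAN} ip daddr {NEOSYS_SERVER} tcp dport {{ {web} }} accept",
        f"    ip saddr {NEOSYS_SERVER} ip daddr {INTERNAL_SMTP} tcp dport {SMTP_PORT} accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    print("policy mismatches:", audit())
    print(render_nftables())
```

The model is the authority here: change an address or port in the constants, re-run `audit()` to confirm the sample verdicts still hold, and only then deploy the rendered rule set. A DNAT rule on the perimeter device (forwarding external port 19580 to the server) is still needed alongside the forward chain and is left out because it depends on the device's WAN interface.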
SUMMARY:
The NEOSYS server can only be accessed on port 19580 from the internet and on ports 80/443 (HTTP/HTTPS) from the LAN.
The NEOSYS server needs to send emails to users via SMTP. You need to provide an SMTP server or allow outgoing port 2500 to the internet so that email can be sent via a NEOSYS SMTP server.
Best Regards, XXXXX XXXXX