I have a small office network with about 10 workstations and a single physical domain controller. I want to move it to the cloud. For that, I deployed a Windows VM on Azure, which I'm going to promote as an additional DC. Then, I'll shut down the physical one.

Currently the physical server also serves as a VPN server, and the cloud VM is connected to the local office network via this VPN with L2TP and IPsec. When I shut down the physical server, it will also kill the VPN.

I thought about exposing the cloud VM itself to the office, instead of initiating a connection from it. On Azure, I have the ability to expose the VM to all traffic from a single IP address on the Internet. This way I can use the office's external static IP and the workstations will be able to communicate with the cloud DC.

My question is, what realistic security risks are involved in this process? Would it be easy to exploit, even when I expose it only to a single IP address? Should I avoid this strategy and keep the VPN approach?

eden881

3 Answers

2

TL;DR: Not secure.

Exposing your VM to a single IP in practice means that you are blocking connections from other IP addresses. This distinction is important, because IP addresses are not secured in any way and can be spoofed. Therefore this does not prevent the attacker from sending data to your VM with a spoofed IP.

It does help to a certain extent, as it is hard/tricky to intercept the responses from the VM (they are sent to the IP of the office, not the attacker). This hinders the attacker, as he has to hack the VM blind or somehow intercept the responses (MITM, for example). However, this does NOT prevent the VM from being hacked.

A VPN, on the other hand, of course uses proper authentication and is therefore much more secure.

Peter Harmann
  • Given that my VM's and office's external IP addresses are not publicly known to a potential attacker and I'm not directly targeted, is that likely to happen? I'm trying to figure out the balance between more security and less complexity... – eden881 Aug 11 '18 at 21:40
  • @eden881 unless you are targeted, it seems unlikely to me. – Peter Harmann Aug 12 '18 at 13:39
1

If you lock down the cloud VM so that it only accepts connections from your office, then it's as secure as your office. No one on the internet is realistically going to try blind attacks, and to make it more feasible they would at least need to be able to MitM or intercept the traffic to/from your office. Unless your threat model includes major ISPs and nation states, I would say you are absolutely fine with this approach.

Matt G
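A check a practitioner would run before relying on the lockdown described in this answer: the following added example (not code from the question or from any answer) evaluates a constructed Azure NSG rule set in Azure's own order and lists the domain-controller ports that an arbitrary Internet host, rather than only the office IP, can still reach. It assumes the rule property names that `az network nsg rule list` returns (`priority`, `access`, `sourceAddressPrefix`, `destinationPortRange`, singular form only); the IP addresses and rule names are constructed.

```python
# Added example (not from the question or answers): evaluate a constructed Azure
# NSG the way Azure does (lowest priority number first, first match wins).
import ipaddress
OFFICE_IP = "203.0.113.10"   # constructed office static IP (TEST-NET-3)
OTHER_IP = "198.51.100.7"    # constructed arbitrary Internet host
# TCP ports a DC listens on: Kerberos, RPC, LDAP, SMB, LDAPS, Global Catalog, RDP.
DC_PORTS = (88, 135, 389, 445, 636, 3268, 3389)

def rule(name, prio, access, src, ports, proto="*"):
    """Build a rule with the property names 'az network nsg rule list' returns."""
    return {"name": name, "priority": prio, "direction": "Inbound", "access": access,
            "protocol": proto, "sourceAddressPrefix": src, "destinationPortRange": ports}

# Constructed NSG: the intended single-IP rule, a broad RDP rule left over from
# provisioning, and Azure's default AllowVnetInBound / DenyAllInBound rules.
NSG_RULES = [
    rule("allow-office", 100, "Allow", OFFICE_IP, "*"),
    rule("default-allow-rdp", 300, "Allow", "*", "3389", "Tcp"),
    rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]

def _src_matches(prefix, src_ip):
    """'*', 'Internet', an IP or a CIDR match an Internet source; other tags don't."""
    if prefix in ("*", "Internet"):
        return True
    try:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:          # service tags such as VirtualNetwork
        return False

def _port_matches(port_range, port):
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)

def inbound_allowed(rules, src_ip, port, proto="Tcp"):
    """Name of the rule that allows this packet, or None if it is denied."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if (r["direction"] == "Inbound" and r["protocol"] in ("*", proto)
                and _src_matches(r["sourceAddressPrefix"], src_ip)
                and _port_matches(r["destinationPortRange"], port)):
            return r["name"] if r["access"] == "Allow" else None
    return None

def audit(rules, other_ip=OTHER_IP):
    """{port: rule_name} for DC ports any Internet host can reach; empty = locked down."""
    return {p: n for p in DC_PORTS if (n := inbound_allowed(rules, other_ip, p))}
if __name__ == "__main__":
    for port, name in audit(NSG_RULES).items():
        print(f"TCP {port} is open to the whole Internet via rule '{name}'")
```

An empty result only confirms that the allowlist is as narrow as intended; it says nothing about packets with a spoofed source address, which Peter Harmann's answer covers.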
0

Given that my VM's and office's external IP addresses are not publicly known to a potential attacker and I'm not directly targeted, is that likely to happen? I'm trying to figure out the balance between more security and less complexity

Unfortunately, this makes absolutely no difference, as an attacker is likely not targeting your company, but just running a scanner like nmap, which stumbles on your IP and then tries to attack using known vulnerabilities.

Joe M
  • Not really. If the attacker tries to use nmap on the IP of the VM, he will get all ports closed as his IP is blocked. If he tries it on the office, well then there is no difference between using the VPN and using this blocking method and importantly, he won't get the IP of the VM. So unless he knows this office IP and the VM IP go together, he can't really start attacking (unless it is MITM). – Peter Harmann Aug 12 '18 at 13:41