opnsense / tools

OPNsense release engineering toolkit
https://opnsense.org/
BSD 2-Clause "Simplified" License

guacamole #91

Closed mimugmail closed 6 years ago

mimugmail commented 6 years ago

Some months ago I tested guacamole as a central mgmt tool for SSH access. It could be used as a clientless HTML5 VPN but the dependencies are huge: java, tomcat, mysql.

Nonetheless .. we can use this as a start for a discussion to integrate it as a plugin?


Any opinions to this?

AdSchellevis commented 6 years ago

@mimugmail it looks like a nice product, but personally I'm not too enthusiastic putting things like this on a firewall, it adds a lot of attack surface to one of the most sensitive systems in your infrastructure.

Normally I would place a solution like this on it's own virtual environment, but integrating a virtual solution with it's own connectivity challenges in OPNsense is quite some work (and usually not really worth the effort).

ndejong commented 6 years ago

Had never heard of this, it's a remote-desktop gateway that provides a client interface via an HTML5 browser - for others that want to read up on it:-

Apparently it builds on FreeBSD

As of 0.9.2, Guacamole builds properly on FreeBSD and against the latest FreeRDP from git.

The documentation talks about a lot of dependencies as @mimugmail mentioned:-

Their previous 0.9.1.x revision is available in the FreeBSD ports tree

As a network edge device, does the Guacamole functionality belong on OPNsense? It does seem to fit into the definition of things some administrators might be willing to run at a network edge, but wow, it is a heavyweight set of components to be adding on the firewall itself.

Personally I'd feel uncomfortable running this directly on a firewall via publicly exposed port(s). I might consider it over an ssh-tunnel or VPN connection, but if an ssh-tunnel or VPN connection is an option then why not just run the RDP session directly from my client machine?

Perhaps you could describe scenarios where Guacamole provides access that is otherwise not possible? I appreciate this question might sound silly or that the answer is "obvious" but there is something about your words "tested guacamole as a central mgmt tool for SSH access" that makes me believe there is another (much easier, and more secure) approach to addressing your remote-ssh access requirements.

mimugmail commented 6 years ago

You could fix your internal routers in an emergency via your Android phone since it's only browser based. Juniper, Sophos and Cisco also offer this in their UTM products. And since it would be an optional plugin I don't see a huge risk for the mass of the normal users.

AdSchellevis commented 6 years ago

@mimugmail aren't they offering an HTML terminal to only their own box? We declined HTML5 consoles earlier; if I'm not mistaken there are other, more lightweight options that do this for access to the firewall itself only.

mimugmail commented 6 years ago

It's a Tomcat app working as an RDP/VNC/SSH client with predefined profiles. It's not intended for managing OPN itself.

ndejong commented 6 years ago

I feel like you might be wanting to create a setup where you can access an RDP enabled host using just username/password authentication from an external location and then keep your ssh keys on that RDP host so you can access whatever you have internally - is that right?

AdSchellevis commented 6 years ago

I know it's not for managing OPNsense, I'm just a bit surprised if Sophos and Cisco add this into their firewall products, that's all.

mimugmail commented 6 years ago

Cisco https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/webvpn-overview.html

Sophos https://community.sophos.com/kb/en-us/117470

SonicWall http://help.sonicwall.com/help/sw/eng/9600/26/2/3/content/SSL_VPN_Virtual_Office.095.6.htm

FortiGate https://cookbook.fortinet.com/ssl-vpn-using-web-and-tunnel-mode-54/

... I can count more if you like.

I know it's overblown .. and I don't need it for myself, but it would make the project more attractive to prospects.

AdSchellevis commented 6 years ago

Well, that's my main concern. I have no objections to offering web tunnels when properly integrated and secured (which is what other vendors indeed also offer), but guacamole just feels like too much in my humble opinion.

mimugmail commented 6 years ago

That's why I opened this issue :) Let's wait what @fichtner thinks about it, there's no hurry on my side.

AdSchellevis commented 6 years ago

sure, no rush

mimugmail commented 6 years ago

@fichtner your objective opinion in this? :)

fichtner commented 6 years ago

I need more time to eval the new build server speed and how to optimise the build process

To be frank, adding more software, especially larger dependency chains, will bring the build time up to half a day at least, which slows down response time for tests and releases, introduces more chances for breakage and also bloats major update set downloads, but that's just the cautious side talking....

mimugmail commented 6 years ago

Ok, I think this pkg is not that important to risk all these downsides it brings into the build process. But perhaps it brought the awareness that modern (but also only commercial) NGFWs offer an HTML5 VPN :)

fichtner commented 6 years ago

Let's revisit when we have a large deployment use case at hand?

mimugmail commented 6 years ago

Sure, there are many different VPNs available to reach the network behind .. but clientless is clientless :)

Freighter commented 5 years ago

Hi all, I just found this discussion. My personal problem is that I'm stuck with a Sophos UTM Home License due to the fact that it is the ONLY solution that brings the HTML5 capabilities to a private home customer basis. But this is limited at some point. So from my private experience this feature would boost the distribution of OPNsense in the community and also enable users that are using pfSense to switch to the OPNsense solution. :)

best regards Klaus

mimugmail commented 5 years ago

It's not our effort to make users switch from pf :) I have worked with guacamole for some time now. The upgrade process on Linux itself is a mess, no idea how to support this in a stable manner.

It would be better to use the docker container somewhere behind your Firewall.