Microsegmented Zero Trust Remote Access in 10 Minutes or Less
This past weekend, I faced a quandary: I needed to set up access for Big Network’s Software Engineers to reach a standard RS-232 serial console at my home. I had a few options:
- Connect my laptop with a USB to Serial cable; let them control the console on the laptop with Zoom or similar.
- Provide SSH access to a Linux box; use a tool like screen to access its built-in COM ports.
- Deploy a small serial console server; enable remote network access to that.
I picked the last option, knowing that it would create a more repeatable solution that could be used in the future. So what does this look like?
My home LAN is in orange - where we have our desktops, laptops, printers, etc. plugged in to reach the Internet. I could have simply plugged the Console Server into this network, enabled Dynamic DNS on my router, set up NAT port forwards, and then created a static DHCP reservation. Yep, typical and doable, but it means I’m still exposing a device to the Internet that doesn’t need to be on the Internet, and if that console server were ever compromised, it would become a full pivot point into the rest of my home network.
Instead, by deploying an Edge Pro in the middle, I can achieve a few things:
- Avoid the hassle of Dynamic DNS, Port Forwarding, and static DHCP reservations.
- Keep the console server off the Internet entirely.
- Create a micro-segmented network that is purpose built and eliminates a pivot point for intruders to the rest of the home network.
If you want to access the Console Server, you simply need to be granted access to this Cloud Network in the Big Portal, and use a Big App to connect. From there, you simply Telnet or SSH to the Console Server.
Let’s have a look at the Big Network configuration:
First - my cloud network:
Clients connecting to this Cloud Network are assigned IP addresses in the range 192.168.70.200 to 192.168.70.250. You can see my MacBook Pro is assigned 192.168.70.241. An Edge Pro is connected to the network below.
Next, on the Edge Pro:
I have a simple mapping of the Cloud Network called “5J Console Server” to the LAN port. All Edge Pros ship with a default LAN network that provides a local gateway at 192.168.70.1, a DHCP server, and an Edge Dashboard for status information. Knowing this, I gave my Console Server a static IP at 192.168.70.5, outside the client pool and away from the gateway.
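The addressing plan above has three things that must not collide: the gateway at 192.168.70.1, the client pool 192.168.70.200-250, and the static address chosen for the console server. The following is an added example (not Big Network or Edge Pro code) that checks a candidate static address against that plan and models the intended segment policy: only overlay clients may reach the console server, and only on the console ports. The /24 mask, the sample home LAN address 192.168.1.10, and the `flow_allowed` policy model are assumptions for illustration; the Edge Pro's real policy engine is not described on this page.

```python
import ipaddress

# Addressing plan from the post. The /24 mask is an assumption; the post
# only states the gateway (.1), the client pool (.200-.250) and the
# console server's static address (.5).
LAN_SUBNET = ipaddress.ip_network("192.168.70.0/24")
GATEWAY = ipaddress.ip_address("192.168.70.1")
CLIENT_POOL = (ipaddress.ip_address("192.168.70.200"),
               ipaddress.ip_address("192.168.70.250"))
CONSOLE_SERVER = ipaddress.ip_address("192.168.70.5")
CONSOLE_PORTS = {22, 23}  # SSH and Telnet, as used in the post


def in_pool(addr, pool=CLIENT_POOL):
    """True if addr lies inside the inclusive DHCP client pool."""
    return pool[0] <= addr <= pool[1]


def check_static_assignment(candidate, subnet=LAN_SUBNET,
                            gateway=GATEWAY, pool=CLIENT_POOL):
    """Return a list of problems with using `candidate` as a static host
    address on the segment; an empty list means the address is safe."""
    addr = ipaddress.ip_address(candidate)
    problems = []
    if addr.version != subnet.version:
        return [f"{addr} is not an IPv{subnet.version} address"]
    if addr not in subnet:
        problems.append(f"{addr} is outside {subnet}")
        return problems
    if addr in (subnet.network_address, subnet.broadcast_address):
        problems.append(f"{addr} is the network or broadcast address")
    if addr == gateway:
        problems.append(f"{addr} collides with the gateway")
    if in_pool(addr, pool):
        problems.append(f"{addr} is inside the DHCP client pool "
                        f"{pool[0]}-{pool[1]} and may be handed out twice")
    return problems


def flow_allowed(src, dst, dport):
    """Illustrative model of the microsegment's intent (an assumption, not
    the Edge Pro policy engine): an overlay client may open SSH/Telnet to
    the console server; nothing else, in either direction, is permitted.
    In particular the console server never initiates flows, so a
    compromised console server gains no pivot toward other networks."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    return in_pool(s) and d == CONSOLE_SERVER and dport in CONSOLE_PORTS


if __name__ == "__main__":
    print("console server .5:", check_static_assignment("192.168.70.5"))
    print("gateway .1:", check_static_assignment("192.168.70.1"))
    print("laptop .241:", check_static_assignment("192.168.70.241"))
    # 192.168.1.10 is a constructed home-LAN address, not from the post.
    print("laptop -> console telnet:",
          flow_allowed("192.168.70.241", "192.168.70.5", 23))
    print("console -> home LAN:",
          flow_allowed("192.168.70.5", "192.168.1.10", 22))
```

Run it before committing a static address to a device: an address that sits inside the client pool will eventually be handed to a connecting laptop as well, and the resulting conflict looks like an intermittent console outage rather than a configuration error.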
From there, I simply connect with the client:
I love how I can use descriptions in Big Network to help others connecting know what they need to do; in this case I let them know that the Console Server is available at 192.168.70.5.
Lastly, I can use Telnet to connect to the console (as per the manufacturer’s recommendation):
Success! Serial console via a secure micro-segmented zero trust network.