tunnel.cat

Posted on 08 Dec 2015 by Marek 

There are many Network Attached Storage devices on the market, and plenty to choose from for small businesses. Most of them are a lower-powered CPU with a couple of disks in a box, running some sort of NAS management software on top of Linux. Plenty provide some sort of software for "remote access" — which sounds great at first. A naïve solution is to open up ports on a customer's ADSL router, let them install the NAS client, and they can get files from the office whenever they want.

Job done, consultancy invoice sent... and timebomb now ticking.

One of the first problems is at the network layer. The world has run out of IPv4 addresses, and the UK's incumbent telco and major ISPs lag massively behind the rest of the world in IPv6 roll-out. It is only a matter of time before the customer's broadband will end up on a Carrier Grade NAT, and you'll have to deal with first-line support in getting ports opened for servers.

But, more urgently, there is going to be a security hole. Maybe not today, but at some point, there will be a CVE announced that affects the customer's NAS. NAS vendors are not known for producing timely updates, assuming they're still supporting the device your customer bought a couple of years ago. They've made their money, everyone's buying bigger devices now, and that's where the vendors' effort is now focussed.

The final problem is that even if the vendor does put out timely security patches, many have historically been very slow at putting out support updates for operating system upgrades. Numerous NAS devices had problems with changes to SMB file sharing in OS X "Mountain Lion" — and you can bet you'll only find out about this when the customer has bought a new laptop that can't easily be downgraded. NAS vendors' remote access client applications tend to be even worse at tracking OS updates — if the remote access client worked well in the first place.

We solve these problems by setting up a cheap VPN server in the customer's office. VPNs usually require a static IP address at the server end — so we provide that too, out of our IP address space. In turn, that makes it easy for us to manage the VPN server and keep it up-to-date. End-users just connect their laptop to their office VPN, and can continue to access files as though they were in the office all along. We don't need to open up ports to the Internet. We don't need the customer to have a static IP address (or even to not be behind CGN), because their VPN server tunnels to our network. We don't need to worry about flaky client apps from vendors. If it works in the office, it will work on the road — and with AES128 encryption, it will be just as secure.

The name of our service is tunnel.cat because it provides a tunnel between the customer's VPN server and our network. We registered the domain to be short, snappy and easy to remember, and a separate domain makes getting "proper" SSL certificates for customer VPNs a breeze.

Do you have problems getting files from your server when working at home? Maybe you need an office tunnel.cat!