Hosting our company Inventree instance publicly on the internet so administrators can access it at home

[Guusggg]

Hi,

I'd like to preface this with a statement that I have some experience in hacking/modifying/injecting code in desktop applications but I don't have enough experience in Internet Security to know if this is a good idea.

My manager would like me to expose our Inventree instance to a subdomain of our website, so employees and managers can access the instance at home. I know that the web is inherently unsafe, because it was not built from the core to be safe. However, I still would like to complete this request. We have an up to date Linux server running at work, running nothing but Inventree. It has been available inhouse for a long time, and it uses Nginx as a reverse proxy. On the internet, people tend to say to never expose your own server to the web. Is this solid advice, always? We are not hesitant to hire a server on a server farm, however, in my personal opinion I'd like to keep costs low (and I'm a bit principally against cloud servers, as I'm not sure if they will stay cheap and I don't like vendor lock-in).

Please tell me what you think, either hire a server and risk rising costs and vendor lock-in, or keep our server and expose it.
(I will be taking all security measures that I can find; enabling 2FA, getting an SSL cert, blocking all ports except ones that need to be open (anything else?!))

Thank you for your valuable feedback!
Kind regards,

[eeintech]

My recommendation is to not expose it. You can use a subdomain to simplify the URL (instead of IP address), it doesn't make it secure. Then use VPN to connect to your company's network from home and access the instance.

[SchrodingersGat]

I would agree with @eeintech - if you don't want to use a cloud service, it sounds like a VPN is what you want.

[Guusggg]

Thanks a lot for your recommendation!

[Guusggg]

Both your answers are very satisfying, unfortunately I can only pick one... Thank you for the help anyway!

[matmair]

@Guusggg I would strongly advise putting the thing behind a VPN or a portal. FortiGate VPN appliances for example include an SSL VPN portal that patches all traffic after authentication without users needing to install any software on their device.

The thing why ppl advise against exposing your servers is simple: Every software has flaws. Even the Linux kernel, even the webservers and reverse proxies. Some of them are very scary and once they get discovered you need to update immidiatley. Most ppl. do not have the bandwidth to keep up with updates and security advisories for their whole stack (sometimes the vendor can not just fix it and needs you to shut down a service for example till they have a fix. Happened with Microsft spool servers a while back).
So if you do not have a NOC and or SOC in-house or some company that does those things for you I would advise against exposing.

Small horror detail:
There are shady services that just crawl the web all day to log what version of software is exposed on which server and you can pay to run queries there. So once you no something can be broken into you just buy the list with all vulnerable targets and let scripts attack them.

[matmair]

I have no idea where you work but I guess nobody there want's their BOMs on some darknet data dumb.

[Guusggg]

I understand, thanks for taking the time to write it out. I'm not new to developing software, however this is my first job maintaining all the company infrastructure. We wouldn't be ruined by BOM's on the darknet, however I don't want any ransomware hindering our companies progress. I also don't want to check on the server every week, it has been running for months without too much maintenance which is how I prefer to keep it.

[matmair]

@Guusggg do you need further assistance or can you choose an answer so that this is not left open?

[Guusggg]

@matmair No, my issue is solved. Thank you! Sorry for leaving this open!