The short answer is no: LabTutor Server must not be set up to allow incoming connections from the internet. The background and reasons for this are as follows.
LabTutor Server centrally stores and manages student data, experiments and related information, and delivers this content to LabTutor Client. It is designed for high performance over fast local networks, so that students can record data at high sampling rates, watch high resolution video clips and enjoy the rich interactive learning environment that LabTutor provides.
Because we have LabTutor Online for content delivered over the internet and LabTutor Server for content delivered over a local network, we have been able to make the best trade-offs in each product for those two very different environments.
For example, on LabTutor Server videos are delivered directly from Server to the Client. We chose the right streaming approach based on knowing we have a fast local network and do not have to deal with a low bandwidth, high latency internet connection. For LabTutor Online we use a Content Delivery Network – a vast network of video servers spread across the world to optimise delivery wherever the student might be accessing the video from. Taking the best approach for each environment helps ensure a good student experience.
Like all other aspects, we have optimised security for the intended use. LabTutor Server is run and accessed only within the institution, so the design and the frequent security audits we undertake do not need to account for malicious behaviour that is readily identified and dealt with in that environment (such as denial of service attacks). LabTutor Server is run on a machine administered by the institution, which means the security precautions taken with the Windows operating system and firewalls will vary from institution to institution depending on their IT policies and the care with which the computer was deployed.
In contrast, LabTutor Online is a fully managed service provided by ADInstruments and accepts connections from the internet. As such, security is a primary concern. We consider security aspects at every stage of development and actively monitor the servers for any signs of abuse. Keeping internet servers secure takes diligence and planning, and at times rapid deployment of updates or security patches. Because we manage hundreds of servers there is an economy of scale in providing a good level of security, allowing us to be very proactive.
LabTutor Server and the Internet
Because LabTutor Server is not designed to run outside the institution’s local network, there are issues with doing so. Primarily there is the security concern – allowing incoming internet connections to a Windows computer without having carefully audited the security on the machine would be unwise. Also, while we take reasonable security precautions with LabTutor Server (for example to ensure that students are not able to gain access to other students’ work), we cannot guarantee that it will continue to operate well if exposed to the internet. A secondary concern is performance – many aspects of LabTutor Server assume the connection from Client to Server is over a fast local network, meaning performance may be poor over the internet and it may affect other students trying to use the system.
Related Changes in LabTutor 4.3 and Beyond
Because some institutions have exposed LabTutor Server to the internet unintentionally, and because doing so puts their computer at risk of being compromised due to malicious activity, we are adding features in LabTutor Server to detect this situation.
In LabTutor 4.3 (or later) a warning will be displayed in the administrative pages if incoming connections are permitted from the Internet. We are also adding the check into two utilities: LabTutor NetChecker and LabTutor Server Installation Advisor.
This will help ensure that LabTutor Server is being used in a safe way and that students will enjoy a good experience with the software.
Institutions generally do not allow computers to accept incoming connections initiated outside their network. If LabTutor Server is accepting those connections it is likely because the firewall configuration has been modified to explicitly allow it (or the machine has been placed in a ‘DMZ’). Reverting the change (or moving the server into the internal network zone) should solve the problem.
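As an added example (not ADInstruments code, and not how LabTutor's own warning is implemented), the PowerShell script below audits the Windows host firewall on the server machine for enabled inbound Allow rules that cover the server port and accept remote addresses outside the local network. The port value is a placeholder and the list of internal ranges is an assumption to adjust for your site.

```powershell
# Added example (not ADInstruments code): find enabled inbound Allow rules that
# cover the server port and accept remote addresses outside the local network.
param(
    # ASSUMPTION: placeholder; use the port your LabTutor Server listens on.
    [int]$ServerPort = 8080
)

# Scopes treated as internal. ASSUMPTION: RFC 1918 ranges plus firewall keywords.
$InternalKeywords = @('LocalSubnet', 'Intranet')
$InternalPrefixes = @('10.', '192.168.', '127.') + (16..31 | ForEach-Object { "172.$_." })

function Test-InternalScope {
    param([string]$RemoteAddress)
    if ($InternalKeywords -contains $RemoteAddress) { return $true }
    foreach ($prefix in $InternalPrefixes) {
        if ($RemoteAddress.StartsWith($prefix)) { return $true }
    }
    return $false   # 'Any', 'Internet', public or IPv6 ranges: flag for review
}

$findings = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $ports = @(($rule | Get-NetFirewallPortFilter).LocalPort)
    # Match rules naming the port explicitly or covering every port ('Any').
    # Port ranges such as '8000-8100' are not expanded here.
    if ($ports -notcontains "$ServerPort" -and $ports -notcontains 'Any') { continue }

    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    $external = @($remote | Where-Object { -not (Test-InternalScope $_) })
    if ($external.Count -gt 0) {
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Profile       = $rule.Profile
            LocalPort     = $ports -join ','
            RemoteAddress = $external -join ','
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "Inbound rules above admit non-local addresses on port $ServerPort."
} else {
    Write-Output "No inbound Allow rule on port $ServerPort admits non-local addresses."
}
```

This covers only the host firewall on the server; a port forward on the institution's perimeter firewall or placement in a DMZ has to be checked at the network edge.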
It is still important that LabTutor Server is permitted outgoing connections to the internet. This is so that LabTutor Server can get experiments and updates from adinstruments.com, and so that it can connect to LabTutor Online. These connections are always initiated by LabTutor Server.
To provide limited off-campus access to LabTutor Server (for example to allow lecturers to configure courses from home) there are two approaches that could be considered. Both effectively make the remote machine part of the local network. They are:
1) Using a Virtual Private Network (VPN).
2) Using a Secure Shell (SSH) Tunnel.
ADInstruments does not provide support for configuring connections of these types but your local IT person should be able to help. If configured correctly these methods should not be a significant security risk, although performance may still be an issue depending on the internet connection.