Strategies for securing VPN Access?
October 30, 2006 3:19 AM
I'd be interested in hearing strategies for allowing employees' personal computers access to a company VPN.
The company I work for allows VPN access (using Cisco VPN) to our network for a number of employees. This could be to enable them to work from home, or to work on the road, or it could be to enable them to access systems in an emergency. Obviously people who use the VPN on the road, such as sales people, are provided with a laptop. However, many users will be accessing the VPN using their own home PC. I, for example, use my home computer to connect to the network and then use just Remote Desktop to certain machines.
Naturally the company is nervous about allowing VPN access to computers that are outside of their control, as this opens up a route for viruses to get in. So I'd be interested in hearing solutions for mitigating the dangers that this brings (on a Windows 2003 platform).
Some ideas:
Only allow access on the Remote Desktop port?
Windows 2003 Quarantine (would require a move away from Cisco obviously).
Any more?
BTW, I'm a software developer, not a network expert, and I'm not responsible for securing the VPN. I've asked this question because the other day I expressed surprise that the only solution IT have come up with to resolve this was to buy everyone another computer for their home, so I've been asked to suggest alternatives.
Citrix is sort of in the business of providing home users secure access to applications and data on the trusted business network. True file and resource sharing from untrusted machines, even through VPN connections, is always going to be problematic from a security standpoint. Then again, there is always some level of risk/reward, or convenience/prudence, or practicality/utility that needs to be negotiated between business users and network administration in these types of situations.
It wouldn't be unreasonable to prohibit file transfer and file sharing to untrusted machines, if Citrix servers could access files and provide trusted application hosting to remote untrusted machines, and this is a compromise enough companies make that it has emerged as something of a standard in the corporate world. Another means of doing similar things at lower cost is to set up and run VNC clients [or any of a multitude of commercial lookalikes] to trusted workstations in the corporate network (again no file sharing is happening, just remote operation of trusted machines via VPN and a remote desktop operation).
posted by paulsc at 4:32 AM on October 30, 2006
Place the external VPN connected clients on a separate firewalled network so that they can only connect directly to hosts and services you specify.
This way you can easily monitor and identify all traffic going over the VPN to your servers, which is essentially the same as controlling the computer they are using as far as your systems are concerned.
I suppose you could also supply everyone with antivirus and spyware tools too.
You can also (I think) get Windows to authenticate to a domain controller over a VPN, for even more intrusion into your employees' privacy! (I mean that in a totally non-snarky way :)
This is all fairly complicated and I've never implemented it myself - hence the lack of precise details - I'm just fairly sure it's all possible.
posted by public at 5:48 AM on October 30, 2006
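The separate firewalled subnet that public suggests comes down to an ordered rule set applied to the VPN address pool, plus logging of whatever the rules reject. The following is an added example, not code from any poster in this thread or from any VPN product: a small Python checker that evaluates sample flows against such a policy (only Remote Desktop, TCP 3389, to two named jump hosts; everything else from the pool is denied and logged). The pool 10.99.0.0/24, the host addresses and the flows are constructed for illustration; the point is to test the intended policy as data before typing it into a firewall.

```python
"""Added example: policy checker for a VPN client subnet that may only reach
named hosts on named ports. All addresses and flows are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed address pool handed out to VPN clients (constructed value).
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    dst: ipaddress.IPv4Network       # destination network the rule covers
    proto: str                       # "tcp", "udp" or "any"
    port: Optional[int]              # None means any destination port


# Ordered rules for traffic arriving from the VPN pool. First match wins.
# Only RDP to two jump hosts is allowed; the final rule denies everything else.
POLICY: List[Rule] = [
    Rule("allow", ipaddress.ip_network("10.0.1.10/32"), "tcp", 3389),
    Rule("allow", ipaddress.ip_network("10.0.1.11/32"), "tcp", 3389),
    Rule("deny", ipaddress.ip_network("0.0.0.0/0"), "any", None),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> str:
    """Return "allow", "deny", or "not-vpn" for traffic outside the pool."""
    src = ipaddress.ip_address(flow.src)
    if src not in VPN_POOL:
        return "not-vpn"             # this policy only governs the VPN pool
    dst = ipaddress.ip_address(flow.dst)
    for rule in policy:
        if dst not in rule.dst:
            continue
        if rule.proto != "any" and rule.proto != flow.proto:
            continue
        if rule.port is not None and rule.port != flow.dport:
            continue
        return rule.action
    return "deny"                    # implicit deny if no rule matched


def audit(flows: List[Flow], policy: List[Rule] = POLICY) -> Tuple[List[str], List[str]]:
    """Evaluate every flow; denied flows yield a log line a collector can alert on."""
    decisions, log = [], []
    for f in flows:
        decision = evaluate(f, policy)
        decisions.append(decision)
        if decision == "deny":
            log.append(f"DENY vpn-pool {f.src} -> {f.dst} {f.proto}/{f.dport}")
    return decisions, log


# Constructed sample flows covering the cases the policy must distinguish.
SAMPLE_FLOWS = [
    Flow("10.99.0.7", "10.0.1.10", "tcp", 3389),    # RDP to a jump host: allowed
    Flow("10.99.0.7", "10.0.1.10", "tcp", 445),     # SMB to the same host: denied
    Flow("10.99.0.7", "10.0.2.5", "tcp", 3389),     # RDP to an unlisted server: denied
    Flow("10.99.0.7", "10.0.1.11", "udp", 3389),    # right host, wrong protocol: denied
    Flow("192.168.1.5", "10.0.1.10", "tcp", 445),   # not from the pool: out of scope
]

if __name__ == "__main__":
    decisions, log = audit(SAMPLE_FLOWS)
    for flow, decision in zip(SAMPLE_FLOWS, decisions):
        print(f"{decision:8} {flow}")
    print("\n".join(log))
```

Running the file prints one decision per flow and three DENY lines; the same log lines are what you would forward from the real firewall in front of the VPN subnet, which is the "easily monitor and identify all traffic" part of the suggestion.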
I work for a very very large software company. We have a system where everyone has a smart card and reader, and can VPN to our corporate network, as long as the computer in question meets certain criteria (OS = WinXP Pro or better, corp approved AV installed, up to date on patches, etc. )
It frequently takes about 10 minutes to log on, but once you are in, you can do whatever you need (I end up rdp'ing to one of my work machines). We are starting to get access to a terminal services gateway (see http://www.msterminalservices.org/articles/Overview-Longhorn-Servers-Terminal-Service-Gateway-Part1.html), which will reduce the requirements required to log in.
posted by stupidcomputernickname at 6:57 AM on October 30, 2006
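Both the "Windows 2003 Quarantine" idea in the question and the admission criteria stupidcomputernickname describes (OS version, approved AV, current patches) are a posture check: the client reports its state, and the gateway admits it or parks it in quarantine. The following is an added example, not code from any poster or from any Microsoft or Cisco component: a Python evaluator that applies such criteria to a client report and returns the decision with the reasons. The criteria, the product name "CorpAV", the dates and the client reports are constructed for illustration; a real deployment would get the report from the VPN client or quarantine agent rather than from a dict.

```python
"""Added example: endpoint posture check of the kind a VPN quarantine or
network-admission system performs. Criteria and reports are constructed."""
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Assumed baseline: Windows XP Professional (NT 5.1) or newer, no Home editions.
MIN_OS_VERSION = (5, 1)
ALLOWED_EDITIONS = {"Professional", "Server", "Enterprise"}
APPROVED_AV = {"CorpAV"}                 # placeholder product name
MAX_SIGNATURE_AGE = timedelta(days=7)    # AV signatures must be this fresh
MAX_PATCH_AGE = timedelta(days=30)       # last patch install must be this recent


def check_posture(report: Dict, today: date) -> Tuple[str, List[str]]:
    """Return ("admit", []) or ("quarantine", [reasons]).
    Fails closed: a missing field counts as a failed check."""
    reasons: List[str] = []
    if tuple(report.get("os_version", (0, 0))) < MIN_OS_VERSION:
        reasons.append("OS older than Windows XP Professional")
    if report.get("os_edition") not in ALLOWED_EDITIONS:
        reasons.append("OS edition not permitted (e.g. Home edition)")
    if report.get("av_product") not in APPROVED_AV:
        reasons.append("antivirus product not on the approved list")
    sig_date = report.get("av_signature_date")
    if sig_date is None or today - sig_date > MAX_SIGNATURE_AGE:
        reasons.append("antivirus signatures missing or stale")
    patch_date = report.get("last_patch_date")
    if patch_date is None or today - patch_date > MAX_PATCH_AGE:
        reasons.append("security patches missing or stale")
    if not report.get("host_firewall_enabled", False):
        reasons.append("host firewall disabled")
    return ("admit", []) if not reasons else ("quarantine", reasons)


TODAY = date(2006, 10, 30)   # fixed so the example is reproducible

# Constructed client reports.
SAMPLE_REPORTS = {
    "corp_laptop": {
        "os_version": (5, 1), "os_edition": "Professional",
        "av_product": "CorpAV", "av_signature_date": date(2006, 10, 28),
        "last_patch_date": date(2006, 10, 15), "host_firewall_enabled": True,
    },
    "home_pc": {
        "os_version": (5, 1), "os_edition": "Home",
        "av_product": "FreeAVTrial", "av_signature_date": date(2006, 8, 1),
        "last_patch_date": date(2006, 9, 1), "host_firewall_enabled": False,
    },
    "patched_but_unapproved_av": {
        "os_version": (5, 2), "os_edition": "Server",
        "av_product": "OtherAV", "av_signature_date": date(2006, 10, 29),
        "last_patch_date": date(2006, 10, 25), "host_firewall_enabled": True,
    },
}

if __name__ == "__main__":
    for name, report in SAMPLE_REPORTS.items():
        decision, reasons = check_posture(report, TODAY)
        print(f"{name}: {decision}")
        for r in reasons:
            print(f"  - {r}")
```

The reasons list is what makes quarantine workable in practice: the user (or the help desk) sees exactly which check failed and can fix it, instead of the ten-minute opaque logon the post describes. Quarantine is a gate, not a guarantee, so it belongs in front of the kind of restricted VPN subnet discussed earlier in the thread rather than in place of it.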
Well I doubt it will pass muster with your security guys (I know it wouldn't with ours), but I've been using Hamachi to access my systems at work, essentially bypassing our own VPN solution.
Best part is it creates its own virtual network adapter, so you can have separate firewall rules for what can be accessed at either end. Poke holes for just the services you need, rather than giving carte blanche to anyone who VPNs in.
posted by JaredSeth at 1:11 PM on October 30, 2006
posted by ThFullEffect at 4:21 AM on October 30, 2006