Security Basics mailing list archives

RE: Secure remote access for users


From: "Keenan Smith" <kc () vetcentric com>
Date: Thu, 24 Oct 2002 17:36:23 -0400

I've been wrestling with this one myself.

The route I've decided to take is an appliance that allows browser-based
access to the back office network through a single point on the network.

The appliance itself has authentication and access lists that can limit the
user to one or many systems.

The firewall only has to be configured to allow https traffic to the
appliance.  The appliance handles all other access issues.

I still have to allow VPN access but to a much smaller number of users.

The three appliances that I've found are: Netilla, Neoteris and Citrix.  For
my application, Citrix was overkill and Neoteris didn't go far enough.  So
I've settled on Netilla.

This solution works for me because most of my users log in, work for a few
minutes to a couple of hours and then log off.  I don't have any full-time
telecommuters.  The browser-based interface would probably be too sluggish
for full-time use.

My thoughts.  Good luck.

KC Smith

-----Original Message-----
From: Steve Bremer [mailto:steveb () nebcoinc com]
Sent: Wednesday, October 23, 2002 2:05 PM
To: security-basics () securityfocus com
Subject: Secure remote access for users


Hi,
        This is a long one, so go get a cup of coffee first!

        We are looking into providing remote access (dial-up, VPN,
or both) to our network for our users.  We would like to hear any and
all advice/recommendations that you have to give about providing
such a service.  Here are some of the issues we're encountering:

- Whose computer should be used? -
If we let users log in using their personal PC, that opens up a lot of
potential problems (viruses, trojans, who uses the PC, etc.).   Is it
better to provide laptops that users can check out and that we have
personally locked down? Cost is also an issue, so purchasing
several laptops for this purpose wouldn't be ideal when considering
the initial investment.  However, it may be necessary.
If we allow our users to use their own PCs, we then have to provide
the necessary software for each person that may want to connect
remotely.  This also means we have to support their PC when
something goes wrong that isn't work related.  The additional
software licenses and the cost of supporting their personal PC will
help make the laptop option sound better.

- Dial-in Access -
Dial-in is probably inherently more secure than a VPN over the
Internet because of the more limited exposure, but many of our
potential users could end up having to pay long distance charges to
dial-in.  That would probably never fly.
Do we use dial-back capabilities?  This would work fine for users
dialing in from home, but for those users on the road, it would prove
difficult to implement effectively.  Long distance could also be a
factor here as well.

- VPN Access -
VPN access over the Internet would eliminate long distance charges
for our home users (assuming they don't have to make a long
distance call to reach their ISP).  However, then you have to worry
about securing the PC/laptop from attacks originating from the
Internet while it is connected to our network via the VPN.  However,
it shouldn't be too difficult to install a personal firewall to block all
non-VPN related traffic. Some VPN clients even have packet
filtering capabilities built in.

- Limiting Access -
Once the user connects, what are the best options to limit their
access?  It would be fairly simple to limit their access to specific
hosts through packet filtering.  However, this may not be the most
effective solution since an intruder could compromise a host which
they are allowed to access and use the compromised host to
connect to the rest of the network.
        We could also use something along the lines of Winframe
where the applications actually run on the server that the users
connect to. It's been a long time since I've used it, but it seemed to
work fairly well.  That would limit the users' access to the
applications that we provide on the Winframe server.

- Software -
        General recommendations?  For dial-in access, Winframe
would work great.  I'm sure it can also be used via a VPN by this
time.  Are there any other software packages that are similar in
functionality to Winframe?
        I've successfully used SSH Sentinel to connect to a
Linux/Freeswan VPN.  That would be a good option for remote VPN
access, but then we're back to packet filtering for limiting user
access.
        Perhaps a combination of the above?  Use the VPN for
remote connections, and put a Winframe type software package
after it to help limit access and prevent having to install a lot of
software on users' PCs.  A little diagram may be needed here:

Internet----> VPN----> Winframe server----> Internal network.


Hopefully I've provided enough information so that you can get an
idea of what we're after here.  I welcome any and all suggestions.
I'm sure many of you have already set up remote access for your
users, and I'm interested in knowing how you would do it now if you
had a chance to do it all over again after your experience with your
current setup.

Thanks for your input.
Steve Bremer
NEBCO, Inc.
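The "Limiting Access" concern above (packet filtering confines a VPN user to specific hosts, but a compromised allowed host can be used to reach the rest of the network) and the Internet -> VPN -> Winframe -> Internal diagram can be checked with a small policy model. The following is an added example, not code from either poster; the addresses, host list and the non-ICA ports are constructed for illustration, and the first-match, default-deny evaluation is an assumption about how the gateway's filter would behave. TCP 1494 is the Citrix ICA port that Winframe clients use.

```python
"""Toy first-match packet-filter policy for the layout
Internet -> VPN -> Winframe server -> internal network, plus a
reachability check that shows what a VPN user can reach directly and
what becomes reachable if each reached host is compromised and used
as a hop.  Added example; addresses and hosts are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]  # None means any port
    action: str          # "allow" or "deny"


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


VPN_POOL = net("10.8.0.0/24")      # addresses handed out to VPN clients (assumed)
WINFRAME = net("192.168.1.10/32")  # the Winframe server (assumed address)
INTERNAL = net("192.168.1.0/24")   # the internal LAN (assumed)
ICA = 1494                         # Citrix ICA, the protocol Winframe clients speak

# Evaluated top to bottom, first match wins, no match means deny.
POLICY = [
    Rule(VPN_POOL, WINFRAME, ICA, "allow"),   # VPN users: ICA to Winframe only
    Rule(VPN_POOL, INTERNAL, None, "deny"),   # ... and nothing else inside
    Rule(INTERNAL, INTERNAL, None, "allow"),  # LAN hosts talk freely among themselves
]


def allowed(src: str, dst: str, port: int) -> bool:
    """Return True if the policy permits a connection src -> dst:port."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in POLICY:
        if s in r.src and d in r.dst and (r.port is None or r.port == port):
            return r.action == "allow"
    return False  # default deny


# Constructed host inventory: one VPN client, Winframe, two LAN servers.
HOSTS = ["10.8.0.5", "192.168.1.10", "192.168.1.20", "192.168.1.21"]
PORTS = [ICA, 445, 3389]  # services we probe for (445/3389 constructed examples)


def direct_reach(src: str) -> set:
    """(host, port) pairs src can open a connection to under POLICY."""
    return {(h, p) for h in HOSTS for p in PORTS if h != src and allowed(src, h, p)}


def pivot_reach(src: str) -> set:
    """Hosts reachable if every host src can reach is in turn compromised
    and used as the next hop (the pivot case the post worries about)."""
    seen, frontier = set(), [src]
    while frontier:
        cur = frontier.pop()
        for host, _port in direct_reach(cur):
            if host not in seen:
                seen.add(host)
                frontier.append(host)
    return seen


if __name__ == "__main__":
    client = "10.8.0.5"
    print("direct:", sorted(direct_reach(client)))
    print("via pivots:", sorted(pivot_reach(client)))
```

The direct set is exactly Winframe on 1494, which is what the filter was meant to achieve; the pivot set is the whole LAN, because the third rule lets the Winframe server reach every internal host. That is the gap the post identifies: the gateway filter limits the user, not what an attacker on the Winframe box can do, so the server behind the VPN needs its own hardening and egress restrictions.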