Security Basics mailing list archives
Re: Secure remote access for users
From: <schultz_young_assoc () ureach com>
Date: 24 Oct 2002 20:31:24 -0000
In-Reply-To: <3DB69E87.2962.471CC04@localhost>
From my experiences, I suggest the following:
Cisco VPN 3000 concentrator - using IPSec + IKE + Diffie-Helman key exchange + 3DES encryption - for the VPN end-point. Cisco VPN Client 3.6x for the client software with like configuration (of course). The company-owned / managed laptops are a good idea in most ways except capital expenditure but, much less hassle to own the image allowed on the machine. Or, as you noted, they could use their own equipment. Either way, the following gives you tight control over what is allowed, consistent behavior while the client is attached, and very decent security. The above HW/SW combination provides the ability for fully pre- configured client access to your VPN end point and includes ZoneLabs ZoneAlarm Pro built into the client. You can then force through the 3000s config the client to run the FW component. Also, enforce no split-tunneling. This forces all traffic through the VPN to your end-point no access to their local ISP for local internet access. Your users can get access to the internet through their normal method this also helps enforce web content inspection and proxying / denying disallowed content (if you do that already). Next, if you have to provide dial-in, you can accomplish the same thing as noted above for VPN AND, additionally, the Secure Remote Access Dial, all in one box - something like a Cisco 3660-series router, PRI-T1 module, Mica Modem digital modem card (up to 60 modems or so in that chassis = 60 concurrent connections). Then add the AIM-VPN hardware encryption module and you get hardware-accelerated encryption and this whole bundle meets FIPS-140 and Common Criteria EAL-4 Government / Industry certifications (respectively) (attention to the details of the certified configs is necessary, but very obtainable). The same VPN Client 3.6x works against either end- point platform. Also, for the dial-in, most sites implement an 800 / toll-free number for their users. All of the above should be configured to authenticate users against a RADIUS or TACACS+ server, preferably with an additional authentication layer (hence the name '2-factor authentication') such as RSA's ACE/Server with the randomly- generated token code the user carries with them (something they know - a password + something they have - the token and code). I am sure there are other options in the open-source community. However, complexity of installation and management, as well as availability of knowledgable Linux/Unix on-site staff to monitor security and devices may be an issue. Hope this helps. Best Regards, Eric R. Young - CCNP, CCDP, MCSE Network Engineer / Owner Schultz, Young & Associates Ph./Fx. 877.651.8016 Email: Schultz_Young_Assoc () ureach com VCard: www.ureach.com\schultz_young_assoc
Hi, This is a long one, so go get a cup of coffee first! We are looking into providing remote access (dial-up, VPN, or both) to our network for our users. We would like to hear any and all advice/recommendations that you have to give about providing such a service. Here are some of the issues we're encountering: - Whos computer should be used? If we let users log in using their personal PC, that opens up a lot of potential problems (viruses, trojans, who uses the PC, etc.). Is it better to provide laptops that users can check out and that we have personally locked down? Cost is also an issue, so purchasing several laptops for this purpose wouldn't be ideal when considering the initial investment. However, it may be necessary.
Current thread:
- Secure remote access for users Steve Bremer (Oct 24)
- RE: Secure remote access for users Keenan Smith (Oct 25)
- <Possible follow-ups>
- RE: Secure remote access for users Eric Young (Oct 25)
- Re: Secure remote access for users schultz_young_assoc (Oct 25)
- RE: Secure remote access for users Nero, Nick (Oct 28)