Security Basics mailing list archives

Re: Secure remote access for users


From: <schultz_young_assoc () ureach com>
Date: 24 Oct 2002 20:31:24 -0000

In-Reply-To: <3DB69E87.2962.471CC04@localhost>

From my experiences, I suggest the following:

Cisco VPN 3000 concentrator - using IPSec + IKE + Diffie-Hellman 
key exchange + 3DES encryption - for the VPN end-point.
Cisco VPN Client 3.6x for the client software with like 
configuration (of course).

The company-owned / managed laptops are a good idea in most 
ways except capital expenditure – but, much less hassle to ‘own 
the image’ allowed on the machine.  Or, as you noted, they 
could use their own equipment.

Either way, the following gives you tight control over what is 
allowed, consistent behavior while the client is attached, and 
very decent security.  

The above HW/SW combination provides the ability for fully pre-
configured client access to your VPN end point and includes 
ZoneLab’s ZoneAlarm Pro built into the client.  You can then 
force – through the 3000’s config – the client to run the FW 
component.  Also, enforce ‘no split-tunneling’.  This forces 
all traffic through the VPN to your end-point – no access to 
their local ISP for local internet access.  Your users can get 
access to the internet through their normal method – this also 
helps enforce web content inspection and proxying / denying 
disallowed content (if you do that already).

Next, if you have to provide dial-in, you can accomplish the 
same thing as noted above for VPN AND, additionally, the Secure 
Remote Access Dial, all in one box - something like a Cisco 
3660-series router, PRI-T1 module, Mica Modem digital modem 
card (up to 60 modems or so in that chassis = 60 concurrent 
connections).  Then add the AIM-VPN hardware encryption module 
and you get hardware-accelerated encryption and this whole 
bundle meets FIPS-140 and Common Criteria EAL-4 Government / 
Industry certifications (respectively) (attention to the 
details of the certified configs is necessary, but very 
obtainable).  The same VPN Client 3.6x works against either end-
point platform.

Also, for the dial-in, most sites implement an 800 / toll-free 
number for their users.

All of the above should be configured to authenticate users 
against a RADIUS or TACACS+ server, preferably with an 
additional authentication layer (hence the name '2-factor 
authentication') such as RSA's ACE/Server with the randomly-
generated token code the user carries with them (something they 
know - a password + something they have - the token and code).

I am sure there are other options in the open-source 
community.  However, complexity of installation and  
management, as well as availability of knowledgeable Linux/Unix 
on-site staff to monitor security and devices may be an issue.

Hope this helps.


Best Regards,


Eric R. Young - CCNP, CCDP, MCSE
Network Engineer / Owner
Schultz, Young & Associates
Ph./Fx. 877.651.8016
Email:  Schultz_Young_Assoc () ureach com
VCard:  www.ureach.com\schultz_young_assoc
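The reply above recommends having the VPN end-point hand every login to a RADIUS server, with a second factor layered on top. Added here as a worked example of what that exchange looks like on the wire (this is not Eric Young's code, nor Cisco's or RSA's): a minimal RFC 2865 Access-Request builder and parser, including the User-Password hiding that the NAS (the concentrator) applies with the shared secret before the packet leaves it. The shared secret, user name, password and NAS address are constructed sample values; in a deployment like the one described, the password field would carry whatever the token-based second factor produces.

```python
import hashlib
import os
import socket
import struct

# RADIUS constants from RFC 2865 (packet code and attribute type numbers).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4

# Constructed sample values for this demonstration; none of them come from the post.
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_USER = b"alice"
SAMPLE_PASSWORD = b"correct-horse-battery"  # stands in for the PIN + token code
SAMPLE_NAS_IP = "192.0.2.1"                 # documentation address for the VPN end-point


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password as RFC 2865 section 5.2 prescribes.

    The password is null-padded to a multiple of 16 octets; each block is XORed
    with MD5(secret + previous output block), the first block using the Request
    Authenticator. This is a keystream derived from the shared secret, not an
    authenticated cipher, which is why the RADIUS path itself needs protecting.
    """
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; this is what the RADIUS server does before checking the credential."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; the length octet counts its own 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, user, password, secret, nas_ip, authenticator=None):
    """Build the Access-Request the NAS (here, the VPN end-point) sends to the RADIUS server."""
    if authenticator is None:
        authenticator = os.urandom(16)  # fresh per request; it keys the password hiding
    attrs = (attribute(ATTR_USER_NAME, user)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet, secret):
    """Server side: check framing, split the attributes, recover the password.

    Returns (identifier, {attribute type: raw value}, password).
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    return identifier, attrs, password


if __name__ == "__main__":
    pkt = build_access_request(7, SAMPLE_USER, SAMPLE_PASSWORD, SAMPLE_SECRET, SAMPLE_NAS_IP)
    ident, attrs, pw = parse_access_request(pkt, SAMPLE_SECRET)
    print(ident, attrs[ATTR_USER_NAME], pw == SAMPLE_PASSWORD)
```

The point worth taking from the code is in `hide_password`: the only thing standing between a captured Access-Request and the credential inside it is the shared secret feeding MD5, so the secret should be long and random, unique per NAS, and the concentrator-to-RADIUS leg should sit on a protected management segment rather than cross the same network the remote users reach. The server-side parser also shows why the Request Authenticator must be fresh for every request: reusing it reuses the keystream for the first password block.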

Hi,
      This is a long one, so go get a cup of coffee first!

      We are looking into providing remote access (dial-up, VPN, 
or both) to our network for our users.  We would like to hear any and 
all advice/recommendations that you have to give about providing 
such a service.  Here are some of the issues we're encountering:

- Whose computer should be used?
If we let users log in using their personal PC, that opens up a lot of 
potential problems (viruses, trojans, who uses the PC, etc.).   Is it 
better to provide laptops that users can check out and that we have 
personally locked down? Cost is also an issue, so purchasing 
several laptops for this purpose wouldn't be ideal when considering 
the initial investment.  However, it may be necessary.