Security Basics mailing list archives

RE: Secure remote access for users


From: "Nero, Nick" <Nick.Nero () disney com>
Date: Mon, 28 Oct 2002 14:01:44 -0500

Someone else has probably already suggested this... But what you
really need for this is a Citrix/Terminal Server.  It is the best way to
make sure that files/code (viruses, worms...) don't go between the two
networks. Also, the idea that no files are actually being exchanged
should put the security honchos there at ease.  I would look into
securing it with RSA's SecurID at the most and an SSL cert at the VERY
least.

This is cheap, doesn't require dedicated hardware (outside of the
server) and should allow your people to do what they need to do remotely
with very little bandwidth.

Nick Nero, CISSP, MCSE, CCNA, CCA
The Walt Disney Company

-----Original Message-----
From: schultz_young_assoc () ureach com
[mailto:schultz_young_assoc () ureach com] 
Sent: Thursday, October 24, 2002 4:31 PM
To: security-basics () securityfocus com
Subject: Re: Secure remote access for users


In-Reply-To: <3DB69E87.2962.471CC04@localhost>

From my experiences, I suggest the following:

Cisco VPN 3000 concentrator - using IPSec + IKE + Diffie-Hellman
key exchange + 3DES encryption - for the VPN end-point.
Cisco VPN Client 3.6x for the client software with like
configuration (of course).

The company-owned / managed laptops are a good idea in most
ways except capital expenditure - but, much less hassle to 'own
the image' allowed on the machine.  Or, as you noted, they
could use their own equipment.

Either way, the following gives you tight control over what is
allowed, consistent behavior while the client is attached, and
very decent security.

The above HW/SW combination provides the ability for fully
pre-configured client access to your VPN end point and includes
ZoneLab's ZoneAlarm Pro built into the client.  You can then
force - through the 3000's config - the client to run the FW
component.  Also, enforce 'no split-tunneling'.  This forces
all traffic through the VPN to your end-point - no access to
their local ISP for local internet access.  Your users can get
access to the internet through their normal method - this also
helps enforce web content inspection and proxying / denying
disallowed content (if you do that already).

Next, if you have to provide dial-in, you can accomplish the
same thing as noted above for VPN AND, additionally, the Secure
Remote Access Dial, all in one box - something like a Cisco
3660-series router, PRI-T1 module, Mica Modem digital modem
card (up to 60 modems or so in that chassis = 60 concurrent
connections).  Then add the AIM-VPN hardware encryption module
and you get hardware-accelerated encryption and this whole
bundle meets FIPS-140 and Common Criteria EAL-4 Government /
Industry certifications (respectively) (attention to the
details of the certified configs is necessary, but very
obtainable).  The same VPN Client 3.6x works against either
end-point platform.

Also, for the dial-in, most sites implement an 800 / toll-free
number for their users.

All of the above should be configured to authenticate users
against a RADIUS or TACACS+ server, preferably with an
additional authentication layer (hence the name '2-factor
authentication') such as RSA's ACE/Server with the
randomly-generated token code the user carries with them (something they
know - a password + something they have - the token and code).

I am sure there are other options in the open-source
community.  However, complexity of installation and
management, as well as availability of knowledgeable Linux/Unix
on-site staff to monitor security and devices may be an issue.

Hope this helps.

Best Regards,

Eric R. Young - CCNP, CCDP, MCSE
Network Engineer / Owner
Schultz, Young & Associates
Ph./Fx. 877.651.8016
Email:  Schultz_Young_Assoc () ureach com
VCard:  www.ureach.com\schultz_young_assoc

Hi,

      This is a long one, so go get a cup of coffee first!

      We are looking into providing remote access (dial-up, VPN,
or both) to our network for our users.  We would like to hear any and
all advice/recommendations that you have to give about providing
such a service.  Here are some of the issues we're encountering:

- Whose computer should be used?
If we let users log in using their personal PC, that opens up a lot of
potential problems (viruses, trojans, who uses the PC, etc.).   Is it
better to provide laptops that users can check out and that we have
personally locked down? Cost is also an issue, so purchasing
several laptops for this purpose wouldn't be ideal when considering
the initial investment.  However, it may be necessary.
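The two-factor RADIUS check that Eric recommends above (a PIN the user knows plus a token code they carry, verified by the RADIUS server), worked through as an added example that is not from the original thread. The passcode is hidden in transit with the RFC 2865 User-Password scheme; the shared secret, the user records and the HMAC-based token stand-in are constructed assumptions, not RSA's algorithm or any Cisco configuration.

```python
import hashlib
import hmac
import struct

# Constructed placeholder secret and user records (assumptions, not real values).
SHARED_SECRET = b"example-radius-shared-secret"
USER_PINS = {"alice": b"4821"}            # something the user knows
TOKEN_SEEDS = {"alice": b"constructed-seed-for-alice"}  # what the token holds
TOKEN_STEP = 60                            # seconds per token code


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + block, block
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server side: undo the hiding; NUL padding is stripped (passwords hold no NULs)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(block, b)), block
    return out.rstrip(b"\x00")


def token_code(seed: bytes, now: int) -> bytes:
    """Stand-in for a hardware token (an HMAC of the time slot, not RSA's algorithm)."""
    mac = hmac.new(seed, struct.pack(">Q", now // TOKEN_STEP), hashlib.sha1).digest()
    return b"%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)


def verify_passcode(user: str, hidden: bytes, authenticator: bytes, now: int) -> bool:
    """Two-factor check on the RADIUS server: PIN followed by the current token code."""
    if user not in USER_PINS:
        return False
    passcode = reveal_password(SHARED_SECRET, authenticator, hidden)
    pin, code = passcode[:-6], passcode[-6:]
    pin_ok = hmac.compare_digest(pin, USER_PINS[user])
    code_ok = hmac.compare_digest(code, token_code(TOKEN_SEEDS[user], now))
    return pin_ok and code_ok   # both factors must match; neither alone suffices
```

A real deployment would also bound clock drift with a small window of accepted slots and log each rejected factor separately, which the example leaves out.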

