Security Basics mailing list archives

RE: Remote site solution


From: "Bretten, Andrew P" <andrew.bretten () kroger com>
Date: Thu, 30 Sep 2010 12:52:33 -0400

Put a Juniper SSG5 at each remote site and build a VPN tunnel from each remote site.

Andy

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nick Owen
Sent: Wednesday, September 29, 2010 9:19 AM
To: Monah Baki
Cc: security-basics
Subject: Re: Remote site solution

On Mon, Sep 27, 2010 at 4:13 AM, Monah Baki <mbaki () aljolit com> wrote:
Hi All,

Currently we are trying to come up with a solution for our
environment. We have around 50 remote sites that have a home DSL
(Dynamic IP). At HQ, we have a web server that whoever needs to access
it (via web), must physically be at the remote site. He/she cannot
access the server from anywhere else.
Unfortunately, buying a business class DSL, with a static IP address
where I am costs more than $300 a month.
We have a Juniper SRX 240 at HQ that we can use to setup IPSEC, but to
keep my cost low, what hardware will suffice for the remote sites.

I was thinking setting up an IPS inline and drop all http requests by
mac addresses not belonging to the ones that we have in the remote
sites, but then they mentioned if the remote sites are going through
the ISP proxy, this will not work.

If it cannot be done only with the business class DSL, so be it.

I don't see how using an IP address or mac address is secure.  Both
are easily spoofed. It seems like the tail is wagging the dog here.

What you should do is require remote users to use two-factor
authentication to get a LAN address or require two-factor auth on the
web page. With Apache, you might be able to do a redirect based on the
IP address (something like RewriteCond %{REMOTE_ADDR} ^72\.4\.4\.112$)
and redirect external users to a virtual host that requires a stronger
auth mechanism as documented here:
http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-apache

HTH,

Nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
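The Apache approach Nick sketches, written out as an added configuration example (it is not part of the original thread and not WiKID's own material). Host names, paths, the second address 203.0.113.7 and the file-backed auth provider are placeholders; only 72.4.4.112 comes from his message.

```apache
# Added example: Apache 2.4 httpd, mod_rewrite and mod_ssl loaded.
# Requests from a known remote-site address are served directly; every other
# client is redirected to a second host that demands stronger authentication.
<VirtualHost *:443>
    ServerName app.example.com
    DocumentRoot /var/www/app
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/app.example.com.key

    RewriteEngine On
    # Consecutive RewriteCond lines are AND-ed, so the rule fires only for a
    # client that matches none of the listed site addresses.
    # 72.4.4.112 is the address from the message above; 203.0.113.7 is a
    # documentation address standing in for a second remote site.
    RewriteCond %{REMOTE_ADDR} !^72\.4\.4\.112$
    RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.7$
    RewriteRule ^ https://auth.example.com%{REQUEST_URI} [R=302,L]
</VirtualHost>

# Second host: same content, but nothing is served before authentication.
<VirtualHost *:443>
    ServerName auth.example.com
    DocumentRoot /var/www/app
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/auth.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/auth.example.com.key

    <Directory /var/www/app>
        # Placeholder: a file-backed Basic provider stands in here for the
        # two-factor provider set up in the linked WiKID guide.
        AuthType Basic
        AuthName "Remote access (two-factor required)"
        AuthUserFile /etc/apache2/two-factor.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```

Two points worth keeping in mind when deploying something like this. REMOTE_ADDR is the address of the TCP peer, so if the remote sites reach HQ through an ISP proxy (the objection raised in Monah's question) the match sees the proxy's address, and with dynamic DSL the allowlist goes stale whenever a site's address changes. And, as Nick says, the address check is only a routing convenience: the authentication requirement on the second host is the actual control, since an address is easily spoofed.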

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------




