Secure remote access for users

["Steve Bremer" <steveb () nebcoinc com>]

Hi,
        This is a long one, so go get a cup of coffee first!

        We are looking into providing remote access (dial-up, VPN, 
or both) to our network for our users.  We would like to hear any and 
all advice/recommendations that you have to give about providing 
such a service.  Here are some of the issues we're encountering:

- Whos computer should be used?  
If we let users log in using their personal PC, that opens up a lot of 
potential problems (viruses, trojans, who uses the PC, etc.).   Is it 
better to provide laptops that users can check out and that we have 
personally locked down? Cost is also an issue, so purchasing 
several laptops for this purpose wouldn't be ideal when considering 
the initial investment.  However, it may be necessary.
 If we allow our users to use their own PCs, we then have to provide 
the necessary software for each person that may want to connect 
remotely.  This also means we have to support their PC when 
something goes wrong that isn't work related.  The additional 
software licenses and the cost of supporting their personal PC will 
help make the laptop option sound better. 

-Dial in Access -  
Dial-in is probably inherently more secure than a VPN over the 
Internet because of the more limited exposure, but many of our 
potential users could end up having to pay long distance charges to 
dial-in.  That would probably never fly.  
Do we use dial-back capabilities?  This would work fine for users 
dialing in from home, but for those users on the road, it would prove 
difficult to implement effectively.  Long distance could also be a 
factor here as well.

-VPN Access -
VPN access over the Internet would eliminate long distance charges 
for our home users (assuming they don't have to make a long 
distance call to reach their ISP).  However, then you have to worry 
about securing the PC/laptop from attacks originating from the 
Internet while it is connected to our network via the VPN.  However, 
it shouldn't be too difficult to install a personal firewall to block all 
non-VPN related traffic. Some VPN clients even have packet 
filtering capabilities built in.    

- Limiting Access -
Once the user connects, what are the best options to limit their 
access?  It would be fairly simple to limit their access to specific 
hosts through packet filtering.  However, this may not be the most 
effective solution since an intruder could compromise a host which 
they are allowed to access and use the compromised host to 
connect to the rest of the network.  
        We could also use something along the lines of Winframe 
where the applications actually run on the server that the users 
connect to. It's been a long time since I've used it, but it seemed to 
work fairly well.  That would limit the users' access to the 
applications that we provide on the Winframe server.

-Software-
        General recommendations?  For dial-in access, Winframe 
would work great.  I'm sure it can also be used via a VPN by this 
time.  Are there any other software packages that are similar in 
functionality to winframe? 
        I've successfully used SSH Sentinel to connect to a 
Linux/Freeswan VPN.  That would be a good option for remote VPN 
access, but then we're back to packet filtering to for limiting user 
access.
        Perhaps a combination of the above?  Use the VPN for 
remote connections, and put a Winframe type software package 
after it to help limit access and prevent having to install a lot of 
software on users PCs.  A little diagram may be needed here:

Internet----> VPN----> Winframe server----> Internal network.
 

Hopefully I've provided enough information so that you can get an 
idea of what we're after here.  I welcome any and all suggestions.  
I'm sure many of you have already setup remote access for your 
users, and I'm interested in knowing how would you do it now if you 
had a chance to do it all over again after your experience with your 
current setup.

Thanks for your input.
Steve Bremer
NEBCO, Inc.