Security Basics mailing list archives
Secure remote access for users
From: "Steve Bremer" <steveb () nebcoinc com>
Date: Wed, 23 Oct 2002 13:05:11 -0500
Hi, This is a long one, so go get a cup of coffee first! We are looking into providing remote access (dial-up, VPN, or both) to our network for our users. We would like to hear any and all advice/recommendations that you have to give about providing such a service. Here are some of the issues we're encountering: - Whos computer should be used? If we let users log in using their personal PC, that opens up a lot of potential problems (viruses, trojans, who uses the PC, etc.). Is it better to provide laptops that users can check out and that we have personally locked down? Cost is also an issue, so purchasing several laptops for this purpose wouldn't be ideal when considering the initial investment. However, it may be necessary. If we allow our users to use their own PCs, we then have to provide the necessary software for each person that may want to connect remotely. This also means we have to support their PC when something goes wrong that isn't work related. The additional software licenses and the cost of supporting their personal PC will help make the laptop option sound better. -Dial in Access - Dial-in is probably inherently more secure than a VPN over the Internet because of the more limited exposure, but many of our potential users could end up having to pay long distance charges to dial-in. That would probably never fly. Do we use dial-back capabilities? This would work fine for users dialing in from home, but for those users on the road, it would prove difficult to implement effectively. Long distance could also be a factor here as well. -VPN Access - VPN access over the Internet would eliminate long distance charges for our home users (assuming they don't have to make a long distance call to reach their ISP). However, then you have to worry about securing the PC/laptop from attacks originating from the Internet while it is connected to our network via the VPN. However, it shouldn't be too difficult to install a personal firewall to block all non-VPN related traffic. Some VPN clients even have packet filtering capabilities built in. - Limiting Access - Once the user connects, what are the best options to limit their access? It would be fairly simple to limit their access to specific hosts through packet filtering. However, this may not be the most effective solution since an intruder could compromise a host which they are allowed to access and use the compromised host to connect to the rest of the network. We could also use something along the lines of Winframe where the applications actually run on the server that the users connect to. It's been a long time since I've used it, but it seemed to work fairly well. That would limit the users' access to the applications that we provide on the Winframe server. -Software- General recommendations? For dial-in access, Winframe would work great. I'm sure it can also be used via a VPN by this time. Are there any other software packages that are similar in functionality to winframe? I've successfully used SSH Sentinel to connect to a Linux/Freeswan VPN. That would be a good option for remote VPN access, but then we're back to packet filtering to for limiting user access. Perhaps a combination of the above? Use the VPN for remote connections, and put a Winframe type software package after it to help limit access and prevent having to install a lot of software on users PCs. A little diagram may be needed here: Internet----> VPN----> Winframe server----> Internal network. Hopefully I've provided enough information so that you can get an idea of what we're after here. I welcome any and all suggestions. I'm sure many of you have already setup remote access for your users, and I'm interested in knowing how would you do it now if you had a chance to do it all over again after your experience with your current setup. Thanks for your input. Steve Bremer NEBCO, Inc.
Current thread:
- Secure remote access for users Steve Bremer (Oct 24)
- RE: Secure remote access for users Keenan Smith (Oct 25)
- <Possible follow-ups>
- RE: Secure remote access for users Eric Young (Oct 25)
- Re: Secure remote access for users schultz_young_assoc (Oct 25)
- RE: Secure remote access for users Nero, Nick (Oct 28)