VPN home worker implementation

Firstly, apologies if this is the incorrect NG - if there is one better suited please advise and I'll report there.

I am an overworked, underpaid sysadmin (I know I'm not the only one!) and am looking to implement a solution to allow staff to work from home, but one that does not pose an unacceptable risk to Company network security.

The solution I am evaluating consists of the following:

Firewall (GNATbox) acting as VPN host which is connected to Company network.

VPN client on authorised Company PCs of staff who are allowed to work from home. Each client has an individual shared secret and a username/password combo which must be entered and which matches that on the firewall (i.e. if a laptop is stolen we can remove its VPN access).

Software firewall on Company PCs (Officescan) which restricts machine to traffic (inbound/outbound) of Company WAN and VPN host IP (i.e. external ip of firewall). The policies of this firewall are centrally managed and not overridable by user.

So a staff member goes home, connects their laptop to broadband at home, can only talk to our firewall (not the internet directly) and establishes VPN. All Internet, email etc must go through Company systems (i.e. over VPN first) which means we can monitor usage, block sites, protect (?) staff from p*rn etc.

This should mean staff can access Company resources from home using the Internet, but cannot use torrents, messenger etc. It also should mean that although they are connected to the Internet and have internal Company network access at the same time, the internal network is secure - whereas if the client had no firewall it could be compromised from the Internet, which would then compromise the internal network as the Corp firewall would be effectively bypassed.

I like this because as far as I can see it works and is acceptable security wise.

I don't like this because it means we're going to need a fat pipe with a lot of upstream bandwidth to serve these broadband connected VPN clients, as well as a lot of downstream bandwidth (possibly different line) to pull down their Internet requests before we can send it to them. Policy wise this works but it doesn't seem an efficient way from a network traffic perspective.

I'm also not sure whether in the real world different broadband providers might need the firewall policy relaxing somewhat - DHCP for starters - anything else which will make my life difficult?

I'd appreciate a second opinion on the above - if it's the wrong way to approach this or presents serious risks please tell me :)

Cheers

Tim

lanwanhr
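As an added example (not from the original post, and not GNATbox or Officescan configuration), here is the laptop-side allow-list Tim describes expressed as Windows Defender Firewall rules in PowerShell: default-deny in both directions, with exceptions only for DHCP, the VPN host's external IP and the Company WAN range. The VPN host address, the WAN range and the assumption that the VPN is IPsec (IKE/NAT-T on UDP 500 and 4500, ESP as IP protocol 50) are placeholders, not values from the thread.

```powershell
# Added example: allow-list host firewall for a home-working Company laptop.
# Placeholders (assumed, not from the thread):
#   $VpnHost - external IP of the Company firewall acting as VPN host
#   $CorpWan - Company WAN range that is only reachable through the tunnel
$VpnHost = '198.51.100.10'   # documentation-range placeholder
$CorpWan = '10.0.0.0/8'      # assumed Company WAN range

# Default-deny on the home-network profiles: anything not explicitly allowed
# below is dropped, so the laptop cannot reach the Internet directly and the
# home LAN / Internet cannot reach the laptop. The Domain profile is left to GPO.
Set-NetFirewallProfile -Profile Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 1. DHCP - the one exception every broadband provider needs
#    (client UDP 68 <-> server UDP 67, both directions).
New-NetFirewallRule -DisplayName 'HW-DHCP-Out' -Direction Outbound -Action Allow `
    -Protocol UDP -LocalPort 68 -RemotePort 67 -Profile Private,Public
New-NetFirewallRule -DisplayName 'HW-DHCP-In' -Direction Inbound -Action Allow `
    -Protocol UDP -LocalPort 68 -RemotePort 67 -Profile Private,Public

# 2. The VPN host only - IKE and NAT-T (UDP 500/4500) plus ESP (protocol 50)
#    to and from the firewall's external IP. Nothing else on the Internet.
New-NetFirewallRule -DisplayName 'HW-VPN-IKE' -Direction Outbound -Action Allow `
    -Protocol UDP -RemotePort 500,4500 -RemoteAddress $VpnHost -Profile Private,Public
New-NetFirewallRule -DisplayName 'HW-VPN-ESP-Out' -Direction Outbound -Action Allow `
    -Protocol 50 -RemoteAddress $VpnHost -Profile Private,Public
New-NetFirewallRule -DisplayName 'HW-VPN-ESP-In' -Direction Inbound -Action Allow `
    -Protocol 50 -RemoteAddress $VpnHost -Profile Private,Public

# 3. Company WAN addresses - only routable once the tunnel is up, so this
#    rule cannot be used to reach the Internet directly.
New-NetFirewallRule -DisplayName 'HW-CorpWAN' -Direction Outbound -Action Allow `
    -RemoteAddress $CorpWan -Profile Private,Public

# Check what was installed before pushing the same policy centrally.
Get-NetFirewallRule -DisplayName 'HW-*' |
    Select-Object DisplayName, Direction, Action, Profile
```

Inbound replies for the TCP/UDP sessions opened through the tunnel are covered by the firewall's stateful tracking, so only the ESP and DHCP inbound rules are needed; if the VPN client uses a different transport, replace the IKE/ESP rules with that transport scoped to the same single remote address.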

Thanks for the feedback. Different ideas as well as improvements to my solution is exactly what I want.

I can see that for a lot of Companies that would be ideal (and is probably what they use).

For me though, I don't think this would work:

- All the staff that would work from home (or indeed mobile) have Company laptops, so there wouldn't be anything to remote desktop to - unless we went with Terminal Services. Corporate policy is not to use MS Windows Servers unless there is no choice :) Is there an alternative?

- The network file access benefit of RD isn't so much of an issue as a) they have laptops and carry data with them, and b) our WAN is too slow for mapped drives so this would only benefit staff (20%?) whose local file server was on the same LAN as the Terminal Services server.

Also, with a remote desktop connection am I right in thinking that it usually isn't as responsive as a local session?

I can certainly see there are advantages if you want to allow any PC to RD, or mapped drives are a viable consideration. It would significantly reduce upstream bandwidth issues of big emails (though presumably staff would want to integrate with Outlook on their laptop) and Internet - also easier to plan how big a link for how many people and stop one from hogging all the bandwidth.

Thanks again for the ideas - with a different infrastructure that would be the way to go :)

lanwanhr

Why not set up a solution with a firewall appliance at your company border (public IP/connection), then have users PPTP into that from any computer they own or you provide.

Inside the firewall you would create a rule that lets them use Remote Desktop to connect to their workstation in the office and only to that device. Since Remote desktop only consumes about 30kbps you can support a few more users than a normal VPN to the LAN session with drive maps would take.

You can also, as a better solution, do the firewall VPN as the end-point and then allow RD to a dedicated Terminal Services box and then have more control over them.

Our firewalls allow you to have one user/password per user for the firewall VPN authentication and it doesn't have to have anything to do with the domain/network, and we can limit the Firewall User to specific ports/IP inside the LAN/DMZ.

Leythos

If you are not doing Windows for the servers then we need to know what you are using for the server OS.

If they carry their files with them on laptops, then what is the requirement for local company access? What will the users be doing once they VPN into the company?

It depends, with a T1 or a business class Cable modem / DSL modem (which can be much faster than a T1), I've not seen any problems. I have one remote office that uses 4 people over RD to the home office, they have a 512kbps upstream and a 3Mbps downstream, the home office has 2Mbps down/2Mbps up and there is no hesitation, but it's not as fast as being local - unless you count the fact that pulling a 200 page crystal report across a VPN takes about 20 minutes, doing it through a Terminal Services session takes about 4 seconds.

I don't let my clients use VPNs like that if I can help it - VNC or RD to the local desktop in their office - with a firm firewall rule that ONLY allows the authenticated user to reach their specific workstation in the office. For the few that have a FULL VPN, we provide the laptop, AV, anti-spyware, local User mode, etc... They also VPN into the firewall to authenticate using the LOGON USING DIALUP option of XP Prof, then it logs them into the domain normally - we use firewall rules that only allow them to reach the servers and network printers and the email server in the DMZ - they cannot reach other workstations or devices outside their firewall scope.

That can be a problem, but it's not as much a problem as you think.

With the methods we use, we've never had a customer compromised, not ever, and we plan on keeping it that way.

Leythos
