Firstly, apologies if this is the incorrect NG - if there is one better suited please advise and I'll repost there.
I am an overworked, underpaid sysadmin (I know I'm not the only one!) and am looking to implement a solution to allow staff to work from home, but one that does not pose an unacceptable risk to Company network security.
The solution I am evaluating consists of the following:
Firewall (GNATbox) acting as VPN host which is connected to Company network.
VPN client on authorised Company PCs of staff who are allowed to work from home. Each client has an individual shared secret and a username/password combo which must be entered and which matches that on the firewall (i.e. if a laptop is stolen we can remove its VPN access).
Software firewall on Company PCs (OfficeScan) which restricts the machine to traffic (inbound/outbound) with the Company WAN and the VPN host IP (i.e. the external IP of the firewall). The policies of this firewall are centrally managed and not overridable by the user.
So a staff member goes home, connects their laptop to broadband at home, can only talk to our firewall (not the Internet directly) and establishes the VPN. All Internet, email etc. must go through Company systems (i.e. over the VPN first), which means we can monitor usage, block sites, protect (?) staff from p*rn etc.
This should mean staff can access Company resources from home using the Internet, but cannot use torrents, messenger etc. It also should mean that although they are connected to the Internet and have internal Company network access at the same time, the internal network is secure - whereas if the client had no firewall it could be compromised from the Internet, which would then compromise the internal network as the Corp firewall would be effectively bypassed.
I like this because as far as I can see it works and is acceptable security wise.
I don't like this because it means we're going to need a fat pipe with a lot of upstream bandwidth to serve these broadband-connected VPN clients, as well as a lot of downstream bandwidth (possibly a different line) to pull down their Internet requests before we can send them on. Policy-wise this works, but it doesn't seem an efficient way from a network traffic perspective.
I'm also not sure whether in the real world different broadband providers might need the firewall policy relaxing somewhat - DHCP for starters - anything else which will make my life difficult?
I'd appreciate a second opinion on the above - if it's the wrong way to approach this or presents serious risks please tell me :)
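The host-firewall allow-list described in the post (DHCP plus traffic to and from the Company WAN / VPN host, everything else denied in both directions), modelled as an added example. This is not the poster's OfficeScan policy or any GNATbox configuration: the addresses, the home LAN layout, and the choice of IKE/ESP as the VPN transport are assumptions made for the illustration. Running it over a handful of constructed packets shows which home-broadband traffic the policy must let through (DHCP, including unicast renewals) and what it silently breaks (a DNS lookup against the ISP resolver, so the VPN client has to be pointed at the gateway's IP rather than a hostname, or a DNS rule added).

```python
"""Model of a default-deny host firewall that only permits DHCP and
traffic with the Company WAN / VPN host.

Added example, not the poster's configuration.  VPN_HOST, COMPANY_WAN,
the 192.168.1.0/24 home LAN and the IKE/ESP transport are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Assumed: external IP of the Company firewall (the VPN host) and the WAN range.
VPN_HOST = ip_address("203.0.113.10")
COMPANY_WAN = ip_network("203.0.113.0/24")


@dataclass(frozen=True)
class Packet:
    direction: str          # "out" (laptop -> network) or "in" (network -> laptop)
    proto: str              # "tcp", "udp" or "esp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

    def peer(self):
        """The remote end of the conversation, whichever direction the packet flows."""
        return ip_address(self.dst if self.direction == "out" else self.src)


def rule_dhcp(p: Packet) -> bool:
    """DHCP client traffic: UDP 68 <-> 67.  Matching on ports rather than on the
    broadcast address also covers the unicast renewals a lease later needs."""
    if p.proto != "udp":
        return False
    if p.direction == "out":
        return p.sport == 68 and p.dport == 67
    return p.sport == 67 and p.dport == 68


def rule_company(p: Packet) -> bool:
    """Anything exchanged with the VPN host or the Company WAN, either direction."""
    peer = p.peer()
    return peer == VPN_HOST or peer in COMPANY_WAN


def evaluate(p: Packet) -> Tuple[bool, str]:
    """Return (allowed, rule that matched).  Nothing else is permitted."""
    if rule_dhcp(p):
        return True, "dhcp"
    if rule_company(p):
        return True, "company-wan"
    return False, "default-deny"


# Constructed sample traffic from a laptop at 192.168.1.50 behind a home router at 192.168.1.1.
SAMPLE_TRAFFIC: Dict[str, Packet] = {
    "dhcp discover": Packet("out", "udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "dhcp offer": Packet("in", "udp", "192.168.1.1", "255.255.255.255", 67, 68),
    "dhcp renew (unicast)": Packet("out", "udp", "192.168.1.50", "192.168.1.1", 68, 67),
    "ike to vpn host": Packet("out", "udp", "192.168.1.50", "203.0.113.10", 500, 500),
    "esp from vpn host": Packet("in", "esp", "203.0.113.10", "192.168.1.50"),
    "dns to isp resolver": Packet("out", "udp", "192.168.1.50", "192.168.1.1", 51000, 53),
    "direct web browsing": Packet("out", "tcp", "192.168.1.50", "198.51.100.7", 51001, 80),
    "bittorrent peer": Packet("out", "tcp", "192.168.1.50", "198.51.100.99", 51002, 6881),
    "inbound smb from internet": Packet("in", "tcp", "198.51.100.200", "192.168.1.50", 40000, 445),
}


def audit(traffic: Dict[str, Packet] = SAMPLE_TRAFFIC) -> Dict[str, Tuple[bool, str]]:
    """Evaluate every sample packet against the policy."""
    return {name: evaluate(p) for name, p in traffic.items()}


if __name__ == "__main__":
    for name, (allowed, rule) in audit().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name:28} ({rule})")
```

The "dns to isp resolver" line is the one to watch: under this policy the laptop cannot resolve anything until the tunnel is up, so the VPN client must be given the gateway by IP address, and the DHCP rule must sit in the policy or the laptop never gets an address to begin with.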