RE: Secure remote access for users

From: Nero, Nick (Nick.Nero@disney.com)
Date: 10/28/02


Date: Mon, 28 Oct 2002 14:01:44 -0500
From: "Nero, Nick" <Nick.Nero@disney.com>
To: <security-basics@securityfocus.com>

Someone else has probably already suggested this... But what you
really need for this is a Citrix/Terminal Server. It is the best way to
make sure that files/code (viruses, worms...) don't go between the two
networks. Also, the idea that no files are actually being exchanged
should put the security honchos there at ease. I would look into
securing it with RSA's SecurID at the most and an SSL cert at the VERY
least.

This is cheap, doesn't require dedicated hardware (outside of the
server) and should allow your people to do what they need to do remotely
with very little bandwidth.

Nick Nero, CISSP, MCSE, CCNA, CCA
The Walt Disney Company

-----Original Message-----
From: schultz_young_assoc@ureach.com
[mailto:schultz_young_assoc@ureach.com]
Sent: Thursday, October 24, 2002 4:31 PM
To: security-basics@securityfocus.com
Subject: Re: Secure remote access for users

In-Reply-To: <3DB69E87.2962.471CC04@localhost>

From my experiences, I suggest the following:

Cisco VPN 3000 concentrator - using IPSec + IKE + Diffie-Hellman key exchange + 3DES encryption - for the VPN end-point.

Cisco VPN Client 3.6x for the client software with like configuration (of course).

The company-owned / managed laptops are a good idea in most ways except capital expenditure - but, much less hassle to 'own the image' allowed on the machine. Or, as you noted, they could use their own equipment.

Either way, the following gives you tight control over what is allowed, consistent behavior while the client is attached, and very decent security.

The above HW/SW combination provides the ability for fully pre-configured client access to your VPN end point and includes ZoneLab's ZoneAlarm Pro built into the client. You can then force - through the 3000's config - the client to run the FW component. Also, enforce 'no split-tunneling'. This forces all traffic through the VPN to your end-point - no access to their local ISP for local internet access. Your users can get access to the internet through their normal method - this also helps enforce web content inspection and proxying / denying disallowed content (if you do that already).

Next, if you have to provide dial-in, you can accomplish the same thing as noted above for VPN AND, additionally, the Secure Remote Access Dial, all in one box - something like a Cisco 3660-series router, PRI-T1 module, Mica Modem digital modem card (up to 60 modems or so in that chassis = 60 concurrent connections). Then add the AIM-VPN hardware encryption module and you get hardware-accelerated encryption and this whole bundle meets FIPS-140 and Common Criteria EAL-4 Government / Industry certifications (respectively) (attention to the details of the certified configs is necessary, but very obtainable). The same VPN Client 3.6x works against either end-point platform.

Also, for the dial-in, most sites implement an 800 / toll-free number for their users.

All of the above should be configured to authenticate users against a RADIUS or TACACS+ server, preferably with an additional authentication layer (hence the name '2-factor authentication') such as RSA's ACE/Server with the randomly-generated token code the user carries with them (something they know - a password + something they have - the token and code).

I am sure there are other options in the open-source community. However, complexity of installation and management, as well as availability of knowledgeable Linux/Unix on-site staff to monitor security and devices may be an issue.

Hope this helps.

Best Regards,

Eric R. Young - CCNP, CCDP, MCSE
Network Engineer / Owner
Schultz, Young & Associates
Ph./Fx. 877.651.8016
Email: Schultz_Young_Assoc@ureach.com
VCard: www.ureach.com\schultz_young_assoc

>Hi,
>
> This is a long one, so go get a cup of coffee first!
>
> We are looking into providing remote access (dial-up, VPN, or both) to our network for our users. We would like to hear any and all advice/recommendations that you have to give about providing such a service. Here are some of the issues we're encountering:
>
>- Whose computer should be used?
>If we let users log in using their personal PC, that opens up a lot of potential problems (viruses, trojans, who uses the PC, etc.). Is it better to provide laptops that users can check out and that we have personally locked down? Cost is also an issue, so purchasing several laptops for this purpose wouldn't be ideal when considering the initial investment. However, it may be necessary.
