VPN home worker implementation
lanwanhr_at_yahoo.com
Date: 07/27/05
- Next message: Rick Ng Chi Wah: "NAT question"
- Previous message: Jim: "Re: Possible security problem?"
- Next in thread: Leythos: "Re: VPN home worker implementation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 27 Jul 2005 09:01:08 -0700
Firstly, apologies if this is the incorrect NG - if there is one
better suited please advise and I'll report there.
I am an overworked underpaid sysadmin (I know I'm not the only one!)
and am looking to implement a solution to allow staff to work from
home, but one that does not pose an unacceptable risk to Company
network security.
The solution I am evaluating consists of the following:
Firewall (GNATbox) acting as VPN host which is connected to Company
network.
VPN client (www.greenbow.com) on authorised Company PCs of staff who
are allowed to work from home. Each client has individual shared
secret, and username/password combo which must be entered which
matches that on firewall (i.e. if laptop stolen we can remove VPN
access).
Software firewall on Company PCs (Officescan) which restricts machine
to traffic (inbound/outbound) of Company WAN and VPN host IP (i.e.
external ip of firewall). The policies of this firewall are centrally
managed and not overridable by user.
So a staff member goes home, connects their laptop to broadband at
home, can only talk to our firewall (not the internet directly) and
establishes VPN. All Internet, email etc must go through Company
systems (i.e. over VPN first) which means we can monitor usage, block
sites, protect (?) staff from porn etc.
This should mean staff can access Company resources from home using the
Internet, but can not use torrents, messenger etc. It also should mean
that although they are connected to the Internet and have internal
Company network access at the same time the internal network is secure
- rather than if the client had no firewall it could be compromised
from the Internet which would then compromise the internal network as the
Corp firewall would be effectively bypassed.
I like this because as far as I can see it works and is acceptable
security wise.
I don't like this because it means we're going to need a fat pipe with
a lot of upstream bandwidth to serve these broadband connected VPN
clients, as well as a lot of downstream bandwidth (possibly different
line) to pull down their Internet requests before we can send it to
them. Policy wise this works but it doesn't seem an efficient way from
a network traffic perspective.
I'm also not sure that in the real world different broadband providers
might need the firewall policy relaxing somewhat - dhcp for starters -
anything else which will make my life difficult?
I'd appreciate a second opinion on the above - if it's the wrong way to
approach this or presents serious risks please tell me :)
Cheers
Tim
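As an added illustration (not part of Tim's post, and not GNATbox, GreenBow or Officescan configuration): a small Python model of the locked-down host-firewall policy described above, where the laptop may only talk to the VPN host and the Company WAN, plus the DHCP bootstrap exception the post wonders about. The VPN host address and Company WAN range are constructed documentation addresses, and the IPsec ports (UDP 500/4500 for IKE and NAT-T, IP protocol 50 for ESP) are an assumption about how the client reaches the firewall.

```python
"""Model of the home-worker host-firewall policy from the post.

Constructed example: addresses come from the RFC 5737 documentation
ranges, and the IPsec ports are an assumption, not a vendor default.
"""
import ipaddress
from dataclasses import dataclass

VPN_HOST = ipaddress.ip_address("203.0.113.10")        # constructed: firewall external IP
COMPANY_WAN = ipaddress.ip_network("198.51.100.0/24")  # constructed: Company WAN range
IKE_PORTS = {500, 4500}                                # assumption: IKE and NAT-T


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" (laptop -> network) or "in" (network -> laptop)
    proto: str      # "udp", "tcp" or "esp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def allowed(pkt: Packet) -> bool:
    """Return True if the policy permits this packet on the laptop's NIC."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    peer = dst if pkt.direction == "out" else src
    # DHCP must work before the laptop has any address at all, so the
    # client/server port pair is allowed regardless of IP (the "dhcp for
    # starters" exception from the post).
    if pkt.proto == "udp" and {pkt.sport, pkt.dport} == {67, 68}:
        return True
    # IPsec only to or from the VPN host: IKE/NAT-T over UDP, then ESP.
    if peer == VPN_HOST:
        if pkt.proto == "esp":
            return True
        if pkt.proto == "udp" and (pkt.sport in IKE_PORTS or pkt.dport in IKE_PORTS):
            return True
    # Direct traffic to the Company WAN (when the laptop is in the office).
    if peer in COMPANY_WAN:
        return True
    # Everything else, including direct Internet and inbound probes, is dropped;
    # Internet-bound traffic only ever leaves inside the ESP tunnel.
    return False
```

Running a policy model like this against sample packets before rollout is one way to find which ISP-side exceptions the locked-down rules actually need: here only DHCP, since DNS and web traffic resolve over the tunnel.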