Security Basics mailing list archives
RE: Secure remote access for users
From: Eric Young <schultz_young_assoc () ureach com>
Date: Thu, 24 Oct 2002 14:45:43 -0400
Steve,

From my experiences, I suggest the following:

Cisco VPN 3000 concentrator, using IPSec + IKE + Diffie-Hellman key exchange + 3DES encryption, for the VPN end-point. Cisco VPN Client 3.6x for the client software with like configuration (of course). The company-owned / managed laptops are a good idea in most ways except capital expenditure, but it is much less hassle to own the image allowed on the machine. Or, as you noted, they could use their own equipment. Either way, the following gives you tight control over what is allowed, consistent behavior while the client is attached, and very decent security.

The above HW/SW combination provides the ability for fully pre-configured client access to your VPN end-point and includes ZoneLabs ZoneAlarm Pro built into the client. You can then, through the 3000's config, force the client to run the FW component. Also, enforce no split-tunneling. This forces all traffic through the VPN to your end-point, with no access to their local ISP for local internet access. Your users can get access to the internet through their normal method; this also helps enforce web content inspection and proxying / denying disallowed content (if you do that already).

Next, if you have to provide dial-in, you can accomplish the same thing as noted above for VPN AND, additionally, the Secure Remote Access Dial, all in one box: something like a Cisco 3660-series router, PRI-T1 module, Mica Modem digital modem card (up to 60 modems or so in that chassis = 60 concurrent connections). Then add the AIM-VPN hardware encryption module and you get hardware-accelerated encryption, and this whole bundle meets FIPS-140 and Common Criteria EAL-4 Government / Industry certifications (respectively) (attention to the details of the certified configs is necessary, but very obtainable). The same VPN Client 3.6x works against either end-point platform. Also, for the dial-in, most sites implement an 800 / toll-free number for their users.

All of the above should be required to authenticate users against a RADIUS or TACACS+ server, preferably with an additional authentication layer (hence the name '2-factor authentication') such as RSA's ACE/Server with the randomly-generated token code the user carries with them (something they know, a password, + something they have, the token and code). I am sure there are other options in the open-source community. However, complexity of installation and management, as well as availability of knowledgeable Linux/Unix on-site staff to monitor security and devices, may be an issue.

Hope this helps.

Best Regards,
Eric R. Young - CCNP, CCDP, MCSE
Network Engineer / Owner
Schultz, Young & Associates
Ph./Fx. 877.651.8016
Email: Schultz_Young_Assoc () ureach com
VCard: www.ureach.com\schultz_young_assoc

-----Original Message-----
From: Steve Bremer [mailto:steveb () nebcoinc com]
Sent: Wednesday, October 23, 2002 11:05 AM
To: security-basics () securityfocus com
Subject: Secure remote access for users

Hi,

This is a long one, so go get a cup of coffee first!

We are looking into providing remote access (dial-up, VPN, or both) to our network for our users. We would like to hear any and all advice/recommendations that you have to give about providing such a service. Here are some of the issues we're encountering:

- Whose computer should be used? If we let users log in using their personal PC, that opens up a lot of potential problems (viruses, trojans, who uses the PC, etc.). Is it better to provide laptops that users can check out and that we have personally locked down? Cost is also an issue, so purchasing several laptops for this purpose wouldn't be ideal when considering the initial investment. However, it may be necessary. If we allow our users to use their own PCs, we then have to provide the necessary software for each person that may want to connect remotely. This also means we have to support their PC when something goes wrong that isn't work related. The additional software licenses and the cost of supporting their personal PC will help make the laptop option sound better.

- Dial-in Access - Dial-in is probably inherently more secure than a VPN over the Internet because of the more limited exposure, but many of our potential users could end up having to pay long distance charges to dial-in. That would probably never fly. Do we use dial-back capabilities? This would work fine for users dialing in from home, but for those users on the road, it would prove difficult to implement effectively. Long distance could also be a factor here as well.

- VPN Access - VPN access over the Internet would eliminate long distance charges for our home users (assuming they don't have to make a long distance call to reach their ISP). However, then you have to worry about securing the PC/laptop from attacks originating from the Internet while it is connected to our network via the VPN. However, it shouldn't be too difficult to install a personal firewall to block all non-VPN related traffic. Some VPN clients even have packet filtering capabilities built in.

- Limiting Access - Once the user connects, what are the best options to limit their access? It would be fairly simple to limit their access to specific hosts through packet filtering. However, this may not be the most effective solution since an intruder could compromise a host which they are allowed to access and use the compromised host to connect to the rest of the network. We could also use something along the lines of Winframe where the applications actually run on the server that the users connect to. It's been a long time since I've used it, but it seemed to work fairly well. That would limit the users' access to the applications that we provide on the Winframe server.

- Software - General recommendations? For dial-in access, Winframe would work great. I'm sure it can also be used via a VPN by this time. Are there any other software packages that are similar in functionality to Winframe? I've successfully used SSH Sentinel to connect to a Linux/Freeswan VPN. That would be a good option for remote VPN access, but then we're back to packet filtering for limiting user access.

Perhaps a combination of the above? Use the VPN for remote connections, and put a Winframe type software package after it to help limit access and prevent having to install a lot of software on users' PCs. A little diagram may be needed here:

Internet----> VPN----> Winframe server----> Internal network.

Hopefully I've provided enough information so that you can get an idea of what we're after here. I welcome any and all suggestions. I'm sure many of you have already setup remote access for your users, and I'm interested in knowing how would you do it now if you had a chance to do it all over again after your experience with your current setup.

Thanks for your input.

Steve Bremer
NEBCO, Inc.
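The reply above recommends that the VPN concentrator or dial-in box hand every login to a RADIUS server and that the server require a second factor, a token code carried by the user, on top of the password. The following is an added worked example, not code from either poster or from any Cisco or RSA product: it builds and checks the RFC 2865 Access-Request / Access-Accept exchange in Python, with the NAS side hiding the passcode under the shared secret and the server side validating a static password plus a one-time token code. The token code is an RFC 4226 HOTP value, used here as an open stand-in for a SecurID-style token (the ACE/Server algorithm itself is proprietary). The user records, the shared secret, the "password followed by six-digit token code" passcode layout and the look-ahead window are all assumptions made for the example; nothing touches the network, the two sides simply exchange byte strings.

```python
"""Two-factor remote-access login over RADIUS (constructed example): the NAS hides the
passcode (static password + token code) per RFC 2865, the server unhides it and checks the
token code as RFC 4226 HOTP, standing in for a SecurID-style token.  All data is made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
LOOK_AHEAD, TOKEN_DIGITS = 3, 6   # accepted counter window; token code length (assumed)

def hotp(secret, counter, digits=TOKEN_DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _xor_chain(data, secret, authenticator, hiding):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous hidden block)."""
    out, prev = b"", authenticator   # chain is seeded with the Request Authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        c = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + c, (c if hiding else block)
    return out

def hide_password(password, secret, authenticator):
    return _xor_chain(password + b"\x00" * (-len(password) % 16), secret, authenticator, True)
def unhide_password(hidden, secret, authenticator):
    return _xor_chain(hidden, secret, authenticator, False).rstrip(b"\x00")
def build_packet(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack(">BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_attrs(packet):
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            break   # malformed TLV: stop instead of spinning; the request then fails closed
        attrs[t] = packet[pos + 2:pos + length]
        pos += length
    return attrs

def client_access_request(username, passcode, secret, ident=1, authenticator=None):
    """NAS side: Access-Request with a fresh random 16-byte Request Authenticator."""
    authenticator = authenticator or os.urandom(16)
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(passcode.encode(), secret, authenticator))]
    return build_packet(ACCESS_REQUEST, ident, authenticator, attrs)

def client_check_response(request, response, secret):
    """NAS side: verify the Response Authenticator so a spoofed Access-Accept from someone
    without the shared secret is ignored.  Returns the reply code, or None if forged."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return response[0] if hmac.compare_digest(expected, resp_auth) else None

class TokenServer:
    def __init__(self, secret, users):
        self.secret, self.users = secret, users   # name -> {password, token_secret, counter}

    def handle(self, request):
        code, ident, length = struct.unpack(">BBH", request[:4])
        req_auth, attrs, ok = request[4:20], parse_attrs(request), False
        if code == ACCESS_REQUEST and length == len(request) and ATTR_USER_PASSWORD in attrs:
            user = self.users.get(attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace"))
            passcode = unhide_password(attrs[ATTR_USER_PASSWORD], self.secret, req_auth)
            ok = user is not None and self._check_passcode(user, passcode)
        return self._reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth)

    def _check_passcode(self, user, passcode):
        password, code = passcode[:-TOKEN_DIGITS], passcode[-TOKEN_DIGITS:]
        if not hmac.compare_digest(password, user["password"]):
            return False
        # Accept an unused counter in the window, then advance past it so a replayed code fails.
        for c in range(user["counter"], user["counter"] + LOOK_AHEAD):
            if hmac.compare_digest(hotp(user["token_secret"], c).encode(), code):
                user["counter"] = c + 1
                return True
        return False

    def _reply(self, code, ident, req_auth):
        head = struct.pack(">BBH", code, ident, 20)   # reply carries no attributes
        return head + hashlib.md5(head + req_auth + self.secret).digest()

def demo():
    """Fresh code accepted; replay, wrong password and a forged reply are all refused."""
    shared, token_secret = b"radius-shared-secret", b"12345678901234567890"   # constructed
    server = TokenServer(shared, {"steve": {"password": b"s3cret",
                                            "token_secret": token_secret, "counter": 0}})
    req = client_access_request("steve", "s3cret" + hotp(token_secret, 0), shared)
    bad = client_access_request("steve", "wrong" + hotp(token_secret, 1), shared)
    forged = struct.pack(">BBH", ACCESS_ACCEPT, 1, 20) + os.urandom(16)
    return {"first": client_check_response(req, server.handle(req), shared),
            "replay": client_check_response(req, server.handle(req), shared),
            "wrong_password": client_check_response(bad, server.handle(bad), shared),
            "forged": client_check_response(req, forged, shared)}
```

Calling `demo()` runs the four cases: a first login with a fresh token code comes back as Access-Accept (code 2), the identical request replayed comes back Access-Reject (3) because the server has moved its counter past the used value, a wrong static password is rejected without touching the counter, and a reply whose Response Authenticator was not computed with the shared secret is returned as `None` rather than trusted. The two points worth carrying over to a real deployment are the ones the code makes visible: the User-Password hiding is only as strong as the RADIUS shared secret (the MD5 keystream is derived from it), so that secret needs the same care as the VPN pre-shared keys, and the server must record which token values have been consumed, or a code sniffed from a dial-in or VPN session remains valid for a second login.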
Current thread:
- Secure remote access for users Steve Bremer (Oct 24)
- RE: Secure remote access for users Keenan Smith (Oct 25)
- <Possible follow-ups>
- RE: Secure remote access for users Eric Young (Oct 25)
- Re: Secure remote access for users schultz_young_assoc (Oct 25)
- RE: Secure remote access for users Nero, Nick (Oct 28)
