Securing VPN remote users.

By sselinger ·
Question of the Day:

I am wondering what other organizations are doing regarding VPN security issues. I have had a hard time finding resources that talk about securing VPN users. A lot of sites say that VPNs fix security holes but it seems like they just introduce more security issues for remote users.
Here are the questions I am wondering about:
1) Who are your remote users? i.e., company owned machines or individual owned machines.
2) How do you protect against viruses from remote VPN users? Please be very detailed.
3) How do you install applications on remote users' computers and how do you update and support these applications?
4) Do you use terminal services such as Windows 2000 or Citrix Metaframe for applications?
5) How did you determine the server and bandwidth requirements for terminal server connections?
6) Have you used terminal services through a browser and what were your experiences?
7) If you use Citrix over Windows 2000 please explain the benefits you have found of Citrix compared to Windows 2000.
URLs of good security resources that talk about securing remote VPN users. I am not looking for sites that say that a VPN fixes all of my security concerns because it does not. In fact VPNs create even more security concerns.
What software are you using for viruses and/or remote user firewall software?

Here is my plan,

Have users connect to corporate network via the VPN. During each logon McAfee thin client would push out new virus definitions and would report viruses detected. Once this was complete the user could then connect to the terminal server for applications.

Thanks!
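
The logon gate in the plan above, sketched as an added example that is not part of the original post and is not McAfee's software. The report fields (`definitions_date`, `update_ok`, `detections`), the 7-day threshold and the decision names are assumptions chosen for illustration.

```python
from datetime import date, timedelta

MAX_DEFINITION_AGE = timedelta(days=7)  # assumption: the plan names no threshold

def admit(report, today):
    """Gate a VPN logon: return (decision, reasons), failing closed.

    `report` is a hypothetical status dict sent back by the logon step.
    """
    reasons = []
    try:
        defs = date.fromisoformat(report["definitions_date"])
    except (KeyError, TypeError, ValueError):
        defs = None
        reasons.append("no valid definitions date reported")
    if defs is not None:
        if defs > today:
            reasons.append("definitions dated in the future")
        elif today - defs > MAX_DEFINITION_AGE:
            reasons.append(f"definitions {(today - defs).days} days old")
    if report.get("update_ok") is not True:
        reasons.append("definition push did not complete")
    detections = report.get("detections")
    if not isinstance(detections, list):
        reasons.append("no scan result reported")
    elif detections:
        reasons.append("detected: " + ", ".join(map(str, detections)))
    return ("quarantine" if reasons else "terminal_server"), reasons

# Constructed sample reports (not real client output).
TODAY = date(2001, 6, 15)
SAMPLES = {
    "clean": {"definitions_date": "2001-06-14", "update_ok": True, "detections": []},
    "stale": {"definitions_date": "2001-05-01", "update_ok": True, "detections": []},
    "infected": {"definitions_date": "2001-06-15", "update_ok": True,
                 "detections": ["Constructed.Test.Virus"]},
    "silent": {},  # client sent nothing back
}

if __name__ == "__main__":
    for name, report in SAMPLES.items():
        print(name, admit(report, TODAY))
```

A client that sends no report at all is quarantined rather than waved through, which is the case a logon-time push most easily misses.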

All Comments

Securing VPN remote users.

by michael.picher In reply to Securing VPN remote users ...

I've set up many VPNs for customers and find connections to individual computers to be a lot of overhead.

The VPNs that work best are typically point to point connections for WAN connectivity. The VPN gets set up with hardware devices and stays set up.

When you give VPN client software to a user to install on their home computer you never know what they'll have for equipment, if it's infected, etc... Also probably only 2 to 5% of the users will be able to get it installed. And then they'll expect you to fix their home computer when your VPN software or virus software "breaks it".

The approach I'm recommending is to install VPN client software on equipment owned by the organization only. This is gear that you can control the configuration and virus protection on.

If users need access to resources from devices other than company owned resources they should be using Terminal Server or Citrix web clients (again so you don't have to set up software on an unsupported machine). Make sure that connections are secure and I would recommend using some security token type devices (like those from RSA) for authentication.

Mike

Securing VPN remote users.

by sselinger In reply to Securing VPN remote users ...

These are things that I already knew about VPNs. Please answer the question posted.

Securing VPN remote users.

by turambar386 In reply to Securing VPN remote users ...

Hey there. I dunno if I can answer all these questions in 1930 chars, but I'll give it a try...

1) Employees using either their own or company supplied systems.
2) We decided to not shoulder the expense and support of anti-virus software. Before employees get VPN access, they must sign an agreement stating that they have current AV software installed and that they maintain it regularly. They are required to tell us the brand and version of the software. This seemed to make sense since many of our employees already had AV software.
3) out of band on CDs
4) yes (metaframe), but a subset of VPN users have full IP access to the network.
5) we didn't.
6) no (dial up only)
7) server resides on NT only
-> http://networkmagazine.com/article/NMG20010518S0006
http://www.infosecuritymag.com/articles/may01/cover.shtml
http://www.itworld.com/Sec/2211/CWD010326firewalls/
9) As I said, we aren't supplying AV software to remote users. We are using personal firewall software, however, and this is very important. For ourselves, we are using the 'Secure Client' feature built into the Checkpoint VPN client. If you are not using a Checkpoint VPN Gateway, that's no use to you. Symantec's 'Desktop Firewall' software appears to be a good product to fill this need.
Hope this helps!

Securing VPN remote users.

by sselinger In reply to Securing VPN remote users ...

The question was auto-closed by TechRepublic

Securing VPN remote users.

by bluewizard In reply to Securing VPN remote users ...

Q.1) Who are your remote users?
A. Doesn't matter. You should consider everyone as a hazard and secure yourself accordingly.
Q.2) How do you protect against viruses
A. The same way as anything else. Put good antivirus software on all your servers and keep it up to date.
Q.3) How do you install applications on remote users' computers
A. I wouldn't do this. I would provide access to centrally held copies of software - see below.
Q.4) Do you use terminal services
A. Yes, Tarantella - see www.tarantella.com
Q.5) How did you determine the server and bandwidth
A. This depends on the application. Tarantella runs Adaptive IP which makes very good use of the available bandwidth. I have had very good results from modem connections.
Q.6) Have you used terminal services through a browser
A. That's what Tarantella does. It works wonderfully well.
Q.7) If you use Citrix
A. I haven't used Citrix but when I assessed both I found Tarantella to be better than Citrix and much less expensive.
Q. URLs of good security resources.
A. In some ways VPNs do solve more security problems than they create because you will be configuring the VPN from firewall to firewall and you will be setting the security policy of both ends. See www.netscreen.com for example.
Q. What software are you using for viruses and/or remote user firewall software.
A. We use McAfee office edition but there are others. For firewalls I would use Checkpoint 4.1 at your central site running of course on its own server. For your remote clients use a hardware firewall like NetScreen (see above). They are faster and cheaper than software for small sites.

Securing VPN remote users.

by Stillatit In reply to Securing VPN remote users ...

1. We connect all of our offices and all remote home users via vpn. Most are company-owned machines, a very few are personal.

2. All of our machines run Symantec anti-virus. We have a corporate license for all of the company-owned PCs and all personal machines which connect to us. (Pricing is by seat.) The server for the anti-virus software updates all computers at least weekly.

3. All company-owned machines are configured by our IT department. Personal machines are usually configured by us as well, with a few exceptions. Our help desk supports all applications. When updates are needed, we generally load the update on our server and all users pull a copy. (Depends on what the update is.)

4. We use Citrix Metaframe for our main applications. We use seamless windows so that users see the application window, with no remote desktop window.

5. Sizing is generally by seat-of-the-pants. We guesstimate 6K in bandwidth per user, and load up a dual-cpu server with as much memory as it can hold. If things seem to slow down, we will add a server.

(continued in comment)

Securing VPN remote users.

by Stillatit In reply to Securing VPN remote users ...

(continued)

6. We have tried services in a browser, but did not like it. Most of our users don't really know that they are using a terminal server, and we like to keep it that way.

7. We use Citrix over NT4. The main benefits of Citrix are seamless windows, added stability of connection and superior administrative utilities.

8. (no spaces or line breaks in any urls)
http://support.microsoft.com/support/kb/articles/Q255/7/84.ASP

You can read any sites you want, but the bottom line is that outgoing vpn does not add any security holes, since it is typically not set up to receive connections. Passwords and data between the client and server are typically encrypted, typically with 128-bit encryption. If you are really concerned about it, add a personal firewall on each machine, set to block everything you are worried about. (A virus is much more likely to come in via email, so this is probably overkill, but you must make your own risk tolerance decisions.)

Good luck.

Securing VPN remote users.

by estebandelatorre In reply to Securing VPN remote users ...

1) Who are your remote users?
Anyone that has correctly installed and configured the VPN client software and IP addresses (usually from the internet, because it is a private communication using a public line. That's a VPN!)
2) How do you protect against viruses from remote VPN users?
Remote/external users log in to your network server or set of servers. Once he is connected, the communication between your server and his pc is safe, so you should keep safe from his pc just as you do against any other private (in your lan) workstation.
An antivirus at the server, an e-mail antivirus, etc, etc. There are no possibilities to get infected FROM ANY other internet side machine.
3) How do you install applications on remote users' computers and how do you update and support these applications.
Applications should be WEB like, client server, or remote control apps. Set up a private internal web site and make an app like those that you can download software. Make an install downloadable script file and provide enough help online. The users must install the software itself.
4) Do you use terminal services such as Windows 2000. YES!!!
These are the most common and secure methods to move applications say from DOS to WEB like sessions. Printing is Ughhh!!!
5) How did you determine the server and bandwidth requirements for terminal server connections.
TRY and TEST. Line BW is not an issue, give 8K per connection, but resources at the server, definitely yes. Again, it all depends on your application, so set up a T2K server and start accessing it. There is so much info to track...
