1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Require a vpn connection

Discussion in 'Computer Security' started by nugget, Nov 3, 2008.

  1. nugget
    Honorary Member

    nugget Junior toady

    7,796
    71
    224
    Hey Mike, just thought I'd start another thread rather than getting way off topic in the other one.

    Do you have any idea or a way to implement this other than leaving it up to the user?

    The reason I'm asking is that it's an idea that I've wanted to put in place for a while for our laptop users, to require them to connect via vpn and then so their surfing etc through the company network and protection rather than through their home network connections.
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  2. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    Well, you'd leave their proxy settings alone, and you'd require that they use VPN client software to connect to your network. All that would have to be set up on their laptops ahead of time. There are plenty of solutions out there... Cisco and Sonicwall are the two I'm most familiar with.

    There's also SSL-VPN technology that you can use to eliminate the requirement for client software, but since that requires a Web connection, I'm not sure how you would need to implement it to solve your particular problem.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  3. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    VPN traffic can be locked down at some wireless hotspots which could be a hassle for your users. No VPN = No access to proxy = No web browsing = Angry user.

    SSL VPN gets around this however in some cases you need to access the web interface of the SSL box to connect so if you cant get a valid web connection first then no VPN connection to the proxy. You might be able to add the SSL VPN URL as an expception in IE so it bypasses the proxy though.

    Another issue is performance, remember that the web traffic will have to go from the website to your office, through the proxy and then back out to the laptop. Might be worth testing this before the users start connecting.

    Lots to think about! :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  4. nugget
    Honorary Member

    nugget Junior toady

    7,796
    71
    224
    At the moment we have it so that users make a vpn connection to the firewall. After that they get the dhcp address and are then part of the network.

    I know a friend of mine got a laptop from the large pharma company that he started working for and it was set up so that everytime he connected to a network (home, public, starbucks etc) the vpn made the connection to their network and he could go online. It was all automatic and he had no other choice.

    That's the sort of thing I'd also like to do. The idea of the CEO sitting in an airport somewhere surfing over wifi really scares me for some reason.

    I was just wondering (with your spook background :twisted: ) if you knew of a way to enforce this.
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  5. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    Exactly right! Always have to weigh the tradeoffs between security and usability. Repped.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  6. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    If you force the use of a proxy (take out the tab in IE through a GPO so it cant be changed) and for your VPN disable split tunneling then the web traffic will have to go through the proxy.

    Like I said before though, test before you upset all the users! :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  7. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    Setting it up is the easy part... enforcing it is the hard part. My gut instinct would be to use a GPO to lock it down so they can't change settings.

    You're right to be concerned. We had some transcriptionists using company PCs at home. They connected to the office either by VPN client app or by SSL-VPN. Unfortunately, when they weren't on the VPN, they could browse anywhere. Some of them would routinely bring their PC in to be reimaged (as we saw on the AV scan reports that their PCs were infected). A simple lockdown so they couldn't browse without connecting might have solved the problem... but red tape from management kept that from happening for months.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  8. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    GPOs = lock down IE to prevent user's arsing around with proxy settings.
    Disable split-tunnelling to prevent them routing internet traffic through their home network whilst VPNed in.
    Look into an SSL VPN - not cheap, but by far the most easy to enforce and flexible
     
    Certifications: A few
    WIP: None - f*** 'em
  9. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    LAWL

    Just noticed Sparky has basically said exactly the same thing as me... I'll get me coat!
     
    Certifications: A few
    WIP: None - f*** 'em
  10. nugget
    Honorary Member

    nugget Junior toady

    7,796
    71
    224
    Thanks for the great advice guys.
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  11. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    Some solutions just work. :thumbleft
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  12. kevicho

    kevicho Gigabyte Poster

    1,219
    58
    116
    Cant remember who said it on the other thread, but the last company I worked for used a Citrix access gateway for remote users, and a proxy internally, and they used a registry file which amended the proxy server settings and labelled them inside and outside company and put on the users desktop, so the users knew what it was about.

    It was also part of the induction for laptop users and explained in a printed howto guide that they took with them, so the training part we covered.

    Also finally we locked down internet explorer using the content adviser to only allow access to the secure page that the CAG used, and also to the address 192.168.0.1 which we used for wireless access on various sites (They installed broadband via a wireless router for site managers), so if we had an issue with the wireless their we could access the routers config.

    This also forced users to only surf through the content filtered proxy server as well.

    We were looking at logmein before i left so they could do remote support so id imagine that site was added at some point as well, but im not there anymore lol
     
    Certifications: A+, Net+, MCSA Server 2003, 2008, Windows XP & 7 , ITIL V3 Foundation
    WIP: CCNA Renewal

Share This Page

Loading...