Help with Network Security

Discussion in 'Networks' started by nXPLOSi, Mar 23, 2011.

  1. nXPLOSi

    nXPLOSi Terabyte Poster

    Hi Guys,

A bit of background: over here at my place we have created an ASP.NET intranet application that our field agents will access via PPTP VPN from netbooks we're giving them.

What I'm worried about is our network security. At the moment the VPN lets traffic across any port (while we're in testing), but I'm looking to lock this down to only port 80 on the server that hosts the intranet site. (I can't see what else they'd need open to do the job required?)

The netbooks currently VPN in and pick up an IP at our firewall after logging on with a username/password combo. They then open the intranet site and work away.

I'm hoping someone with some VPN/security experience can help me out!

    Thanks :blink
     
    Last edited: Mar 23, 2011
    Certifications: A+, Network+, Security+, MCSA 2003 (270, 290, 291), MCTS (640, 642), MCSA 2008
    WIP: MCSA 2012
  2. greenbrucelee

    greenbrucelee Zettabyte Poster

    Can you not just specify what ports to use and not to use in the firewall settings?
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  3. Theprof

    Theprof Petabyte Poster

    Depends if you have other applications that require other ports to be open; you would make your decision based on something like that... You could always allow only port 80 (HTTP) and/or 443 (HTTPS), but only if that's all you need open.
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  4. nXPLOSi

    nXPLOSi Terabyte Poster

    Yep!! We can indeed, and that's what I plan to do.

    My concern is that this is an area I've not worked in before, so I'm thinking that there are potentially issues out there that I'm not even thinking of. There will eventually be around 40-50 guys out there VPNing in over this connection to get access to the intranet, so I want to be as sure as I can with the security etc. :)
     
    Certifications: A+, Network+, Security+, MCSA 2003 (270, 290, 291), MCTS (640, 642), MCSA 2008
    WIP: MCSA 2012
  5. nXPLOSi

    nXPLOSi Terabyte Poster

    As far as the VPN is concerned, I can only see them needing port 80. I'm going to be locking it down to that tonight after hours and testing it all to ensure it still works. Will that be pretty secure as far as allowing remote users in over that port to the single server that's hosting the site?
     
    Certifications: A+, Network+, Security+, MCSA 2003 (270, 290, 291), MCTS (640, 642), MCSA 2008
    WIP: MCSA 2012
  6. greenbrucelee

    greenbrucelee Zettabyte Poster

    Some apps they use may require specific ports to be open, like for security updates etc., and I think some sites they may go to could require specific ports too. You could set it in port settings not to allow any ports over 2000 or something.

    Better to get the specs of the apps these people may be using so you know for definite what they use. Any ports that are not used can be blocked and shouldn't cause any issues as far as I can see.
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  7. craigie

    craigie Terabyte Poster

    I'm not sure if your budget allows, but why not go for an SSL VPN appliance like a SonicWall MRS4200? You could then couple this with two-factor authentication using a key fob or one on their mobile phone that generates a random number.

    This way you open up 443 to the SSL VPN appliance, and then you publish whatever they are allowed to see onto the SSL VPN appliance, in this case the intranet. So they will only ever have access to that on port 80.

    It would work like this:

    - They go to a URL https://vpn.craigiesdomain.com/portal/craigie

    - Log in with their AD username and password or two factor

    - They then see the intranet web site as a link.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  8. nXPLOSi

    nXPLOSi Terabyte Poster

    Unfortunately our budget is pretty much zero; we're basically being asked to work with what we have! :( It's a shame, because that way of doing it sounds pretty cool!

    What I've managed to do is lock down the VPN In and Out on our WatchGuard to only allow port 80, and only to and from the server that is hosting the intranet site. I can't see much else I can do to lock it down, to be honest?
     
    Certifications: A+, Network+, Security+, MCSA 2003 (270, 290, 291), MCTS (640, 642), MCSA 2008
    WIP: MCSA 2012
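The policy the last post describes (VPN clients may reach only TCP/80 on the single intranet host, everything else denied) can be checked before it goes onto the firewall. The following is an added example, not anything from this thread or from WatchGuard: a small first-match, default-deny rule evaluator run over constructed sample flows, comparing the open "testing" policy with the locked-down one. The VPN pool and server addresses are assumptions.

```python
"""Model of the VPN lock-down policy discussed above (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    proto: Optional[str] = None  # "tcp"/"udp", or None for any protocol
    dport: Optional[int] = None  # destination port, or None for any port

    def matches(self, src_ip, dst_ip, proto, dport):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in (None, proto)
                and self.dport in (None, dport))


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """First matching rule wins; an unmatched flow is denied (default deny)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"


# Assumed addresses: the VPN client pool and the intranet web server.
VPN_POOL = "10.99.0.0/24"
INTRANET = "192.168.1.10/32"

# Policy while testing: anything from the VPN pool to anywhere is allowed.
TESTING = [Rule("allow", VPN_POOL, "0.0.0.0/0")]
# Locked-down policy: only TCP/80 from VPN clients to the intranet host.
# Replies ride on the firewall's connection state, so no return rule is needed.
LOCKED = [Rule("allow", VPN_POOL, INTRANET, "tcp", 80)]

# Constructed sample flows: (src, dst, proto, dport, description)
FLOWS = [
    ("10.99.0.7", "192.168.1.10", "tcp", 80, "intranet site"),
    ("10.99.0.7", "192.168.1.10", "tcp", 3389, "RDP to intranet host"),
    ("10.99.0.7", "192.168.1.20", "tcp", 80, "HTTP to another LAN host"),
    ("10.99.0.7", "192.168.1.10", "tcp", 443, "HTTPS to intranet host"),
    ("10.99.0.7", "192.168.1.5", "udp", 53, "DNS to LAN"),
]


def audit(rules):
    """Return {description: verdict} for every sample flow under a policy."""
    return {d: evaluate(rules, s, t, p, port) for s, t, p, port, d in FLOWS}


if __name__ == "__main__":
    for name, policy in (("testing", TESTING), ("locked", LOCKED)):
        print(name, audit(policy))
```

Under the locked policy only the "intranet site" flow is allowed; every other sample flow, including HTTPS to the same host, is denied, which is the behaviour to confirm during the after-hours test.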
