
Limiting VPN Access to only a small section of the network

How can I limit VPN access to a small section of my network? In fact, I just want users coming in on the VPN to access just one machine once they gain entrance to the network.

Thanks
Asked by: Christian_Agard
 
gabeso commented:
A good way of doing this is to use a firewall to block incoming packets that aren't for the permitted machine. It depends on the network you have: a firewall would need to be present after the VPN box to do this, as the users would have to be authenticated first, but then any attempt to contact other hosts would be intercepted and blocked.

Christian_Agard (author) commented:
I use ISA 2000 and the VPN client from ISA 2000.
I created a test username and it can connect via the VPN, but I saw nowhere on the firewall to limit the connection to one machine.

Any ideas?
gabeso commented:
I was thinking more of a separate firewall device; it's more secure and easier to configure.

However, if you are working with the Microsoft setup that you have... is it not possible to use Active Directory to deny these users access to any of these hosts? Something like: create a group for all of the VPN users and then make sure that they are only allowed access to the permitted host and denied access to the others.
victornegri commented:
What VPN are you using? Microsoft? Cisco? etc. On some VPN setups, you can define the destination network. You can enter a subnet mask of 255.255.255.255 to limit their connection to one IP.
1_UP commented:
I agree with gabeso that an actual external firewall device (such as a Sonicwall) would be your best bet. Such devices often allow you to determine which segment of the network you would like the VPN to 'terminate' upon. In other words, you will have multiple IP ranges (subnets), and the VPN will stop there (it can be a single machine). On a device like the Sonicwall, there are multiple NIC ports (LAN, WAN, DMZ), each with their own MAC addresses, that can be bound to a particular subnet or 'zone'. The VPN will terminate at said zone, and Windows Networking (NetBIOS) will not show any other machines, shared drives, etc. except the ones in that zone.
If that is not an option, for cost or other reasons, simply make sure that all other computers' shared resources, like mapped drives, are secured by the appropriate Active Directory user permissions. Then if the user looks at the 'Entire Network' he will be able to see the friendly NetBIOS names, but should be unable to access any sensitive resources.
What type of VPN/OS are you using? As victornegri suggested, there are often parameters within the Remote Access Server that allow you to control the Destination Network. In WS 2003, go to Manage My Server, click on the "manage this RAS/VPN server" link, go to Remote Access Policies and choose Properties on your VPN. Then under the IP tab is an IP filter that will allow you to restrict the types of packets sent and received. This should allow you to prevent the VPN client from viewing protected network devices.
I hope this was helpful! I am a network admin for a company in NC, and am new to this site and look forward to sharing my knowledge and learning as much as I can from the many skilled experts here!
victornegri commented:
As mentioned by 1_UP, I have a VPN set up for one of my clients using a Sonicwall TZ170 that allows me to limit the users based on IP address and port. I currently have multiple users that are only allowed to access the Exchange port on our Exchange server and nothing else. If you're willing to shell out some $$$, the TZ170 with the enhanced OS is a good way to go.
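The three suggestions above (gabeso's firewall sitting behind the VPN box, victornegri's 255.255.255.255 mask to pin the destination to one IP, and the Sonicwall-style "one host, one port" rule) are the same policy. The script below is an added example, not from any poster in this thread and not ISA 2000 or Sonicwall configuration: it expresses that policy as Linux iptables rules for a box that terminates the VPN and routes client traffic in from a tunnel interface. The interface name `tun0`, the permitted host `192.168.1.50` and port `443` are hypothetical placeholders; `mask_to_prefix` shows why a 255.255.255.255 mask means exactly one host (a /32).

```shell
#!/bin/sh
# Added example: restrict forwarded VPN-client traffic to one LAN host.
# Assumes a Linux VPN gateway with iptables; all names are placeholders.

# Convert a dotted netmask to a prefix length. 255.255.255.255 -> 32, i.e. a
# single host, which is why that mask limits the "destination network" to one IP.
# Rejects malformed or non-contiguous masks (e.g. 255.0.255.0).
mask_to_prefix() {
    prefix=0
    partial=0
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo "bad mask: expected four octets" >&2; return 1; }
    for octet in "$@"; do
        # Once an octet is not all-ones, every following octet must be 0.
        if [ "$partial" -eq 1 ] && [ "$octet" != 0 ]; then
            echo "bad mask: non-contiguous" >&2; return 1
        fi
        case $octet in
            255) prefix=$((prefix + 8)) ;;
            254) prefix=$((prefix + 7)); partial=1 ;;
            252) prefix=$((prefix + 6)); partial=1 ;;
            248) prefix=$((prefix + 5)); partial=1 ;;
            240) prefix=$((prefix + 4)); partial=1 ;;
            224) prefix=$((prefix + 3)); partial=1 ;;
            192) prefix=$((prefix + 2)); partial=1 ;;
            128) prefix=$((prefix + 1)); partial=1 ;;
            0)   partial=1 ;;
            *)   echo "bad mask octet: $octet" >&2; return 1 ;;
        esac
    done
    echo "$prefix"
}

# Print the iptables commands for: VPN_IF HOST MASK [TCP_PORT]
# Traffic entering from the tunnel may only go to HOST/MASK (and only to
# TCP_PORT if given); replies may flow back; everything else is logged and dropped.
vpn_filter_rules() {
    vpn_if=$1; host=$2; mask=$3; port=${4:-}
    prefix=$(mask_to_prefix "$mask") || return 1
    dest="$host/$prefix"
    # Return traffic for connections the client already opened.
    echo "iptables -A FORWARD -o $vpn_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    if [ -n "$port" ]; then
        echo "iptables -A FORWARD -i $vpn_if -d $dest -p tcp --dport $port -j ACCEPT"
    else
        echo "iptables -A FORWARD -i $vpn_if -d $dest -j ACCEPT"
    fi
    # Anything else from the tunnel: log it (so probing is visible), then drop.
    echo "iptables -A FORWARD -i $vpn_if -j LOG --log-prefix \"vpn-denied: \" --log-level 4"
    echo "iptables -A FORWARD -i $vpn_if -j DROP"
}

# Dry run with placeholder values; set APPLY=1 (as root) to actually load them.
if [ "${APPLY:-0}" = 1 ]; then
    vpn_filter_rules tun0 192.168.1.50 255.255.255.255 443 | sh
else
    vpn_filter_rules tun0 192.168.1.50 255.255.255.255 443
fi
```

Two caveats a practitioner will want. First, the rules only constrain the FORWARD chain, so the gateway itself is not protected by them; add matching INPUT rules if the VPN box also hosts services. Second, the drop rule is appended, so it must come after any pre-existing broad ACCEPT in FORWARD (or put these rules in their own chain jumped to at the top), otherwise the earlier rule wins and the restriction silently does nothing.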
1_UP commented:
Hey, thanks guys! I am very glad to have been able to participate and I very much appreciate the generous points awarded... hope to see you all again soon.