Solved

VPN Remote Access

Posted on 2006-06-29
Last Modified: 2010-04-18
Hi All,

I want to set up remote access for staff at home to log in and access a program. The problem is that I have been told that by using a VPN on its own, the network will be at the mercy of the users' security updates, service packs, virus definitions and general health of their machine.

I was told that using Terminal Server and purchasing TS CALs for each staff member was the safest way to go.

Can someone please tell me how most people set up remote access to give protection from outside viruses and give best remote access speed?

Please give me some detailed information, because I am confused, and my boss wants to know why he has to pay for a TS CAL for each staff member and a Windows Server CAL for each staff member when he thinks we should just use VPN. Is VPN on its own safe?

Thank you
0
Question by:JSCHS
5 Comments
 
LVL 48

Assisted Solution

by:Jay_Jay70
Jay_Jay70 earned 250 total points
ID: 17015616
http://www.onecomputerguy.com/networking/w3k_vpn_server.htm

http://www.onecomputerguy.com/networking/xp_vpn.htm

ports needed are at the bottom


or you can install terminal services but it is a lot more expensive
0
 

Author Comment

by:JSCHS
ID: 17015651
Sorry, to be more clear, I have already set up a VPN client and have access into the network. The question I am proposing is should I now tell all staff how to get in. The reason I ask this question is if their computer is riddled with viruses etc. then our network will surely be affected.

This is why I am asking for help. How do I protect my network from Viruses etc from users at home.

That's why I suggested Terminal Services, because a user simply logs into the terminal server and uses its virus protection, security etc.

Please help
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17015730
if you have a decent AV on your server it should look after you

however, if you know the machine is riddled then no way would I let them in
0
 
LVL 2

Accepted Solution

by:SkUllbloCk
SkUllbloCk earned 250 total points
ID: 17016766
Jay_jay70 was right in what he said, the crux of the matter is if you want remote access, then you are already opening up a door for security issues, but you should already know that, and have weighed up both the pros and cons of having the VPN.

The best and cheapest solution is to set up the VPN with the highest possible security, and only probably use some sort of key distribution (pre-shared key is what we use) with some rather strict rules set up for who has access, what ports, and what media are allowed before the client is granted access to the server. L2TP over IPSec is a very good idea, and try to limit the authentication challenge to one thing. (MS-CHAP v2) I recommend.
But then we still come to the problem of viruses coming from the client machine. As Jay_jay said, make sure you have a good corporate AV in place for both the client and home systems.
Make sure the user that logs on from home has limited permissions on the server, use the deny permission rather than the "no permission" strategy for shares and resources that the client doesn't need access to.

Run AV scans and malware scans every day on the server (scheduled) to make sure that you are properly protected.
Make sure you have proper backup policies in place.

Ideally the terminal idea is the safest, but it is indefinitely more expensive.

So here is what I suggest. Find out the cost involved for the terminal solution, weigh it up against the chances of a virus on the client home system, determine the value of your data integrity, and what the downtime cost would be of restoring the server if it is compromised.
0
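
One way to apply the accepted answer's advice on limiting ports and using explicit deny on shares, added here as an example that is not from the original thread. It assumes a current Windows Server with the NetSecurity and SmbShare PowerShell modules; the VPN address pool, application port, group name and share name are constructed placeholders.

```powershell
# Added example. Every value below is a constructed placeholder (assumption).
$VpnPool       = '10.8.0.0/24'            # address range handed to VPN clients
$AppPort       = 8443                     # TCP port of the remote-access program
$VpnGroup      = 'CORP\VPN-Remote-Users'  # AD group holding the home users
$AllowedShares = @('AppData')             # shares the program really needs

# 1. Ports: let the VPN pool reach only the application port.
New-NetFirewallRule -DisplayName 'VPN pool - allow app' -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort $AppPort -RemoteAddress $VpnPool

# In Windows Firewall a block rule wins over any allow rule, so block the
# complement of the app port. Blocking "all ports" would block the app too.
$blocked = @()
if ($AppPort -gt 1)     { $blocked += "1-$($AppPort - 1)" }
if ($AppPort -lt 65535) { $blocked += "$($AppPort + 1)-65535" }
New-NetFirewallRule -DisplayName 'VPN pool - block other TCP' -Direction Inbound `
    -Action Block -Protocol TCP -LocalPort $blocked -RemoteAddress $VpnPool

# UDP is blocked entirely here; open DNS or similar first if this server
# provides it to VPN clients.
New-NetFirewallRule -DisplayName 'VPN pool - block UDP' -Direction Inbound `
    -Action Block -Protocol UDP -RemoteAddress $VpnPool

# 2. Shares: explicit deny for the VPN group on every share not on the list.
#    -WhatIf only previews the change; remove it once the list looks right
#    (on a domain controller, add SYSVOL and NETLOGON to $AllowedShares).
Get-SmbShare -Special $false |
    Where-Object { $AllowedShares -notcontains $_.Name } |
    ForEach-Object {
        Block-SmbShareAccess -Name $_.Name -AccountName $VpnGroup -Force -WhatIf
    }

# 3. Review what is now in place.
Get-NetFirewallRule -DisplayName 'VPN pool - *' |
    Select-Object DisplayName, Action, Enabled
Get-SmbShare -Special $false |
    ForEach-Object { Get-SmbShareAccess -Name $_.Name } |
    Where-Object { $_.AccountName -eq $VpnGroup }
```

The firewall rules only take effect if traffic from VPN clients reaches this server with a source address inside the pool, so check that the VPN gateway does not NAT client traffic behind its own address.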
