Solved

What Common Practices to Protect a Remote Computer from Infecting a LAN via VPN?

Posted on 2014-07-23
Last Modified: 2016-11-23
We use a Dell SonicWall TZ210 appliance to connect our LAN to the internet and to remotely access our LAN.  We are on a Domain, and our Domain Controller is a Windows Server 2008 Computer.  I'm concerned that a person's home computer might have malware and that the malware could cause problems on our LAN if he/she establishes a VPN connection to our LAN.  Is there a way to only allow a remote user to use remote desktop to remote to his/her local work computer after establishing a VPN connection and not use his/her home computer to do anything else on our LAN except to connect to his/her work computer?  Then essentially the person would be using the work computer (local to the company) and only using his/her own computer at home to control his/her work computer.  Would that reduce/eliminate the chances of an infected remote computer causing problems on our LAN?  Are there other practices used to reduce the chances of a person's remote computer infecting a LAN when a VPN connection is established?
Question by: Declan_Basile
20 Comments

Accepted Solution by Rob Williams (LVL 77, earned 285 total points)
Personally I prefer not to use a VPN for that very reason and use direct RDP using SSL and a session host.  This way with group policy you can block attaching drives and the only thing traversing the connection is screen changes.  It also protects data by keeping it on the corporate network.  Other than taking screen shots the user cannot copy/steal company data.  The performance without the overhead of the VPN is slightly better as well.  RDP is very secure and enabling secure passwords and account lockouts limits password guessing something that you do not have with a VPN unless you configure RADIUS.

Assisted Solution by Sean Jackson (LVL 5, earned 144 total points)
I would begin employing Application White Listing to prevent anything unwanted from running.  Furthermore, I would make a policy that explicitly states that non-enterprise devices are not to connect to the network.  Use client certificates to enforce it.  Track enterprise-issued devices by MAC address, and if you see a non-enterprise-tracked MAC accessing the network by VPN, you should also have a record of what user has clearly copied their certificate to their personal device.  Discipline them accordingly.

Author Comment by Declan_Basile (LVL 1)
I used a feature of the SonicWall last night that limited the VPN connection to only being able to access one computer on the LAN.  I logged in via the VPN, then remote-desktopped to that one computer.  In this setup, would malware on the remote computer be able to infect the local computer and/or the LAN?  It seems to me this setup would minimize the risk but that there's still a chance that the malware could exploit a vulnerability in Remote Desktop and/or send malicious keyboard input to the local computer.  It looks to me like this solution would be as secure as using a direct RDP using SSL because you're only allowing the user to RDP to his own computer after creating a VPN connection.  However, this solution doesn't look like it's as secure as tracking enterprise-issued devices by MAC address.

Expert Comment by Rob Williams (LVL 77)
The VPN can be limited to one PC which reduces the risk to other computers but still allows additional traffic, such as viruses, between host and client.

Assisted Solution by Sean Jackson (LVL 5, earned 144 total points)
Yes, if a machine is connected to another through an authenticated session, I can't think of why a bit of malicious code couldn't get across to the other.  It's called pivoting, and it can happen in a corporate environment, a home office, or from the CEO's laptop on a table in a resort in South America back to the main office.  

Your main concern is to make sure all endpoints won't take a virus.  You also need to make sure all users are trained on what to look out for.  Yes, looking at VPN to eliminate risks is good, but lock down the computers that are allowed to connect too.  If a bad machine connects, the VPN offers no additional layer of security.

Author Comment by Declan_Basile (LVL 1)
Is there such a thing as a remote dumb terminal flashed with an encrypted password?  Such a device wouldn't be able to have malware if its sole purpose was to RDP to a computer on a company's LAN and it didn't have the ability to do anything else.

Expert Comment by Sean Jackson (LVL 5)
What OS would it be running?  Who would have physical access to it?  And what good would be accomplished by having a machine you can log on to, then RDP to a computer on the corporate LAN?  Would you not want to work on any documents? Would you not want to browse anything?  

If you have a windows box connecting to another box inside the LAN, even if through VPN, you have potential vectors exposed.

Secure that box and you'll do better.  

And don't let non-corporate devices connect.  See my earlier response.

Assisted Solution by Rob Williams (LVL 77, earned 285 total points)
>>"Is there such a thing as a remote dumb terminal"
Yes, they are called thin clients.
One option: http://www8.hp.com/ca/en/products/thin-clients/product-detail.html?oid=5378947#!tab%3Dfeatures
They boot to a basic Windows OS with the sole purpose of connecting to a remote system by RDP.  Reboot, and the system refreshes.

As you can see by my profile I have been a big supporter of VPNs over the years, but they are becoming far less common, primarily due to 3 reasons:
- problematic in many scenarios, such as many hotels, or NAT'd environments
- one major security flaw: a secure tunnel connected to a remote device over which you have no control or protection from viruses and hackers
- performance, or lack of performance

Other options are becoming more popular such as direct RDP using SSL, Branch Cache, and Direct Access.

Author Comment by Declan_Basile (LVL 1)
What OS would it be running?
I'm asking if you know of a device that already exists.  If such a device exist, I'd expect for it to have Linux.
---------------------------------
Who would have physical access to it?
An employee that needs to work remotely.
-----------------------------------------------
And what good would be accomplished by having a machine you can log on to, then RDP to a computer on the corporate LAN?
You wouldn't log into the machine.  The employee would just have to plug a monitor, keyboard and mouse into it, turn it on, select a Wifi Network and it would boot to his work computer's logon screen.
The good that would be accomplished is ...
1.) The device won't be capable of getting a virus because it's not a full blown computer, so it wouldn't be able to infect the work computer or company's LAN.
2.) You wouldn't have to set up the device to have a user account, disable USB ports, install anti-virus, ensure the anti-virus is kept up to date, etc. as you would with a laptop.  You would just have to flash an encrypted password, the company's IP and the work computer's IP into the device.  It would be much simpler.
3.) The device would be cheaper than a full blown computer.
So generally speaking, this solution would be simpler, cheaper, and more secure than the traditional solution of using a full blown computer/laptop.
-------------------------------------
Would you not want to work on any documents? Would you not want to browse anything?  
The employee would be remotely using his computer at work, so just like he can work on documents while he is sitting at his computer at work, he'd be able to work on documents while he's using his work computer remotely.
--------------------------------------
Alternatively, the device can be a dumb tablet, i.e. a touch screen monitor that only has the hardware and software necessary to make a secure connection to a computer at work.

Assisted Solution by Rob Williams (LVL 77, earned 285 total points)
You can get Linux units, you can get a bootable CD with an RDP client and no hard drive, but thin clients are very common in business.  It goes back to the old dumb terminal idea.  Everybody remotes into a terminal server; there is no local data, no local storage, no moving parts like fans, and the system refreshes upon reboot.  The ones to which I was referring run Windows and basically you use RDP and can in some cases browse the Internet.  You cannot install programs or make any changes.  These are very common in banks and retail outlets.

Author Comment by Declan_Basile (LVL 1)
I'm familiar with thin clients.  We have about 100 of them on our factory floor.  But do you know of any wireless thin clients that you can flash connection information into (company IP, work computer IP, and password), that will prompt the user to select an available Wifi connection (and Wifi password if necessary) upon booting it, and that will create a secure connection to a computer using the flashed connection information?  Additionally, do you know of any thin clients with the same specification that are built into a touchscreen monitor?

Expert Comment by Rob Williams (LVL 77)
There are lots of wireless thin clients, and using startup scripts and local group policy they can be locked down and set to automatically connect to a remote system.
Sounds like you are going to a lot of expense just to continue using a VPN.

Author Comment by Declan_Basile (LVL 1)
Thanks Rob.  Just one more question.  What's involved in using direct RDP using SSL and a session host?  I configured port forwarding in the SonicWall and used Remote Desktop to access my work computer from my home computer but don't know if I was using an SSL connection or not.  Would an SSL connection require our company to get an SSL certificate from a Certificate Authority, or is it just a matter of configuring the SonicWall to use SSL?

Assisted Solution by Rob Williams (LVL 77, earned 285 total points)
You do need an SSL certificate for the server, which runs about $70/year, though some are less expensive.  If you don't want to do so, you can generate a self-signed certificate on the server, but it has to be manually imported into the connecting PC.  It is added by default if it is a domain-joined PC.  Purchased certs do not need to be manually added, as they are automatically accepted by Windows.

Basically you run the Remote Desktop Setup wizard on the server and add the Terminal Server Gateway service (RD Gateway Service).  Once done, when connecting to any PC or server on the network, within the RDP client you specify the computer name in the computer 'box' rather than the site address, and under the advanced tab select settings and "Use these RD gateway settings" and enter the site address.

If by any chance you are running Small Business Server or Server Essentials, the gateway service is automatically set up during installation.

TS Gateway Step-by-Step setup guide:
http://technet.microsoft.com/en-us/library/cc771530(v=ws.10).aspx
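Declan asked above whether his port-forwarded Remote Desktop session was actually using SSL. The script below is an added example, not code from this thread, from Microsoft, or from SonicWall: it builds the X.224 Connection Request an RDP client sends and decodes the server's Connection Confirm, which states whether legacy standard RDP security, TLS, or CredSSP (Network Level Authentication over TLS) was negotiated. The byte layouts follow the public MS-RDPBCGR negotiation messages (TPKT + X.224 + RDP_NEG_REQ/RDP_NEG_RSP/RDP_NEG_FAILURE); the sample responses are constructed rather than captured, and the host and port passed to probe() are placeholders for your own server.

```python
"""Decode the RDP security-layer negotiation (MS-RDPBCGR 2.2.1.1 / 2.2.1.2).

Added example, not code from the thread or from Microsoft. Assumptions: the
byte layouts are taken from the public protocol specification, and the
sample packets below are constructed, not captured from a real server.
"""
import socket
import struct

# requestedProtocols / selectedProtocol values
PROTOCOL_RDP = 0x00000000        # legacy "standard RDP security", no TLS
PROTOCOL_SSL = 0x00000001        # TLS
PROTOCOL_HYBRID = 0x00000002     # CredSSP (Network Level Authentication) over TLS
PROTOCOL_RDSTLS = 0x00000004
PROTOCOL_HYBRID_EX = 0x00000008

PROTOCOL_NAMES = {
    PROTOCOL_RDP: "standard RDP security (no TLS)",
    PROTOCOL_SSL: "TLS",
    PROTOCOL_HYBRID: "CredSSP/NLA over TLS",
    PROTOCOL_RDSTLS: "RDSTLS",
    PROTOCOL_HYBRID_EX: "CredSSP/NLA with early user authorization",
}

FAILURE_NAMES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03


def build_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """X.224 Connection Request carrying an RDP_NEG_REQ for the given protocols."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested)  # type, flags, length, protocols
    # X.224 CR TPDU: length indicator, code 0xE0 (CR), DST-REF, SRC-REF, CLASS, user data
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))  # TPKT: version 3, reserved, total length
    return tpkt + x224


def parse_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm into a result dict."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data):
        raise ValueError("TPKT length does not match packet size")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    user_data = data[11:]            # 6 header bytes follow the length indicator
    if li - 6 != len(user_data):
        raise ValueError("X.224 length indicator does not match user data")
    if not user_data:
        # An old server that omits RDP_NEG_RSP only speaks standard RDP security.
        return {"kind": "legacy", "protocol": PROTOCOL_RDP,
                "name": PROTOCOL_NAMES[PROTOCOL_RDP]}
    if len(user_data) < 8:
        raise ValueError("truncated negotiation response")
    msg_type, flags, length, value = struct.unpack("<BBHI", user_data[:8])
    if length != 8:
        raise ValueError("unexpected negotiation message length")
    if msg_type == TYPE_RDP_NEG_RSP:
        return {"kind": "negotiated", "protocol": value, "flags": flags,
                "name": PROTOCOL_NAMES.get(value, f"unknown (0x{value:08x})")}
    if msg_type == TYPE_RDP_NEG_FAILURE:
        return {"kind": "failure", "code": value,
                "name": FAILURE_NAMES.get(value, f"unknown ({value})")}
    raise ValueError(f"unexpected negotiation message type {msg_type}")


def probe(host, port=3389, timeout=5.0):
    """Ask your own RDP host which security layer it negotiates (host/port are placeholders)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        reply = sock.recv(64)
    return parse_connection_confirm(reply)


if __name__ == "__main__":
    # Constructed sample reply: the server selected CredSSP/NLA (selectedProtocol = 2).
    sample = bytes.fromhex("030000130ed000001234000200080002000000")
    print(parse_connection_confirm(sample)["name"])
```

A reply of "standard RDP security (no TLS)" or a legacy confirm with no negotiation payload is the case Declan was worried about: the session is not protected by TLS and the server certificate Rob describes is not in play. An RD Gateway-fronted connection is TLS on port 443 end to end, and, as the rest of this thread notes, that protects the transport and the logon but says nothing about drive or clipboard redirection inside the session, which is still governed by Group Policy.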

Assisted Solution by Schuyler Dorsey (LVL 10, earned 71 total points)
I would HIGHLY recommend against allowing direct RDP access into an internal server from the public internet. You are not reducing risk; you are basically (sort of) preventing one form of risk but creating more. You open yourself up to direct RDP exploits, RDP brute-forcing and worms on the internet that target RDP.

Especially if your organization has to follow any type of compliance, this would not be allowed. If you feel so inclined to take this approach, at the bare minimum, place your RDP server(s) in a DMZ.

For your initial question, the best and most secure way is to keep it where users have to VPN before being able to connect via RDP. Then you can use your ACL to allow them access to the specific ports and IPs they need access to. For example, you could allow them to only access UDP 53 of the domain controllers (for DNS) and TCP 3389 of the desktop LAN or RDP server (remote desktop). (Basically just enforce least privilege).

Then I would also configure Group Policy to enforce NTLMv2 authentication to help prevent malware or APT from sniffing these.

Your SonicWall is a next generation firewall so it should also be scanning that traffic for potential threats (if it is licensed and configured to do so).
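The least-privilege ACL Schuyler describes, as an added example that is not part of this thread and not SonicWall configuration: a small policy evaluator that admits only UDP/53 to the domain controllers and TCP/3389 to the desktop LAN from the VPN address pool and denies everything else. The subnets (VPN pool 10.99.0.0/24, domain controllers 10.0.0.10 and 10.0.0.11, desktop LAN 10.0.2.0/24) and the sample flows are constructed assumptions; they are there so the rule set can be checked offline before it is typed into the appliance.

```python
"""Least-privilege ACL check for VPN client traffic (added example).

Models the policy from the answer above: VPN users reach only DNS on the
domain controllers and RDP on the desktop LAN; anything else is dropped by
the implicit default deny. Subnets and flows are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str            # "tcp" or "udp"
    port: int             # destination port
    action: str = "allow"


def net(cidr):
    return ipaddress.ip_network(cidr)


# Constructed topology (assumption, not from the thread)
VPN_POOL = net("10.99.0.0/24")
DOMAIN_CONTROLLERS = [net("10.0.0.10/32"), net("10.0.0.11/32")]
DESKTOP_LAN = net("10.0.2.0/24")

ACL = [Rule(VPN_POOL, dc, "udp", 53) for dc in DOMAIN_CONTROLLERS] + [
    Rule(VPN_POOL, DESKTOP_LAN, "tcp", 3389),
]


def evaluate(src_ip, dst_ip, proto, dport, acl=ACL):
    """First matching rule wins; no match means deny (default-deny posture)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in acl:
        if (src in rule.src and dst in rule.dst
                and proto == rule.proto and dport == rule.port):
            return rule.action
    return "deny"


def audit(flows, acl=ACL):
    """Return (flow, verdict) pairs so a proposed rule set can be reviewed offline."""
    return [(flow, evaluate(*flow, acl=acl)) for flow in flows]


# Constructed flows a VPN client might generate: DNS, RDP to a desktop,
# an SMB attempt against a desktop (the worm vector the answer warns about),
# and RDP aimed at a domain controller.
SAMPLE_FLOWS = [
    ("10.99.0.5", "10.0.0.10", "udp", 53),
    ("10.99.0.5", "10.0.2.40", "tcp", 3389),
    ("10.99.0.5", "10.0.2.40", "tcp", 445),
    ("10.99.0.5", "10.0.0.10", "tcp", 3389),
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:5}  {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}")
```

Only the two flows the policy names are allowed; the SMB and DC-bound RDP attempts fall through to the default deny, which is exactly what keeps a compromised home PC from pivoting beyond the one desktop it is meant to reach. Note what the ACL does not cover: once TCP/3389 is open, drive and clipboard redirection ride inside that session and have to be restricted by Group Policy, as Rob points out earlier in the thread.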

Expert Comment by Rob Williams (LVL 77)
If you can tighten down the VPN to restrict those ports or specific traffic I agree it is more secure but brute force attacks on RDP tend to be when you are using port 3389, not 443, SSL, and a TS Gateway.  You also want to make sure you enforce complex passwords and account lockouts.
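Rob's point about complex passwords and account lockouts is the preventive side; the monitoring side is noticing a password-guessing run against RDP before lockouts start hurting real users. The script below is an added example, not from this thread or from Microsoft: it reads Windows failed-logon events (Event ID 4625, logon type 10 = RemoteInteractive, i.e. RDP) and raises one alert per source address that accumulates a threshold of failures inside a sliding window, listing the account names tried. The log lines are constructed in a simplified key=value form, not real Security-log XML, and the field names, threshold and window are assumptions to adjust for your environment.

```python
"""Detect RDP password-guessing from Windows 4625 events (added example).

Input lines are a constructed, simplified key=value rendering of the
Security log, assumed to be in time order. LogonType 10 is
RemoteInteractive, which is what an RDP logon attempt produces.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
    r"SourceAddress=(?P<src>\S+) LogonType=(?P<lt>\d+)"
)

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "eid": int(m["eid"]),
            "user": m["user"], "src": m["src"], "logon_type": int(m["lt"])}


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """One alert per source IP whose RDP failures reach `threshold` within `window`."""
    recent = defaultdict(deque)   # source IP -> (timestamp, user) within the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["eid"] != FAILED_LOGON or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({
                "src": ev["src"],
                "failures": len(q),
                "users": sorted({u for _, u in q}),   # many names = spraying
                "first": q[0][0],
                "last": ev["ts"],
            })
    return alerts


# Constructed sample log: one address cycling through account names,
# plus a legitimate user who mistyped once from another address.
SAMPLE_LOG = """\
2014-07-23T22:01:05 EventID=4625 TargetUserName=administrator SourceAddress=203.0.113.7 LogonType=10
2014-07-23T22:01:09 EventID=4625 TargetUserName=administrator SourceAddress=203.0.113.7 LogonType=10
2014-07-23T22:01:14 EventID=4625 TargetUserName=admin SourceAddress=203.0.113.7 LogonType=10
2014-07-23T22:01:20 EventID=4625 TargetUserName=declan SourceAddress=203.0.113.7 LogonType=10
2014-07-23T22:01:31 EventID=4624 TargetUserName=declan SourceAddress=198.51.100.20 LogonType=10
2014-07-23T22:01:44 EventID=4625 TargetUserName=guest SourceAddress=203.0.113.7 LogonType=10
2014-07-23T22:03:02 EventID=4625 TargetUserName=declan SourceAddress=198.51.100.20 LogonType=10
"""

if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{a['src']}: {a['failures']} RDP failures {a['first']}..{a['last']}, "
              f"accounts tried: {', '.join(a['users'])}")
```

With the RD Gateway setup Rob describes, the gateway and the session host both log these events, and the source address in the gateway's log is the real internet client rather than the gateway itself, so this is the log to watch. The single mistyped password from 198.51.100.20 never reaches the threshold and produces no alert, which is the behaviour you want so that the lockout policy, not the alert queue, deals with ordinary typos.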

Author Closing Comment by Declan_Basile (LVL 1)
Thank you for all your comments.  FYI, Clear Cube has a solution similar to what I was asking for.  They use "Zero Clients" to make a hardware connection to a Remote Computer.  I'm currently learning more about it.

Expert Comment by Rob Williams (LVL 77)
Sounds good, thanks Declan.
I'm sure you have checked into it but I thought the ClearCube VPN clients were only USB connections to the blade server or Multipoint.  They do have thin clients though.

Author Comment by Declan_Basile (LVL 1)
Clear Cube's zero clients don't even have an operating system.  Vulnerabilities in an OS, a browser, a VPN client, RDP, etc. can't be exploited because none of that exists.  You're removed from having to deal with all that (and having to keep the thin client up to date - security updates, virus definition updates, etc.).  You need to add a second Ethernet card (a host card) to the computer at work and have a router capable of VPN (or buy a VPN device for $50-60 to connect between the router and zero client).  The general idea is to connect the video, keyboard and mouse with an Ethernet connection instead of USB and VGA or DMI.  It's strictly a hardware connection.

Expert Comment by Rob Williams (LVL 77)
I agree with all comments but my understanding is Zero clients must either have a direct USB connection or use a serial over Ethernet connection.  The latter is extremely fussy about even wiring quality because unlike normal Ethernet there are no packet retransmissions so the connection can be very flaky.  As a result I believe you can only have a reliable connection on a LAN.

Regardless I will let you sort that out.
Cheers!
--Rob