Solved

VPN Remote Access - Security Concerns

Posted on 2016-08-16
7
29 Views
Last Modified: 2016-09-05
I have 25 users who would like to use their Windows 7 PCs from home. I could open 25 ports on my firewall and NAT each to their PC. Or I could setup a VPN like pfSense or Sophos Essentials or a paid solution.

Which is the most secure option or is there a better way.

If I open 25 ports, my firewall starts to look like Swiss cheese.
If I give the users VPN access, their potentially infected home computers could start Crypto Locking everything.

What's the best option here? They only need to RDC to their PC. No access to any other resource directly.

Thank you,
0
Comment
Question by:JohnMan777
7 Comments
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 41758677
You could use something like a Mikrotik CCR and setup SSTP for your users. Looks like the most secure VPN option today, aside OpenVPN that requires a client.

Once you have SSTP setup, give them static IPs over VPN and make sure each IP has only the rights it needs.

HTH,
Dan
0
 

Author Comment

by:JohnMan777
ID: 41758878
Can I set each VPN user so they can only RDC to their work PC? Port 3899?
0
 
LVL 5

Expert Comment

by:Gareth Tomlinson CISSP
ID: 41758987
Set up IPSEC VPNs for each user or SSL VPN for each user, and a firewall rule that only allows 3389 is fine.
They will have to connect by IP address rather than name, which is the only downside, although you can get helpful with static host file entries on their PCs at home
Be aware, if you allow drive mapping in the RDS connection, files can still be transferred between clients at home and the work machines.
Ideally, do not give the users Administrator access to their work machines. Once you allow machines not in your control to connect, you are inevitably weakening your security.
There are solutions that give users a "remote desktop" experience with added security, but they tend to be expensive; Cisco have a secure desktop VPN client incorporating A/V and anti malware, so do Fortinet (cheaper), and both are centrally manageable by the VPN firewall. You can set policies that don't allow connections if the A/V isn't running and up to date, for example.
Bottom line, it will be more expensive, it will weaken your security, but you need to assess the risk against the benefits. There is no single answer to what level of risk is acceptable.
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 87

Expert Comment

by:rindi
ID: 41759040
If there are windows servers at your site you could enable the remote desktop gateway role on one of the Servers:

https://technet.microsoft.com/en-us/library/cc731150%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396
1
 
LVL 24

Expert Comment

by:diverseit
ID: 41759162
Hi JohnMan777,

From a security standpoint opening ports if at all possible should be avoided, especially using RDP (aka RDC). Port obfuscation is not security nor does it detour a decent attack. On top of that even if you filter by Source you are still susceptible to MiTM attacks. I'd recommend SonicWALL firewall - best bang for your buck. You can enforce a multitude of security services on any Zone including the VPN. Their gateway security services block crypt viruses and they are one of the most vigilant and regularly updated security dBs in the industry. They can block many zero day exploits at the gateway level too with their rapid response pushed updates.

MSFT RDS is another option too which would give you central management, security and access controls. With RDS you would not be opening up the highly attacked port 3389 (RDP) but rather a secure 443 port with encryption and authentication/authorization rules.

Let me know if you have any other questions!
1
 
LVL 6

Accepted Solution

by:
J Spoor earned 500 total points (awarded by participants)
ID: 41759185
I suggest a VPN / SSLVPN setup.
As diverseit said, SonicWALL offers security on top by means of Gateway AV and Intrusion Prevention Service (IPS), they are also an IPSec VPN and SSL-VPN concentrator.

View  the SonicWALL webui and features on http://livedemo.sonicwall.com or http://ngfw-demo.com
0
 
LVL 6

Expert Comment

by:J Spoor
ID: 41784458
abandoned question
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Hi All,  Recently I have installed and configured a Sonicwall NS220 in the network as a firewall and Internet access gateway. All was working fine until users started reporting that they cannot use the Cisco VPN client to connect to the customer'…
Resolve DNS query failed errors for Exchange
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now