Solved

VPN Remote Access - Security Concerns

Posted on 2016-08-16
10
104 Views
Last Modified: 2017-01-02
I have 25 users who would like to use their Windows 7 PCs from home. I could open 25 ports on my firewall and NAT each to their PC. Or I could setup a VPN like pfSense or Sophos Essentials or a paid solution.

Which is the most secure option or is there a better way.

If I open 25 ports, my firewall starts to look like Swiss cheese.
If I give the users VPN access, their potentially infected home computers could start Crypto Locking everything.

What's the best option here? They only need to RDC to their PC. No access to any other resource directly.

Thank you,
0
Comment
Question by:JohnMan777
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 35

Expert Comment

by:Dan Craciun
ID: 41758677
You could use something like a Mikrotik CCR and setup SSTP for your users. Looks like the most secure VPN option today, aside OpenVPN that requires a client.

Once you have SSTP setup, give them static IPs over VPN and make sure each IP has only the rights it needs.

HTH,
Dan
0
 

Author Comment

by:JohnMan777
ID: 41758878
Can I set each VPN user so they can only RDC to their work PC? Port 3899?
0
 
LVL 5

Expert Comment

by:Gareth Tomlinson CISSP
ID: 41758987
Set up IPSEC VPNs for each user or SSL VPN for each user, and a firewall rule that only allows 3389 is fine.
They will have to connect by IP address rather than name, which is the only downside, although you can get helpful with static host file entries on their PCs at home
Be aware, if you allow drive mapping in the RDS connection, files can still be transferred between clients at home and the work machines.
Ideally, do not give the users Administrator access to their work machines. Once you allow machines not in your control to connect, you are inevitably weakening your security.
There are solutions that give users a "remote desktop" experience with added security, but they tend to be expensive; Cisco have a secure desktop VPN client incorporating A/V and anti malware, so do Fortinet (cheaper), and both are centrally manageable by the VPN firewall. You can set policies that don't allow connections if the A/V isn't running and up to date, for example.
Bottom line, it will be more expensive, it will weaken your security, but you need to assess the risk against the benefits. There is no single answer to what level of risk is acceptable.
0
What, When and Where - Security Threats from Q1

Join Corey Nachreiner, CTO, and Marc Laliberte, Information Security Threat Analyst, on July 26th as they explore their key findings from the first quarter of 2017.

 
LVL 88

Accepted Solution

by:
rindi earned 167 total points (awarded by participants)
ID: 41759040
If there are windows servers at your site you could enable the remote desktop gateway role on one of the Servers:

https://technet.microsoft.com/en-us/library/cc731150%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396
1
 
LVL 25

Assisted Solution

by:Diverse IT
Diverse IT earned 167 total points (awarded by participants)
ID: 41759162
Hi JohnMan777,

From a security standpoint opening ports if at all possible should be avoided, especially using RDP (aka RDC). Port obfuscation is not security nor does it detour a decent attack. On top of that even if you filter by Source you are still susceptible to MiTM attacks. I'd recommend SonicWALL firewall - best bang for your buck. You can enforce a multitude of security services on any Zone including the VPN. Setup a VPN or SSL-VPN from the SonicWALL. Their gateway security services block crypt viruses and they are one of the most vigilant and regularly updated security dBs in the industry. They can block many zero day exploits at the gateway level too with their rapid response pushed updates. They can even enforce endpoint security on the users home computers ensuring that they are clean before they connect provided you purchase the licensing from SonicWALL for them.

MSFT RDS is another option too which would give you central management, security and access controls. With RDS you would not be opening up the highly attacked port 3389 (RDP) but rather a secure 443 port with encryption and authentication/authorization rules.

Let me know if you have any other questions!
1
 
LVL 8

Assisted Solution

by:J Spoor
J Spoor earned 166 total points (awarded by participants)
ID: 41759185
I suggest a VPN / SSLVPN setup.
As diverseit said, SonicWALL offers security on top by means of Gateway AV and Intrusion Prevention Service (IPS), they are also an IPSec VPN and SSL-VPN concentrator.

View  the SonicWALL webui and features on http://livedemo.sonicwall.com or http://ngfw-demo.com
0
 
LVL 88

Expert Comment

by:rindi
ID: 41938351
A remote desktop gateway is just as secure as a VPN, if not more secure.
0
 
LVL 25

Expert Comment

by:Diverse IT
ID: 41938394
Yes, because of NPS. However, you can run MFA with SonicWALL VPNs so that pretty much levels the playing surface. Regardless RDS (which includes RD gateway) is a great solution and I feel more intuitive.
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
This program is used to assist in finding and resolving common problems with wireless connections.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question