• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 130
  • Last Modified:

VPN Remote Access - Security Concerns

I have 25 users who would like to use their Windows 7 PCs from home. I could open 25 ports on my firewall and NAT each to their PC. Or I could setup a VPN like pfSense or Sophos Essentials or a paid solution.

Which is the most secure option or is there a better way.

If I open 25 ports, my firewall starts to look like Swiss cheese.
If I give the users VPN access, their potentially infected home computers could start Crypto Locking everything.

What's the best option here? They only need to RDC to their PC. No access to any other resource directly.

Thank you,
0
JohnMan777
Asked:
JohnMan777
3 Solutions
 
Dan CraciunIT ConsultantCommented:
You could use something like a Mikrotik CCR and setup SSTP for your users. Looks like the most secure VPN option today, aside OpenVPN that requires a client.

Once you have SSTP setup, give them static IPs over VPN and make sure each IP has only the rights it needs.

HTH,
Dan
0
 
JohnMan777Author Commented:
Can I set each VPN user so they can only RDC to their work PC? Port 3899?
0
 
Gareth Tomlinson CISSPNetwork and Security ManagerCommented:
Set up IPSEC VPNs for each user or SSL VPN for each user, and a firewall rule that only allows 3389 is fine.
They will have to connect by IP address rather than name, which is the only downside, although you can get helpful with static host file entries on their PCs at home
Be aware, if you allow drive mapping in the RDS connection, files can still be transferred between clients at home and the work machines.
Ideally, do not give the users Administrator access to their work machines. Once you allow machines not in your control to connect, you are inevitably weakening your security.
There are solutions that give users a "remote desktop" experience with added security, but they tend to be expensive; Cisco have a secure desktop VPN client incorporating A/V and anti malware, so do Fortinet (cheaper), and both are centrally manageable by the VPN firewall. You can set policies that don't allow connections if the A/V isn't running and up to date, for example.
Bottom line, it will be more expensive, it will weaken your security, but you need to assess the risk against the benefits. There is no single answer to what level of risk is acceptable.
0
What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

 
rindiCommented:
If there are windows servers at your site you could enable the remote desktop gateway role on one of the Servers:

https://technet.microsoft.com/en-us/library/cc731150%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396
1
 
Blue Street TechLast KnightsCommented:
Hi JohnMan777,

From a security standpoint opening ports if at all possible should be avoided, especially using RDP (aka RDC). Port obfuscation is not security nor does it detour a decent attack. On top of that even if you filter by Source you are still susceptible to MiTM attacks. I'd recommend SonicWALL firewall - best bang for your buck. You can enforce a multitude of security services on any Zone including the VPN. Setup a VPN or SSL-VPN from the SonicWALL. Their gateway security services block crypt viruses and they are one of the most vigilant and regularly updated security dBs in the industry. They can block many zero day exploits at the gateway level too with their rapid response pushed updates. They can even enforce endpoint security on the users home computers ensuring that they are clean before they connect provided you purchase the licensing from SonicWALL for them.

MSFT RDS is another option too which would give you central management, security and access controls. With RDS you would not be opening up the highly attacked port 3389 (RDP) but rather a secure 443 port with encryption and authentication/authorization rules.

Let me know if you have any other questions!
1
 
J SpoorTMECommented:
I suggest a VPN / SSLVPN setup.
As diverseit said, SonicWALL offers security on top by means of Gateway AV and Intrusion Prevention Service (IPS), they are also an IPSec VPN and SSL-VPN concentrator.

View  the SonicWALL webui and features on http://livedemo.sonicwall.com or http://ngfw-demo.com
0
 
rindiCommented:
A remote desktop gateway is just as secure as a VPN, if not more secure.
0
 
Blue Street TechLast KnightsCommented:
Yes, because of NPS. However, you can run MFA with SonicWALL VPNs so that pretty much levels the playing surface. Regardless RDS (which includes RD gateway) is a great solution and I feel more intuitive.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Increase Security & Decrease Risk with NSPM Tools

Analyst firm, Enterprise Management Associates (EMA) reveals significant benefits to enterprises when using Network Security Policy Management (NSPM) solutions, while organizations without, experienced issues including non standard security policies and failed cloud migrations

Tackle projects and never again get stuck behind a technical roadblock.
Join Now