Solved

VPN Remote Access - Security Concerns

Posted on 2016-08-16
Last Modified: 2017-01-02
I have 25 users who would like to use their Windows 7 PCs from home. I could open 25 ports on my firewall and NAT each to their PC. Or I could set up a VPN like pfSense or Sophos Essentials or a paid solution.

Which is the most secure option, or is there a better way?

If I open 25 ports, my firewall starts to look like Swiss cheese.
If I give the users VPN access, their potentially infected home computers could start Crypto Locking everything.

What's the best option here? They only need to RDC to their PC. No access to any other resource directly.

Thank you,
0
10 Comments
 
LVL 35

Expert Comment

by:Dan Craciun
ID: 41758677
You could use something like a Mikrotik CCR and set up SSTP for your users. Looks like the most secure VPN option today, aside from OpenVPN, which requires a client.

Once you have SSTP setup, give them static IPs over VPN and make sure each IP has only the rights it needs.

HTH,
Dan
0
 

Author Comment

by:JohnMan777
ID: 41758878
Can I set each VPN user so they can only RDC to their work PC? Port 3899?
0
 
LVL 5

Expert Comment

by:Gareth Tomlinson CISSP
ID: 41758987
Set up IPSEC VPNs for each user or SSL VPN for each user, and a firewall rule that only allows 3389 is fine.
They will have to connect by IP address rather than name, which is the only downside, although you can get helpful with static hosts file entries on their PCs at home.
Be aware, if you allow drive mapping in the RDS connection, files can still be transferred between clients at home and the work machines.
Ideally, do not give the users Administrator access to their work machines. Once you allow machines not in your control to connect, you are inevitably weakening your security.
There are solutions that give users a "remote desktop" experience with added security, but they tend to be expensive; Cisco have a secure desktop VPN client incorporating A/V and anti malware, so do Fortinet (cheaper), and both are centrally manageable by the VPN firewall. You can set policies that don't allow connections if the A/V isn't running and up to date, for example.
Bottom line, it will be more expensive, it will weaken your security, but you need to assess the risk against the benefits. There is no single answer to what level of risk is acceptable.
0
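The per-PC lockdown that Dan and Gareth describe above (one static VPN address per user, only 3389 allowed, no drive mapping, no admin rights), as an added example that is not part of any comment in this thread. It is run elevated on one Windows 7 work PC. The VPN address and the account name are assumed values; the firewall rule group, registry paths and policy value names are the standard Windows ones. If you go the RD Gateway route instead, the same script applies with the gateway's address in place of the VPN address.

```powershell
# Added example, not from the thread. Restrict this PC's RDP listener to the one
# VPN address its owner was given, and remove the file-transfer paths into the session.
# Assumptions (not from the page): the VPN assigns 10.8.0.11 to this user, account CORP\jsmith.
param(
    [string]$VpnClientIp = '10.8.0.11',   # assumed static VPN address of this PC's owner
    [string]$User        = 'CORP\jsmith'  # assumed account allowed to log on remotely
)

# 1. Disable the stock "Remote Desktop" rule group: it allows 3389 from any source address.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no

# 2. Replace it with a single rule scoped to the owner's VPN address.
#    Windows Firewall blocks inbound by default, so no other address can reach 3389.
#    (The delete is harmless if the rule does not exist yet; it keeps the script re-runnable.)
netsh advfirewall firewall delete rule name="RDP from VPN only"
netsh advfirewall firewall add rule name="RDP from VPN only" dir=in action=allow `
    protocol=TCP localport=3389 remoteip=$VpnClientIp

# 3. Require Network Level Authentication: credentials are checked before a session is built,
#    so an unauthenticated client never reaches the logon screen.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" `
    /v UserAuthentication /t REG_DWORD /d 1 /f

# 4. Gareth's caveat: with drive mapping on, the home PC's drives appear inside the session,
#    which is exactly the path ransomware on the home machine would use. Disable drive and
#    clipboard redirection on the host side so the client cannot turn them back on.
$ts = "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
reg add $ts /v fDisableCdm  /t REG_DWORD /d 1 /f   # "Do not allow drive redirection"
reg add $ts /v fDisableClip /t REG_DWORD /d 1 /f   # "Do not allow Clipboard redirection"

# 5. Only the owner may log on remotely. Remote Desktop Users membership grants RDP logon,
#    not administrator rights, which is what Gareth recommends.
net localgroup "Remote Desktop Users" $User /add
```

After running it, confirm from the user's VPN session that `mstsc /v:<work PC IP>` connects, and from any other VPN address that the connection times out rather than reaching the logon screen. Keep the user-to-VPN-address mapping under change control: the firewall rule on each PC is only as good as the VPN's guarantee that the user always gets that address.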

 
LVL 88

Accepted Solution

by:rindi
rindi earned 167 total points (awarded by participants)
ID: 41759040
If there are windows servers at your site you could enable the remote desktop gateway role on one of the Servers:

https://technet.microsoft.com/en-us/library/cc731150%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396
1
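The RD Gateway setup rindi points to, as an added example that is not part of the accepted solution or of Microsoft's documentation. It enables the role and then builds one Resource Authorization Policy per user so that each person can reach only their own PC on 3389, which is the "no access to any other resource" requirement from the question. The domain name, OU, group names and user-to-PC mapping are assumed values constructed for the example; the WMI class names and the Create() parameter names are the documented ones for the RD Gateway classes, but the meaning I give to the AuthMethod and DeviceRedirection values is my reading of that documentation and should be verified before relying on it.

```powershell
# Added example, not from the thread. Run elevated on the Windows Server that will be the
# RD Gateway, with the Active Directory module available.
# Assumptions (not from the page): domain CORP, OU for the groups, and the mapping below.
Import-Module ActiveDirectory
Install-WindowsFeature RDS-Gateway -IncludeManagementTools

$Domain  = 'CORP'
$GroupOu = 'OU=RDGateway,DC=corp,DC=example'   # assumed OU that will hold the policy groups
$Mapping = @(                                    # constructed sample; 25 rows in practice
    @{ User = 'jsmith'; Pc = 'WS-JSMITH' },
    @{ User = 'akhan';  Pc = 'WS-AKHAN'  }
)
$Ns = 'root\CIMV2\TerminalServices'             # namespace of the RD Gateway WMI classes

# One group holds every home user; it is the only group the CAP admits through the gateway.
New-ADGroup -Name 'RDG-HomeUsers' -GroupScope Global -GroupCategory Security -Path $GroupOu
Add-ADGroupMember -Identity 'RDG-HomeUsers' -Members ($Mapping | ForEach-Object { $_.User })

# Connection Authorization Policy: who may connect at all, how they authenticate, and which
# client devices may be redirected. The values below are my reading of the class docs:
# AuthMethod 1 = password, DeviceRedirection 1 = disable all redirection (drives, clipboard,
# printers, ports); verify both against Win32_TSGatewayConnectionAuthorizationPolicy.
Invoke-CimMethod -Namespace $Ns -ClassName Win32_TSGatewayConnectionAuthorizationPolicy `
    -MethodName Create -Arguments @{
        Name = 'RDG-HomeUsers-CAP'; Enabled = $true
        Description = 'Home users: password auth, no device redirection'
        UserGroupNames = "$Domain\RDG-HomeUsers"; ComputerGroupNames = ''
        AuthMethod = [uint32]1; DeviceRedirection = [uint32]1
        IdleTimeout = [uint32]0; SessionTimeout = [uint32]0; SessionTimeoutAction = [uint32]0
        HasNapAttributes = $false; AllowOnlySDRServers = $false; CookieAuthentication = $false
    }

# Resource Authorization Policies: per user, a user group holding that one account and an
# AD computer group holding that one PC, joined by a RAP that permits only RDP on 3389.
# A user in RDG-HomeUsers with no matching RAP passes the CAP but can reach nothing.
foreach ($m in $Mapping) {
    $userGroup = "RDG-U-$($m.User)"
    $pcGroup   = "RDG-PC-$($m.User)"
    New-ADGroup -Name $userGroup -GroupScope Global -GroupCategory Security -Path $GroupOu
    New-ADGroup -Name $pcGroup   -GroupScope Global -GroupCategory Security -Path $GroupOu
    Add-ADGroupMember -Identity $userGroup -Members $m.User
    Add-ADGroupMember -Identity $pcGroup   -Members (Get-ADComputer $m.Pc)

    Invoke-CimMethod -Namespace $Ns -ClassName Win32_TSGatewayResourceAuthorizationPolicy `
        -MethodName Create -Arguments @{
            Name = "RDG-RAP-$($m.User)"; Description = "$($m.User) -> $($m.Pc) only"
            Enabled = $true
            ResourceGroupType = 'CG'                 # 'CG' = Active Directory computer group
            ResourceGroupName = "$Domain\$pcGroup"   # assumed DOMAIN\group form; verify
            UserGroupNames    = "$Domain\$userGroup"
            ProtocolNames     = 'RDP'
            PortNumbers       = '3389'
        }
}
```

Two things the script does not do and that the design depends on: bind a certificate the home PCs trust to the gateway (RD Gateway Manager, server properties) and publish only TCP 443 to it on the firewall, so 3389 is never exposed; and point the clients at it (mstsc, Advanced, "Connect from anywhere"). With this in place the only port open from the Internet is 443 on the gateway, and a compromised home PC that authenticates still lands on one RDP listener with no drive or clipboard redirection, which answers the two concerns in the question.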
 
LVL 25

Assisted Solution

by:Diverse IT
Diverse IT earned 167 total points (awarded by participants)
ID: 41759162
Hi JohnMan777,

From a security standpoint, opening ports should be avoided if at all possible, especially for RDP (aka RDC). Port obfuscation is not security, nor does it deter a decent attack. On top of that, even if you filter by source you are still susceptible to MitM attacks. I'd recommend a SonicWALL firewall - best bang for your buck. You can enforce a multitude of security services on any Zone including the VPN. Set up a VPN or SSL-VPN from the SonicWALL. Their gateway security services block crypto viruses and they are one of the most vigilant and regularly updated security DBs in the industry. They can block many zero-day exploits at the gateway level too with their rapid-response pushed updates. They can even enforce endpoint security on the users' home computers, ensuring that they are clean before they connect, provided you purchase the licensing from SonicWALL for them.

MSFT RDS is another option too which would give you central management, security and access controls. With RDS you would not be opening up the highly attacked port 3389 (RDP) but rather a secure 443 port with encryption and authentication/authorization rules.

Let me know if you have any other questions!
1
 
LVL 8

Assisted Solution

by:J Spoor
J Spoor earned 166 total points (awarded by participants)
ID: 41759185
I suggest a VPN / SSLVPN setup.
As diverseit said, SonicWALL offers security on top by means of Gateway AV and Intrusion Prevention Service (IPS), they are also an IPSec VPN and SSL-VPN concentrator.

View the SonicWALL web UI and features on http://livedemo.sonicwall.com or http://ngfw-demo.com
0
 
LVL 88

Expert Comment

by:rindi
ID: 41938351
A remote desktop gateway is just as secure as a VPN, if not more secure.
0
 
LVL 25

Expert Comment

by:Diverse IT
ID: 41938394
Yes, because of NPS. However, you can run MFA with SonicWALL VPNs so that pretty much levels the playing surface. Regardless RDS (which includes RD gateway) is a great solution and I feel more intuitive.
0
