Solved

VPN Remote Access - Security Concerns

Posted on 2016-08-16
10
93 Views
Last Modified: 2017-01-02
I have 25 users who would like to use their Windows 7 PCs from home. I could open 25 ports on my firewall and NAT each to their PC. Or I could setup a VPN like pfSense or Sophos Essentials or a paid solution.

Which is the most secure option or is there a better way.

If I open 25 ports, my firewall starts to look like Swiss cheese.
If I give the users VPN access, their potentially infected home computers could start Crypto Locking everything.

What's the best option here? They only need to RDC to their PC. No access to any other resource directly.

Thank you,
0
Comment
Question by:JohnMan777
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 35

Expert Comment

by:Dan Craciun
ID: 41758677
You could use something like a Mikrotik CCR and setup SSTP for your users. Looks like the most secure VPN option today, aside OpenVPN that requires a client.

Once you have SSTP setup, give them static IPs over VPN and make sure each IP has only the rights it needs.

HTH,
Dan
0
 

Author Comment

by:JohnMan777
ID: 41758878
Can I set each VPN user so they can only RDC to their work PC? Port 3899?
0
 
LVL 5

Expert Comment

by:Gareth Tomlinson CISSP
ID: 41758987
Set up IPSEC VPNs for each user or SSL VPN for each user, and a firewall rule that only allows 3389 is fine.
They will have to connect by IP address rather than name, which is the only downside, although you can get helpful with static host file entries on their PCs at home
Be aware, if you allow drive mapping in the RDS connection, files can still be transferred between clients at home and the work machines.
Ideally, do not give the users Administrator access to their work machines. Once you allow machines not in your control to connect, you are inevitably weakening your security.
There are solutions that give users a "remote desktop" experience with added security, but they tend to be expensive; Cisco have a secure desktop VPN client incorporating A/V and anti malware, so do Fortinet (cheaper), and both are centrally manageable by the VPN firewall. You can set policies that don't allow connections if the A/V isn't running and up to date, for example.
Bottom line, it will be more expensive, it will weaken your security, but you need to assess the risk against the benefits. There is no single answer to what level of risk is acceptable.
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 88

Accepted Solution

by:
rindi earned 167 total points (awarded by participants)
ID: 41759040
If there are windows servers at your site you could enable the remote desktop gateway role on one of the Servers:

https://technet.microsoft.com/en-us/library/cc731150%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396
1
 
LVL 25

Assisted Solution

by:Diverse IT
Diverse IT earned 167 total points (awarded by participants)
ID: 41759162
Hi JohnMan777,

From a security standpoint opening ports if at all possible should be avoided, especially using RDP (aka RDC). Port obfuscation is not security nor does it detour a decent attack. On top of that even if you filter by Source you are still susceptible to MiTM attacks. I'd recommend SonicWALL firewall - best bang for your buck. You can enforce a multitude of security services on any Zone including the VPN. Setup a VPN or SSL-VPN from the SonicWALL. Their gateway security services block crypt viruses and they are one of the most vigilant and regularly updated security dBs in the industry. They can block many zero day exploits at the gateway level too with their rapid response pushed updates. They can even enforce endpoint security on the users home computers ensuring that they are clean before they connect provided you purchase the licensing from SonicWALL for them.

MSFT RDS is another option too which would give you central management, security and access controls. With RDS you would not be opening up the highly attacked port 3389 (RDP) but rather a secure 443 port with encryption and authentication/authorization rules.

Let me know if you have any other questions!
1
 
LVL 8

Assisted Solution

by:J Spoor
J Spoor earned 166 total points (awarded by participants)
ID: 41759185
I suggest a VPN / SSLVPN setup.
As diverseit said, SonicWALL offers security on top by means of Gateway AV and Intrusion Prevention Service (IPS), they are also an IPSec VPN and SSL-VPN concentrator.

View  the SonicWALL webui and features on http://livedemo.sonicwall.com or http://ngfw-demo.com
0
 
LVL 88

Expert Comment

by:rindi
ID: 41938351
A remote desktop gateway is just as secure as a VPN, if not more secure.
0
 
LVL 25

Expert Comment

by:Diverse IT
ID: 41938394
Yes, because of NPS. However, you can run MFA with SonicWALL VPNs so that pretty much levels the playing surface. Regardless RDS (which includes RD gateway) is a great solution and I feel more intuitive.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question