IT Security for remote access standards ISO 27001

Dear Experts

Please let me know: if remote users access the hosted applications, which are on site, through the Internet over connection types such as DSL/broadband or data cards/dongles, with the security layer of VPN client access and with YubiKey enabled, and if these two are taken care of, will it be within compliance with the ISO 27001 standards? Please suggest. I want to understand whether, without MPLS VPN and a leased line (site-to-site VPN), it will still be possible to meet the ISO 27001 standards. Please suggest.
D_wathi Asked:
Prashant Shrivastava, Consultant, commented:
Hello Mate,

ISO 27001 doesn't care about what type of security/software you are using as long as you have the capability to manage it and control all risks associated with it.

Section A.10 of ISO 27001 covers this but leaves it to you how you manage and control risks.

Kind regards,
Prashant.
0
D_wathi, Author, commented:
Thank you very much for the reply. Can you please suggest the best possible security for remote users to access the corporate applications, which are behind the firewall, when the remote users will have either a broadband connection or data cards/dongles?
0
D_wathi, Author, commented:
Hi Prashanth,
1. Can we think of VPN client access and then access the corporate applications?
2. Do you suggest an RDP server on one of the VMs, with remote users logging in as RDP clients and accessing the applications?
0
Prashant Shrivastava, Consultant, commented:
It depends on the application: whether you are publishing it directly or using it through a VPN. If you are using any corporate services, the best option is to have a multi-factor authentication VPN connection that includes something you know and something you have. This can be supported by password and certificate authentication at a minimum level, which will enable your users to have a seamless VPN connection. Computer-level security can also be provided to protect machines against automatically installing any malware that could compromise security. I can give you all the details if you need.
0
D_wathi, Author, commented:
Request to please give details on what type of solution to go for, both for multi-factor authentication and at the computer level. This will help me a lot. Thanks.
0
Prashant Shrivastava, Consultant, commented:
You can always have a VPN connection to access corporate applications; most companies use that anyway. But implementing multi-factor authentication is a must-have nowadays considering increased cyber attacks. If you want to use RDP, then there are a number of other security measures you can implement to protect it, like blocking shared resources and clipboard transfers.
0
Prashant Shrivastava, Consultant, commented:
It depends on your company budget - the cheapest is a user certificate (generated manually) and password.
0
D_wathi, Author, commented:
Thanks. Is VPN access okay for broadband and dongle users? Here we have to allow the VPN client, and once they log in, how do we achieve multi-factor authentication without an RDP session, i.e. working directly, as the applications are web based ones?
0
Prashant Shrivastava, Consultant, commented:
For providing the solution, can you please give me the details of how many users there are and how many applications (numbers only) you want to connect? Following that I can give you a solution that will be fit for purpose.
0
D_wathi, Author, commented:
I am really sorry to take so much of your time. Considering that budget is not an issue, can you please help me with a list of requirement steps?
0
Prashant Shrivastava, Consultant, commented:
If you want to allow access without RDP, then your VPN client can pass all your traffic to the VPN server, which can forward requests to the web servers directly, and clients don't need to use RDP. They can use Internet Explorer from their machines and it will be the same as sitting in the office.
0
D_wathi, Author, commented:
Let me explain. In the head office we have to set up 2 application servers, both web based. We are thinking of a VMware ESXi server with 2 VMs, and of hyper-converged infrastructure with DR on a remote site. Use of the applications within the head office can be via thin clients OR a MAC-address-based allow policy. The worry is for the remote users who work using broadband or dongle connections. Overall, the total users are not more than 10.
0
Prashant Shrivastava, Consultant, commented:
I am happy to help you in developing this solution - not a problem. Please share your user base/requirements/the design you want, then I will suggest a solution. I am happy to help. Please do not share any confidential information; just draw and share something that you think would be the ideal situation for your business.
0
Prashant Shrivastava, Consultant, commented:
Do you just want to access your web based solution, or shared drives as well?
0
D_wathi, Author, commented:
As of now the requirement is accessing the web based applications. In future they may need shared drives, but for now web based.
0
Prashant Shrivastava, Consultant, commented:
2 application servers, both web based - not a problem.
VMware ESXi server with 2 VMs and hyper-converged infrastructure with DR on a remote site - not a problem.
Use of applications within the head office via thin clients OR a MAC-address-based allow policy - not a problem, but a MAC can be stolen or mirrored.

And the worry is for the remote users - they can use server/client based certificates that will allow or disallow users on failed authentication.

This can be a very simple solution.
1. Create the web server private certificate.
2. Create the public certificate.
3. Make sure the server doesn't serve pages/drops connections unless the client has the public certificate that has been provided by you.
4. Install the public certificate on client machines.
5. Access the site with username and password authentication + public certificate.

This will do your job most easily with full security.
0
D_wathi, Author, commented:
Thank you very much. Creating the web server private certificate: is it to be on one of the VMs in the corporate office? Do the users still have to log in through the VPN and then do the certificate handshake, and only then will they have access? OR will there be a possibility to install the certificate on the Sonic or Cisco firewall, so that this is taken care of at the gateway level? Please suggest.
0
Prashant Shrivastava, Consultant, commented:
I am jumping on a conference call in a short while - please bear with me. I am happy to provide you all the explanations about how you can configure this. Pretty simple - two levels of authentication: first with certificate and second with username/password, and third with application-level access if you want a third level of security.
0
Prashant Shrivastava, Consultant, commented:
You don't need VPN for this - certificates on the Cisco and the web servers will do the job.
0
Prashant Shrivastava, Consultant, commented:
But you have to manually install the client certificate under the user certificate repository; that will enable only those users to connect, and any other user logging on to the same machine will be disallowed automatically.
0
D_wathi, Author, commented:
Shall I understand it like the following?
1. The application server is web based; it is an Apache web server with a MySQL backend, hence procure a valid certificate and install it here.
2. The other application server is an email server, Zimbra, hosted on premises. For this also procure a valid certificate, and install the certificates on the client machines. Is this correct? Please suggest.
0
Prashant Shrivastava, Consultant, commented:
If you have more than two servers behind the Cisco and you want everyone to be allowed on both, then you just need one set of client/server certificates. If you want separate users accessing separate servers, then you need two pairs.
0
Prashant Shrivastava, Consultant, commented:
Jumping on a meeting - shall be back shortly.
0
noci, Software Engineer, commented:
VPN is an awfully misused name... VPN may or may NOT involve encryption.

IPsec is a secure VPN technology.
OpenVPN the same; try to stick to UDP mode to keep as close to the nature of IP as possible.

Things to avoid: PPTP DOES NOT encrypt effectively (RC4 encryption uses predictable keys, the technology helps in enumerating user accounts, and it has been conceptually broken for 20+ years and practically broken for about 10 years).

MPLS VPNs separate traffic, but do not encrypt.
1
Prashant Shrivastava, Consultant, commented:
I am back - happy to respond to your questions.
0
D_wathi, Author, commented:
Thanks noci, and also thanks Prashanth, good to see you back.
1. We have to install client/server certificates. Where do we buy them, and is there a type or name of certificate so that I can discuss it? Each application server is one VM on the ESXi.
2. Can you please suggest the best Cisco firewall? Overall, no more than 50 users use the application.
3. Remote users on broadband/dongle access the application through the VPN client - first level of security; configuring the application server with a certificate will be the second level of security; and at the third level the application itself will have a login.
0
Prashant Shrivastava, Consultant, commented:
You don't need to install the certificate on ESXi. The certificate is needed only on the server side. Also, you can have a Microsoft certificate authority to generate certificates in-house (this is a good option because your users are internal users and you will have control over the certificate authority).

Link for creating a Cert Authority:
https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority

I would suggest trying this on test servers first, then doing the same on live.

Please find the STEPS below:
STEP 0: Generate client and server certificates using the authority (use the higher side of encryption).
STEP 1: Install the certificate (server) and restrict it to connect only after identifying the user's certificate.
STEP 2: Apply folder permissions on the hard drive of the resource folder through a user group (this will allow only specified users to access your folders, and you can add/remove at any time).
STEP 3: Enable user permissions on the Apache web server by allowing access only to the users' group, add users to the group, and configure it to challenge users for credentials on access.
STEP 4: Publish your web server.
STEP 5: Test it without having the client certificate - you should get errors.
STEP 6: Install the client certificate in the personal user repository.
STEP 7: Test it with the client certificate - you should be fine.

Repeat the same on DR if DR is not on VMware SRM.
Have fun!
0
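The certificate steps above (STEP 0, 1, 3, 5 and 7), worked through as an added example that is not part of this thread: OpenSSL stands in for the in-house certificate authority, `openssl verify` performs the same chain check Apache makes with `SSLVerifyClient`, and the Apache directives for both layers are written out for reference. The CA name, host name, user name and file paths are constructed placeholders.

```shell
# Added example: in-house CA (STEP 0), server and client certificates, and the acceptance
# check a server makes under "SSLVerifyClient" (STEP 5 and 7). All names are placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Issue a certificate signed by our CA: $1 = common name, $2 = output file prefix.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
    -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/$2.crt" 2>/dev/null
}
make_pki() {
  # Root CA (self-signed): the only issuer the web server will trust.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=example-ca" 2>/dev/null
  issue_cert crm.example.internal server   # STEP 1: goes on the Apache host
  issue_cert remote-user-01 client         # STEP 6: goes in the user's personal store
  # Self-signed certificate with the SAME user name but not issued by our CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" -subj "/CN=remote-user-01" 2>/dev/null
}

# Chain validation against the CA: exit 0 = accepted (STEP 7), non-zero = rejected (STEP 5).
verify_client() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}
# STEP 1 and STEP 3 as Apache directives (reference config; paths are placeholders).
write_httpd_conf() {
  cat > "$WORK/httpd-mtls.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/pki/server.crt
    SSLCertificateKeyFile /etc/pki/server.key
    SSLCACertificateFile  /etc/pki/ca.crt
    # automatic layer: the TLS handshake fails without a CA-issued client certificate
    SSLVerifyClient require
    <Location />
        # interactive layer: username/password, limited to one group
        AuthType Basic
        AuthName "Corporate applications"
        AuthUserFile  /etc/httpd/users
        AuthGroupFile /etc/httpd/groups
        Require group remote-users
    </Location>
</VirtualHost>
EOF
}
```

The rogue certificate carries the same user name as the legitimate one but fails validation because it does not chain to ca.crt, which is why the issuing CA's key, not the certificate's subject, is what the scheme protects.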
D_wathi, Author, commented:
I am really sorry to ask this: the certificate will be installed on the server hosting the application, is this correct? One of the application servers is SugarCRM, which is running on a Linux server. Now we have to procure a certificate and install it on the Linux server, is this correct?

2. From where do we procure the certificate?
0
Prashant Shrivastava, Consultant, commented:
Yes, the certificate needs to be installed on the web server where you have SugarCRM installed. Then the server needs to be configured for security as I mentioned above.

2. You can get a certificate for free by installing Microsoft Certificate Server, which I would recommend for testing purposes to start with; however, I have used this for many live applications and never got compromised - penetration tests could not crack it despite a great deal of trying. If you want to buy one, you can buy it from any provider from the list here: https://www.thesslstore.in
0
D_wathi, Author, commented:
So nice of you to give such step-by-step inputs, thanks once again. Once the certificate is installed, only those remote machines which have the public certificate installed will be able to use the web application. With this, 2-level security is achieved: those systems which do not have the public certificate installed will be denied, and those which have the public certificate still need the application-level login. I hope I have understood correctly; please correct me if I am wrong.
2. Is there any system-level security for the remote users, like subscribing to StrongVPN or YubiKey? Does this give one more layer? Please suggest.
0
Prashant Shrivastava, Consultant, commented:
You are right in saying "once the certificate is installed, only those remote machines which have the public certificate installed will be able to use the web application; with this, 2-level security is achieved: those systems which do not have the public certificate installed will be denied, and those which have the public certificate still need the application-level login."

You can always have a third level of security, which is called file-level permissions. I also suggest hardening security by shutting down any other site that is not in use on the same server. Security best-practice guidelines must be followed anyway on all servers.

Related to SugarCRM - you must already have application-level authentication as well, where you configure portal user access. So in this way you have 4 levels of security - two interactive (user auth, application auth) and two automatic (certificate, file level) - which would be almost impossible for someone to break.
0