IT Security for remote access standards iso27001

D_wathi used Ask the Experts™
Dear Experts

please let me know if remote users access the hosted applications which is on site through the internet of connection types: DSL/broad band connection or data cards/dongle with the security layer of VPN client access and with YubiKey enabling if this two are taken care will it be within the compliance of ISO27001 standards please suggest,  I want to understand without the MPLS VPN and leased line (site to site vpn)  will it be still possible to meet the iso27001 standards  please suggest.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Hello Mate,

ISO 27001 doesnt care about what type of security/Software you are using as long as you have capability to manage it and control all risks associated with this.

Section A.10 of ISO 27001 covers this but will leave it to you how you manage and control risks.

Kind regards,


Thank you very much for the reply, can you please suggest the best possible security for remote users to access the corporate applications which is behind the firewall but the remote users will either have broad band connection or Data cards/dongle,


Hi prashanth, can we think of VPN client access and then access the corporate applications
2. Do you suggest RDP server on one of the VM and remote users login as RDP client and access the applications
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

It depends on the application - if you are directly publishing it or using it through VPN. if you are using any corporate services the best option is to have Multi factor authentication VPN connection that includes something you know and something you have. this can be supported by password and certificate authentication at a minimum level that will enable your users to have a seamless VPN connection. Also Computer level security can also be provided to protect machines against automatically installing any malware on the machines as well that can compromise security. I can give you all details if you need.


request to please give details on what type of solution to go for Multi factor authentication and as well computer level this will help me a lot. thanks
You can always have VPN connection to access corporate application. most companies use that anyways. but implementing multifactor authenticaion is a must have now a days considering increased cyber attacks. if you want to use RDP then there are number of other securities you can implement to protect it like blocking shared resources and clip board transfers.
It depends on your company budget - the cheapest is user Certificate ( generated manually) and password.


thanks, VPN access is it okay broad band and dongle users, here we have to allow VPN client and once they login multi factor authentication how to achieve in case of of without the RDP session like work directly as the application is web based ones.
for providing the solution can you please give me the details how many users are there and how many applications ( numbers only) you want to connect. following that I can give you a solution that will fit for purpose.


I am really sorry to take much time of yours , considering the budget has not issue can you please help me list of requirement steps please
if you want to allow without RDP then your VPN client can pass all your traffic to VPN server who can forward request to web servers directly and clients dont need to use RDP. they can use internet explorer from machines and it will be same as sitting in the office.


let me explain in the head office have to setup an 2 application server both are web based,  thinking on VMware ESXI server with 2 VMS and thinking of hyper converged infrastructure with DR on remote site, and the use of applications within head office can be thin clients OR mac address based allow policy and the worry is for the remote users who works using broad band or dongle connections over all the total users are not more than 10 .
I am happy to help you in developing this solution - not a problem. Please share your user base/requirement/ design you want then I will suggest you a solution.  - I am happy to help. please do not share any confidential information. just draw and share something that you think should be ideal situation for your business.
do you just want to access your web based solution or shared drives as well?


As of now the requirement is of accessing web based if future they may need shared drives but for now web based.
2 application server both are web based - not a problem
VMware ESXI server with 2 VMS and thinking of hyper converged infrastructure with DR on remote site - not a problem.
Use of applications within head office can be thin clients OR mac address based allow policy - not a prbolem but Mac can be stolen or mirrored.

and the worry is for the remote users - they can use server client based certificate that will allow or disallow users on failed authentication.

This can be a very simple solution.
1. Create web server Private Certificate
2. Create public certificate
3. Make sure server doesn't serve pages/drops connections unless client has public certificate that has been provided by you.
4. install public certificate on client machines
5. Access site with username and password authentication + Public certificate.

This will do your job most easily with full security.


thank you very much,  creating the web server private certificate is it to be on the one of the VM in the corporate office , still the user have to login though the VPN and then certificate handshake only then they will have access , OR will there be possibility to install certificate in sonic or cisco firewall will this be taken care at gate way level please suggest
I am jumping on conference in a short while - please bear with me - i am happy to provide you all explainations about how you can configure this. pretty simple - two levels of authentication first with Certificate and second with username password third with application level access if you want third level of security,
you dont need VPN for this - Certifcate on Cisco and web servers will do the job,
but you have to manually install client certificate under user certificate repository that will enable only those users to connect and any other user logging on to the same machine will be disallowed automatically.


shall I understand like the following
1. application server is web based it is apache web server and backend mysql hence procure the valid certificate and install here
2. another application server is email server which is zimbra email server hosted on premises for this also procure the valid certificate and install the certificates in the client machines, is this correct please suggest
if you have more than two servers behind Cisco and you want every one to allow both then you just need one set of client server certificate - if you want to have seprate users accessing seprate servers then you need two pairs.
jumping on a meeting - shall be back shortly
nociSoftware Engineer
Distinguished Expert 2018
VPN is an awful misused name....  VPN may or mayNOT involve encryption.....

IPSEC is a secure VPN technology
OpenVPN the same, try to stick to UDP mode to keep as close to IP nature as possible

Things to avoid:  PPTP DOES NOT encrypt effectively (RC4 encryption uses predictable keys, the technology helps enumerating user accounts and has been conceptualy been broken for 20+ years, and practicaly been broken for about 10 years.

MPLS VPN separate traffic, but do not encrypt.
I am back - happy to respond to your questions.


Thanks noci and also thanks prashanth to see you back.  
1. We have to install client server certificate, where to buy and is there any type or name of certificate so that i can discuss about it , each application server is one  VM in the Esxi
2. can you please suggest the best cisco firewall over all users use the application not more than 50 users.
3. remote users of broad brand/dongle access application through the vpn client - first level security, configure application server with certificate this will be second level security and third level application itself will have login,
You dont need to install certificate on ESXi. certificate is needed only on server side. Also you can have microsoft certificate authority to generate certificate inhouse using  ( this is a good option because your users are internal users and you will have controls on certificate authority).

Link for creating Cert Authority:

I would suggest try this on test servers first then do the same on live.

Please find the STEPS below:
STEP 0: Generate client server certificate using the authority ( use higher side of encryption).
STEP 1: Install Certificate ( Server) and restrict it to connect only after identifying user's certificate.
STEP 2: Apply folder pertmission on hard drive of resource folder through user group( this will allow only specified users to access your folders and you can add remove at any time)
STEP 3: Enable user permission on Apache Web server by allowing access to only users' group and Add users to the group and configure to challange users for credentials on access.
STEP 4: Publish your web server
STEP 5: Test it without having client certificate - you should be getting errors.
STEP 6: Install client certificate on personal user reposiotry.
STEP 7: Test it with client certificate - you should be fine.

repeat the same on DR if DR is not on VMWare SRM.
Have fun!


I am really sorry to ask this, certificate will be installed on the application hosted server is this correct, one of the application server is sugarcrm which is running on linux server. now we have to procure certificate and install it on the linux server is this correct.

2.from where to procure the certificate
Yes the certificate needs to be installed on web server where you have Sugar CRM installed. then server needs to be configured for security as I mentioned above.

2. You can get certificate for free by installing microsoft Certirficate server that I would recommond for testing purposes to start with however I have used this for many live applciations and never got compromised - penetration testings could not crack it despite great deal of trying. If you want to buy it you can buy it from any provider from the list here :


so nice of to give such step by step inputs thanks once again, once installed certificate and only those machines from remote which has public certificate installed will be able to use the web application, with this 2 level security is achieved that one those systems which does have public certificate installed will be denied and those which has pubic certificate still needs application level login, hope I have understood correctly. please correct me if iam wrong.
2. is there any system level security for the remote users like we subscribe for  strongvpn or yubikey does this give one more layer please suggest.
You are right in saying "once installed certificate and only those machines from remote which has public certificate installed will be able to use the web application, with this 2 level security is achieved that one those systems which does not have public certificate installed will be denied and those which has pubic certificate still needs application level login.

You can always have third level of security that is called file level permissions. also suggest to harden security by shutting down any other site that is not in use on the same server. Security best practices guidelines must be follwed anyways on all servers.

Related to Suger CRM - you must already have application level authentication as well where you configure portal user access. so in this way you have 4 levels of security - two interactive (User auth, Application Auth) and two automatic (Certificate, File Level) - that would be almost impossible for someone to break.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial