On Saturday 16 Jan 2016 09:39:24 Alan McKinnon wrote:
> On 16/01/2016 06:17, Grant wrote:
> > I'm considering allowing some employees to work from home but I'm
> > concerned about the security implications.  Currently everybody shows up
> > and logs into their locked down Gentoo system and from there is able to
> > access the company webapps which are restricted to the office IP
> > address.  I guess I would have to allow webapp access from any IP for
> > those users and trust that their computer is secure?  Should that not be
> > scary?
> > 
> > - Grant
> 
> I have experience in this area. I work at ISPs where working from home
> is routine and required for overnight standby.
> 
> You need a VPN, I'd recommend OpenVPN. It's easy to set up and offers
> the security levels you need. Use the Layer3 routing option that uses
> tun drivers (not tap) and issue the certificates to the users yourself.
> Then allow your servers to accept connections from the VPN range as well
> as the internal office range.
> 
> As for the security levels of their personal machines, tell them what
> you require and from that point on you really have to trust your people
> so be security aware and with the program.

Some other alternatives and thoughts to solutions already proposed are:

1.  Only allow access through the office firewall and webapp servers to the IP 
addresses of your employees.  This would only work if your employees have 
static IP addresses and are few in number - otherwise you are creating an 
administrative burden.  I assume that the client connection to the webapp 
server will be over some secure protocol, e.g. SSH, SSL/TLS.  Otherwise, 
you'll need an encrypted tunnel (see below).

2. Instead of OpenVPN which has been recommended I suggest that you take a 
look at IPSec with IKEv2.  IPSec + IKEv2 provides higher throughput because 
encryption/decryption is performed in the kernel, rather than userspace and 
because it allows for multi-threading, which last time I looked OpenVPN does 
not.  In addition, IKEv2 employs the MOBIKE protocol which allows mobile 
client roaming.  Changing client IP addresses is handled automatically, 
without having to manually restart the VPN session.  All this said, if your 
use case has low throughput demand then OpenVPN would work fine.  In both 
cases, use strong encryption.  

3. If you go with OpenVPN, following Alan's suggestion to use tun instead of 
tap, I should add that if you have deployed MSWindows or other clients and 
services with non-IP protocols, then you'll probably need a tap bridge to make 
sure that all services can get through.  The client machines will then become 
part of your LAN.  Depending on client numbers you may need more than one VLAN 
segment and multiple OpenVPN servers.

4. An easier and simpler alternative may be to run SSH SOCKS proxy on the 
server and proxychains on the clients.  Any software run with proxychains on 
the client will be tunnelled via SSH to the server and from a network 
perspective will be connected to the office LAN.  Webapps should be able to 
run quite efficiently in this way and connect to the LAN server.  Public key 
authentication and an SSH high port should keep pests away.

-- 
Regards,
Mick
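Added example, not code from the thread: the "allow the office IP range and the VPN range" rule from the messages above, written as a source-address check a webapp could run behind a reverse proxy. The office address, VPN pool and proxy address are constructed placeholders; the point it adds is that X-Forwarded-For must only be honoured when the TCP peer is the trusted proxy, otherwise a remote client can forge the header and claim an office address.

```python
"""Source-address allowlist for a webapp limited to office and VPN ranges.

Added example; all addresses below are constructed placeholders.
"""
import ipaddress
from typing import Optional

# Constructed ranges: the office's static egress address and the VPN client pool.
ALLOWED_NETS = [
    ipaddress.ip_network("203.0.113.10/32"),  # office static IP (placeholder)
    ipaddress.ip_network("10.8.0.0/24"),      # VPN tunnel range (placeholder)
]
# Reverse proxy in front of the app; only its X-Forwarded-For is believed.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def _in_any(addr, nets) -> bool:
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)


def client_address(remote_addr: str, xff: Optional[str],
                   trusted_proxies=TRUSTED_PROXIES):
    """Return the address that should be authorised.

    X-Forwarded-For is only used when the TCP peer is a trusted proxy.
    The right-most entry is the one our own proxy appended, so it is the
    address the proxy actually saw; earlier entries may be client-supplied.
    """
    peer = ipaddress.ip_address(remote_addr)
    if xff and _in_any(peer, trusted_proxies):
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer


def is_allowed(remote_addr: str, xff: Optional[str] = None,
               allowed=ALLOWED_NETS) -> bool:
    """Allow only requests whose real source is in the office or VPN ranges."""
    try:
        addr = client_address(remote_addr, xff)
    except ValueError:
        return False  # unparsable address: deny rather than guess
    return _in_any(addr, allowed)
```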
