Mick <michaelkintz...@gmail.com> writes:

> On Saturday 16 Jan 2016 09:39:24 Alan McKinnon wrote:
>> On 16/01/2016 06:17, Grant wrote:
>> > I'm considering allowing some employees to work from home but I'm
>> > concerned about the security implications.  Currently everybody shows up
>> > and logs into their locked down Gentoo system and from there is able to
>> > access the company webapps which are restricted to the office IP
>> > address.  I guess I would have to allow webapp access from any IP for
>> > those users and trust that their computer is secure?  Should that not be
>> > scary?
>> > 
>> > - Grant
>> 
>> I have experience in this area. I work at ISPs where working from home
>> is routine and required for overnight standby.
>> 
>> You need a VPN, I'd recommend OpenVPN. It's easy to set up and offers
>> the security levels you need. Use the Layer3 routing option that uses
>> tun drivers (not tap) and issue the certificates to the users yourself.
>> Then allow your servers to accept connections from the VPN range as well
>> as the internal office range
>> 
>> As for the security levels of their personal machines, tell them what
>> you require and from that point on you really have to trust your people
>> so be security aware and with the program.
>
> Some other alternatives and thoughts to solutions already proposed are:
>
> 1. Only allow access through the office firewall and webapp servers to the
> IP addresses of your employees.  This would only work if your employees have
> static IP addresses and are few in number - otherwise you are creating an
> administrative burden.  I assume that the client connection to the webapp
> server will be over some secure protocol, e.g. SSH, SSL/TLS.  Otherwise,
> you'll need an encrypted tunnel (see below).
>
> 2. Instead of OpenVPN which has been recommended I suggest that you take a 
> look at IPSec with IKEv2.  IPSec + IKEv2 provides higher throughput because 
> encryption/decryption is performed in the kernel, rather than userspace and 
> because it allows for multi-threading, which last time I looked OpenVPN does 
> not.  In addition, IKEv2 employs the MOBIKE protocol which allows mobile 
> client roaming.  Changing client IP addresses is handled automatically, 
> without having to restart manually the VPN session.  All this said, if your 
> use case has low throughput demand then OpenVPN would work fine.  In both 
> cases, use strong encryption.  
>
> 3. If you go with OpenVPN, following Alan's suggestion to use tun instead of
> tap, I should add that if you have deployed MSWindows or other clients and
> services with non-IP protocols, then you'll probably need a tap bridge to
> make sure that all services can get through.  The client machines will then
> become part of your LAN.  Depending on client numbers you may need more than
> one VLAN segment and multiple OpenVPN servers.
>
> 4. An easier and simpler alternative may be to run SSH SOCKS proxy on the 
> server and proxychains on the clients.  Any software run with proxychains on 
> the client will be tunnelled via SSH to the server and from a network 
> perspective will be connected to the office LAN.  Webapps should be able to 
> run quite efficiently in this way and connect to the LAN server.  Public key 
> authentication and an SSH high port should keep pests away.

Suppose you use a VPN connection.  How does the client (employee)
secure their own network and the machine they're using to work remotely
then?

What's the Linux equivalent of RDP sessions?  Some sort of VNC seems to
usually require a lot of bandwidth, and I wouldn't know how to run it as
a service so that someone could just start a client (like rdesktop) and
log in to the server as they can do with Windoze servers. --- I only
found x11rdp which appears to be incompatible with current X servers.

Then there's LTSP.  Leaving aside that there are no thin clients with
sufficient graphics performance:  would it be possible to do that over a
VPN connection, provided that the VPN connection doesn't put the rest of
the network on the client side at risk?

Having said that, I'm finding OpenVPN anything but easy to set up.  How
is that with IPsec and IKEv2?

Proxychains sounds interesting.  Is it possible to run rdesktop through
that?
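Alan's point about letting the webapp servers accept the VPN range as well as the office range, and Mick's note that per-employee home IPs are an administrative burden, both come down to a source-address allow list. The following is an added example (not code from anyone in this thread) that builds such a list from two constructed ranges, renders it as an nginx `allow`/`deny` block, and scans a few constructed access-log lines for hits from outside the list, which is the check you would want once the webapps are reachable from more than the office:

```python
import ipaddress

# Constructed, assumed ranges: an office LAN and an OpenVPN tun pool.
# Neither value comes from the thread; replace with your own.
OFFICE_LAN = ipaddress.ip_network("192.0.2.0/24")   # office internal range
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")      # addresses handed out by the VPN
ALLOWED = [OFFICE_LAN, VPN_POOL]


def is_allowed(src, allowed=ALLOWED):
    """True if src is an IP inside one of the allowed networks.

    Anything that is not a parseable address (a hostname, garbage from a
    log line) is treated as not allowed rather than raising.
    """
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in allowed)


def nginx_acl(allowed=ALLOWED):
    """Render the allow list as an nginx location-level ACL fragment."""
    lines = [f"allow {net.with_prefixlen};" for net in allowed]
    lines.append("deny all;")
    return "\n".join(lines)


# Constructed nginx combined-format lines; the third is from outside both ranges.
SAMPLE_LOG = """\
192.0.2.17 - alice [16/Jan/2016:09:39:24 +0200] "GET /app/ HTTP/1.1" 200 512
10.8.0.6 - bob [16/Jan/2016:09:40:01 +0200] "GET /app/report HTTP/1.1" 200 2048
198.51.100.23 - - [16/Jan/2016:09:41:13 +0200] "GET /app/login HTTP/1.1" 403 0
"""


def unexpected_sources(log_text, allowed=ALLOWED):
    """Return the source addresses in log_text that fall outside the allow list."""
    hits = []
    for line in log_text.splitlines():
        src = line.split(" ", 1)[0]   # client address is the first field
        if not is_allowed(src, allowed):
            hits.append(src)
    return hits


if __name__ == "__main__":
    print(nginx_acl())
    print("outside allow list:", unexpected_sources(SAMPLE_LOG))
```

Adding a static home address per employee means appending one more `/32` to `ALLOWED`, which is exactly the list that grows unmanageably and goes stale when home connections change address; the VPN pool is one entry regardless of headcount.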
