Mick <michaelkintzios@×××××.com> writes:

> On Saturday 16 Jan 2016 09:39:24 Alan McKinnon wrote:
>> On 16/01/2016 06:17, Grant wrote:
>> > I'm considering allowing some employees to work from home but I'm
>> > concerned about the security implications. Currently everybody shows up
>> > and logs into their locked down Gentoo system and from there is able to
>> > access the company webapps which are restricted to the office IP
>> > address. I guess I would have to allow webapp access from any IP for
>> > those users and trust that their computer is secure? Should that not be
>> > scary?
>> >
>> > - Grant
>>
>> I have experience in this area. I work at ISPs where working from home
>> is routine and required for overnight standby.
>>
>> You need a VPN, I'd recommend OpenVPN. It's easy to set up and offers
>> the security levels you need. Use the Layer3 routing option that uses
>> tun drivers (not tap) and issue the certificates to the users yourself.
>> Then allow your servers to accept connections from the VPN range as well
>> as the internal office range.
>>
>> As for the security levels of their personal machines, tell them what
>> you require and from that point on you really have to trust your people
>> so be security aware and with the program.
>
> Some other alternatives and thoughts to solutions already proposed are:
>
> 1. Only allow access through the office firewall and webapp servers to the IP
> addresses of your employees. This would only work if your employees have
> static IP addresses and are few in number - otherwise you are creating an
> administrative burden. I assume that the client connection to the webapp
> server will be over some secure protocol, e.g. SSH, SSL/TLS. Otherwise,
> you'll need an encrypted tunnel (see below).
>
> 2. Instead of OpenVPN which has been recommended I suggest that you take a
> look at IPSec with IKEv2. IPSec + IKEv2 provides higher throughput because
> encryption/decryption is performed in the kernel, rather than userspace and
> because it allows for multi-threading, which last time I looked OpenVPN does
> not. In addition, IKEv2 employs the MOBIKE protocol which allows mobile
> client roaming. Changing client IP addresses is handled automatically,
> without having to restart the VPN session manually. All this said, if your
> use case has low throughput demand then OpenVPN would work fine. In both
> cases, use strong encryption.
>
> 3. If you go with OpenVPN, following Alan's suggestion to use tun instead of
> tap, I should add that if you have deployed MSWindows or other clients and
> services with non-IP protocols, then you'll probably need a tap bridge to make
> sure that all services can get through. The client machines will then become
> part of your LAN. Depending on client numbers you may need more than one VLAN
> segment and multiple OpenVPN servers.
>
> 4. An easier and simpler alternative may be to run an SSH SOCKS proxy on the
> server and proxychains on the clients. Any software run with proxychains on
> the client will be tunnelled via SSH to the server and from a network
> perspective will be connected to the office LAN. Webapps should be able to
> run quite efficiently in this way and connect to the LAN server. Public key
> authentication and an SSH high port should keep pests away.

Suppose you use a VPN connection. How does the client (employee)
secure their own network and the machine they're using to work remotely
then?

What's the Linux equivalent of RDP sessions? Some sort of VNC seems to
usually require a lot of bandwidth, and I wouldn't know how to run it as
a service so that someone could just start a client (like rdesktop) and
log in to the server as they can do with Windoze servers. --- I only
found x11rdp which appears to be incompatible with current X servers.

Then there's LTSP. Leaving aside that there are no thin clients with
sufficient graphics performance: would it be possible to do that over a
VPN connection, provided that the VPN connection doesn't put the rest of
the network on the client side at risk?

Having said that, I'm finding OpenVNC anything but easy to set up. How
is that with IPsec and IKEv2?

Proxychains sounds interesting. Is it possible to run rdesktop through
that?
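As an added, concrete rendering of point 4 in the quoted reply (example code, not from any poster in the thread): a forwarding-only SSH account on the office gateway, restricted to the webapp host, beside the client's proxychains config and tunnel command. The gateway name gw.example.com, the account "tunnel", the webapp address 192.168.1.10, port 2222 and the key path are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: SSH SOCKS proxy + proxychains (point 4).
# Assumed placeholders: gateway gw.example.com, forwarding-only account
# "tunnel", webapp host 192.168.1.10, client key ~/.ssh/office_tunnel.

# Server side (sshd_config): key-only login on a high port, and an account
# that may open forwards to the webapp host only, with no shell or TTY.
sshd_hardening() {
    cat <<'EOF'
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Match User tunnel
    AllowTcpForwarding yes
    PermitOpen 192.168.1.10:443 192.168.1.10:80
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
EOF
}

# Client side: proxychains config sending every TCP connection through the
# local SOCKS port $1; proxy_dns keeps lookups of internal names in the tunnel.
proxychains_conf() {
    cat <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 $1
EOF
}

# Client side: open the SOCKS listener (-D) with no remote shell (-N), in the
# background (-f); ExitOnForwardFailure makes a taken local port a hard error.
start_tunnel() {
    ssh -N -f -D "127.0.0.1:$1" -p 2222 -i "$HOME/.ssh/office_tunnel" \
        -o IdentitiesOnly=yes -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 tunnel@gw.example.com
}

# Typical use: start_tunnel 1080 && proxychains_conf 1080 > ~/.proxychains/proxychains.conf
# then run a TCP client under it, e.g. proxychains4 firefox https://192.168.1.10/
```

Because the gateway's PermitOpen lists only the webapp host, a compromised home machine holding the key can reach nothing else on the LAN through this tunnel, unlike a routed VPN.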