| 1 |
Mick <michaelkintzios@×××××.com> writes: |
| 2 |
|
| 3 |
> On Saturday 16 Jan 2016 09:39:24 Alan McKinnon wrote: |
| 4 |
>> On 16/01/2016 06:17, Grant wrote: |
| 5 |
>> > I'm considering allowing some employees to work from home but I'm |
| 6 |
>> > concerned about the security implications. Currently everybody shows up |
| 7 |
>> > and logs into their locked down Gentoo system and from there is able to |
| 8 |
>> > access the company webapps which are restricted to the office IP |
| 9 |
>> > address. I guess I would have to allow webapp access from any IP for |
| 10 |
>> > those users and trust that their computer is secure? Should that not be |
| 11 |
>> > scary? |
| 12 |
>> > |
| 13 |
>> > - Grant |
| 14 |
>> |
| 15 |
>> I have experience in this area. I work at ISPs where working from home |
| 16 |
>> is routine and required for overnight standby. |
| 17 |
>> |
| 18 |
>> You need a VPN, I'd recommend OpenVPN. It's easy to set up and offers |
| 19 |
>> the security levels you need. Use the Layer3 routing option that uses |
| 20 |
>> tun drivers (not tap) and issue the certificates to the users yourself. |
| 21 |
>> Then allow your servers to accept connections from the VPN range as well |
| 22 |
>> as the internal office range |
| 23 |
>> |
| 24 |
>> As for the security levels of their personal machines, tell them what |
| 25 |
>> you require and from that point on you really have to trust your people |
| 26 |
>> so be security aware and with the program. |
| 27 |
> |
| 28 |
> Some other alternatives and thoughts to solutions already proposed are: |
| 29 |
> |
| 30 |
> 1. Only allow access through the office firewall and webapp servers to the IP |
| 31 |
> addresses of your employees. This would only work if your employees have |
| 32 |
> static IP addresses and are few in number - otherwise you are creating an |
| 33 |
> administrative burden. I assume that the client connection to the webapp |
| 34 |
> server will be over some secure protocol, e.g. SSH, SSL/TLS. Otherwise, |
| 35 |
> you'll need an encrypted tunnel (see below). |
| 36 |
> |
| 37 |
> 2. Instead of OpenVPN which has been recommended I suggest that you take a |
| 38 |
> look at IPSec with IKEv2. IPSec + IKEv2 provides higher throughout because |
| 39 |
> encryption/decryption is performed in the kernel, rather than userspace and |
| 40 |
> because it allows for multi-threading, which last time I looked OpenVPN does |
| 41 |
> not. In addition, IKEv2 employs the MOBIKE protocol which allows mobile |
| 42 |
> client roaming. Changing client IP addresses is handled automatically, |
| 43 |
> without having to restart manually the VPN session. All this said, if your |
| 44 |
> use case has low throughput demand then OpenVPN would work fine. In both |
| 45 |
> cases, use strong encryption. |
| 46 |
> |
| 47 |
> 3. If you go with OpenVPN, following Alan's suggestion to use tun instead of |
| 48 |
> tap, I should add that if you have deployed MSWindows or other clients and |
| 49 |
> services with non-IP protocols, then you'll probably need a tap bridge to make |
| 50 |
> sure that all services can get through. The client machines will then become |
| 51 |
> part of your LAN. Depending on client numbers you may need more than one VLAN |
| 52 |
> segment and multiple OpenVPN servers. |
| 53 |
> |
| 54 |
> 4. An easier and simpler alternative may be to run SSH SOCKS proxy on the |
| 55 |
> server and proxychains on the clients. Any software run with proxychains on |
| 56 |
> the client will be tunnelled via SSH to the server and from a network |
| 57 |
> perspective will be connected to the office LAN. Webapps should be able to |
| 58 |
> run quite efficiently in this way and connect to the LAN server. Public key |
| 59 |
> authentication and an SSH high port should keep pests away. |
| 60 |
|
| 61 |
Suppose you use a VPN connection. How do does the client (employee) |
| 62 |
secure their own network and the machine they're using to work remotely |
| 63 |
then? |
| 64 |
|
| 65 |
What's the Linux equivalent of RDP sessions? Some sort of VNC seems to |
| 66 |
usually require a lot of bandwidth, and I wouldn't know how to run it as |
| 67 |
a service so that someone could just start a client (like rdesktop) and |
| 68 |
log in to the server as they can do with Windoze servers. --- I only |
| 69 |
found x11rdp which appears to be incompatible with current X servers. |
| 70 |
|
| 71 |
Then there's LTSP. Letting aside that there are no thin clients with |
| 72 |
sufficient graphics performance: would it be possible to do that over a |
| 73 |
VPN connection, provided that the VPN connection doesn't put the rest of |
| 74 |
the network on the client side at risk? |
| 75 |
|
| 76 |
Having that said, I'm finding OpenVNC anything but easy to set up. How |
| 77 |
is that with IPsec and IKEv2? |
| 78 |
|
| 79 |
Proxychains sounds interesting. Is it possible to run rdesktop through |
| 80 |
that? |
Archives