On Saturday 16 Jan 2016 09:39:24 Alan McKinnon wrote:
> On 16/01/2016 06:17, Grant wrote:
> > I'm considering allowing some employees to work from home but I'm
> > concerned about the security implications. Currently everybody shows up
> > and logs into their locked down Gentoo system and from there is able to
> > access the company webapps which are restricted to the office IP
> > address. I guess I would have to allow webapp access from any IP for
> > those users and trust that their computer is secure? Should that not be
> > scary?
> >
> > - Grant
>
> I have experience in this area. I work at ISPs where working from home
> is routine and required for overnight standby.
>
> You need a VPN, I'd recommend OpenVPN. It's easy to set up and offers
> the security levels you need. Use the Layer3 routing option that uses
> tun drivers (not tap) and issue the certificates to the users yourself.
> Then allow your servers to accept connections from the VPN range as well
> as the internal office range.
>
> As for the security levels of their personal machines, tell them what
> you require and from that point on you really have to trust your people
> to be security aware and with the program.

Some other alternatives and thoughts to solutions already proposed are:

1. Only allow access through the office firewall and webapp servers to the IP
addresses of your employees. This would only work if your employees have
static IP addresses and are few in number - otherwise you are creating an
administrative burden. I assume that the client connection to the webapp
server will be over some secure protocol, e.g. SSH, SSL/TLS. Otherwise,
you'll need an encrypted tunnel (see below).

2. Instead of OpenVPN which has been recommended I suggest that you take a
look at IPSec with IKEv2. IPSec + IKEv2 provides higher throughput because
encryption/decryption is performed in the kernel, rather than userspace and
because it allows for multi-threading, which last time I looked OpenVPN does
not. In addition, IKEv2 employs the MOBIKE protocol which allows mobile
client roaming. Changing client IP addresses is handled automatically,
without having to restart manually the VPN session. All this said, if your
use case has low throughput demand then OpenVPN would work fine. In both
cases, use strong encryption.

3. If you go with OpenVPN, following Alan's suggestion to use tun instead of
tap, I should add that if you have deployed MSWindows or other clients and
services with non-IP protocols, then you'll probably need a tap bridge to make
sure that all services can get through. The client machines will then become
part of your LAN. Depending on client numbers you may need more than one VLAN
segment and multiple OpenVPN servers.

4. An easier and simpler alternative may be to run SSH SOCKS proxy on the
server and proxychains on the clients. Any software run with proxychains on
the client will be tunnelled via SSH to the server and from a network
perspective will be connected to the office LAN. Webapps should be able to
run quite efficiently in this way and connect to the LAN server. Public key
authentication and an SSH high port should keep pests away.

--
Regards,
Mick
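As an added example that is not part of Alan's or Mick's messages (nor any OpenVPN, OpenSSH or proxychains project code), the following POSIX shell script ties together two points from the thread: Alan's rule of letting the webapp accept connections from the VPN range as well as the office range, and Mick's alternative 4 (an SSH SOCKS tunnel on a high port with key-only authentication, and proxychains on the client). The office range 203.0.113.0/24, the VPN subnet 10.8.0.0/24, the ports, the host name vpn.example.com, the user name and the group name are all constructed placeholders, not values from the thread. The `source_allowed` function reproduces the firewall's allow/deny decision in plain shell arithmetic so the generated rules can be sanity-checked offline.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. All addresses, ports,
# host names and account names are constructed placeholders.

OFFICE_NET="203.0.113.0/24"   # constructed: the office's egress range
VPN_NET="10.8.0.0/24"         # constructed: OpenVPN tun subnet handed to clients
WEBAPP_PORT=443               # constructed: the webapp's TLS port
SSH_PORT=2222                 # constructed: the "SSH high port" from the post
SOCKS_PORT=1080               # constructed: local SOCKS5 listener on the client

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP CIDR : exit 0 when IP lies inside CIDR (e.g. 10.8.0.5 10.8.0.0/24).
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# The access decision the firewall rules below encode: a source address is
# allowed to reach the webapp only from the office range or the VPN range.
source_allowed() {
    in_cidr "$1" "$OFFICE_NET" || in_cidr "$1" "$VPN_NET"
}

# iptables rules restricting the webapp port to those two ranges and
# dropping everything else (order matters: accepts first, then the drop).
webapp_rules() {
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$WEBAPP_PORT" "$OFFICE_NET"
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$WEBAPP_PORT" "$VPN_NET"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$WEBAPP_PORT"
}

# sshd_config fragment for the SOCKS-tunnel host: high port, public-key
# authentication only, TCP forwarding kept on (ssh -D needs it), root login
# off, and logins limited to a group created for remote workers.
sshd_fragment() {
    cat <<EOF
Port $SSH_PORT
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding yes
PermitRootLogin no
AllowGroups remote-proxy
EOF
}

# Client side: the ssh invocation that opens the local SOCKS5 listener
# (-N: no remote command, -D: dynamic port forwarding bound to loopback).
client_ssh_cmd() {
    printf 'ssh -N -D 127.0.0.1:%s -p %s remote-user@vpn.example.com\n' "$SOCKS_PORT" "$SSH_PORT"
}

# proxychains configuration pointing at that listener. proxy_dns sends name
# resolution through the tunnel too, so internal host names resolve as they
# would on the office LAN.
proxychains_conf() {
    cat <<EOF
strict_chain
proxy_dns
[ProxyList]
socks5 127.0.0.1 $SOCKS_PORT
EOF
}

# Usage: print every generated piece when run directly.
webapp_rules
sshd_fragment
client_ssh_cmd
proxychains_conf
```

Running the script prints the rule set, the sshd fragment, the client command and the proxychains configuration; the office and VPN ranges only need changing in the two variables at the top, which keeps the firewall rules and the allow/deny check in agreement.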