| 1 |
On Saturday 16 Jan 2016 09:39:24 Alan McKinnon wrote: |
| 2 |
> On 16/01/2016 06:17, Grant wrote: |
| 3 |
> > I'm considering allowing some employees to work from home but I'm |
| 4 |
> > concerned about the security implications. Currently everybody shows up |
| 5 |
> > and logs into their locked down Gentoo system and from there is able to |
| 6 |
> > access the company webapps which are restricted to the office IP |
| 7 |
> > address. I guess I would have to allow webapp access from any IP for |
| 8 |
> > those users and trust that their computer is secure? Should that not be |
| 9 |
> > scary? |
| 10 |
> > |
| 11 |
> > - Grant |
| 12 |
> |
| 13 |
> I have experience in this area. I work at ISPs where working from home |
| 14 |
> is routine and required for overnight standby. |
| 15 |
> |
| 16 |
> You need a VPN, I'd recommend OpenVPN. It's easy to set up and offers |
| 17 |
> the security levels you need. Use the Layer3 routing option that uses |
| 18 |
> tun drivers (not tap) and issue the certificates to the users yourself. |
| 19 |
> Then allow your servers to accept connections from the VPN range as well |
| 20 |
> as the internal office range |
| 21 |
> |
| 22 |
> As for the security levels of their personal machines, tell them what |
| 23 |
> you require and from that point on you really have to trust your people |
| 24 |
> so be security aware and with the program. |
| 25 |
|
| 26 |
Some other alternatives and thoughts to solutions already proposed are: |
| 27 |
|
| 28 |
1. Only allow access through the office firewall and webapp servers to the IP |
| 29 |
addresses of your employees. This would only work if your employees have |
| 30 |
static IP addresses and are few in number - otherwise you are creating an |
| 31 |
administrative burden. I assume that the client connection to the webapp |
| 32 |
server will be over some secure protocol, e.g. SSH, SSL/TLS. Otherwise, |
| 33 |
you'll need an encrypted tunnel (see below). |
| 34 |
|
| 35 |
2. Instead of OpenVPN which has been recommended I suggest that you take a |
| 36 |
look at IPSec with IKEv2. IPSec + IKEv2 provides higher throughout because |
| 37 |
encryption/decryption is performed in the kernel, rather than userspace and |
| 38 |
because it allows for multi-threading, which last time I looked OpenVPN does |
| 39 |
not. In addition, IKEv2 employs the MOBIKE protocol which allows mobile |
| 40 |
client roaming. Changing client IP addresses is handled automatically, |
| 41 |
without having to restart manually the VPN session. All this said, if your |
| 42 |
use case has low throughput demand then OpenVPN would work fine. In both |
| 43 |
cases, use strong encryption. |
| 44 |
|
| 45 |
3. If you go with OpenVPN, following Alan's suggestion to use tun instead of |
| 46 |
tap, I should add that if you have deployed MSWindows or other clients and |
| 47 |
services with non-IP protocols, then you'll probably need a tap bridge to make |
| 48 |
sure that all services can get through. The client machines will then become |
| 49 |
part of your LAN. Depending on client numbers you may need more than one VLAN |
| 50 |
segment and multiple OpenVPN servers. |
| 51 |
|
| 52 |
4. An easier and simpler alternative may be to run SSH SOCKS proxy on the |
| 53 |
server and proxychains on the clients. Any software run with proxychains on |
| 54 |
the client will be tunnelled via SSH to the server and from a network |
| 55 |
perspective will be connected to the office LAN. Webapps should be able to |
| 56 |
run quite efficiently in this way and connect to the LAN server. Public key |
| 57 |
authentication and an SSH high port should keep pests away. |
| 58 |
|
| 59 |
-- |
| 60 |
Regards, |
| 61 |
Mick |
Archives