Nice assessment Ben.

Sent from my hand held...

-----Original Message-----
From: "Ben Scott" <mailvor...@gmail.com>
To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com>
Sent: 4/30/09 5:37 PM
Subject: Re: Remote access options


On Thu, Apr 30, 2009 at 11:39 AM, Joe Heaton <jhea...@etp.ca.gov> wrote:
> With the “pandemic”, I’ve been tasked with coming up with a plan for remote
> access, in order to keep the business running, in case of having to have
> people stay home.

  Really, there are two high-level problems here:

P1. Getting secure network transport from the field to the office
P2. Running stuff that doesn't play nice over a WAN

  The solution to P1 should address:

P1a. Protecting the transport from sniffing
P1b. Authenticating the user and/or computer in the field
P1c. Protecting the office network from bad things that might be on the client

  The reason P2 comes into play is that a lot of stuff seems to assume
your network will have a < 20 ms RTT.  That isn't the case for most
Internet connections.  Unfortunately, that "lot of stuff" includes
Windows Explorer and Microsoft Office.  Browsing a file share over an
Internet link is typically painfully slow.

  One category of solutions to P1 are VPNs.  Technologically speaking,
there's not much difference between an IPsec VPN and an "SSL VPN".
The latter just typically include some kind of Java applet or ActiveX
control that automatically installs via a web page.  Pondering the
wisdom or folly of automatically distributing your secure remote
access solution via a web browser to a random computer is left as an
exercise for the reader.

  Solving P1a is pretty much a no-brainer these days.  Lots of good
crypto out there.  The hard part is securing the endpoint (P1b and
P1c), which is outside the encryption tunnel.

  For P1b, whether you want passwords or strong authentication
(certificates, OTP fobs, etc.) is up to you.  In this day and age, I
really think passwords are too weak for remote access for all but the
smallest of organizations.  But a lot of places still use them for
remote access, because doing more means more work, and security is
usually seen as something to get around, rather than something that
should be embraced.

  For P1c: Any kind of VPN tunnel (SSL, IPsec, OpenVPN, etc.) can be
controlled with a firewall.  If you're not strongly managing your VPN
clients, this is highly recommended.  For example, allow only RDP
(TCP/3389) through the VPN tunnel to your network.

  As an additional measure for P1c, some remote access packages also
include software which is supposed to make sure the client is "clean",
i.e., has up-to-date anti-virus or whatever.  I don't trust these
things.  I've seen way too many home computers swarming with malware
but which AV software said was fine.  My opinion; others disagree;
YMMV.

  For P1, we use OpenVPN (free).  We only allow company-owned,
strongly-managed computers to connect via VPN.  X.509 public key
certificates are used to authenticate client computers.  It works
pretty well -- for P1.  Does nothing for P2.

  There are two general approaches to P2: Remote control or WAN acceleration.

  Remote control means things like RDP, VNC, etc.  You bypass the
slowness by running the software on the LAN and shipping the display
over the WAN.  If there are a bunch of desktop PCs on the LAN, and the
field computers can use those, you're in good shape.

  Our big problem is that many of the people who want remote access
are using their company laptop, so there's nothing to RDP to.
Sometimes they can use desktop PCs.  I want to get a dedicated
Terminal Server but no budget so far.  :-(

  Citrix is essentially a solution to P1 and P2 packaged up in the
same product.  They use the remote control method for P2, obviously.

  WAN acceleration does some kind of magic at the network layer to
"fool" things into working faster.  I've read several accounts that
say the good ones really do work.  The problem is they're fiercely
expensive.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
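Ben's P1c advice, allowing only RDP (TCP/3389) from the tunnel into the office network, written out as a stateful netfilter policy. This is an added example, not code from the thread or from OpenVPN; the interface names (tun0, eth0), the VPN client pool and the LAN subnet are assumptions, and setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Assumed names (not from the thread): tunnel interface, LAN interface,
# VPN client address pool and office LAN subnet.  Override via environment.
VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
# IPT=echo gives a dry run; the default applies the rules (needs root).
IPT="${IPT:-iptables}"

# Put the VPN policy in its own chain so it is easy to audit and flush.
vpn_rdp_only() {
    $IPT -N VPN_FWD 2>/dev/null || $IPT -F VPN_FWD
    # Only NEW RDP sessions from the VPN pool to the LAN may start.
    $IPT -A VPN_FWD -i "$VPN_IF" -o "$LAN_IF" -s "$VPN_NET" -d "$LAN_NET" \
         -p tcp --dport 3389 -m conntrack --ctstate NEW -j ACCEPT
    # Anything else arriving from the tunnel is logged (rate-limited) and dropped,
    # which also gives you a record of what a compromised client tried to reach.
    $IPT -A VPN_FWD -i "$VPN_IF" -m limit --limit 5/min \
         -j LOG --log-prefix "VPN-DROP: "
    $IPT -A VPN_FWD -i "$VPN_IF" -j DROP

    # Default-deny forwarding; replies to allowed sessions pass statefully,
    # then every packet entering from the tunnel is sent through VPN_FWD.
    $IPT -P FORWARD DROP
    $IPT -C FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || \
        $IPT -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -C FORWARD -i "$VPN_IF" -j VPN_FWD 2>/dev/null || \
        $IPT -I FORWARD 2 -i "$VPN_IF" -j VPN_FWD
}
```

Traffic from VPN clients to the gateway host itself goes through INPUT, not FORWARD, so that chain needs an equally restrictive policy of its own.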