Office Perimeter Security – VPN Access

12:12 pm in networking by Matt Jenkins

The office perimeter can be the most vulnerable area of the SMB network: it is the access gateway to the world, friend and foe alike. As an ever-increasing number of users require external access, how can you stay secure without hindering legitimate users? Every user has a different need for VPN access, and requirements vary from business to business.
Here is my view on how you can use the VPN to help secure your network:

Some internal employees need access to the entire internal network.

This is becoming normal in the SMB; most executive users now work from home or on the road, at least occasionally. The key security factor here is how you view the VPN; I think of access to the “Full VPN” like access to the office. I would not allow any member of staff to bring a home laptop in and plug it directly into the LAN (we have a guest network for that, with internet access only), and therefore we will not provide a VPN client for laptops that are not controlled by the IT department. Anyone who needs access to data from an external location is given a corporate laptop (either as their PC if they use it regularly, or on loan as necessary if they are occasional users). Limiting which machines have access is acceptable to the business: if you need full VPN access, you need a work laptop, which is built and managed by corporate IT.
The VPN itself uses the domain name and a computer certificate to authenticate that the machine is valid, and a directory logon (or internal CA certificate) to authenticate the user.

Some external contractors & suppliers need access to restricted resources.

The above is very secure; however, it leaves an inconvenient grey area between the internet and the trusted LAN. The majority of these “grey” users are contractors, temps or testers, who are trusted with a limited selection of resources in the LAN. Those resources may need to be kept from WAN access, and the users may not have static IP addresses or trusted machines locked down by the IT department. As these users only need access to websites, FTP servers and the like, they should be locked down to those ports and IP addresses.

This access has traditionally been the place of the DMZ: sometimes locked down by IP address, sometimes secured by user authentication, usually available only on the required ports and traditionally on a separate subnet from the internal LAN. However, using a DMZ like this, it can be difficult to meet the requirements outlined.

This is where the DMZVPN comes in: a separate subnet (like a DMZ) accessible via an SSL VPN client. A user connects to an SSL web page and is prompted to authenticate; once logged in, they are connected to the DMZVPN and locked into that subnet, with access to only those resources sanctioned and secured by the IT team. Depending on the resources, a specific subnet separated from the LAN may not be needed: just assign the DMZVPN users a small subnet within the LAN and lock them down to that subnet in the VPN. The DMZVPN can fill the grey area with limited access, locked down as required, and with access to any device without having to migrate it to a new area of the network.

Majority of employees need access to webmail only.

Users want to send and receive mail when out of the office. This is one of the few areas of the network that usually needs to be accessible to the WAN. It could be locked to the DMZVPN; however, this would be an additional step for users to get in, and the choice comes down to the security needs of the company. As long as the webmail front end is set up securely (there are plenty of articles around on how to achieve this), and login attempts are being logged and reviewed, then I see no problem with granting this access in the average office.
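The post relies on webmail login attempts being logged and reviewed. Below is an added example (not the author's tooling, and not tied to any particular mail product) of what that review can look like in code: it parses constructed sample log lines in an assumed format and flags the three patterns a reviewer would want to see first, a burst of failures from one source, failures spread across several accounts from one source, and a success that follows repeated failures from the same source. Thresholds, the line format and all addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not output of any real mail system; the line
# format is an assumption made for this example.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z webmail auth=fail user=alice src=203.0.113.7
2024-05-01T08:00:03Z webmail auth=fail user=alice src=203.0.113.7
2024-05-01T08:00:05Z webmail auth=fail user=alice src=203.0.113.7
2024-05-01T08:00:08Z webmail auth=fail user=alice src=203.0.113.7
2024-05-01T08:00:11Z webmail auth=fail user=alice src=203.0.113.7
2024-05-01T08:00:40Z webmail auth=ok user=alice src=203.0.113.7
2024-05-01T08:10:00Z webmail auth=fail user=bob src=198.51.100.9
2024-05-01T08:10:02Z webmail auth=fail user=carol src=198.51.100.9
2024-05-01T08:10:04Z webmail auth=fail user=dave src=198.51.100.9
2024-05-01T08:15:00Z webmail auth=ok user=erin src=192.0.2.44
2024-05-01T08:15:01Z this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) webmail "
    r"auth=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return (timestamp, result, user, src) tuples; lines that do not
    match the expected format are skipped rather than crashing the review."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def review_logins(events, window=timedelta(minutes=5), fail_threshold=5, spray_users=3):
    """Flag per-source patterns that deserve a human look:
    - brute_force: at least fail_threshold failures inside one sliding window
    - password_spray: failures against at least spray_users distinct accounts
    - success_after_failures: a successful logon following repeated failures
      from the same source (the password may have been guessed)
    Returns a sorted list of (source, finding) pairs."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    findings = []
    for src, evs in by_src.items():
        evs.sort()  # chronological; tuples sort by timestamp first
        fails = [ts for ts, result, _, _ in evs if result == "fail"]
        start = 0
        for end in range(len(fails)):
            # shrink the window until it spans at most `window` of time
            while fails[end] - fails[start] > window:
                start += 1
            if end - start + 1 >= fail_threshold:
                findings.append((src, "brute_force"))
                break
        tried = {user for _, result, user, _ in evs if result == "fail"}
        if len(tried) >= spray_users:
            findings.append((src, "password_spray"))
        seen_fail = 0
        for _, result, _, _ in evs:
            if result == "fail":
                seen_fail += 1
            elif seen_fail >= 3:
                findings.append((src, "success_after_failures"))
                break
    return sorted(findings)


if __name__ == "__main__":
    for src, finding in review_logins(parse_log(SAMPLE_LOG)):
        print(f"{src}: {finding}")
```

The sliding window over failure timestamps is what keeps the brute-force rule from firing on a user who simply mistypes a password a few times over a whole day; the success-after-failures rule is the one most worth acting on, because it points at a credential that may already be in someone else's hands.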

WAN users need access to the external services.

All the external services (that is, resources to be available to the outside world) should be hosted in the datacenter, with a VPN to the office LAN but no permissions or trust from the hosting environment. I will write more on security in this environment at a later date, but ideally only these would be open to the WAN user:

  • Mail – Port 25 to a hardened mail server for incoming mail, which receives, scans and forwards mail to the office over a secure site-to-site VPN.

  • Web – Port 80 / 443 for websites (web servers are separated from databases by another firewall).
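The four tiers above (full VPN for managed corporate laptops, DMZVPN for contractors locked to sanctioned resources, and only published datacenter services for the open WAN, with nothing from the hosting environment trusted into the LAN) form one access model. The following is an added example that models that policy as a single decision function so each rule can be checked against a connection attempt; it is not the author's firewall or VPN configuration, and every subnet, host, port and session attribute in it is a constructed placeholder.

```python
"""Tiered remote-access policy modelled after the post's four access tiers.
Added example; all addresses and ports are assumed placeholders."""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("10.0.0.0/16")        # assumed trusted office LAN
HOSTED = ipaddress.ip_network("192.0.2.0/24")    # assumed datacenter range

# (host, port) pairs a DMZVPN user is locked down to; in practice the list
# IT sanctions for that subnet (assumed values here)
DMZVPN_RESOURCES = {
    (ipaddress.ip_address("10.0.20.5"), 443),    # assumed test web site
    (ipaddress.ip_address("10.0.20.6"), 21),     # assumed FTP server
}

# The only services the open WAN may reach, all inside the datacenter
WAN_SERVICES = {
    (ipaddress.ip_address("192.0.2.25"), 25),    # hardened inbound mail server
    (ipaddress.ip_address("192.0.2.80"), 80),    # web server
    (ipaddress.ip_address("192.0.2.80"), 443),
    (ipaddress.ip_address("192.0.2.10"), 443),   # assumed webmail front end
}


@dataclass
class Session:
    tier: str                          # "full_vpn", "dmzvpn" or "wan"
    user_authenticated: bool = False   # directory logon or internal CA user cert
    machine_cert_valid: bool = False   # computer certificate from corporate CA
    domain_joined: bool = False        # machine built and managed by corporate IT


def decide(session, dst, port):
    """Return (allowed, reason) for one connection attempt to dst:port."""
    dst = ipaddress.ip_address(dst)

    if session.tier == "full_vpn":
        # Full VPN is treated like plugging into the office: the machine must be
        # a managed corporate device AND the user must log on.
        if not (session.machine_cert_valid and session.domain_joined):
            return False, "full VPN: machine is not a corporate-managed device"
        if not session.user_authenticated:
            return False, "full VPN: user logon required"
        if dst in LAN:
            return True, "full VPN: internal LAN"
        return False, "full VPN: destination is outside the LAN"

    if session.tier == "dmzvpn":
        # Any device may connect, but only after SSL VPN logon and only to the
        # sanctioned (host, port) pairs; the rest of the LAN stays invisible.
        if not session.user_authenticated:
            return False, "DMZVPN: SSL VPN logon required"
        if (dst, port) in DMZVPN_RESOURCES:
            return True, "DMZVPN: sanctioned resource"
        return False, "DMZVPN: resource not sanctioned for this subnet"

    # Everything else is the open WAN: published datacenter services only, and
    # nothing in the hosting environment is trusted into the LAN.
    if dst in LAN:
        return False, "WAN: no trust from the hosting environment into the LAN"
    if dst in HOSTED and (dst, port) in WAN_SERVICES:
        return True, "WAN: published service"
    return False, "WAN: port not published"


if __name__ == "__main__":
    attempts = [
        (Session("full_vpn", True, True, True), "10.0.5.9", 445),
        (Session("full_vpn", True, False, False), "10.0.5.9", 445),  # home laptop
        (Session("dmzvpn", True), "10.0.20.5", 443),
        (Session("dmzvpn", True), "10.0.5.9", 445),                  # file server
        (Session("wan"), "192.0.2.25", 25),
        (Session("wan"), "10.0.20.5", 443),
    ]
    for sess, dst, port in attempts:
        print(sess.tier, dst, port, decide(sess, dst, port))
```

The point of keeping the tiers in one function is that the order of checks is explicit: a home laptop with a valid directory logon still never reaches the LAN, and a DMZVPN user who is fully authenticated still only sees the handful of pairs IT has sanctioned. When the real rules live in a firewall or VPN concentrator, a table like this is also a convenient checklist to test the deployed configuration against.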

Good security is a sensible balance between functionality and protection. The key point here is to have as few resources as possible accessible from the WAN without hampering usability. Those that are available should require high levels of authentication and multiple layers of security, all done with minimum impact on the user.
In an ideal world, I would have the bare minimum visible to the outside world: just the VPN authentication ports. Some people have dismissed this idea as incompatible with their business, but if there are services that must be visible on the internet, they should be hosted in a secured & managed datacenter which cannot gain access to the vital internal systems of the business.