Security at remote sites

Following on from this post:

http://forums.overclockers.co.uk/showthread.php?t=18035333

We are looking at stepping up security at our remote offices

At the moment our remote users are provided with an ADSL connection and a laptop, and we supply them with a preconfigured Draytek 2800/2820 with an IPsec VPN to head office.

Now there is currently not much to stop them plugging a home PC into the router and potentially doing some damage.

What are my options for restricting the devices that can access the VPN? I'm not looking to preclude them from having internet access etc.

I'd really like to say that only permitted MAC addresses can access either the VPN or resources on the head office network

Any ideas?
 
I can lock it down to IP addresses, but that does not stop a user at that site giving their home PC the same IP as their laptop.
 
Use NS-Remote on the computer itself for the IPsec connection rather than on the router?

That would work, although it is nice to be able to remotely access their router for admin stuff. I guess I could have separate dial-in VPNs for that though.
 
Whilst you're going through the process of finding the technical solution, work on the human one. Get backing from management to ensure people don't plug in any non-work devices in the first place.
 
I have that backing, but unless I happen to actually catch them doing it, it can still happen. Also, if something bad were to happen as a result, it creates even more work.
 
Ensure then, until such time as you've got a technical solution, that your IT management communicate that if it does happen and said user is caught, they'll be handed over to HR and disciplined.

The company where I work used to have a similar problem; the IT management got right behind stopping it and communicating that it was a definite NO to do this. Although we've got a 'rogue system sensor' (McAfee), it very, very rarely reports unknown devices. It doesn't stop them having network access, but it gives some visibility of what's out there.
 
They all know that they will be disciplined if they are caught; however, I think they all know it is highly unlikely that they will actually get caught, until the day something bad happens, which means a headache for both parties.
 
Even a low-end Cisco switch can be set up so that ports are mapped to MAC addresses, i.e. if you try to plug in another device with a different MAC address it will disable the port.
 
802.1X authentication? Machines without a certificate won't be granted access to the network.
 
Even a low-end Cisco switch can be set up so that ports are mapped to MAC addresses, i.e. if you try to plug in another device with a different MAC address it will disable the port.

Yep, that would be great if we deployed Cisco switches into staff home offices, but it's a bit pricey and unnecessary really.

Regarding 802.1X, can someone explain how it all hangs together, as I am a little unclear? Am I able to get devices plugged into the router to authenticate?
 
I'm not 100% with it tbh, but I'd imagine that you'd have a RADIUS server down your VPN, and your 802.1X-aware routers would hand off the authentication down the tunnel. There are numerous different ways of doing it with AD etc. too (still using 802.1X): machine accounts and user accounts must match in order for them to be granted access, MAC addresses tied to accounts, and a few other bits and bobs.

It is certainly the technology you want to read into.
 
Lots of switches do 802.1X authentication. Even brands such as Netgear and D-Link do this.

With 802.1X, the machines connecting into it would need to be authenticated. This would talk back to a RADIUS server at head office across the VPN, so it would not need extra hardware other than the switch itself.

I see that the 2820n does 802.1X for the wireless; you might want to see if it can do it on the wired side as well.

As you use Juniper at the main office, it might be worth looking at putting SSG5s at the remote sites as well.

I know the old NS-5GTs came in a model where you could split the device so that there was a work network and a guest or home network.

I believe that there may be an SSG5 equivalent config. That way they could put a home laptop on the guest/home network and it would not have access over the VPN.
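The following is an added example, not code from the thread or from any Draytek, Juniper or RADIUS product. It models the two approaches discussed above: the static IP/MAC allowlists on the branch router that a home PC can defeat by cloning the laptop's addresses, and the 802.1X flow where the router acts as authenticator and relays an authentication to a RADIUS server at head office over the VPN. The EAP exchange is simplified to an HMAC challenge/response keyed by a per-machine secret; a real deployment would use EAP-TLS with a machine certificate, but the property shown is the same: the home PC can copy an address or an identity string, not the credential. All device names, MACs, IPs, identities and keys are constructed sample data.

```python
"""Added example: static IP/MAC allowlists versus an 802.1X-style
challenge/response for a branch-office router.

Illustrative code only; not the code of any router or RADIUS product.
The EAP exchange is simplified to HMAC challenge/response with a
per-machine secret standing in for an EAP-TLS machine certificate.
All addresses, identities and keys below are constructed sample data.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Endpoint:
    """What the branch router sees on its LAN side."""
    name: str
    mac: str
    ip: str
    identity: Optional[str]   # 802.1X identity the supplicant sends (None = no supplicant)
    eap_key: Optional[bytes]  # stand-in for the machine credential (None = not enrolled)


# Static allowlists configured on the router, as the thread describes them.
ALLOWED_MACS = {"00:1a:2b:3c:4d:5e"}
ALLOWED_IPS = {"192.168.10.20"}

# Constructed RADIUS database at head office: 802.1X identity -> enrolled secret.
RADIUS_DB: Dict[str, bytes] = {
    "host/LAPTOP-0042.corp.example": bytes.fromhex("0f" * 32),
}


def ip_filter_allows(ep: Endpoint) -> bool:
    """Router rule: only these source IPs may enter the VPN."""
    return ep.ip in ALLOWED_IPS


def mac_filter_allows(ep: Endpoint) -> bool:
    """Router rule: only these MAC addresses may enter the VPN."""
    return ep.mac in ALLOWED_MACS


def radius_new_challenge() -> bytes:
    """RADIUS picks a fresh random challenge for every authentication."""
    return secrets.token_bytes(16)


def supplicant_respond(ep: Endpoint, challenge: bytes) -> Optional[bytes]:
    """Supplicant on the endpoint proves possession of its credential."""
    if ep.eap_key is None:
        return None
    return hmac.new(ep.eap_key, challenge, hashlib.sha256).digest()


def radius_verify(identity: Optional[str], challenge: bytes,
                  response: Optional[bytes]) -> bool:
    """RADIUS recomputes the expected response with the enrolled key."""
    if identity is None or response is None:
        return False
    key = RADIUS_DB.get(identity)
    if key is None:
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def dot1x_allows(ep: Endpoint) -> bool:
    """Port stays closed until RADIUS (reached over the tunnel) says Access-Accept."""
    challenge = radius_new_challenge()
    return radius_verify(ep.identity, challenge, supplicant_respond(ep, challenge))


def replay_attack_succeeds(victim: Endpoint) -> bool:
    """An attacker who captured one earlier response replays it against a new challenge."""
    old_challenge = radius_new_challenge()
    captured = supplicant_respond(victim, old_challenge)
    new_challenge = radius_new_challenge()
    return radius_verify(victim.identity, new_challenge, captured)


def evaluate(ep: Endpoint) -> Dict[str, bool]:
    """Result of each access-control approach for one endpoint."""
    return {
        "ip_filter": ip_filter_allows(ep),
        "mac_filter": mac_filter_allows(ep),
        "dot1x": dot1x_allows(ep),
    }


# Constructed endpoints: the company laptop, and a home PC that has cloned the
# laptop's MAC, IP and even its 802.1X identity string, but holds no credential.
LAPTOP = Endpoint("company laptop", "00:1a:2b:3c:4d:5e", "192.168.10.20",
                  "host/LAPTOP-0042.corp.example",
                  RADIUS_DB["host/LAPTOP-0042.corp.example"])
HOME_PC = Endpoint("home PC (cloned MAC/IP/identity)", "00:1a:2b:3c:4d:5e",
                   "192.168.10.20", "host/LAPTOP-0042.corp.example", None)

if __name__ == "__main__":
    for ep in (LAPTOP, HOME_PC):
        print(ep.name, evaluate(ep))
    print("replay succeeds:", replay_attack_succeeds(LAPTOP))
```

Two caveats for the real thing: the router at the branch must support being a wired 802.1X authenticator and forwarding RADIUS over the tunnel, which the thread leaves open for the Draytek; and the credential is only as uncopyable as its storage, so issue the machine certificate with a non-exportable private key (or a TPM) rather than a file the user can copy to the home PC.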
 