Security at remote sites

Associate
Joined
5 Oct 2004
Posts
1,647
Following on from this post:

http://forums.overclockers.co.uk/showthread.php?t=18035333

We are looking at stepping up security at our remote offices

At the moment our remote users are provided with an ADSL connection, laptop and we supply them with a preconfigured Draytek 2800/2820 with an IPSec VPN to head office

Now there is currently not much to stop them plugging in a home PC into the router and potentially doing some damage

What are my options for restricting devices that can access the VPN, I'm not looking to preclude them from having internet access etc

I'd really like to say that only permitted MAC addresses can access either the VPN or resources on the head office network

Any ideas?
 
I can lock it down to IP addresses but that does not stop a user at that site giving their home PC the same IP as their laptop
 
Use ns-remote on the computer itself for the ipsec connection rather than on the router?

That would work although it is nice to be able to remotely access their router for admin stuff, I guess I could have separate dial in VPNs for that though
 
I have that backup, but unless I happen to actually catch them doing it then it can happen, also if something bad were to happen as a result it creates even more work
 
They all know that they will be disciplined if they are caught, however I think they all know it is highly unlikely that they will actually get caught, until the day something bad happens which means a headache for both parties
 
Even a low end Cisco switch can be set up so that ports are mapped to MAC addresses, i.e. if you try to plug another device in with a different MAC address it will disable the port.

Yep that would be great if we deployed Cisco switches into staff home offices, bit pricey and unnecessary really

Regarding 802.1X, can someone explain how it all hangs together as I am a little unclear, am I able to get devices plugged into the router to authenticate?
 
We don't permit wireless at our home user sites

I know a MAC address can be spoofed but most of these guys are sales or account managers, can't think they would go to those lengths, although after looking at the 802.1x stuff I could authenticate the machines against the domain

I tried finding the NetScreen 5 on the Juniper website but couldn't. I know for a fact I could do what I want with one of those, would be a bit of an outlay for the company, but it's not my money!
 
What I am primarily trying to prevent is these sales people who may have their own home laptops or PCs that they plug into our router
 
Hey Andy, I was hoping you were going to pop up on MSN over the last couple of days

We already have an SSG5 here for another reason, great bit of kit, bit pricey for home user sites, I have used those Draytek modems before, they just work which is nice!

It's looking more and more like I am going to get involved with 802.1X I think
 
We supply them with a business phone line and ADSL connection, I don't have a problem with them using that connection for some internet browsing, it's a bit unfair to make them get another ADSL connection for personal use

The issue is that any device plugged into the router has access to the VPN tunnel
 
Yeah was looking at the VLAN stuff on the Draytek yesterday, it's not really a true VLAN, stops traffic between the two VLANs but that is about it

I think I might VLAN a couple of ports that are for home use and tell them they have to use a specified subnet which I can block on the firewall here
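Two of the thread's worries can at least be detected from the remote router's lease and ARP records even where they cannot be enforced on a Draytek: a MAC that is not the company laptop taking an address on the ports that reach the tunnel, and a second machine configured with the laptop's IP (the cloning case raised earlier in the thread). The script below is an added example, not code from the thread, from Draytek or from any poster. It assumes a constructed key=value record format (Draytek's real syslog lines differ, so `LINE_RE` would need adapting), constructed MAC and IP values, and two placeholder subnets: one for the corporate ports that are routed into the IPsec tunnel and one for the home-use VLAN that the head-office firewall blocks.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log sample in a generic key=value lease/ARP record style used only for
# this example. Draytek's real syslog output looks different; adapt LINE_RE to it.
SAMPLE_LOG = """\
2024-03-01 08:01:12 site=home-office-01 event=dhcp_lease mac=00:11:22:33:44:55 ip=192.168.1.20 port=1
2024-03-01 08:01:13 site=home-office-01 event=arp mac=00:11:22:33:44:55 ip=192.168.1.20 port=1
2024-03-01 18:30:02 site=home-office-01 event=arp mac=AA:BB:CC:DD:EE:FF ip=192.168.1.20 port=2
2024-03-01 18:30:05 site=home-office-01 event=dhcp_lease mac=aa:bb:cc:dd:ee:01 ip=192.168.9.50 port=4
this line is not a lease record and is skipped by the parser
"""

# Constructed policy values (placeholders, not the poster's real addressing).
ALLOWED_MACS = {"00:11:22:33:44:55"}      # the company-issued laptop at this site
CORPORATE_NET = "192.168.1.0/24"          # ports whose traffic reaches the IPsec tunnel
HOME_NET = "192.168.9.0/24"               # the home-use VLAN, blocked at head office

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) site=(?P<site>\S+) event=(?P<event>\S+) "
    r"mac=(?P<mac>[0-9a-f:]{17}) ip=(?P<ip>[0-9.]+) port=(?P<port>\d+)$"
)


def parse_line(line):
    """Return the fields of one record as a dict, or None for non-matching lines."""
    m = LINE_RE.match(line.strip().lower())
    return m.groupdict() if m else None


def analyse(log_text, allowed_macs, corporate_net, home_net):
    """Scan router lease/ARP records and return policy findings as tuples.

    Two checks are performed:
      * unknown_device_on_corporate_subnet: a MAC not on the allow-list has taken an
        address on the subnet that is routed into the VPN tunnel.
      * ip_mac_conflict: one IP has been claimed by more than one MAC, which is what
        a second machine configured with the laptop's address looks like.
    Devices on the home-use VLAN subnet are permitted and produce no finding.
    """
    allowed = {m.lower() for m in allowed_macs}
    corp = ipaddress.ip_network(corporate_net)
    home = ipaddress.ip_network(home_net)
    macs_per_ip = defaultdict(set)
    seen_pairs = set()
    findings = []

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = ipaddress.ip_address(rec["ip"])
        macs_per_ip[rec["ip"]].add(rec["mac"])
        if ip in home:
            continue  # home-use VLAN: allowed here, dropped by the head-office firewall
        pair = (rec["mac"], rec["ip"])
        if ip in corp and rec["mac"] not in allowed and pair not in seen_pairs:
            seen_pairs.add(pair)
            findings.append(("unknown_device_on_corporate_subnet",
                             rec["mac"], rec["ip"], rec["port"]))

    # Report each IP that has been claimed by more than one hardware address.
    for ip_str, macs in macs_per_ip.items():
        if len(macs) > 1:
            findings.append(("ip_mac_conflict", ip_str, tuple(sorted(macs))))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG, ALLOWED_MACS, CORPORATE_NET, HOME_NET):
        print(*finding)
```

Run against the constructed sample it reports the unknown MAC on port 2 of the corporate subnet and the conflict on 192.168.1.20, while the device on the home-use VLAN passes silently. Shipping the router's syslog to head office and running a check like this on a schedule turns "unless I happen to catch them" into a record that is reviewed every day.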
 