Security at remote sites

MAC addresses can be spoofed. They add some degree of security but not a huge amount. You also need to consider what could happen if someone stole that router (or just cloned it)... not good! And what about someone wardriving and using the connection (wifi keys are not that hard to crack - even WPA can be broken now).

Also what happens if the user gets a virus on his machine, or any other on his network? You'd get it inside the company pretty quickly.

I've worked at a couple of very large banks. What they have done is allow you to use your own broadband connection but supply a laptop. These have VPN installed and use a two-key system: each user has a unique PIN and a SecurID keytag. The keytag rotates numbers every few seconds. To log on, the user has to enter a combination of their user ID, unique PIN and the rotating SecurID number. Because the SecurID number changes constantly and can only be used in conjunction with the PIN, you would need both to gain access.

And if someone breaks into the LAN then they still can't access your network.
 
We don't permit wireless at our home user sites

I know a MAC address can be spoofed, but most of these guys are sales or account managers; I can't think they would go to those lengths, although after looking at the 802.1x stuff I could authenticate the machines against the domain.

I tried finding the NetScreen 5 on the Juniper website but couldn't. I know for a fact I could do what I want with one of those; it would be a bit of an outlay for the company, but it's not my money!
 
It's not the sales or account managers you need to worry about; in fact you are supplying them with a connection, so they are already on the network. You don't need to protect yourself against them. It's people deliberately trying to get onto your network that you need to worry about. They will have a far higher technical ability.
 
What I am primarily trying to prevent is these sales people who may have their own home laptops or PCs that they plug into our router.
 
Hey howler, how's it going?

If you could stretch to SSG5s then that would be pretty sweet, a fair bit more expensive than the Drayteks you are using currently though, I suspect! :(

The old 5GT feature mentioned earlier was work : home, and it was a 'port mode' that you could change on any of the different models of the 5s. You could also use DMZ and extended DMZ, but you had to buy additional licenses to unlock the latter two features.

I used the work : home mode quite a few times, both in some of our sites that had private : public networks for basic internet access, and also a couple where people had them at home and we created a VPN from the work side and left them to do what they liked on the home side; you could not create policies to permit traffic from home:work, which was nice.

The new SSG5 units are way more flexible right out of the box, with 7 interfaces, and each interface can be its own zone if you really wanted it to, or you can combine ports into bridge groups and assign that to a zone, effectively creating a built-in switch. Fairly sure they support dot1x too, so if you are looking at really small sites then you might not even need an additional switch; you could just set up an auth server accessible over the VPN, and then away you go... I think. Check the C&E guides though.

The only thing I would say about the SSG5s, however, is that there is no model with an ADSL modem built in, so you would have to use an external Ethernet : ADSL modem. Draytek do a good one; I did some proof of concept work with them a couple of weeks back, although in the end I plumped for SSG20s with the ADSL-PIM modules instead.

Hope this helps! Take it easy buddy.
 
Cannot remember for the life of me how or what we did, but ages ago at my last work we had something like certificate-based network port authentication, 802.1x stuff maybe?

If a machine didn't have the certificate it wasn't allowed on the network; obviously you need the network hardware to support it.
 
Hey Andy, I was hoping you were going to pop up on MSN over the last couple of days.

We already have an SSG5 here for another reason, great bit of kit, a bit pricey for home user sites. I have used those Draytek modems before; they just work, which is nice!

It's looking more and more like I am going to get involved with 802.1x, I think.
 
If I was one of your salesmen then I'd insist you installed a separate phone line/broadband for your router. Otherwise you'd prevent them using their own line for themselves.

I still think you're trying to secure the wrong component. It's the laptop itself that needs to be secured, not the router.
 
We supply them with a business phone line and ADSL connection. I don't have a problem with them using that connection for some internet browsing; it's a bit unfair to make them get another ADSL connection for personal use.

The issue is that any device plugged into the router has access to the VPN tunnel.
 
Yeah, was looking at the VLAN stuff on the Draytek yesterday; it's not really a true VLAN, it stops traffic between the two VLANs but that is about it.

I think I might VLAN a couple of ports that are for home use and tell them they have to use a specified subnet, which I can block on the firewall here.