Require a vpn connection

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hey Mike, just thought I'd start another thread rather than getting way off topic in the other one.

Do you have any idea or a way to implement this other than leaving it up to the user?

The reason I'm asking is that it's an idea that I've wanted to put in place for a while for our laptop users, to require them to connect via vpn and then so their surfing etc through the company network and protection rather than through their home network connections.

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Well, you'd leave their proxy settings alone, and you'd require that they use VPN client software to connect to your network. All that would have to be set up on their laptops ahead of time. There are plenty of solutions out there... Cisco and Sonicwall are the two I'm most familiar with.

There's also SSL-VPN technology that you can use to eliminate the requirement for client software, but since that requires a Web connection, I'm not sure how you would need to implement it to solve your particular problem.

 

At the moment we have it so that users make a vpn connection to the firewall. After that they get the dhcp address and are then part of the network.

I know a friend of mine got a laptop from the large pharma company that he started working for and it was set up so that everytime he connected to a network (home, public, starbucks etc) the vpn made the connection to their network and he could go online. It was all automatic and he had no other choice.

That's the sort of thing I'd also like to do. The idea of the CEO sitting in an airport somewhere surfing over wifi really scares me for some reason.

I was just wondering (with your spook background ) if you knew of a way to enforce this.

 

Exactly right! Always have to weigh the tradeoffs between security and usability. Repped.

 

Setting it up is the easy part... enforcing it is the hard part. My gut instinct would be to use a GPO to lock it down so they can't change settings.

You're right to be concerned. We had some transcriptionists using company PCs at home. They connected to the office either by VPN client app or by SSL-VPN. Unfortunately, when they weren't on the VPN, they could browse anywhere. Some of them would routinely bring their PC in to be reimaged (as we saw on the AV scan reports that their PCs were infected). A simple lockdown so they couldn't browse without connecting might have solved the problem... but red tape from management kept that from happening for months.

 

GPOs = lock down IE to prevent user's arsing around with proxy settings.
Disable split-tunnelling to prevent them routing internet traffic through their home network whilst VPNed in.
Look into an SSL VPN - not cheap, but by far the most easy to enforce and flexible

 

LAWL

Just noticed Sparky has basically said exactly the same thing as me... I'll get me coat!

 

Thanks for the great advice guys.

 

Some solutions just work.

 

Cant remember who said it on the other thread, but the last company I worked for used a Citrix access gateway for remote users, and a proxy internally, and they used a registry file which amended the proxy server settings and labelled them inside and outside company and put on the users desktop, so the users knew what it was about.

It was also part of the induction for laptop users and explained in a printed howto guide that they took with them, so the training part we covered.

Also finally we locked down internet explorer using the content adviser to only allow access to the secure page that the CAG used, and also to the address 192.168.0.1 which we used for wireless access on various sites (They installed broadband via a wireless router for site managers), so if we had an issue with the wireless their we could access the routers config.

This also forced users to only surf through the content filtered proxy server as well.

We were looking at logmein before i left so they could do remote support so id imagine that site was added at some point as well, but im not there anymore lol