#1 Killer_Bot

    VPN Solution Advice

    Hi all,

    I've just gone through the process of installing and configuring OpenVPN for our network and all is working perfectly. However, after a discussion with the Network Manager we decided we really need some kind of protection from poorly maintained systems connecting to the network and possibly bringing all sorts of malware with them.

    I've looked into ways of doing this with OpenVPN but all I can see is advice re post_auth scripts that could possibly pull AV status from software before allowing the connection. The issue with this is that I don't know what AV the clients will be running, and in all likelihood it will be many different varieties as staff will be using their own devices.

    I've looked at using Windows' own VPN solutions with Routing and Remote Access, but as PPTP is known to be insecure without implementing PEAP-MS-CHAP-V2, which in turn requires certificates being installed on clients, it's a route I'd rather avoid.

    Ideally I'd like a solution that could offer the following:

    - Simple connectivity similar to OpenVPN (they navigate to our URL and log on)
    - Ability to interrogate client for status of AV and deny connection if non-compliant
    - Some sort of EXE staff can take home and run in order to make the necessary connections and system changes for the connection and interrogation above

    Are there any others out there that people may be aware of? Preferably free and software based.

    All thoughts are welcome.

    Thanks,

    K

#2 AliG
    We only allow VPN on school owned laptops for exactly the reasons above.

#3 SchoolsBroadband
    You need to be able to do inline anti-virus scanning on your VPN -> LAN traffic.

    This can all be done via one UTM box. Being completely biased I'd recommend Fortinet's Fortigate product, although I'm sure Checkpoint, Palo Alto and other devices also fit the bill.

    Dave


#4 pantscat
    Quote Originally Posted by AliG:
    We only allow VPN on school owned laptops for exactly the reasons above.
    Just out of interest, how do you restrict this?

#5 localzuk
    How about using Server 2012 and DirectAccess? You can specify a NAP policy that has to be enforced there.

#6 Geoff
    Quote Originally Posted by pantscat:
    Just out of interest, how do you restrict this?
    I would have thought using client certificates would accomplish this.

    As for the original issue, this problem extends beyond just VPN and applies to any end client you let on your network that you don't have full control over (think student wifi access and BYOD schemes, for example). The tool you are looking for is Network Access Protection and Control. The basic premise is that you have a server on your network whose job it is to interrogate any device coming onto your network and ensure it sticks to a policy you set. If it does, then the server gives it access; otherwise it gets isolated until such time as the end user conforms to policy.

    To implement this you have several choices: you have easy access to Network Access Policy Server as it comes with Server W2k8. Other than that, I've used Packetfence in the past, which is a free open source solution. With either of these solutions you can carry on using OpenVPN for VPN access.

    Thanks to Geoff from: Killer_Bot (30th January 2013)
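The policy flow Geoff describes (interrogate the device, grant access if it meets policy, otherwise isolate it until remediated) and the OP's idea of a post-auth hook that checks AV status both come down to the same server-side decision. The following is an added example written for this thread; it is not code from OpenVPN, NAP or PacketFence. It assumes a client agent has already gathered a small posture report (the field names `antivirus`, `definitions_updated`, `os_build` and `firewall_enabled` are invented for the example, and the route values and thresholds are constructed), and shows the evaluator a VPN server would call after authentication. Missing or malformed fields fail closed, which matters on BYOD devices that may run any AV product or none at all.

```python
"""Network-access policy check modelled on the NAP flow described in the thread.

Added example, not code from the thread or from any NAP/PacketFence/OpenVPN
product. The posture-report field names are invented for this example; a real
agent would populate them from whatever the endpoint can report.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy thresholds and networks (constructed values for the example).
MAX_DEFINITION_AGE = timedelta(days=7)
MIN_OS_BUILD = 7601                      # hypothetical minimum patch level
QUARANTINE_ROUTES = ["10.0.99.0/24"]     # isolation/remediation network
FULL_ACCESS_ROUTES = ["10.0.0.0/16"]     # routes pushed to compliant clients


@dataclass
class Decision:
    action: str                      # "allow", "quarantine" or "deny"
    routes: list = field(default_factory=list)
    failures: list = field(default_factory=list)


def _check_av(report, now, failures):
    # Vendor-agnostic: only asks whether AV is on and definitions are fresh.
    av = report.get("antivirus")
    if not isinstance(av, dict):
        failures.append("no antivirus status reported")
        return
    if not av.get("enabled"):
        failures.append("antivirus disabled")
    try:
        updated = datetime.fromisoformat(av["definitions_updated"])
    except (KeyError, TypeError, ValueError):
        failures.append("antivirus definition date missing or unparseable")
        return
    if now - updated > MAX_DEFINITION_AGE:
        failures.append("antivirus definitions older than %d days" % MAX_DEFINITION_AGE.days)


def _check_os(report, failures):
    build = report.get("os_build")
    if not isinstance(build, int) or build < MIN_OS_BUILD:
        failures.append("OS build missing or below %d" % MIN_OS_BUILD)


def _check_firewall(report, failures):
    if report.get("firewall_enabled") is not True:
        failures.append("host firewall not enabled")


def evaluate(report, now=None):
    """Return a Decision: compliant -> allow, non-compliant -> quarantine.

    A client that sends no usable report at all is denied outright rather
    than quarantined, since there is nothing to remediate against.
    """
    if not isinstance(report, dict):
        return Decision("deny", failures=["posture report missing"])
    now = now or datetime.now()
    failures = []
    _check_av(report, now, failures)
    _check_os(report, failures)
    _check_firewall(report, failures)
    if failures:
        return Decision("quarantine", list(QUARANTINE_ROUTES), failures)
    return Decision("allow", list(FULL_ACCESS_ROUTES))


# Constructed sample reports for three endpoint states.
NOW = datetime(2013, 1, 30, 12, 0)
COMPLIANT = {"antivirus": {"enabled": True, "definitions_updated": "2013-01-28T08:00:00"},
             "os_build": 7601, "firewall_enabled": True}
STALE_AV = {"antivirus": {"enabled": True, "definitions_updated": "2012-12-01T08:00:00"},
            "os_build": 7601, "firewall_enabled": True}
NO_AV = {"os_build": 7601, "firewall_enabled": True}

if __name__ == "__main__":
    for name, r in [("compliant", COMPLIANT), ("stale AV", STALE_AV), ("no AV", NO_AV)]:
        d = evaluate(r, NOW)
        print(name, "->", d.action, d.routes, d.failures)
```

The useful design point is the shape of the result: a non-compliant client still gets a connection, but only routes into an isolation network, which is what lets the user fix the problem and reconnect instead of simply being locked out. Collecting the posture in a product-neutral form (enabled/not, definition age) is what keeps this workable when staff bring devices running any AV product.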

#7 Killer_Bot
    Thanks for all your responses.

    I've looked into the solutions suggested and some of it looks like it could work but I can't find how to just integrate the solution with the OpenVPN AS server and only the OpenVPN AS server.

    Another solution I've read about is some kind of NAC client on the endpoint devices that staff could just install that would only allow the connection if it met certain conditions.

    Any further advice would be welcome.

#8 Killer_Bot
    Quote Originally Posted by SchoolsBroadband:
    You need to be able to do inline anti-virus scanning on your VPN -> LAN traffic.

    This can all be done via one UTM box. Being completely biased I'd recommend Fortinet's Fortigate product, although I'm sure Checkpoint, Palo Alto and other devices also fit the bill.

    Dave
    We have Forefront TMG as our firewall; can this not do a similar thing? Trying to keep costs low.
