28th January 2013, 04:41 PM #1
VPN Solution Advice
Hi all,
I've just gone through the process of installing and configuring OpenVPN for our Network and all is working perfectly. However after a discussion with the Network Manager we decided we really need some kind of protection from poorly maintained systems connecting to the network and possibly bringing all sorts of malware with them.
I've looked into ways of doing this with OpenVPN but all I can see is advice re Post_Auth scripts that could possibly pull AV status from software before allowing the connection. The issue with this is that I don't know what AV the clients will be running, and in all likelihood it will be many different varieties, as staff will be using their own devices.
I've looked at using Windows own VPN solutions with Routing and Remote Access though as PPTP is known to be insecure, without implementing PEAP-MS-CHAP-V2 which in turn requires certificates being installed on clients, it's a route I'd rather avoid.
Ideally I'd like a solution that could offer the following;
- Simple connectivity similar to OpenVPN (they navigate to our URL and logon)
- Ability to interrogate client for status of AV and deny connection if non-compliant
- Some sort of EXE staff can take home and run in order to make the necessary connections and system changes for the connection and interrogation above
Are there any other out there that people may be aware of? Preferably free and software based.
All thoughts are welcome.
28th January 2013, 07:18 PM #2
We only allow VPN on school owned laptops for exactly the reasons above.
28th January 2013, 09:30 PM #3
You need to be able to do inline anti virus scanning on your VPN -> LAN traffic.
This can all be done via one UTM box. Being completely biased I'd recommend Fortinet's Fortigate product, although I'm sure Checkpoint, Palo Alto and other devices also fit the bill.
Originally Posted by Killer_Bot
29th January 2013, 09:58 AM #4
Just out of interest, how do you restrict this?
Originally Posted by AliG
29th January 2013, 10:03 AM #5
How about using Server 2012 and DirectAccess? You can specify a NAP policy that has to be enforced there.
29th January 2013, 10:21 AM #6
I would have thought using client certificates would accomplish this.
Originally Posted by pantscat
As for the original issue, this problem extends beyond just VPN and applies to any end client you let on your network that you don't have full control over (think student wifi access and BYOD schemes, for example). The tool you are looking for is Network Access Protection and Control. The basic premise is that you have a server on your network whose job it is to interrogate any device coming onto your network and ensure it sticks to a policy you set. If it does then the server gives it access, otherwise it gets isolated until such time as the end user conforms to policy.
To implement this you have several choices: you have easy access to Network Access Policy Server as it comes with Server W2k8. Other than that, I've used Packetfence in the past, which is a free open source solution. With either of these solutions you can carry on using OpenVPN for VPN access.
Thanks to Geoff from:
Killer_Bot (30th January 2013)
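To make the premise Geoff describes concrete, here is an added illustration (not code from this thread, nor from OpenVPN, NPS or PacketFence) of the decision logic a posture server runs: an agent on the connecting device reports its state, a policy is applied, and the result is ALLOW or ISOLATE together with the reasons, which is what you would log and show the user. The `key=value` report format, the `Posture`/`Policy` names and the 7-day/30-day thresholds are all assumptions made for this example; anything the agent fails to report is treated as non-compliant so that a broken or tampered agent fails closed rather than open.

```python
"""Posture-check policy evaluator (added example, not from the thread).

Models the NAC flow: client agent reports state -> policy decides ALLOW/ISOLATE.
The report format, field names and thresholds below are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Posture:
    hostname: str
    av_installed: bool
    av_realtime_on: bool
    av_sig_date: Optional[date]    # None when not reported or no AV present
    os_patch_date: Optional[date]  # None when the agent did not report it


@dataclass
class Policy:
    max_sig_age_days: int = 7      # hypothetical threshold
    max_patch_age_days: int = 30   # hypothetical threshold


def _parse_date(value: Optional[str]) -> Optional[date]:
    """ISO date or None; a garbled value counts as 'not reported'."""
    try:
        return date.fromisoformat(value) if value else None
    except ValueError:
        return None


def parse_report(text: str) -> Posture:
    """Parse the constructed 'key=value' per-line agent report."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields[key.strip().lower()] = value.strip()
    # Missing keys default to the non-compliant value (fail closed).
    return Posture(
        hostname=fields.get("hostname", "unknown"),
        av_installed=fields.get("av_installed") == "yes",
        av_realtime_on=fields.get("av_realtime") == "yes",
        av_sig_date=_parse_date(fields.get("av_sig_date")),
        os_patch_date=_parse_date(fields.get("os_patch_date")),
    )


def evaluate(posture: Posture, policy: Policy, today: date) -> Tuple[str, List[str]]:
    """Return ('ALLOW', []) or ('ISOLATE', [reasons...])."""
    failures: List[str] = []
    if not posture.av_installed:
        failures.append("no antivirus installed")
    else:
        if not posture.av_realtime_on:
            failures.append("real-time protection disabled")
        if posture.av_sig_date is None:
            failures.append("AV signature date not reported")
        else:
            age = (today - posture.av_sig_date).days
            if age > policy.max_sig_age_days:
                failures.append(f"AV signatures {age} days old (limit {policy.max_sig_age_days})")
    if posture.os_patch_date is None:
        failures.append("OS patch date not reported")
    else:
        age = (today - posture.os_patch_date).days
        if age > policy.max_patch_age_days:
            failures.append(f"OS patches {age} days old (limit {policy.max_patch_age_days})")
    return ("ALLOW" if not failures else "ISOLATE", failures)


def decide(report_text: str, today: date, policy: Policy = Policy()) -> Tuple[str, List[str]]:
    """Convenience wrapper: raw agent report in, verdict and reasons out."""
    return evaluate(parse_report(report_text), policy, today)


# Constructed sample reports, as the hypothetical agent would send them.
REPORT_OK = "hostname=laptop-01\nav_installed=yes\nav_realtime=yes\nav_sig_date=2013-01-28\nos_patch_date=2013-01-15\n"
REPORT_STALE = "hostname=laptop-02\nav_installed=yes\nav_realtime=yes\nav_sig_date=2013-01-10\nos_patch_date=2013-01-15\n"
REPORT_NO_AV = "hostname=laptop-03\nav_installed=no\nos_patch_date=2013-01-15\n"
REPORT_BROKEN = "hostname=laptop-04\n"  # agent crashed or was tampered with

if __name__ == "__main__":
    today = date(2013, 1, 30)
    for report in (REPORT_OK, REPORT_STALE, REPORT_NO_AV, REPORT_BROKEN):
        verdict, reasons = decide(report, today)
        print(parse_report(report).hostname, verdict, reasons)
```

The verdict is the only part that is VPN-specific in practice: NPS/NAP, PacketFence or a VPN server's post-authentication hook would consume it to place the client on the LAN or in a remediation network, and the reasons list is what the user sees so they can fix the device and retry. Note that a self-reported posture only ever tells you what the agent claims, so it raises the bar for careless devices rather than replacing the inline scanning Killer_Bot mentions.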
30th January 2013, 11:39 AM #7
Thanks for all your responses.
Originally Posted by Geoff
I've looked into the solutions suggested and some of it looks like it could work but I can't find how to just integrate the solution with the OpenVPN AS server and only the OpenVPN AS server.
Another solution I've read about is some kind of NAC client on the endpoint devices that staff could just install that would only allow the connection if it met certain conditions.
Any further advice would be welcome.
30th January 2013, 11:42 AM #8
We have Forefront TMG as our Firewall, can this not do a similar thing? Trying to keep costs low.
Originally Posted by SchoolsBroadband