VPN Solution Advice

Hi all,

I've just gone through the process of installing and configuring OpenVPN for our Network and all is working perfectly. However after a discussion with the Network Manager we decided we really need some kind of protection from poorly maintained systems connecting to the network and possibly bringing all sorts of malware with them.

I've looked into ways of doing this with OpenVPN but all I can see is advice RE Post_Auth scripts that could possibly pull AV status from software before allowing the connection. Though the issue with this being I don't know what AV the clients will be running and in all likelihood it will be many different varieties as Staff will be using their own devices.

I've looked at using Windows own VPN solutions with Routing and Remote Access though as PPTP is known to be insecure, without implementing PEAP-MS-CHAP-V2 which in turn requires certificates being installed on clients, it's a route I'd rather avoid.

Ideally I'd like a solution that could offer the following;

- Simple connectivity similiar to OpenVPN (they navigate to our URL and logon)
- Ability to interrogate client for status of AV and deny connection if non-compliant
- Some sort of EXE staff can take home and run in order to make the necessary connections and system changes for the connection and interrogation above

Are there any other out there that people may be aware of? Preferably free and software based.

All thoughts are welcome.

Thanks,

K

We only allow VPN on school owned laptops for exactly the reasons above.

You need to be able to do inline anti virus scanning on your VPN -> LAN traffic.

This can be all done via one UTM box. Being completely biased I'd recommend Fortinet's Fortigate product although I'm sure Checkpoint, Paulo Alto and other devices also fit the bill.

Dave

Quote:

---

Originally Posted by Killer_Bot

Hi all,

I've just gone through the process of installing and configuring OpenVPN for our Network and all is working perfectly. However after a discussion with the Network Manager we decided we really need some kind of protection from poorly maintained systems connecting to the network and possibly bringing all sorts of malware with them.

I've looked into ways of doing this with OpenVPN but all I can see is advice RE Post_Auth scripts that could possibly pull AV status from software before allowing the connection. Though the issue with this being I don't know what AV the clients will be running and in all likelihood it will be many different varieties as Staff will be using their own devices.

I've looked at using Windows own VPN solutions with Routing and Remote Access though as PPTP is known to be insecure, without implementing PEAP-MS-CHAP-V2 which in turn requires certificates being installed on clients, it's a route I'd rather avoid.

Ideally I'd like a solution that could offer the following;

- Simple connectivity similiar to OpenVPN (they navigate to our URL and logon)
- Ability to interrogate client for status of AV and deny connection if non-compliant
- Some sort of EXE staff can take home and run in order to make the necessary connections and system changes for the connection and interrogation above

Are there any other out there that people may be aware of? Preferably free and software based.

All thoughts are welcome.

Thanks,

K

---

Quote:

---

Originally Posted by AliG

We only allow VPN on school owned laptops for exactly the reasons above.

---

Just out of interest, how do you restrict this?

How about using Server 2012 and DirectAccess? You can specify a NAP policy that has to be enforced there.

Quote:

---

Originally Posted by pantscat

Just out of interest, how do you restrict this?

---

I would of thought using client certificates would accomplish this.

As for the original issue, this problem extends beyond just VPN and applies to any end client you let on your network that you don't have full control over (think student wifi access and BYOD schemes for example). The tool you are looking for is Network Access Protection and Control. The basic premise is that you have a server on your network that's job it is to interrogate any device coming on your network and ensure it sticks to a policy you set. If it does then the server gives it access, otherwise it gets isolated until such time as the end user conforms to policy.

To implement this you have a several choices, you have easy access to Network Access Policy Server as it comes with Server W2k8. Other than that I've used Packetfence in the past which is a free opensource solution. With either of these solutions you can carry on using OpenVPN for VPN access

Quote:

---

Originally Posted by Geoff

I would of thought using client certificates would accomplish this.

As for the original issue, this problem extends beyond just VPN and applies to any end client you let on your network that you don't have full control over (think student wifi access and BYOD schemes for example). The tool you are looking for is Network Access Protection and Control. The basic premise is that you have a server on your network that's job it is to interrogate any device coming on your network and ensure it sticks to a policy you set. If it does then the server gives it access, otherwise it gets isolated until such time as the end user conforms to policy.

To implement this you have a several choices, you have easy access to Network Access Policy Server as it comes with Server W2k8. Other than that I've used Packetfence in the past which is a free opensource solution. With either of these solutions you can carry on using OpenVPN for VPN access

---

Thanks for all your responses.

I've looked into the solutions suggested and some of it looks like it could work but I can't find how to just integrate the solution with the OpenVPN AS server and only the OpenVPN AS server.

Another solution I've read about is some kind of NAC client on the endpoint devices that staff could just install that would only allow the connection if it met certain conditions.

Any further advice would be welcome.

Quote:

---

Originally Posted by SchoolsBroadband

You need to be able to do inline anti virus scanning on your VPN -> LAN traffic.

This can be all done via one UTM box. Being completely biased I'd recommend Fortinet's Fortigate product although I'm sure Checkpoint, Paulo Alto and other devices also fit the bill.

Dave

---

We have Forefront TMG as our Firewall, can this not do a similar thing? Trying to keep costs low.