
Inbound internet access to desktops

IL17
Level 1

As a general rule of thumb I recommend enterprise endpoints use private IP addressing and a hide NAT. I have encountered an organization which uses publicly routable IP addresses for their desktops. In addition, they allow (upon request) inbound connectivity from vendors/other organizations/support teams/etc. I generally would say if inbound access is needed, it must be done through a VPN and the enterprise endpoint must be segmented from the rest of the network. Or set a policy where if a device requires inbound access from the internet, that device must be moved to the corporate DMZ. I am having difficulty locating a best-practice security document which explains the risk of exposing endpoints directly to the internet and mitigation strategies. Am I off in recommending stopping the practice of allowing direct connectivity from the internet? Any documentation would be greatly appreciated.

1 Reply

Dennis Mink
VIP Alumni

Funny you say that about using public IP addresses in an internal segment. It stems from back in the day when IP was fairly new: they would just buy a whole batch of public IP addresses, unaware of RFC1918. Either way, it doesn't have to be a problem; just treat them as private IPs with address hiding through NAT overload and, like you said, DMZ deployments.


Another way of granting 3rd-party access to your network is through a secure portal. F5's APM is very good at that, and can do 2FA authentication as well. S2S VPNs only when constant connectivity is required.

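Both posts above describe the same mitigation in words: hide the publicly addressed desktop LAN behind a NAT overload (PAT) address and push anything that must accept inbound connections into the DMZ. The configuration below is an added example written for this thread, not something either poster supplied; it uses Cisco IOS syntax and documentation address ranges chosen for illustration (203.0.113.0/24 as the legacy public block on the desktop LAN, 198.51.100.2 as the router's outside address, 198.51.100.10 as a DMZ host). The point a practitioner should take from it is in the comments: the `overload` statement hides outbound traffic, but it is the inbound ACL on the outside interface that actually stops the internet from reaching a desktop that still has a routable address.

```cisco
! Added example (not from the thread): Cisco IOS hide NAT for a legacy
! public block used on the desktop LAN, plus the inbound filter that
! actually stops the internet reaching those desktops.
! Addresses are documentation ranges chosen for this example:
!   203.0.113.0/24  - publicly routable block assigned to the desktops
!   198.51.100.2    - router's outside (internet-facing) address
!   198.51.100.10   - DMZ host that legitimately accepts inbound traffic
!
interface GigabitEthernet0/0
 description Desktop LAN (legacy public addressing, treated as internal)
 ip address 203.0.113.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/2
 description DMZ
 ip address 198.51.100.9 255.255.255.248
!
interface GigabitEthernet0/1
 description Outside / internet
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! Inside sources to hide behind the outside interface address.
ip access-list standard DESKTOP-NAT
 permit 203.0.113.0 0.0.0.255
!
! PAT ("NAT overload"): every desktop appears on the internet as 198.51.100.2.
ip nat inside source list DESKTOP-NAT interface GigabitEthernet0/1 overload
!
! The overload statement alone does not block unsolicited inbound packets.
! If the ISP still routes 203.0.113.0/24 to this router, a packet addressed
! to 203.0.113.50 has no translation entry and is simply forwarded to the
! desktop LAN. For outside-to-inside traffic IOS evaluates the inbound ACL
! before NAT, so the ACL below sees untranslated destinations and is what
! enforces "treat them as private".
ip access-list extended OUTSIDE-IN
 remark Return traffic for the PAT address (a stateful firewall/ZBF replaces these two lines)
 permit tcp any host 198.51.100.2 established
 permit udp any host 198.51.100.2 gt 1023
 remark Inbound to the DMZ host is allowed explicitly, one service at a time
 permit tcp any host 198.51.100.10 eq 443
 remark Nothing from the internet may reach the desktop block directly
 deny   ip any 203.0.113.0 0.0.0.255 log
 deny   ip any any log
```

To confirm the hide NAT is in effect, `show ip nat translations` should list desktop sessions with 198.51.100.2 as the inside global address; to confirm the filter is doing the real work, the hit counters on the `deny ip any 203.0.113.0 0.0.0.255 log` line in `show access-lists OUTSIDE-IN` should climb as soon as anything on the internet probes the desktop block. A vendor that needs to reach a desktop then gets the VPN or portal path described above rather than a permit line added here.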