VPN Security

_Chris_
Level 1

Hello

I have a general question on VPN and best practices when it comes to how to deploy it. I have had other jobs where VPN was already set up and deployed to users and devices within our domain/AD. At this new place, we are still working it out, but the difference here is the supervisor wants to roll out the VPN client to users that will be connecting from their personal devices (PCs). My concern is letting these devices that are not in our domain into our network. As I've said, everywhere else I worked, WE MAINTAINED those devices, made sure they were patched, had up-to-date antivirus and things like that.

We are using GlobalProtect and I know it can check for those things before allowing a connection. I've mentioned that things like mapped drives and GPO will not work since they are not assets owned by our org and not within our domain, but he said he would not support the idea of buying laptops for remote users ¯\_(ツ)_/¯

What do you all think? Do you work in an environment where they let personal computers VPN into a domain? With today's VPN technology, is this practice considered safe? Is it safer to allow only devices already existing in the domain?

5 Replies

Hi,
I'd normally classify users' connectivity from personal devices (BYOD) differently from a corporate asset. In doing so you could apply different ACLs restricting access. You could run posture checking to enforce a minimum standard (AV, AM, firewall etc.). You could run Cisco Umbrella and ensure all DNS requests are legitimate and checked for malware, phishing etc.

There are plenty of things you can do to limit the potential damage, but there is in some instances a cost involved.

HTH

It depends on each company's policy. Don't worry too much; having good security is good, but if the company does not want to invest, that's their problem. You did the right thing by telling them what the best way to do it is.

Let me give you an example. Alpha company gives their employees laptops with AD join and all patching, updates etc. They think they are secure on the network side. However, on the AnyConnect side, for user authentication they use LDAP to authenticate the user, which means a user can connect to the company network from outside with any laptop as long as his AD credentials are alive and working; s/he can connect. So there you go, security is compromised now :(

To make the network secure you can do posture (ISE) at AnyConnect with user and machine certs. But as said earlier, it's user education; everyone/every company is different. You made your point; if they don't consider it, it's not your problem.

please do not forget to rate.

"However, on the AnyConnect side, for user authentication they use LDAP to authenticate the user, which means a user can connect to the company network from outside with any laptop as long as his AD credentials are alive and working; s/he can connect."

This is literally what will be occurring and also why I am expressing concern :(

We are using certificates along with LDAP login. I guess the best way to try and band-aid this is to do the security posture checks prior to connection.

For this you need an ISE deployment, which is another project, so as long as you convince your employer you're good to go. LDAP with cert is good; at least you have more control that way.

please do not forget to rate.
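The two points made in the replies above (put BYOD sessions in their own, tightly filtered policy, and require a device certificate on top of the LDAP/AD password so that "any laptop with valid AD credentials" is no longer enough) look like this on a Cisco ASA serving AnyConnect. This is an added example, not configuration posted by anyone in the thread; every name, address and pool below (LDAP-AD, INTERNAL-CA, BYOD-GP, BYOD-VPN, 10.0.0.0/8 hosts) is an assumption chosen for illustration, and the placeholder password must be replaced. The weak setting is shown commented out next to the corrected one.

```text
! Added example (not from the thread). Names, addresses and the pool are assumptions.

! AD/LDAP server used for the password check. On its own this is the weak setup
! described in the reply above: any laptop with valid AD credentials can connect.
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 10.0.0.10
 server-type microsoft
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-vpn,OU=Service Accounts,DC=example,DC=com
 ldap-login-password REPLACE-ME-placeholder

! Internal CA that issues one client certificate per device. The CA certificate
! itself is pasted in afterwards with "crypto ca authenticate INTERNAL-CA".
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 revocation-check crl

! Address pool and a restrictive filter for BYOD sessions: internal DNS plus the
! one published HTTPS application, and nothing else on the internal network.
! vpn-filter ACLs are written with the VPN client as the source.
ip local pool BYOD-POOL 10.200.0.10-10.200.0.250 mask 255.255.255.0
access-list BYOD-FILTER extended permit udp any host 10.0.0.53 eq domain
access-list BYOD-FILTER extended permit tcp any host 10.0.10.25 eq https
access-list BYOD-FILTER extended deny ip any any

! Group policy that BYOD sessions land in: full tunnel, filtered, short idle timeout.
group-policy BYOD-GP internal
group-policy BYOD-GP attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value BYOD-FILTER
 split-tunnel-policy tunnelall
 vpn-idle-timeout 30

! Connection profile for personal devices.
tunnel-group BYOD-VPN type remote-access
tunnel-group BYOD-VPN general-attributes
 address-pool BYOD-POOL
 authentication-server-group LDAP-AD
 default-group-policy BYOD-GP
tunnel-group BYOD-VPN webvpn-attributes
 group-alias BYOD enable
! Weak: password only. Any machine running the AnyConnect client can attempt it,
! and a phished or reused AD password is sufficient to get on the network.
!  authentication aaa
! Corrected: the client must present a certificate chaining to INTERNAL-CA AND
! supply valid AD credentials. An unmanaged laptop without an issued certificate
! is rejected before the password is ever checked.
 authentication aaa certificate
```

Two things to check once this is in place: the certificate requirement only helps if the corporate connection profile also requires it, otherwise a BYOD user simply picks the other alias; a certificate map (certificate-group-map under webvpn, keyed on a subject attribute such as OU) pins each device certificate to the intended profile. ISE posture as suggested in the reply is a separate piece (a RADIUS server definition pointing at ISE and a dynamic access policy) and is not shown here. GlobalProtect, which the original poster is using, has the equivalent building blocks (client certificate authentication and HIP checks tied to security policy), so the same split between a managed and an unmanaged profile applies there.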

harmesh88
Level 1

Dear,

As I read your post, you want to authenticate users with no compromise of AD.

1. Option will be AD authentication (which you don't want to use).
2. RADIUS authentication (you can use custom RADIUS software or a Cisco authentication solution)
-- Cisco Identity Services Engine (ISE)
3. You can use two-factor authentication (Duo); for this you have to buy the Duo solution.

These are the options to authenticate AnyConnect VPN; you can choose whichever is convenient for you to use.

I hope you got your answer.