Netgate Discussion Forum

    Protect network from compromised remote PC
    OpenVPN
    7 Posts 4 Posters 863 Views
    darkcorner

      I hope I am not mistaken about this section.
      Let's assume that a user able to connect via OpenVPN has a PC infected with malware.
      I may not be able to handle his PC. Sometimes they are the personal PCs of users on which the company has no power to impose configurations or limit their functionality.
      Once connected to the network it may also compromise the network.
      Is there any way to avoid it?


    Gertjan @darkcorner

        @darkcorner said in Protect network from compromised remote PC:

        Once connected to the network it may also compromise the network.
        Is there any way to avoid it?

        Opening up the entire company network is a choice. What about limiting the access to strictly needed local (company LAN) devices?
        Printers and such devices could be used without any further authorisation, but file and app servers should be password protected. And also placed in a DMZ.
        Eventually, you should not hand over the 'keys' to 'your' place if you don't trust the person/device.

        The thing is, if the user can also go 'outside', then, from an 'Internet' point of view, the bad device comes from your company's WAN connection. The company's responsibility can get engaged.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??


        darkcorner @Gertjan

          @gertjan
          This is the problem.
          For example, the employee John (fictional name) has to work in smart working from home, using his personal PC. I have to allow him to have access to the application server.
          I don't have control of his PC, but I was wondering if it's possible to filter VPN traffic to see if malware is getting in.
          I can't give John a laptop, I could instead give access to my virtual PC which I think is safe, but he should always be able to access it remotely (via RDP or VNC) and therefore the VPN must always be open.


          Gertjan @darkcorner

            @darkcorner said in Protect network from compromised remote PC:

            but I was wondering if it's possible to filter VPN traffic to see if malware is getting in.

            If all is well: you probably can't, as all traffic is TLS these days.
            Traffic over the tunnel is protected as it travels over the internet. It comes into the VPN server, goes through the OpenVPN firewall (you can put rules in there that determine what devices can be accessed, locally, or even on the Internet).

            If you want to look inside the traffic, you want to look inside the TLS data stream. It can be done but isn't easy to do. You have to have access to the employee's computer to install certs, and force the traffic that comes in from the VPN through a proxy like Squid (?) that "opens" the TLS traffic and checks it.

            What kind of apps or network services are we talking about here?
            An intranet web server or a mail server: they can handle dirty clients very well. Windows network sharing? Good question .... probably they do rather well. Other apps? File servers? Dunno.


            darkcorner @Gertjan

              @gertjan
              When you're dealing with very small businesses, you don't have much of a chance to control things.
              Ideally, the remote user has a laptop provided by the company and therefore protected and locked. Unfortunately I have to use a personal PC of the user and I do not know what is installed on it and how it is used.
              I do not ask myself the problem of a stranger who enters the tunnel from the outside, but of a hypothetical malware already present on the PC.
              When the PC connects to the corporate network through OpenVPN, I don't want the malware to get on the network.
              On pfSense there are ClamAV, Snort and pfBlocker installed.
              But they check what comes in from the WAN, not from the LAN or OpenVPN.
              In DMZ there is a Linux Web server, a Win Server with applications on SQLServer, an email server, a Samba file system.


              AndyRH

                You could in theory limit access to a single virtual desktop. That way "John's" dirty computer can only get to RDP on a single system. This would limit the exposure to a single point you can harden.

                o||||o
                7100-1u


                TO2020

                  Restricting access via OpenVPN to only TCP port 3389 (RDP) and possibly DNS (TCP/UDP 53) to your internal DNS servers should reduce your exposure a fair bit.

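The restriction AndyRH and TO2020 describe, written out as pf rules the way pfSense generates them for an OpenVPN server interface. This is an added example, not from the thread or from Netgate; the interface name ovpns1, the tunnel network 10.8.0.0/24, the virtual desktop 192.168.10.50 and the resolvers 192.168.10.10/.11 are assumed. In the pfSense GUI the same policy is entered under Firewall > Rules > OpenVPN, with aliases standing in for the tables.

```pf
# Constructed example: pf rules for the OpenVPN server interface on pfSense.
# Assumed names/addresses (not from the thread):
#   ovpns1        = OpenVPN server interface (pfSense names server instances ovpnsN)
#   10.8.0.0/24   = tunnel network handed to remote clients
#   192.168.10.50 = the single hardened virtual desktop the remote PC may reach
#   192.168.10.10, 192.168.10.11 = internal DNS resolvers

# --- Weak: the usual "allow anything from the VPN" rule ---
# One rule like this makes the remote PC a full LAN member; malware on it
# can reach the Samba share, SQL Server, mail server and everything else.
pass in quick on ovpns1 inet from 10.8.0.0/24 to any keep state

# --- Hardened: only what the job needs, first match wins ---
table <vdi_hosts> { 192.168.10.50 }
table <int_dns>   { 192.168.10.10, 192.168.10.11 }

# RDP to the virtual desktop only.
pass in quick on ovpns1 inet proto tcp from 10.8.0.0/24 to <vdi_hosts> port 3389 \
    flags S/SA keep state

# Name resolution against the internal resolvers only.
pass in quick on ovpns1 inet proto { tcp udp } from 10.8.0.0/24 to <int_dns> port 53 \
    keep state

# Everything else from the tunnel is dropped and logged, so the firewall log
# shows any attempt by the remote PC to reach other hosts (pfSense also adds
# its own default deny after the last rule).
block in log quick on ovpns1 inet from 10.8.0.0/24 to any
```

With this in place the virtual desktop is the only host the remote PC can touch, so its patch level and its own outbound rules become the remaining things to harden.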
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.