#1 Senior Member (NJ; CCNP R&S, CCNA(Security/Data Center), PCNSE 7, MCITP: Exchange 2010)

Split or Full Tunnel for Remote Access VPN

I was curious what TE members are doing for remote access VPN, split or full tunnel. Also, I'm wondering how many are also using MFA for VPN.

    I'm currently using GlobalProtect (Palo Alto), with a full tunnel and MFA using user certs. I have a requirement that we must use "Always On", so the VPN connects automatically on external networks. It detects when it is internal.

    The main reason for the question is, a few have requested that we switch to OTP instead of certs, but this gets a little tricky. If the user fails to enter the proper OTP, the VPN connection will fail and their internet traffic will go through their internet connection, instead of sending it to our firewall.

#2 Senior Member (Chicago, IL; Too many MCPs and MCTS, MCSA: Security, MCSE: Security, MCSA: 2003, 2008, 2012, MCITP: EA, CISSP-ISSAP, SCS DLP, GREM)
    Full is more secure, but at the price of convenience. Sometimes users need to print some user crap to local printers, etc. Full tunnel kills that.

    Yeah, MFA is typical these days. The last company I worked for used machine certs as the second factor.

Always on is always good, as it solves so many problems: you don't have to publish your SCCM or anti-virus or whatever else servers to the Internet and care about their mutual authentication and encryption in motion, etc. Plus, group policies, which is huge, easy password changes, easier incident response, etc. The downside is that it's pricey, as you have to maintain a licensing scheme that takes into account that 100% of your remote users may be connected at the same time.

I would advise against OTP (RSA SecurID? SMS OTP?) in this scenario, primarily based on it being inconvenient. From a regulations and compliance viewpoint, AFAIK, there's no such requirement, as PCI DSS and HITRUST or whatever else you have to comply with are usually satisfied with a "factor" no matter what it is.

If the sponsor of this project is pushy, I'd suggest protecting with OTP only the services this sponsor is concerned with. Let's say it is an internal web-site or something -- then require OTP only for the web-site in question. This way you will have all the benefits of "always on" like group policies and all the endpoint software communication AND will have this sponsor satisfied.
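The approach suggested in the post above (keep the certificate-based "always on" tunnel, put the OTP on the one internal web-site the sponsor cares about) can be sketched in code. The following is an added example, not code from the thread or from any Palo Alto product: a minimal RFC 6238 TOTP verifier that a web application or reverse proxy would call on login. The `OtpGate` class, the user name `alice` and the shared secret (the RFC 6238 test seed) are constructed for illustration. A mistyped code here only fails the web-site login; the VPN is untouched, which is exactly the fail-open problem in the opening post that this placement avoids.

```python
"""Added example (not from the thread): RFC 6238 TOTP check for a single
internal web app, so the OTP requirement lives on that app while the VPN
keeps its certificate-based MFA and stays 'always on'."""
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time-step counter."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


class OtpGate:
    """Per-user OTP check for the one service that needs it (hypothetical name).

    - accepts codes from the current step and +/- `window` steps (clock skew)
    - compares in constant time
    - remembers the highest counter accepted per user, so a code that was
      already used cannot be replayed inside the skew window
    """

    def __init__(self, secrets: Dict[str, bytes], step: int = 30,
                 window: int = 1, digits: int = 6):
        self._secrets = secrets            # user -> raw shared secret
        self._step, self._window, self._digits = step, window, digits
        self._last_counter: Dict[str, int] = {}

    def check(self, user: str, code: str, now: Optional[float] = None) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False                   # unknown user: same answer as a bad code
        now = time.time() if now is None else now
        current = int(now // self._step)
        for counter in range(current - self._window, current + self._window + 1):
            if counter <= self._last_counter.get(user, -1):
                continue                   # already used, or older than one we accepted
            if hmac.compare_digest(hotp(secret, counter, self._digits), code):
                self._last_counter[user] = counter
                return True
        return False


# Constructed sample: the RFC 6238 test seed. In practice every user gets a
# random secret provisioned to their authenticator app.
SAMPLE_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    gate = OtpGate({"alice": SAMPLE_SECRET})
    now = time.time()
    code = totp(SAMPLE_SECRET, now)
    print("fresh code accepted:", gate.check("alice", code, now))
    print("same code replayed :", gate.check("alice", code, now))
```

The replay bookkeeping is the part most home-grown OTP checks miss: with a one-step skew window a code is valid for up to 90 seconds, so without the `_last_counter` record a code captured from a phishing page or a shoulder-surf can be reused within that window.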

#3 Senior Member (NJ; CCNP R&S, CCNA(Security/Data Center), PCNSE 7, MCITP: Exchange 2010)
I agree. It's more secure, for sure. You're absolutely right about the local printers. It was one of the biggest complaints.

    What's inconvenient about OTP for VPN connections? I've only implemented it for SSL VPNs in the past.
