VPN - 3rd option? 1

[GVN]

Concerning VPN access, one either has VPN access or they don't, - but is there another option whereby you can give them VPN access but only allow them access to open server or application? Management here is very untrusting of their employees, even the upper management levels..., and the president is afraid that people will steal data if it's accessible from the comfort of their own home. Any ideas to solve this quandary?

GVN

 

[kmcferrin]

People who are likely to steal data from the comfort of their own home are just as likely to steal data from their desk at work, via their iPod or thumbdrive or whatever they have handy.

Depending on what you are using to provide VPN capability, you should have several options for restricting access. Restricting VPN access to just one or two key servers is usually pretty easy to do. I haven't seen a VPN device yet that couldn't do it. If your firewall is doubling as your VPN endpoint (most of them have that capability nowdays) then it's just a matter of setting up a firewall rule for the VPN traffic.

You could conceivably just allow them VPN access in to a Terminal Server that had all of the applications that they needed, and then be done with it. There are also products like Ctirix nFuse (which is now part of their Secure Access suite) that can provide similar capabilities over the web without needing a VPN endpoint. There are literally dozens of ways to do this.

 

[GVN]

I agree with your comments about stealing 100%, and have argued that before, but in vain...

Will setting up all the "approved" servers in one VLAN solve this issue? How would you tag a VPN connection into that VLAN?

We don't use Terminal Server here (so far...), is it expensive?

 

[GVN]

kmcferrin-
Won't setting up a firewall rule for the VPN traffic affect ALL VPN users? I just want it to affect one specific one...

GVN

 

[kmcferrin]

Yes, the rule would effect all users. If you're worried about just one specific user, that's a completely different situation.

Depending on the capabilities of your device, you might be able to force that user to use a separate tunnel for their VPN connection and then restrict traffic from that tunnel to a single server. It wouldn't have to be a separate VLAN, you could just specify the allowed destination as xxx.xxx.xxx.xxx/255.255.255.255 and it will only allow traffic to one host.

My suggestion is to post in whatever forum would be appropriate to the firewall/VPN device that you are using. You can get more specific help there.

Regarding Terminal Server, I don't know what the licensing costs are like. I've only ever used it on Windows 2000 Server, and in that case the TS CALs were included with Windows 2000 Pro and Windows XP. The server itself is included with the OS.

 

[GVN]

This is a clearer question than the first one:

Concerning VPN access, one either has VPN access or they don't, - but is there another option whereby you can give someone VPN access but only grant them data accessibility to one server or application? Management here is very untrusting of their employees, even the upper management levels..., and the president is afraid that people will steal data if it's accessible from the comfort of their own home. Any ideas to solve this quandary? Will setting up all the "approved" servers in one VLAN solve this issue? How would you tag a VPN connection into that VLAN? THANKS!

 

[GVN]

kmcferrin-
Just read your reply after already re-posting... I will take your advice and repost in another forum, THANKS!!!

GVN