
Secure Remote Access Technical Solution Guide v1.0
• Access control violations
• Endpoint compliance-check violations
When providing web-based access, the VPN Gateway will proxy all information requests through
a single, common internal IP address. In this case, configure the gateway to embed user
information such as the username in HTTP headers to allow per-user tracking through internal
IDS and web application servers.
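As an added example (not part of this guide or any vendor's product), the following Python attributes an internal web server's requests to VPN users from a gateway-injected header, since every proxied request arrives from the gateway's single IP address. The header name X-VPN-User, the gateway address 10.10.0.5 and the log lines are constructed for illustration; the header is trusted only for requests whose source really is the gateway.

```python
import re
from collections import defaultdict
# Assumed (not from the guide): the gateway's proxy address and the header it injects.
GATEWAY_IP = "10.10.0.5"
USER_HEADER = "X-VPN-User"

# Constructed sample access-log lines; the last quoted field records the user header.
SAMPLE_LOG = """\
10.10.0.5 - - [10/Jan/2024:08:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "X-VPN-User: alice"
10.10.0.5 - - [10/Jan/2024:08:01:05 +0000] "GET /admin/users HTTP/1.1" 403 0 "X-VPN-User: bob"
10.10.0.5 - - [10/Jan/2024:08:01:09 +0000] "POST /admin/users HTTP/1.1" 403 0 "X-VPN-User: bob"
192.168.3.7 - - [10/Jan/2024:08:02:00 +0000] "GET /portal/ HTTP/1.1" 200 512 "X-VPN-User: alice"
10.10.0.5 - - [10/Jan/2024:08:02:11 +0000] "GET /portal/ HTTP/1.1" 200 512 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<hdr>[^"]*)"$'
)

def parse_line(line):
    """Parse one log line into a dict; 'user' is None when no user header was logged."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    hdr = rec.pop("hdr")
    rec["user"] = hdr[len(USER_HEADER) + 2:] if hdr.startswith(USER_HEADER + ": ") else None
    return rec

def attribute_requests(log_text):
    """Group requests by VPN user. The header is trusted only for requests that really
    came from the gateway: a client reaching the server directly could set it itself."""
    by_user, anomalies = defaultdict(list), []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["ip"] != GATEWAY_IP:
            if rec["user"]:  # header on a non-gateway request: spoofed or misrouted, flag it
                anomalies.append(("untrusted_user_header", rec))
        elif rec["user"] is None:  # proxied request with no identity attached
            anomalies.append(("missing_user_header", rec))
        else:
            by_user[rec["user"]].append(rec)
    return dict(by_user), anomalies

def denied_per_user(by_user):
    """Per-user count of 4xx responses: the access control violations the guide says to log."""
    return {u: sum(1 for r in recs if 400 <= r["status"] < 500) for u, recs in by_user.items()}
```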
Ensure that the topology you use for remote access deployment allows security inspection of
non-encrypted traffic. This requires placing internal firewalls and intrusion detection and
prevention (IDP) systems on the trusted side of the VPN Gateway so that remote user traffic can
be inspected and blocked accordingly.
2.6 Protect information and network access
There are a number of techniques you can employ to ensure that information and network access
are protected, even in the case of forgetful or careless end users. Examples include:
• Enable idle timeouts to close a remote access session after a period of inactivity. This
  limits unauthorized access if a user walks away from an active session.
• Enable session timeouts to limit the total session time allowed.
• Use a cache wiper to remove any residual data left behind during a session.
• Disable split tunneling. Split tunneling allows non-remote access traffic, such as web
  access to Internet sites, to bypass the VPN connection. If a connected PC is
  compromised and a hacker connects through a backdoor, the hacker will have access to
  internal resources during an active session. To limit the possibility of this type of attack,
  disable split tunneling. Note that this will not prevent reverse-connecting Trojan horses
  and backdoors unless the protocol ports used are blocked by your access control lists
  and DMZ security policies. Use endpoint security checking, including malware detection,
  to disallow connections from hosts infected with those threats.
2.7 Ensure remote access availability
Provide a resilient and highly available solution by using an active/active deployment with
redundant VPN Gateways. Depending on the size of your network and criticality of remote
access, you may wish to employ both local redundancy through clustering and geographical
redundancy with a multisite VPN Gateway deployment.
2.8 Don’t forget people, process, and policy
These best practices are related to deployment options for a Virtual Private Network. Such a
solution needs to reflect company policies and procedures, including:
• Information security policy
• Audit logging and data retention policy
• Appropriate legislative compliance policies
In addition to the technology to support Secure Remote Access, it is critical to establish operating
procedures and security policy elements specific to remote users and clients.
Educating and training end users also plays a key role in protecting information and securing
access to the network.