Best way to allow contractors to VPN in?

Dec 11th, 2008

The goal: Allow contractors VPN access to our company network utilizing VPN while minimizing risk and maximizing ease and convenience.


Question: We are using Cisco ASA 5540's with SSL VPN clients for employees and contractors. We check to see if the machine is an asset and then allow it to connect to the VPN after the user is authenticated. If they're a contractor, we're imposing an Access Control List (ACL) on them and enabling split tunneling.


We'd like to limit this even further, since right now we have to support our VPN client on THEIR computer, which is a bit sticky, and also we don't trust their computer - with antivirus etc.


What we're thinking about is to allow them to WebVPN, which is basically an encrypted reverse proxy, and then allow them to remote control a "PC farm" in a DMZ running on VMware or Windows Terminal Server. Then, they'd be using one of OUR assets - for which we can maintain appropriate patches, antivirus, etc. Then, we can build firewall rules allowing their RDP session in through the firewall.


Is this how you do it? Or would do it? Or do you have a better idea?



JORGE RODRIGUEZ Thu, 12/11/2008 - 10:16

> What we're thinking about is to allow them to WebVPN, which is basically an encrypted reverse proxy, and then allow them to remote control a "PC farm" in a DMZ running on VMware or Windows Terminal Server....


Brannen,


This is an excellent solution for your concerns, at least for me. You have pretty much laid down a very good RA access control for contractor users. You could also throw in per-user VPN filters and have a single SSL tunnel for contractors, to even segregate your contractors per username if they happen to be in different companies.


Remote access VPN filters

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml



Also there are other solutions for your main concern you previously posted, like for example RA users' personal systems and viruses on non-company machines. I will post the link just for reference in the future etc.


Network Admission Control framework, but that requires other platforms and architecture.

http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html
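The following ASA configuration is an added example written for this thread; it is not from the original post or the reply, and it is not taken from the linked Cisco document. It puts the two ideas above together: the contractor group-policy carries a vpn-filter that confines SSL VPN contractors to RDP (TCP/3389) against the DMZ "PC farm", split tunneling sends only the farm subnet through the tunnel, and a per-username vpn-filter narrows one contractor company down to a single farm host. All addresses (the 10.200.0.0/24 client pool, the 10.50.10.0/24 farm), the ACL and group-policy names, and the sample username are assumed, illustrative values.

```cisco
! Added example, not the original poster's or Cisco's configuration.
! Assumed values: contractor pool 10.200.0.0/24, DMZ PC farm 10.50.10.0/24,
! the ACL/group-policy names below, and the sample username.
!
! Address pool handed to contractor SSL VPN sessions
ip local pool CONTRACTOR_POOL 10.200.0.10-10.200.0.254 mask 255.255.255.0
!
! vpn-filter ACL: source is the client's assigned address, destination is the
! internal resource. Only RDP to the farm is permitted; the explicit final deny
! is logged so blocked attempts show up in the logs and in ACL hit counts.
access-list CONTRACTOR_VPN_FILTER extended permit tcp 10.200.0.0 255.255.255.0 10.50.10.0 255.255.255.0 eq 3389
access-list CONTRACTOR_VPN_FILTER extended deny ip any any log
!
! Split-tunnel list: only the farm subnet is routed through the tunnel, so the
! contractor's own machine keeps no path into the rest of the company network.
access-list CONTRACTOR_SPLIT standard permit 10.50.10.0 255.255.255.0
!
group-policy CONTRACTORS internal
group-policy CONTRACTORS attributes
 vpn-filter value CONTRACTOR_VPN_FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CONTRACTOR_SPLIT
 address-pools value CONTRACTOR_POOL
!
! Per-user override (the reply's suggestion): a contractor from one company is
! limited to a single farm host. A vpn-filter set under the username takes
! precedence over the one inherited from the group-policy.
access-list ACME_VPN_FILTER extended permit tcp 10.200.0.0 255.255.255.0 host 10.50.10.21 eq 3389
access-list ACME_VPN_FILTER extended deny ip any any log
username acme.contractor attributes
 vpn-group-policy CONTRACTORS
 vpn-filter value ACME_VPN_FILTER
```

Because the vpn-filter is enforced by the ASA on the tunnel itself, it still applies if the contractor's machine is compromised or the client is misconfigured; the firewall rule from the DMZ farm into the internal network then only needs to trust the farm hosts, which are company assets. After a contractor connects, `show access-list CONTRACTOR_VPN_FILTER` shows hit counts on the permit and the logged deny line, which is a quick way to confirm the filter is attached and to spot traffic the contractor's machine is trying to send somewhere other than the farm.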
