The goal: Allow contractors VPN access to our company network while minimizing risk and maximizing ease and convenience.
Question: We are using Cisco ASA 5540s with SSL VPN clients for employees and contractors. We check to see if the machine is an asset and then allow it to connect to the VPN after the user is authenticated. If they're a contractor, we're imposing an Access Control List (ACL) on them and enabling split tunneling.
We'd like to limit this even further, since right now we have to support our VPN client on THEIR computer, which is a bit sticky, and also we don't trust their computer, with antivirus etc.
What we're thinking about is to allow them to WebVPN, which is basically an encrypted reverse proxy, and then allow them to remote control a "PC farm" in a DMZ running on VMware or Windows Terminal Server. Then, they'd be using one of OUR assets, for which we can maintain appropriate patches, antivirus, etc. Then, we can build firewall rules allowing their RDP session in through the firewall.
Is this how you do it? Or would do it? Or do you have a better idea?
What we're thinking about is to allow them to WebVPN, which is basically an encrypted reverse proxy, and then allow them to remote control a "PC farm" in a DMZ running on VMware or Windows Terminal Server....
This is an excellent solution for your concerns, at least for me. You have pretty much laid down a very good RA access control for contractor users. You could also throw in per-user VPN filters and have a single SSL tunnel for contractors, to even segregate your contractors per username if they happen to be in different companies.