
We have bought a firewall (SonicWall NSA) and it comes with 2 SSLVPN licenses. With it, we can also download NetExtender, which I understand establishes some sort of VPN session between the local client and our firewall and makes the local PC part of our LAN. I searched around a bit on the security of this, as I am quite concerned that a user's laptop becomes part of our LAN. I suppose this establishes some sort of IPsec connection? If I understand correctly, the packets are keyed and encrypted and all. Questions:

  1. But I'm not sure what good that is if the user's laptop is now part of the entire network? Anything on it, such as a virus, is now free to pass to other parts of the LAN. Is this safe? If not, I suppose the correct use of this is to allow VPN only for "administrated" laptops and PCs where proper configurations (firewall, virus checking etc.) are in place?

  2. Is SSLVPN (in this particular case I only have SonicWall's SSLVPN client) a better choice in this case? At least for SonicWall, their SSLVPN only allows RDP and SSH terminal, i.e. restrictive application use, and the local PC does not become part of the network. Or is it really not as secure as it seems?

thanks in advance

EDIT: to respond to the comment, the purpose of SSLVPN for most of our users is to be able to use Remote Desktop.

surfcode

1 Answer

I think you're putting the cart before the horse here. You've not outlined any requirements for the applications the remote users need to use. Without that, it's difficult to give a specific answer.

The important part, whichever technology you choose, is that you put appropriate access controls in place. A computer on the VPN would typically not have any reason to talk to anything but a select set of servers, and likely not the workstations on the remote office, and most likely not other VPN clients.

This goal can be achieved in different ways depending on the access technology in use. For the first option you're describing, this kind of access control would be done at the network layer using firewall rules. For the second option, you'd restrict it by configuring the applications the user is allowed to access.

Typically, a solution like the SSLVPN solution above may offer more granularity and controls, at the expense of application compatibility.

Per von Zweigbergk
  • thanks for the response. I've added an EDIT to the original question. You are right, for now most of our users need this for remote desktop. I suppose VPN can also achieve this goal by adding more restrictive firewall rules, e.g. to allow RDP only. Thank you for the suggestions. I was looking at the problem too grandly. – surfcode Oct 12 '15 at 07:07
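The network-layer access control the answer describes (VPN clients may reach a select set of servers on one service, not the office workstations, and not each other, with everything else denied) can be modelled as a small first-match rule set. The block below is an added example written for this page, not code from the original post or from SonicWall; the address plan (VPN client pool 10.99.0.0/24, RDP terminal servers 10.0.10.0/24, office workstations 10.0.20.0/24) and the sample flows are constructed assumptions, and the evaluator is a stand-in for whatever firewall actually enforces the rules. It shows why the order of the rules and the final default deny matter: an RDP session to a terminal server passes, while SMB from an infected laptop to the same server, anything to a workstation, and VPN-client-to-VPN-client traffic all fail.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan (assumption for this example, not from the post).
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")       # addresses handed to VPN clients
RDP_SERVERS = ipaddress.ip_network("10.0.10.0/24")    # terminal / jump servers
WORKSTATIONS = ipaddress.ip_network("10.0.20.0/24")   # office desktops
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

    def matches(self, src, dst, proto, dport) -> bool:
        return (
            src in self.src
            and dst in self.dst
            and self.proto in ("any", proto)
            and (self.dport is None or self.dport == dport)
        )


# Evaluated top to bottom, first match wins. The isolation rule sits above the
# allow so that one VPN client can never reach another even if a later allow
# is widened; the explicit default deny at the end is what closes the
# "laptop is now on the LAN" gap the question worries about.
POLICY: List[Rule] = [
    Rule("vpn-client isolation", VPN_POOL, VPN_POOL, "any", None, "deny"),
    Rule("rdp to terminal servers", VPN_POOL, RDP_SERVERS, "tcp", 3389, "allow"),
    Rule("vpn default deny", VPN_POOL, ANY, "any", None, "deny"),
]


def evaluate(policy: List[Rule], src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, matching rule name) for one flow; deny if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if rule.matches(s, d, proto, dport):
            return rule.action, rule.name
    return "deny", "implicit default"


def has_default_deny(policy: List[Rule], src_net: ipaddress.IPv4Network) -> bool:
    """Lint: the last rule covering src_net must be a catch-all deny."""
    last = [r for r in policy if src_net.subnet_of(r.src)]
    return bool(last) and last[-1].action == "deny" and last[-1].dst == ANY \
        and last[-1].proto == "any" and last[-1].dport is None


# Constructed sample flows: (src, dst, proto, dport, what it represents).
SAMPLE_FLOWS = [
    ("10.99.0.5", "10.0.10.7", "tcp", 3389, "RDP to terminal server"),
    ("10.99.0.5", "10.0.10.7", "tcp", 445,  "SMB to terminal server (worm-style)"),
    ("10.99.0.5", "10.0.20.3", "tcp", 3389, "RDP straight to a workstation"),
    ("10.99.0.5", "10.99.0.6", "tcp", 445,  "VPN client to VPN client"),
]


def check_flows(policy: List[Rule] = POLICY):
    """Evaluate every sample flow; returns a list of (description, action, rule)."""
    return [(desc, *evaluate(policy, s, d, p, port)) for s, d, p, port, desc in SAMPLE_FLOWS]


if __name__ == "__main__":
    print("default deny present:", has_default_deny(POLICY, VPN_POOL))
    for desc, action, rule in check_flows():
        print(f"{action:5s}  {desc:40s} ({rule})")
```

If the remote users' needs grow beyond RDP, the change is one more allow rule above the default deny, not a wider subnet; if `has_default_deny` ever returns False after an edit, the VPN pool has silently become a full LAN member again.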