Re: SSL VPN Client -? clientless VPN or not?

From: Christian Zeng (christian@zengl.net)
Date: Thu Sep 20 2007 - 17:14:51 ART


Hi,

* pankaj ahuja wrote:
> We're looking at providing our users a solution which should preferably be
> clientless and should allow users to be able to VPN in from the worst
> possible places like a Cyber cafe and still prevent the network from getting
> infected with Viruses and worms etc.

I never would allow a device that is not under your control relatively
broad access to a company network - especially not from internet cafe
PCs. For example, our corporate IT has provided two ways of remote
access over SSL VPN: the first is web only to corporate internet and
OWA, the second one is real SSL VPN. You only get SSL VPN if your end
station follows company rules == is identified as a company end station
by looking at various implementation details. We use Juniper for that,
you can try to do that in a Cisco environment, too (NAC).

> CSD - don't know much about that yet.

I had a quick look at it during one of the CCSP exams, I really can't say
much about it. On the other hand - why not use a terminal server-like
solution then - Citrix offers web-based access to a terminal server, for
example. Also, the concentrator can function as a Citrix Secure Gateway
through webvpn.

I know that this can cost a lot of money, perhaps it's better to look
first if you can divide the services offered into less secure (= less
access rights, applicable to be used from foreign systems) and more
secure (= only accessible from systems that you control and that comply
with company security rules).

Christian


