Using VPN for remote work

Latest reply: Dec 19, 2021 21:28:37

Hello! My name is Vladimir and I am a paranoiac.

During this COVID-19 epidemic we had to greatly expand the number of remote workers in our organization. We use a Huawei USG firewall and its SSL VPN feature to make it possible. In this topic I would like to describe the problems that we faced and how we fought them.

Let’s talk about the security risks of massive VPN use. Many users with many computers connect to the enterprise network. They use their own equipment to do that, and we can’t control the security policies or even the antivirus software on their PCs. The VPN gives them the ability to connect their PCs to the enterprise LAN. When a user connects the VPN client to the VPN server, the user’s PC is “placed in the enterprise LAN”. If we have not limited the possibilities of these connections, then every virus (or little hacker) gets the ability to disrupt our ICT. Now I will describe the network diagram of this connection to give a clearer look at this.

[Network diagram: SSL VPN]

The remote user connects his own device to the Internet. Then he starts the VPN client (SecoClient). The VPN client establishes a connection to the VPN server (the USG firewall) and creates an “SSL VPN tunnel”. When that is done, the VPN client gets an IP address from the VPN server and creates a LAN adapter on the user’s host with IP parameters from the VPN server. After that the user can send packets to the VPN server, and the VPN server knows that the user has an IP address from the VPN clients’ IP address pool. It is important to understand that the user cannot send packets to the enterprise network any other way than through the VPN server.

To be able to send and receive network packets we need to configure some routing. The user should know which network segments are routed via the VPN server, and the LAN routers should know that the VPN clients’ IP addresses are routed via the VPN server. Both routes must exist for the VPN to work.

Now we will talk about the Huawei SSL VPN capabilities and their implementation.

Service: Definition

Web proxy: Used by remote users to access intranet web resources.

File sharing: Used by remote users to access an intranet file server running the Server Message Block (SMB)-capable Windows OS and those running the Network File System (NFS)-capable Linux OS. Users can use web browsers to perform some operations on an intranet file system as easily as they do on a local file system. The operations include creating and browsing a directory and downloading, uploading, renaming, and deleting a file.

Port forwarding: Used by remote users to access intranet TCP resources. Port forwarding applies to TCP application services, such as Telnet, remote desktop, FTP, and email. Port forwarding allows for port-level secure access to intranet resources.

Network extension: Used by remote users to access intranet IP resources. Web resources, file resources, and TCP resources are IP resources. The network extension service is enabled when the types of resources that users want to access do not need to be distinguished.

I will not explain all the variants of the services – only the ones that we use. And we use the first one and the last one.

Using web proxy

When a user needs to configure his computer at home, he needs some instructions and software. Most of our remote users started to work remotely after the office closed. In this case we need to give them instructions and software to install the VPN client. To do that we upload the VPN software and the files with instructions to a local web server. After that we publish these files with the web proxy feature of the SSL VPN. Now the user can use a browser to connect to our “firewall SSL VPN portal” and download the software from it. But he will be able to do that only after authentication and authorization. At this phase you don’t need the VPN client: you download it from the “firewall SSL VPN portal”.

When a user uses the web proxy he doesn’t get full access to the enterprise network. He just gets the ability to access some web servers. If you want to use it to check your sites, some features don’t work (we had problems with external links and maybe cookies or sessions). But it is a good way to publish the instructions and software.

Using network extension

This is the main way for our remote workers. They get access to some internal web-based software and the virtual desktop infrastructure (VDI). We limit the list of accessible resources to get maximum protection of the ICT. After limiting the accessible IP addresses we limit the services with security policies. With these two limitations we can permit only port 80 for the web server and deny it for the FTP server. Using web systems in this configuration is better than with the web proxy because you don’t get URL rewriting, and the browser can work directly with the web server and use all its features.

Some people need more than web-based systems. They need access to files on the NAS or other software. If we allow remote file access then we allow remote access to the NAS from the user’s home PC and all its viruses. I don’t want to do that. So to let people work we use VDI. Why is VDI more secure? Because we don’t send files from the user’s PC; we only send mouse and keyboard actions and receive the picture of the screen (yes, we deny local file sharing with VDI). When a user connects to the VDI he gets his own virtual computer inside the enterprise LAN. He can work with all enterprise resources. To permit VDI usage we need to permit a limited number of protocols to pass through the VPN. To find the list of ports and protocols that must be permitted you can search for “FusionAccess firewall” or something similar.

VDI has not only pluses. It has some minuses. First of all, you need VDI: servers, storage, software, administrators. Second, users don’t like to work in VDI. It freezes on videos, needs additional software, and doesn’t look like their “own PC”. In the case of VPN we get some additional problems with Internet bandwidth. VDI consumes it. More VDI connections over VPN means more Internet bandwidth used. To protect against this problem we set some preferences for the remote VDI clients to reduce Internet bandwidth: we reduce the frames per second and some picture quality parameters. We can also limit the maximum bandwidth of the VDI client (and we did that). More bandwidth is used when the picture on the screen changes, and in “normal conditions” it isn’t very big.


Huawei documentation: https://support.huawei.com/hedex/hdx.do?docid=EDOC1100013380&lang=en&idPath=24030814|9856724|21430823|21100508|8661805
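As an added example (not from the post or from Huawei's documentation), this is how the two rules of thumb above, "both routes must exist" and "permit only port 80 to the web server, deny it for the FTP server", could look in USG6000 V500 CLI. The VPN client pool, server addresses, zone names and the firewall's inside address are assumed values; lines starting with "#" are annotations, not commands.

```text
# Assumed: VPN client pool 10.200.0.0/24, web server 192.168.10.10,
# NAS/FTP server 192.168.10.20, VPN side in zone "untrust", LAN in zone "trust".
security-policy
 # Only HTTP from the VPN pool to the published web server
 rule name sslvpn_to_web
  source-zone untrust
  destination-zone trust
  source-address 10.200.0.0 mask 255.255.255.0
  destination-address 192.168.10.10 mask 255.255.255.255
  service http
  action permit
 # Explicitly deny FTP from the VPN pool to the NAS
 rule name sslvpn_deny_ftp
  source-zone untrust
  destination-zone trust
  source-address 10.200.0.0 mask 255.255.255.0
  destination-address 192.168.10.20 mask 255.255.255.255
  service ftp
  action deny
 # Everything else from the VPN pool is dropped; rules match top-down,
 # so this must stay last
 rule name sslvpn_default_deny
  source-zone untrust
  destination-zone trust
  source-address 10.200.0.0 mask 255.255.255.0
  action deny
#
# On the LAN core router: return traffic for the VPN pool must point at the
# firewall's inside interface (assumed 192.168.1.1), otherwise packets reach
# the LAN but replies never come back through the tunnel.
ip route-static 10.200.0.0 255.255.255.0 192.168.1.1
```

The client side of the same routing requirement (which LAN segments go into the tunnel) is set in the network extension's routing mode on the virtual gateway, so only the segments that are actually permitted above need to be pushed to SecoClient.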

Thanks for sharing.
Why do you say you are a paranoiac?

Quoting Popeye_Wang (2020-05-28 09:52): "Thanks for sharing. Why do you say you are a paranoiac?"
I deny many things :)

Irina, Jun 10, 2020 13:58:03
Haha, I liked that.
Coming from a person with mild paranoia, I could relate to what you said.

Peterhof (reply to Irina), Jun 11, 2020 10:05:50
Some problems of the SecoClient that we found:
1. Do not use a computer older than Windows 7.
2. If you use MacOS, reboot the computer after installation.
3. There is a small possibility that the SecoClient application will not work on your Windows computer: it will not connect to the firewall. In this case you can try to use Internet Explorer with the ActiveX component for this purpose. Just log in to the firewall SSL VPN portal and allow it to connect. We have two or three users with this problem.

Thanks for taking your time to share it!

well done

Thanks for your valuable post.

Thanks for your valuable post.