Experience "Aladdin R.D." in the implementation of secure remote access and the fight against COVID-19

In our company, as in many other IT and not so IT companies, the possibility of remote access has existed for a long time, and many employees used it out of necessity. With the spread of COVID-19 in the world, our IT department, by decision of the company's management, began to transfer employees who returned from foreign trips to remote work. Yes, we started practicing home self-isolation from the very beginning of March, even before it became mainstream. By mid-March, the solution had already been scaled to the entire company, and at the end of March, we all almost seamlessly switched to a new mode of mass remote work for everyone.

Technically, to provide remote access to the network we use Microsoft VPN (RRAS), one of the Windows Server roles. Once connected, various internal resources become available, from SharePoint sites, file shares and bug trackers to the CRM system; for many employees this is enough to work. For those who still have workstations in the office, RDP access is configured through an RD Gateway (RDG).

Why did we choose this solution, and why might you? If you already have a domain and other Microsoft infrastructure, the answer is obvious: it will most likely be easier, faster and cheaper for your IT department to implement, since you only need to add a few features. It is also easier for employees to configure built-in Windows components than to download and configure additional access clients.


We use two-factor authentication both when accessing the VPN gateway itself and afterwards, when connecting to workstations and important web resources. Indeed, it would be strange if we, as a manufacturer of two-factor authentication solutions, did not use our own products. This is our corporate standard: each employee has a token with a personal certificate, which is used to authenticate to the domain on the office workstation and to the company's internal resources.

According to statistics, more than 80% of information security incidents involve weak or stolen passwords. Introducing two-factor authentication therefore greatly raises the overall security level of the company and its resources, reduces the risk of password theft or guessing almost to zero, and also ensures that the communication really is with a valid user. Once a PKI infrastructure is in place, password authentication can be disabled altogether.
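One way to check that the "disable passwords altogether" step has actually been applied in such a domain, as an added example that is not code from the article: the script below lists enabled Active Directory accounts that still permit password logon (the "Smart card is required for interactive logon" flag is not set) and, optionally, enforces the flag. It assumes the ActiveDirectory RSAT module and uses the placeholder OU `OU=Staff,DC=example,DC=local`.

```powershell
# Added example, not part of the original article.
# Audit which enabled AD user accounts can still log on with a password
# (SmartcardLogonRequired not set) and optionally enforce smart-card logon.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=example,DC=local'   # placeholder OU; adjust to your domain
$Enforce    = $false                           # set to $true to apply the flag

# Enabled accounts in scope that do not require a smart card for interactive logon.
$passwordOnly = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties SmartcardLogonRequired, LastLogonDate |
    Where-Object { -not $_.SmartcardLogonRequired }

# Report: these are the accounts still exposed to password theft or guessing.
$passwordOnly |
    Select-Object SamAccountName, LastLogonDate, SmartcardLogonRequired |
    Sort-Object SamAccountName |
    Format-Table -AutoSize

Write-Host ("{0} enabled account(s) still allow password logon." -f @($passwordOnly).Count)

if ($Enforce) {
    foreach ($u in $passwordOnly) {
        # With this flag set, Windows rejects password logon for the account and the
        # DC replaces the stored password hash with a random value, so any previously
        # leaked password becomes useless; the user must present the token and PIN.
        Set-ADUser -Identity $u -SmartcardLogonRequired $true
        Write-Host "Smart card logon now required for $($u.SamAccountName)"
    }
}
```

Exclude service and break-glass accounts from the OU you audit before setting `$Enforce`, since those cannot present a smart card.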

From the user's point of view, such a scheme is even simpler than entering a login and password. A complex password no longer needs to be remembered, there is no need to stick notes under the keyboard (violating every conceivable and inconceivable security policy), and the password does not even need to be changed every 90 days (this is no longer considered best practice, but it is still required in many places). The user only needs to come up with a reasonably simple PIN code and not lose the token. The token itself can take the form of a smart card that fits conveniently in a wallet, and RFID tags can be embedded in both tokens and smart cards for access to office premises.
The PIN code is used for authentication, to unlock access to the key material and to perform cryptographic operations and checks. Losing the token is not a disaster, because the PIN cannot be guessed: after several wrong attempts the token locks. At the same time, the smart card chip protects the key material from extraction, cloning and other attacks.


What else?

If Microsoft's remote access solution is for some reason not suitable, you can still deploy a PKI infrastructure and configure two-factor authentication with our smart cards in various VDI infrastructures (Citrix Virtual Apps and Desktops, Citrix ADC, VMware Horizon, VMware Unified Access Gateway, Huawei Fusion), in hardware security appliances (Palo Alto, Check Point, Cisco) and in other products.

Some of these examples were covered in our previous articles.

In the next article, we will talk about setting up OpenVPN with certificate authentication from MSCA.

Without a single certificate

If deploying a PKI infrastructure and buying a hardware device for every employee looks too complicated, or, for example, it is technically impossible to connect a smart card, there is a solution based on one-time passwords using our JAS authentication server. The authenticators can be software (Google Authenticator, Yandex Key) or hardware tokens implementing the relevant RFCs (for example, JaCarta WebPass). Almost all the same target systems are supported as for smart cards and tokens. We also described some configuration examples in our previous posts.

Authentication methods can be combined: for example, allow OTP only for mobile users, and authenticate classic laptops and desktops only with a certificate on a token.

Due to the specifics of my work, many non-technical friends have recently contacted me personally for help in setting up remote access. So we managed to peek a little at who is getting out of the situation and how. There were pleasant surprises when not very large companies used well-known brands, including ones with two-factor authentication solutions. There were also cases surprising in the opposite direction, when really large and well-known (non-IT) companies recommended simply installing TeamViewer on their office computers.

In this situation, the specialists of "Aladdin R.D." recommend taking a responsible approach to solving the problem of remote access to your corporate infrastructure. To that end, at the very beginning of the general self-isolation regime, we launched the campaign "Organization of safe remote work of employees".

Source: habr.com
