Saturday, May 23, 2020

COVID-19 Curveball: Secure Network Setup

I have a puzzle I need a little advice on.

Because of COVID-19, I find myself needing to support a unique setup for several of our employees. We work on secure material at times and we need a way to sandbox these employees. For a basic idea, please see this network diagram.

The puzzle: we need to set up a computer (or multiple computers) and multiple wifi devices on a network we don't control (the employee's own network). We need to make sure we don't touch any configuration on the employee's side. Because we need to secure and manage the wifi, we need to deploy our own wifi router to the employee. The employee has their own network--branching off from there, we need to set up a secure network so the computer(s) and wifi devices we deploy to them cannot reach out to the Internet except for a few notable exceptions. Not such a big deal at this point. We can MAC whitelist devices connected to our wifi router/firewall and we can block outbound traffic on our router/firewall.

Enter the difficulty: we need to talk to the computer(s) we deploy on the secured network. We need to send files to/from the computer(s) we deploy. We may also need to remotely drive the computer (Windows 10 Pro). Ideally, we could set up a VPN server on our router/firewall that we could connect to and manage the devices in our secured network. With double-NATing and the upstream employee router/firewall in the way, connecting to our internal devices is easier said than done.

One thing we could do is set up remote control software (Team Viewer, LogMeIn, RemotePC, etc.) on one or all of the computers we deploy. This should allow us to gain control of the machines. And we could block all ports on our firewall except for what's needed for the remote control. Seems doable, but we'd prefer to have the connection always on, and we also need to be able to exchange files to/from the computer(s).

I'm wondering if there are any other solutions I'm not thinking of or unaware of. Any clever new VPN-type applications that would allow us to connect into our internal network?
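One way around the double-NAT problem described above is to reverse the direction of the VPN: instead of running a VPN server on the deployed router that the office must reach through the employee's router, the deployed router dials out to a VPN concentrator at the office. Because the tunnel is initiated outbound, no port forwarding or configuration change is needed on the employee's side, and the office end can then reach the deployed computers through the tunnel, always on, including file transfer and RDP. The WireGuard configuration below is an added illustration, not part of the original post or any specific product; the key values, the hostname vpn.example.com, the tunnel subnet 10.200.0.0/24, the office network 10.10.0.0/16 and the deployed LAN 192.168.50.0/24 are all assumed placeholders.

```ini
# ---- /etc/wireguard/wg0.conf on the DEPLOYED router (employee site) ----
# Assumed values: replace keys and addresses with your own.
[Interface]
PrivateKey = <ROUTER_PRIVATE_KEY>          # placeholder, generate with `wg genkey`
Address = 10.200.0.2/24                    # this router's address inside the tunnel
# No ListenPort: this end only initiates outbound, so nothing needs to be
# opened or forwarded on the employee's own router.

[Peer]
PublicKey = <CONCENTRATOR_PUBLIC_KEY>      # placeholder
Endpoint = vpn.example.com:51820           # assumed office concentrator
# Only the tunnel subnet and the office network are routed into the tunnel;
# 0.0.0.0/0 is deliberately NOT listed, so the deployed LAN gets no general
# Internet path through the VPN and the router firewall keeps blocking outbound.
AllowedIPs = 10.200.0.0/24, 10.10.0.0/16
# Keepalive packets every 25 s keep the NAT mapping on the employee's router
# alive, so the office end can reach the deployed LAN at any time.
PersistentKeepalive = 25

# ---- /etc/wireguard/wg0.conf on the OFFICE concentrator ----
[Interface]
PrivateKey = <CONCENTRATOR_PRIVATE_KEY>    # placeholder
Address = 10.200.0.1/24
ListenPort = 51820                         # the single inbound UDP port, at the office

[Peer]
PublicKey = <ROUTER_PUBLIC_KEY>            # placeholder, one [Peer] block per deployed router
# Traffic for the tunnel address of the router and for the deployed LAN
# behind it is sent down this tunnel; wg-quick installs the matching routes.
AllowedIPs = 10.200.0.2/32, 192.168.50.0/24
```

With this in place the deployed router's egress firewall only has to permit UDP to vpn.example.com:51820 (plus whatever DNS is needed to resolve it) and can drop everything else from the sandboxed LAN; the MAC whitelist on the wifi side is unchanged. Office staff then reach the deployed Windows machines by their 192.168.50.x addresses over the tunnel for RDP and SMB file transfer, and since the router, not the PC, terminates the VPN, the tunnel stays up regardless of whether anyone is logged in.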
