On Mon, Feb 3, 2020 at 12:50 PM Christopher Morrow <morrowc.lists@gmail.com> wrote:
Sorry, to be a little less flippant and a bit more productive: "I don't think every remote endpoint needs full access (or even some compromise based on how well you can/can't scale your VPN box's policies) access to the internal network. I think you don't even want to provide this access based on some loose ideas about 'ip address' and 'vpn identity'."
This isn't particularly difficult or costly to do right, though. pfSense on a VM with relatively minimal resources running your VPNs works very well and can easily be configured to authenticate against, for example, LDAP as well. It also has a convenient firewall configuration user interface that's very straight-forward, so you don't need some highly-paid network engineering guru to manage the thing, either, so you can associate a given identity with a given address and then apply firewall rules right at that VPN border in addition to the other access controls that you should have in place upstream. Certainly giving full access to everyone is overkill, unnecessary, and can be problematic for obvious reasons - but at the same time, we're talking about back doors here when many of the same folks worried about these back doors also have wide open front doors at the same time. Matt Harris|CIO 816-256-5446|Direct Looking for something? Helpdesk Portal|Email Support|Billing Portal We build and deliver innovative IT solutions.