I would like to know about the Remote access VPN procedures that others follow in their organizations for the 3rd party vendors and business partners.
In our organization, we typically share a VPN access form with vendors that they fill out with their full name, email, phone number, company contact, and duration of access. However, we often face a challenge when vendors leave the IP and Port information blank, as they may not know this information.
I would like to hear from others about what procedures they follow to ensure smooth remote access VPN for their vendors. Additionally, I am interested in understanding the internal process after receiving the form. Any tips and advice that you can share would be appreciated.
At a company I worked for we had a whole non-disclosure agreement with each vendor, but that was something the legal department handled exclusively.
Of course we had a VPN access form with all the information you listed. We would also set the Phase 1 and 2 encryption types and all that information. Then we always scheduled a turn-up call between network engineers, and the PSK, if used, was shared over the call. Then all the configuration and testing was done on the call. In many cases the vendor outsources the VPN configuration, so you might be dealing with a very seasoned network engineer. In other cases, it might be a help desk guy or a programmer clunking their way through the configuration.
We also liked having a separate, dedicated VPN/firewall for these connections. That way we could fine-tune the firewall rules in one place. Any maintenance we needed to do on our network wouldn't affect the tunnels. And if we had to upgrade the VPN box, it was one email to all vendors. And in the worst-case scenario, if for some reason we needed to lock out all vendors from the network, we could simply disconnect that device or power it off.
My company is using OpenVPN Access Server for remote VPN access. Our partners need to provide the following information for access: name, contact, time, and the system they want to access. Then I send them the VPN account/password/OTP token to access it. When they log in the first time, I can see their MAC and public IP from the VPN log (using an OpenVPN Access Server custom post-auth script). I will configure access limits based on this information.
No firewall needed. In the custom Python script, I query the user limit config from a SQLite DB, then compare it with the current properties that the VPN client reports (MAC, IP, …).
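The check described in the post above, as an added illustration (this is not the poster's script): a per-vendor limits table in SQLite (pinned hardware address, approved public source network, and the end of the approved access window) is compared against the properties the VPN client reports at login. The table layout, the sample rows, and the key names `client_hw_addr` / `client_ip_addr` are assumptions for this example; wiring the function into the server's post-auth hook is left out, and the exact keys the hook passes should be verified against your Access Server version.

```python
import ipaddress
import sqlite3
from datetime import datetime, timezone

# Assumed schema for this example: one row per vendor account.
SCHEMA = """
CREATE TABLE vendor_limits (
    username     TEXT PRIMARY KEY,
    allowed_mac  TEXT,            -- NULL means the account is not pinned to a device
    allowed_cidr TEXT,            -- public source network the vendor connects from
    expires_at   TEXT NOT NULL    -- ISO 8601 UTC, end of the approved access window
);
"""

# Constructed sample rows (documentation-range addresses, not real vendors).
SAMPLE_LIMITS = [
    ("vendor-acme", "aa:bb:cc:dd:ee:01", "203.0.113.0/24", "2030-01-01T00:00:00+00:00"),
    ("vendor-expired", None, "198.51.100.0/24", "2020-01-01T00:00:00+00:00"),
]


def build_db():
    """Create an in-memory SQLite DB holding the sample vendor limits."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO vendor_limits VALUES (?, ?, ?, ?)", SAMPLE_LIMITS)
    conn.commit()
    return conn


def check_client(conn, username, reported, now=None):
    """Compare the client-reported properties with the stored limits.

    `reported` is a dict with the keys the post-auth hook provides (assumed here
    to be 'client_hw_addr' and 'client_ip_addr'). Returns (allowed, reason).
    """
    now = now or datetime.now(timezone.utc)
    row = conn.execute(
        "SELECT allowed_mac, allowed_cidr, expires_at FROM vendor_limits WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return False, "no access record for user"
    allowed_mac, allowed_cidr, expires_at = row

    # The access form's "duration of access" becomes a hard expiry, not a reminder.
    if now >= datetime.fromisoformat(expires_at):
        return False, "access window expired"

    # Pin the account to the device seen at first login, if one was recorded.
    if allowed_mac is not None:
        mac = (reported.get("client_hw_addr") or "").lower()
        if mac != allowed_mac.lower():
            return False, "hardware address mismatch"

    # Restrict to the public network the vendor stated on the form.
    if allowed_cidr is not None:
        try:
            ip = ipaddress.ip_address(reported.get("client_ip_addr", ""))
        except ValueError:
            return False, "no usable client IP reported"
        if ip not in ipaddress.ip_network(allowed_cidr):
            return False, "source IP outside approved range"

    return True, "ok"


if __name__ == "__main__":
    db = build_db()
    for user, props in [
        ("vendor-acme", {"client_hw_addr": "AA:BB:CC:DD:EE:01", "client_ip_addr": "203.0.113.7"}),
        ("vendor-acme", {"client_hw_addr": "aa:bb:cc:dd:ee:02", "client_ip_addr": "203.0.113.7"}),
        ("vendor-expired", {"client_ip_addr": "198.51.100.9"}),
    ]:
        print(user, check_client(db, user, props))
```

A denied result would be turned into a failed authentication by the hook; the reason string is worth writing to the VPN log so a mismatch at a vendor's next login (new laptop, new office IP) is visible to whoever reviews the access form.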
Sure thing. I work on an open source project called OpenZiti (https://docs.openziti.io/) which implements zero trust networking and SDN principles. It operates as an overlay network which mandates strong identity and authenticate-before-connect (among other things). As a result, it builds outbound connections (once authenticated and authorised) at source and destination into the fabric, so that end users only need outbound internet; no need for static IP, port forward, inbound ports, issues with CGNAT etc. Further, you can define what specific services users would get access to specific IP/DNS/port if you wish - i.e., least privilege & micro segmented.