Description: This pattern covers the connection of authorised endpoints (client machines such as corporate-owned laptops) to an organisation's private computing resources via a public wireless hotspot, traversing the internet. It applies to scenarios where staff wish to access the corporate network from public locations such as hotels, home networks or cafes. The key aspects of this pattern are strong authentication of the user (ideally two-factor, certificate- or token-based) so that only authorised users can access the network; encryption of the traffic transmitted over the public network to prevent interception; and a personal firewall on the endpoint to prevent its compromise, and with it any onward access to private networked resources through the endpoint.
It is recommended that the authentication mechanism users employ to establish a VPN connection be linked with the organisation's global directory. This allows simpler access management across multiple access points, and lets the same identity be used to authenticate to the resources accessed once connected.
VPN access should be terminated in a DMZ rather than directly on the internal network, with consideration given to role-based access to specific network segments, so that a connected endpoint can reach only the segments its user's role requires.
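The following is an added example, not part of the original pattern text, showing how the two recommendations above fit together: directory group membership decides whether a user may bring up a tunnel at all, and the same groups drive a default-deny policy over which internal segments and ports the tunnel is allowed to reach. The directory contents, group names, segment addresses and port grants are all assumptions constructed for illustration.

```python
"""Role-based segment access for VPN sessions, keyed on directory group membership.
Added example; the directory, groups, segments and ports below are constructed."""
import ipaddress
from typing import Dict, FrozenSet, List, Tuple

# Constructed stand-in for the organisation's directory: user -> group memberships.
DIRECTORY: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"vpn-users", "finance"}),
    "bob":   frozenset({"vpn-users"}),
    "carol": frozenset({"finance"}),          # not a VPN user: must never get a tunnel
}

# Hypothetical policy: group -> list of (segment, allowed TCP ports); () means any port.
# The VPN concentrator itself lives in a separate DMZ and is not in this table.
POLICY: Dict[str, List[Tuple[str, Tuple[int, ...]]]] = {
    "vpn-users":      [("10.10.0.0/24", (53, 443))],      # DNS and intranet portal
    "finance":        [("10.20.0.0/24", (443, 1433))],    # finance web app and database
    "infrastructure": [("10.30.0.0/16", ())],             # admin network, all ports
}

VPN_GROUP = "vpn-users"   # membership required to establish a tunnel at all


class SegmentPolicy:
    def __init__(self, policy: Dict[str, List[Tuple[str, Tuple[int, ...]]]]):
        self._rules = [
            (group, ipaddress.ip_network(cidr), frozenset(ports))
            for group, segments in policy.items()
            for cidr, ports in segments
        ]

    def allowed_segments(self, groups: FrozenSet[str]) -> List[str]:
        """Segments reachable by a user in these groups (union of the groups' grants)."""
        return sorted({str(net) for group, net, _ in self._rules if group in groups})

    def is_allowed(self, groups: FrozenSet[str], dst_ip: str, dst_port: int) -> bool:
        """Default deny: permit only if some group the user holds grants that segment
        and that port (an empty port set grants every port on the segment)."""
        ip = ipaddress.ip_address(dst_ip)
        for group, net, ports in self._rules:
            if group in groups and ip in net and (not ports or dst_port in ports):
                return True
        return False


ENGINE = SegmentPolicy(POLICY)


def can_connect(user: str) -> bool:
    """Tunnel establishment check: unknown users and users outside the VPN group are refused."""
    return VPN_GROUP in DIRECTORY.get(user, frozenset())


def session_allows(user: str, dst_ip: str, dst_port: int) -> bool:
    """Per-packet decision for an established session; a user who could not connect
    never gets any segment, even if other groups would grant one."""
    if not can_connect(user):
        return False
    return ENGINE.is_allowed(DIRECTORY[user], dst_ip, dst_port)


if __name__ == "__main__":
    for user in DIRECTORY:
        print(user, can_connect(user), ENGINE.allowed_segments(DIRECTORY[user]))
```

The same group lookup that gates the tunnel is what the concentrator would push into its per-session filter, so adding a user to a group in the directory changes both what they can connect to and whether they can connect, with no separate VPN user list to keep in step.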
Assumptions: Wireless access points cannot be trusted; therefore client machines must have personal firewalls installed, ideally able to detect malicious traffic via anomaly detection or signatures. Personal firewalls should be configured to silently drop all inbound connections (drop rather than reject, so the endpoint sends nothing back that would reveal its presence on the hotspot). Confidentiality and integrity are provided by the VPN used to connect to private networked resources. Strong authentication ensures that only valid users can connect.
Ensure that network intrusion detection and prevention devices are deployed to cover traffic arriving from the VPN, since that traffic enters the private network from endpoints that have been exposed to untrusted access points.
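Network IDS/IPS sees the traffic once it is inside the tunnel; the VPN gateway's own authentication log is the other place the threats this pattern lists (impersonation, unauthorised access) show up first. The following is an added example, not part of the original pattern, of simple detection logic run over such a log: it flags a burst of failed logins for one user, a success immediately following such a burst, and the same user establishing sessions from two different source addresses within a short interval. The log format, thresholds and the sample lines are constructed for illustration; a real gateway's format will differ.

```python
"""Detection over VPN gateway authentication logs. Added example; the log format,
thresholds and sample lines are constructed, not taken from any real product."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed log format: "<ISO timestamp> vpn-gw auth user=<id> src=<ip> result=<success|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)

FAIL_THRESHOLD = 5                    # failures for one user ...
FAIL_WINDOW = timedelta(minutes=2)    # ... within this window = brute force
CONCURRENT_WINDOW = timedelta(minutes=10)   # two source IPs for one user within this = suspicious

# Constructed sample log (documentation address ranges only).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z vpn-gw auth user=alice src=203.0.113.10 result=success
2024-05-01T08:00:05Z vpn-gw auth user=bob src=198.51.100.7 result=fail
2024-05-01T08:00:09Z vpn-gw auth user=bob src=198.51.100.7 result=fail
2024-05-01T08:00:14Z vpn-gw auth user=bob src=198.51.100.7 result=fail
2024-05-01T08:00:20Z vpn-gw auth user=bob src=198.51.100.7 result=fail
2024-05-01T08:00:27Z vpn-gw auth user=bob src=198.51.100.7 result=fail
2024-05-01T08:00:40Z vpn-gw auth user=bob src=198.51.100.7 result=success
2024-05-01T08:03:12Z vpn-gw auth user=alice src=192.0.2.44 result=success
2024-05-01T08:30:00Z vpn-gw auth user=carol src=203.0.113.77 result=fail
2024-05-01T08:31:00Z vpn-gw auth user=carol src=203.0.113.77 result=success
""".splitlines()


def parse(line: str) -> Optional[dict]:
    """Parse one log line; lines that do not match the assumed format are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (alert_type, user, detail) tuples in the order the events trigger them."""
    alerts: List[Tuple[str, str, str]] = []
    fails: Dict[str, List[datetime]] = {}                    # user -> recent failure times
    sessions: Dict[str, List[Tuple[datetime, str]]] = {}     # user -> recent (time, src)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        user, ts, src = ev["user"], ev["ts"], ev["src"]
        recent_fails = [t for t in fails.get(user, []) if ts - t <= FAIL_WINDOW]
        if ev["result"] == "fail":
            recent_fails.append(ts)
            fails[user] = recent_fails
            if len(recent_fails) == FAIL_THRESHOLD:   # fire once, when the threshold is reached
                alerts.append(("auth_bruteforce", user, src))
        elif ev["result"] == "success":
            if len(recent_fails) >= FAIL_THRESHOLD:   # guessing worked: treat as likely compromise
                alerts.append(("success_after_bruteforce", user, src))
            fails.pop(user, None)
            prior = [(t, s) for t, s in sessions.get(user, []) if ts - t <= CONCURRENT_WINDOW]
            for _, other_src in prior:
                if other_src != src:
                    alerts.append(("concurrent_sources", user, f"{other_src},{src}"))
                    break
            prior.append((ts, src))
            sessions[user] = prior
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Carol's single failure followed by a success is the normal mistyped-PIN case and produces nothing; the point of the thresholds is to separate that from the pattern an attacker with a stolen PIN and no token, or a shared token, would leave.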
Typical challenges: Strong authentication should be as easy to use as possible; certificates stored on smartcards are a useful option. Other common approaches use tokens that generate a time-based code, which the user enters along with a user ID and a static PIN, so that a captured or guessed PIN is useless without the token and a lost token is useless without the PIN.
Clients need good configuration management to ensure that OS and application patches, and the signatures used by antivirus and personal firewalls, are kept up to date.
Indications: Apply this pattern when providing remote workers with access to your private corporate or organisational network via wireless hotspots. This pattern does not cover Bluetooth or infrared.
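The token approach described above, as an added example that is not part of the original pattern: the gateway verifies a passcode made of the static PIN followed by the token's time-based code. The code is computed with RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation), which is what common hardware and app tokens implement; the user record, PIN, salt, time-step tolerance and replay rule are assumptions for illustration, and the token seed is the RFC 6238 test secret so that the values can be checked against the RFC's published vectors.

```python
"""Two-factor VPN login: user ID + static PIN + RFC 6238 time-based token code.
Added example; the user record, PIN, salt and tolerance window are constructed."""
import hashlib
import hmac
import struct
import time

DIGITS = 6      # code length shown on the token
STEP = 30       # seconds per time step (RFC 6238 default)
WINDOW = 1      # accept one step either side of "now" to absorb token clock drift


def totp(secret: bytes, unix_time: int) -> str:
    """TOTP (RFC 6238) for the time step containing unix_time: HMAC-SHA1 over the
    big-endian step counter, dynamic truncation, then the low DIGITS decimal digits."""
    counter = int(unix_time) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """The static PIN is stored only as a salted PBKDF2 hash, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


# Constructed user record. The token seed is the RFC 6238 test secret; the PIN is "1234".
# In a real deployment the seed comes from token enrolment and the record from the directory.
USERS = {
    "alice": {
        "secret": b"12345678901234567890",
        "salt": b"constructed-salt-alice",
        "pin_hash": hash_pin("1234", b"constructed-salt-alice"),
    },
}


class TokenAuthenticator:
    def __init__(self, users: dict):
        self._users = users
        self._last_step: dict = {}   # user -> highest time step already accepted (replay guard)

    def verify(self, user_id: str, passcode: str, now=None) -> bool:
        """passcode is the static PIN immediately followed by the DIGITS-long token code."""
        now = int(time.time()) if now is None else int(now)
        rec = self._users.get(user_id)
        if rec is None or len(passcode) <= DIGITS:
            return False
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        if not hmac.compare_digest(hash_pin(pin, rec["salt"]), rec["pin_hash"]):
            return False   # wrong PIN: the token code is not even examined
        step = now // STEP
        for candidate in range(step - WINDOW, step + WINDOW + 1):
            if candidate <= self._last_step.get(user_id, -1):
                continue   # this step (or an earlier one) was already used: reject replay
            if hmac.compare_digest(totp(rec["secret"], candidate * STEP), code):
                self._last_step[user_id] = candidate
                return True
        return False


if __name__ == "__main__":
    auth = TokenAuthenticator(USERS)
    t = 59   # RFC 6238 vector: at T=59 the SHA-1 code is 94287082, i.e. "287082" at 6 digits
    print(auth.verify("alice", "1234" + totp(USERS["alice"]["secret"], t), now=t))
```

The replay rule means a code seen on the wire by someone on the same hotspot cannot be reused even inside the tolerance window, which matters because the PIN travels with it; the VPN's encryption is what should keep the passcode off the wire in the first place, but the gateway should not rely on that alone.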
Contra-indications: Highly secure environments where risks from external connectivity must be minimised.
Resistance against threats: Spoofing, eavesdropping, impersonation, unauthorised access to computing resources.