I'm looking for advice on the best access model for a vulnerability management specialist who works from home full-time. They need to conduct asset discovery and run vulnerability scans across both internal and external networks using tools like Kali Linux and Nessus. I have two options in mind: 1) provide direct VPN access to the internal network for scanning from their corporate laptop, or 2) set them up to VPN in first, then access a jump host to run the scans from there. What do you think is the safest and most practical approach?
5 Answers
You might want to give him both options. Since this is an employee, they may need to customize their tools and environment for the best results. The key is to communicate with them and find out what they'll need to effectively perform their job.
I vote jump box too. It’s a smart way to avoid any issues with scanning directly from a laptop, which often shouldn’t have those extended rights for security reasons.
I recommend going with the jump host. If you give VPN access directly, all the tools and sensitive data like reports and passwords will be on his laptop, which is pretty portable and could easily get lost or stolen. Using a jump box keeps all that sensitive information secure within your data center and also helps improve scan speed since it won't be limited by his home ISP.
It doesn’t make sense to have someone running long scans directly from their laptop. They should be managing scans from a stable environment where they can set everything up properly, rather than dealing with a potentially unreliable setup.
Jump host all the way! It just feels like a safer and more organized approach for long-term vulnerability management, instead of doing one-off scans from a laptop. The scans can take a long time, and having a dedicated server with the right access makes it smoother.
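The recurring point in the answers above is that the laptop should get a session on the jump host and nothing more: the scan tools, results and credentials stay in the data center, and the laptop cannot relay scanning traffic through the jump host. On an OpenSSH jump host that boundary is a Match block for the scanner account's group with forwarding and tunnelling switched off. The script below is an added example, not from the thread: it embeds two constructed sshd_config fragments (one hardened, one with the defaults left in place) and audits the Match block for a group named "vulnscan", which is an assumed name.

```shell
#!/bin/sh
# Added example (not from the thread): audit a jump host's sshd_config for the
# restrictions a remote scanner account should have. Group name "vulnscan" is
# an assumption; adjust to the account or group actually used.

# Options that must be explicitly "no" inside the scanner group's Match block.
# Each one, if left at its default, lets the laptop turn the jump host into a
# relay (TCP/Unix-socket forwarding, tunnels) or expose the laptop's keys (agent).
REQUIRED="AllowTcpForwarding=no AllowAgentForwarding=no AllowStreamLocalForwarding=no X11Forwarding=no PermitTunnel=no"

# extract_match_block FILE GROUP
# Prints the lines of "Match Group GROUP" up to the next Match line.
extract_match_block() {
    awk -v grp="$2" '
        tolower($1) == "match" { inblock = (tolower($2) == "group" && $3 == grp); next }
        inblock { print }
    ' "$1"
}

# audit_jump_sshd FILE GROUP
# Returns 0 when every REQUIRED option is set in the group's Match block,
# 1 otherwise, printing one MISSING line per option that is absent or wrong.
audit_jump_sshd() {
    block=$(extract_match_block "$1" "$2")
    rc=0
    for kv in $REQUIRED; do
        key=${kv%%=*}
        want=${kv#*=}
        # last occurrence wins, matching how sshd reads repeated keywords in a block
        have=$(printf '%s\n' "$block" | awk -v k="$key" 'tolower($1) == tolower(k) { print tolower($2) }' | tail -n 1)
        if [ "$have" != "$want" ]; then
            echo "MISSING: $key should be $want in 'Match Group $2' (got '${have:-unset}')"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the jump host fragment the answers argue for.
sample_hardened_conf() {
    cat <<'EOF'
# constructed sample sshd_config fragment (hardened)
PasswordAuthentication no
Match Group vulnscan
    AllowTcpForwarding no
    AllowAgentForwarding no
    AllowStreamLocalForwarding no
    X11Forwarding no
    PermitTunnel no
Match User backup
    ForceCommand /usr/bin/rsync
EOF
}

# Constructed sample: only partly restricted; forwarding and tunnels stay at the default.
sample_weak_conf() {
    cat <<'EOF'
# constructed sample sshd_config fragment (weak)
PasswordAuthentication no
Match Group vulnscan
    AllowAgentForwarding no
    X11Forwarding no
EOF
}

main() {
    tmp=$(mktemp -d)
    sample_hardened_conf > "$tmp/hardened.conf"
    sample_weak_conf > "$tmp/weak.conf"
    for f in hardened weak; do
        if audit_jump_sshd "$tmp/$f.conf" vulnscan; then
            echo "$f.conf: OK"
        else
            echo "$f.conf: FAIL"
        fi
    done
    rm -rf "$tmp"
}
main
```

On a live jump host, `sshd -T -C user=<scanner account>` prints the effective configuration for that account after Match processing, which is the authoritative thing to compare against rather than the file text; the script above is a quick file-level check for the same five settings. The laptop side needs nothing beyond a plain `ssh` to the jump host over the VPN; long scans run there under tmux or nohup, so a dropped home connection does not kill them.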