I'm working in local government supporting our Department of Emergency Services that includes Fire Rescue and EMTs. Each truck and ambulance has a laptop that connects to our network via a VPN using NetMotion, but they're not domain-joined, which poses security concerns. Recent directives from the FBI and our state's Law Enforcement require MFA for anyone who accesses CJIS information, even if they only handle Fire/Rescue calls.
We currently use Duo for MFA, but I'm unsure how to effectively implement this for our EMTs since they switch trucks frequently and it's impractical to require them to log in at the station if they're already on the road. I considered joining the laptops to the domain and using YubiKeys, but cached credentials complicate this scenario. Some have suggested placing NetMotion behind MFA, yet it seems to be a requirement to have MFA at laptop login.
Additionally, deploying CradlePoints with IPSec connections would be an improvement, but it's challenging to justify the extra cost. I'm really looking for advice on how we can set up this MFA system without creating significant delays in urgent situations.
4 Answers
Here's what we do: we have always-on VPN with Palo Alto, paired with a local domain. Each machine connects to the network and prompts for Duo MFA. We're also transitioning to using Entra with passwordless YubiKeys, and both YubiKey and an authenticator app can be used. This setup doesn't require a VPN before logging in. This could be a good option since you won't always need a physical key and can manage backups if someone loses one.
That's a tricky situation! If there’s a shift change and the new person hasn’t logged in yet, those MFA logins can definitely slow things down, especially in emergencies. Maybe you could skip the login in critical situations, but that wouldn't be as fast as using their existing software to get directions. It's a tough call on how to balance security without affecting response times!
You're spot on! It feels like an impossible scenario with mandated security when lives are on the line. It's not right that they push for this without thinking about the real-world impact.
From my experience, I'd suggest domain joining the laptops and issuing user accounts to EMTs if they don’t already have them. Once they're on the domain, you could set up Duo to enforce MFA on laptop logins when they have a network connection. Consider using cached credentials for shifts - maybe setting a policy to keep credentials for 24-48 hours so they're able to log in with minimal hassle during critical shifts.
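An added example (not part of the thread) that audits and sets the Windows cached-logon policy the answer above relies on. Windows caches domain logons by count (the CachedLogonsCount value, 0 to 50, default 10), not by a time window, so a "24-48 hour" allowance has to be expressed as a number of logons per laptop; the function names are my own, the registry path is the standard Winlogon location.

```powershell
# Added example: audit/set the cached domain logon count on a truck laptop.
# Run in an elevated PowerShell session on the laptop being checked.
$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonPolicy {
    # Domain membership comes from WMI/CIM; the cache count from the Winlogon key.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $raw = (Get-ItemProperty -Path $WinlogonPath -Name CachedLogonsCount `
                -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $raw) { $raw = 10 }   # Windows default when the value is absent
    [pscustomobject]@{
        ComputerName         = $cs.Name
        DomainJoined         = $cs.PartOfDomain
        Domain               = $cs.Domain
        CachedLogonsCount    = [int]$raw
        OfflineLogonPossible = ([int]$raw -gt 0)   # 0 means no logon without a DC
    }
}

function Set-CachedLogonPolicy {
    param([Parameter(Mandatory)][ValidateRange(0, 50)][int]$Count)
    # Windows stores this value as REG_SZ, so it is written as a string.
    Set-ItemProperty -Path $WinlogonPath -Name CachedLogonsCount `
        -Value ([string]$Count) -Type String
    Get-CachedLogonPolicy
}

# Report the current state; a non-domain-joined laptop caches nothing useful.
Get-CachedLogonPolicy | Format-List
```

A value of 0 forces a domain controller (and therefore the VPN) to be reachable at every logon, which is the trade-off the thread is weighing against response time.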
I was wondering whether NetMotion is compatible with Duo for VPN connections. I've been hearing mixed things, so I'm curious if it's a feasible solution to integrate MFA directly into the VPN login.
Thanks for sharing! Moving towards Entra sounds like a great strategy. It’d be good to see how we can incorporate that as we upgrade our systems.