Security and Remote Access
Network access control, Zero Trust remote access, firewall policy, intrusion detection, SSO, and VPN for NYC-metro businesses managing distributed users or public-facing services.
The security problems that show up in small businesses are consistent: open RDP, flat networks with no access control between departments, shared credentials, no MFA, and no visibility into what is hitting the perimeter. Subnet Works starts from the actual attack surface and prioritizes the changes that cut the most risk for the cost.
Common problems businesses call about
- Employees need remote access and someone suggested “just open port 3389”
- A security audit or insurance renewal flagged open ports and no MFA
- Staff are using personal devices and there is no way to control what they can reach
- An incident happened (or almost happened) and the business wants to know what to do differently
- Multiple internal tools with separate logins and no centralized access control
- No visibility into who is connecting to what, from where
What the engagement covers
Network-layer access control
- ACL design on Cisco routers and switches: standard, extended, and named ACLs
- Traffic filtering between VLANs to enforce least-privilege access at the network layer
- Port-based access control: 802.1X where applicable, port security on unmanaged-device ports
- Firewall policy review and hardening on perimeter devices
Remote access
- Tailscale Zero Trust VPN: deployment, per-user and per-group ACL policies, exit node configuration
- Site-to-site VPN configuration on Cisco IOS devices (IPsec, GRE over IPsec)
- Elimination of direct internet exposure for RDP, SSH, and internal admin interfaces
- Split-tunnel vs. full-tunnel access design based on business requirements
Authentication and identity
- Authelia SSO with multi-factor authentication for internal web applications
- Integration of SSO across self-hosted services via reverse proxy
- Privileged access review: who has access to what, and whether they still need it
- SSH hardening: key-based auth, disable password login, restricted user access
Intrusion detection and monitoring
- CrowdSec deployment with community blocklist and automated ban rules
- Fail2ban configuration for exposed authentication services
- Log analysis: identifying brute-force patterns, unusual authentication attempts, lateral movement indicators
- Alerting configuration for high-priority security events
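As an added illustration of the log-analysis item above (example code written for this page, not a Subnet Works tool or deliverable), the script below parses constructed sshd authentication lines in the syslog format, counts failures per source address in a sliding window to flag brute-force sources, and raises the severity when a successful login follows a failure burst from the same address, which is the pattern that suggests a guessed or stolen credential rather than mere noise. The window, threshold and sample log lines are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from any real host) in the format sshd writes
# to the system log on a typical Linux server.
SAMPLE_LOG = """\
Mar  4 02:14:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  4 02:14:03 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Mar  4 02:14:05 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 50141 ssh2
Mar  4 02:14:06 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 50150 ssh2
Mar  4 02:14:09 web1 sshd[2109]: Failed password for invalid user oracle from 203.0.113.7 port 50161 ssh2
Mar  4 02:14:12 web1 sshd[2111]: Accepted password for deploy from 203.0.113.7 port 50170 ssh2
Mar  4 02:20:40 web1 sshd[2200]: Accepted publickey for alice from 192.0.2.15 port 41002 ssh2
Mar  4 02:31:15 web1 sshd[2310]: Failed password for bob from 198.51.100.4 port 39000 ssh2
Mar  4 02:31:30 web1 sshd[2312]: Accepted password for bob from 198.51.100.4 port 39008 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for an sshd auth event, or None for lines we do not care about.
    Syslog timestamps carry no year, so the caller supplies one (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted",
            "method": m["method"], "user": m["user"], "ip": m["ip"]}


def analyze(log_text, window_seconds=60, threshold=5):
    """Flag brute-force sources and success-after-failure logins per source IP."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]

        # Sliding window: do `threshold` failures occur within `window_seconds`?
        brute = False
        j = 0
        for i in range(len(fails)):
            while (fails[i]["ts"] - fails[j]["ts"]).total_seconds() > window_seconds:
                j += 1
            if i - j + 1 >= threshold:
                brute = True
                break
        if brute:
            findings.append({"ip": ip, "kind": "brute_force", "severity": "medium",
                             "failures": len(fails),
                             "users": sorted({e["user"] for e in fails})})

        # A successful login preceded by failures from the same source is the
        # indicator worth paging on; it is "high" only when the source was also brute-forcing.
        for e in evs:
            if e["ok"] and any(f["ts"] < e["ts"] for f in fails):
                findings.append({"ip": ip, "kind": "success_after_failures",
                                 "severity": "high" if brute else "low",
                                 "user": e["user"], "method": e["method"]})
                break
    return findings


def ips_to_ban(findings):
    """Sources that a ban rule (Fail2ban/CrowdSec style) would act on: brute-force only."""
    return {f["ip"] for f in findings if f["kind"] == "brute_force"}


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
    print("ban:", ips_to_ban(SAMPLE_LOG and analyze(SAMPLE_LOG)))
```

On the sample input, 203.0.113.7 is reported twice (a five-failure burst inside eleven seconds, then a password login for `deploy` from the same address, rated high), 198.51.100.4 once at low severity (one typo-like failure before a successful login for the same user), and 192.0.2.15 not at all. The threshold and window are the knobs a Fail2ban jail or CrowdSec scenario exposes, so the same numbers can be carried into the ban rule once tuned against the business's real logs.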
Reverse proxy and TLS
- Caddy reverse proxy: automatic TLS, path and subdomain routing, access control middleware
- Elimination of self-signed certificates on internal services
- HTTP security header configuration: HSTS, CSP, X-Frame-Options, and related headers
Representative scope examples
RDP exposure eliminated. A 15-person company in Hudson County had been running RDP exposed on the default port for remote access. After a failed ransomware attempt was caught by the ISP, they called Subnet Works. RDP was taken off the internet, Tailscale was deployed with per-user ACLs restricting each employee to only the machines they need, and MFA was enforced for all remote sessions.
SSO across internal tools. A growing company in Bergen County had accumulated eight internal web applications each with separate credentials, some shared among multiple people. Subnet Works deployed Authelia behind a Caddy reverse proxy, unified authentication across all eight services with TOTP-based MFA, and documented the procedure for adding new services and revoking access when staff leave.
Security posture after a near-miss. A business in Essex County had a contractor account compromised. The credential had been used to access internal systems for two weeks before anyone noticed. Subnet Works audited active accounts and access levels, removed stale credentials, configured CrowdSec on the perimeter with alerting on repeated authentication failures, and delivered a one-page access review checklist for future contractor onboarding and offboarding.