Now, I have implemented an SSLVPN service on my home network to act as the first authentication gate. The product I am using is SSL-Explorer from 3SP (http://www.3sp.com/). The product gives me first-tier defence by authenticating over a browser. I added two-factor authentication by SMS. The product natively supports the SMS gateway from Clickatell (http://www.clickatel.com/). The implementation experience was great, as the whole installation and profile provisioning cost me less than 3 hours, including AD integration.
In order to avoid certificate trust warnings every time I connect via the SSLVPN, I bought an SSL certificate from GoDaddy (http://www.godaddy.com/).
After all this implementation, I disabled all direct port forwarding except TCP 443 to the SSLVPN service.
The total investment for this project:
- AD - already have, nothing added, $0
- 3SP SSLVPN license - using the free license for 2 concurrent users, $0
- PC based server - using a virtual machine with CentOS, $0
- SMS Gateway - Clickatell, HK$100 for about 220 SMS send out credits (about HK$0.45 per authentication)
- SSL Certificate - GoDaddy, US$14.95 for 1 year
- My time - 3 hours of design and implementation
In short, for home use, it does not cost a lot if you do not need SMS OTP. Other methods of two-factor authentication can also be used, like digital signatures, OTP tokens, etc. However, I think SMS is the most accessible way for me.