Solved

Question about remote access, VPN access security policies

Posted on 2008-06-24
Last Modified: 2010-04-21
Hi there,

I have a question about remote access policies and what potential risks a company could be opening up.

Currently, the company allows part-time employees to have VPN clients installed on non-company machines in order to access certain internal resources from home offices.

My questions are:
* What sort of security risks would this policy be opening up? Is there a strong risk of viruses and malware spreading throughout the network if one of these non-company machines gets infected and connects to the VPN?

* Any risk with having computers with VPN access and mapped shared drives on home wireless networks that may or may not have security enabled?

* In an ideal situation for IT, what remote access policies could be in place to ensure the integrity and security of the network?
Question by:kevincostello
5 Comments
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 400 total points
ID: 21857620
Hello there,

I would highly recommend not letting users' home PCs have VPN access. I say this because you have no idea what that user does on their computer. You have no idea if they currently have viruses or any types of spyware on their computer. You also don't know if they have an anti-virus program and, if they do, is it always up to date?

Something that should be enforced is the company's corporate anti-virus/firewall on any computer that is getting the VPN client. I would also make it a policy that the computers have to be company owned. If you don't have enough laptops/desktops to give the people with VPN access, you could have them bring in their home computers and put the corporate software on them. But then also you're not going to have control over what they do with them at home.

Hope this helps
 
LVL 11

Assisted Solution

by:rowansmith
rowansmith earned 100 total points
ID: 21859396
The best way to deal with remote access requirements from personal/non-enterprise hardware is to allow connectivity only to Terminal Servers and/or SSL VPNs which publish the specific applications that the user should have access to.

As has been stated above there is no way to be sure how a client is configured if you do not have control over it.

The industry trend these days is to allow staff to use personal computers and, more so, to require contractors to supply their own laptops/hardware. This requires that these users terminate their connections on Terminal Server type solutions such as an SSL VPN or a Citrix MetaFrame Server or even RDP sessions.

It is critical that the infrastructure is configured in such a way as to prevent resources such as disks and the like from being directly accessible by the client.

-Rowan
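
The redirection point in the answer above can be checked on a Windows terminal server. The following audit script is an added example, not part of the original thread; it assumes a Remote Desktop Session Host whose redirection settings are enforced through the standard Group Policy registry values.

```powershell
# Audit a Remote Desktop Session Host for client-resource redirection.
# A policy value of 1 means Group Policy disables that redirection channel.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Policy value name -> channel that stays open to the remote client if not disabled.
$checks = [ordered]@{
    fDisableCdm      = 'Client drive redirection'
    fDisableClip     = 'Clipboard redirection'
    fDisableCpm      = 'Client printer redirection'
    fDisableLPT      = 'LPT port redirection'
    fDisableCcm      = 'COM port redirection'
    fDisablePNPRedir = 'Plug and Play device redirection'
}

function Get-RedirectionAudit {
    param([string]$Key = $policyKey)

    # A missing key means no Terminal Services policy is set on this host.
    $values = if (Test-Path -Path $Key) { Get-ItemProperty -Path $Key } else { $null }

    foreach ($name in $checks.Keys) {
        $setting = if ($values) { $values.$name } else { $null }
        # NotConfigured: Group Policy does not enforce the setting, so the
        # listener's own configuration decides; treat it as needing review.
        $state = if ($null -eq $setting) {
            'NotConfigured'
        } elseif ($setting -eq 1) {
            'Disabled'
        } else {
            'Allowed'
        }
        [pscustomobject]@{
            Channel = $checks[$name]
            Policy  = $name
            State   = $state
            Finding = if ($state -eq 'Disabled') { 'OK' } else { 'Review' }
        }
    }
}

$report = Get-RedirectionAudit
$report | Format-Table -AutoSize

# Non-zero exit code so a scheduled compliance job can flag the host.
if ($report | Where-Object Finding -eq 'Review') { exit 1 }
```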
 
LVL 1

Author Comment

by:kevincostello
ID: 21865112
Thanks guys, both good replies.

I guess most of my concern here would initially be creating a business case for moving to a more secure policy. *Why* do they need to move to the safe approaches you guys list above?

What could happen if unmonitored clients are allowed to VPN in? What is likely, and what are some worst-case scenarios?

Thanks!
 
LVL 53

Accepted Solution

by:Will Szymkowski
Will Szymkowski earned 400 total points
ID: 21884262
If you have your VPN running and you have any sort of virus on the client's computer, this could leak into your network, as it could go through the VPN tunnel you have created. If your network ends up getting a virus or worm of some sort, even spyware, this is all bad. Once it has made its way into the network it will then start going to all of the local computers/servers in your network, and this will be more work than you could imagine to get rid of. I have had to remove viruses in the past from entire networks and it ain't fun.

It's just better to have a policy like this in place so that everyone can't just run wild on your network. It will make more work/headaches for you in the end if you will be the one removing the infections.

Hope this helps
 
LVL 1

Author Closing Comment

by:kevincostello
ID: 31470211
Thanks!