Question about remote access, VPN access security policies

Posted on 2008-06-24
Medium Priority
Last Modified: 2010-04-21
Hi there,

I have a question about remote access policies and what potential risks a company could be opening up.

Currently, the company allows part time employees VPN clients installed on non-company machines in order to access certain internal resources from home offices.

My questions are:
*What sort of security risks would this policy be opening up? Is there a strong risk of viruses and malware spreading throughout the network if one of these non-company machines gets infected and connects to the VPN?

*Any risk with having computers with VPN access and mapped shared drives on home wireless networks that may or may not have security enabled?

* In an ideal situation for IT, what remote access policies could be in place to ensure the integrity and security of the network?
Question by:kevincostello
  • 2
  • 2
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 1600 total points
ID: 21857620
Hello there,

I would highly recommend not having users home PC's have VPN access. I say this because you have no idea what that user does on there computer. You have no idea if they currently have viruses or any types of Spyware on there computer. You also don't know if they have an Anti-Virus program and if they do is it always up-to-date?

Somethings that should be enforced is company corporate Anti-virus/Firewall on any computer that is getting the VPN client. I would also make it a policy that the computers have to be company owned. If you don't have enough laptop/desktops to give the people with VPN access you could have them bring in there home computers and put the corporate software on them. But then also your not going to have control on what they do with them at home.

Hope this helps
LVL 11

Assisted Solution

rowansmith earned 400 total points
ID: 21859396
The best way to deal with remote access requirements from personal/non enterprise hardware is to allow connectivity only to Terminal Servers and/or SSL VPNs which publish the specific applications that the user should have access too.

As has been stated above there is no way to be sure how a client is configured if you do not have control over it.

The industry trend these days is to allow staff to use personal computers and more so require contractors to supply their own laptops/hardware.  This requires that these users terminate their connections on Terminal Server types solutions such as an SSL VPN or a CitrixMetaFrame Server or even RDP sessions.

It is critical that the infrastructure is configured in such a way as to prevent resources such as disks and the likes from being directly accessible by the client.


Author Comment

ID: 21865112
Thanks guys, both good replies.

I guess most of my concern here would initially be creating a business case for moving to a more secure policy. *Why* do they need to move to the safe approaches you guys list above?

What could happen if unmonitored clients are allowed to VPN in? What is likely, and what are some worst case scenario?

LVL 53

Accepted Solution

Will Szymkowski earned 1600 total points
ID: 21884262
If you have your VPN running and you have any sort of Virus on the clients computer this could leak into your network as it could go through the VPN tunnel you have created. If your network ends up getting a virus or worm of some sort, even spyware this is all bad. Once it has made its way into the network it will then start going to all of the local computer/servers in your network and this will be more work then you could imaging to get rid of. I have had to remove viruses in the past from entire networks and it ain't fun.

It just better to have a policy like this in place so that everyone can't just run wild on your network. It will make more work/headaches for you in the end if you will be the one removing the infections.

Hope this helps

Author Closing Comment

ID: 31470211

Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

The Super Bowl is just days away. Millions of advertising dollars will be spent in just a few hours to drive people to websites around the globe. Optimizing your site in anticipation of a big event like this (and the traffic surges that follow) will…
You do not need to be a security expert to make the RIGHT security. You just need some 3D guidance, to help lay out an action plan to secure your business operations. It does not happen overnight. You just need to start now and do the first thin…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question