Question about remote access, VPN access security policies

Hi there,

I have a question about remote access policies and what potential risks a company could be opening up.

Currently, the company allows part time employees VPN clients installed on non-company machines in order to access certain internal resources from home offices.

My questions are:
*What sort of security risks would this policy be opening up? Is there a strong risk of viruses and malware spreading throughout the network if one of these non-company machines gets infected and connects to the VPN?

*Any risk with having computers with VPN access and mapped shared drives on home wireless networks that may or may not have security enabled?

* In an ideal situation for IT, what remote access policies could be in place to ensure the integrity and security of the network?
LVL 1
kevincostelloAsked:
Who is Participating?
 
Will SzymkowskiConnect With a Mentor Senior Solution ArchitectCommented:
If you have your VPN running and you have any sort of Virus on the clients computer this could leak into your network as it could go through the VPN tunnel you have created. If your network ends up getting a virus or worm of some sort, even spyware this is all bad. Once it has made its way into the network it will then start going to all of the local computer/servers in your network and this will be more work then you could imaging to get rid of. I have had to remove viruses in the past from entire networks and it ain't fun.

It just better to have a policy like this in place so that everyone can't just run wild on your network. It will make more work/headaches for you in the end if you will be the one removing the infections.

Hope this helps
0
 
Will SzymkowskiConnect With a Mentor Senior Solution ArchitectCommented:
Hello there,

I would highly recommend not having users home PC's have VPN access. I say this because you have no idea what that user does on there computer. You have no idea if they currently have viruses or any types of Spyware on there computer. You also don't know if they have an Anti-Virus program and if they do is it always up-to-date?

Somethings that should be enforced is company corporate Anti-virus/Firewall on any computer that is getting the VPN client. I would also make it a policy that the computers have to be company owned. If you don't have enough laptop/desktops to give the people with VPN access you could have them bring in there home computers and put the corporate software on them. But then also your not going to have control on what they do with them at home.

Hope this helps
0
 
rowansmithConnect With a Mentor Commented:
The best way to deal with remote access requirements from personal/non enterprise hardware is to allow connectivity only to Terminal Servers and/or SSL VPNs which publish the specific applications that the user should have access too.

As has been stated above there is no way to be sure how a client is configured if you do not have control over it.

The industry trend these days is to allow staff to use personal computers and more so require contractors to supply their own laptops/hardware.  This requires that these users terminate their connections on Terminal Server types solutions such as an SSL VPN or a CitrixMetaFrame Server or even RDP sessions.

It is critical that the infrastructure is configured in such a way as to prevent resources such as disks and the likes from being directly accessible by the client.

-Rowan
0
 
kevincostelloAuthor Commented:
Thanks guys, both good replies.

I guess most of my concern here would initially be creating a business case for moving to a more secure policy. *Why* do they need to move to the safe approaches you guys list above?

What could happen if unmonitored clients are allowed to VPN in? What is likely, and what are some worst case scenario?

Thanks!
0
 
kevincostelloAuthor Commented:
Thanks!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.