Solved

Question about remote access, VPN access security policies

Posted on 2008-06-24
5
307 Views
Last Modified: 2010-04-21
Hi there,

I have a question about remote access policies and what potential risks a company could be opening up.

Currently, the company allows part time employees VPN clients installed on non-company machines in order to access certain internal resources from home offices.

My questions are:
*What sort of security risks would this policy be opening up? Is there a strong risk of viruses and malware spreading throughout the network if one of these non-company machines gets infected and connects to the VPN?

*Any risk with having computers with VPN access and mapped shared drives on home wireless networks that may or may not have security enabled?

* In an ideal situation for IT, what remote access policies could be in place to ensure the integrity and security of the network?
0
Comment
Question by:kevincostello
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 400 total points
ID: 21857620
Hello there,

I would highly recommend not having users home PC's have VPN access. I say this because you have no idea what that user does on there computer. You have no idea if they currently have viruses or any types of Spyware on there computer. You also don't know if they have an Anti-Virus program and if they do is it always up-to-date?

Somethings that should be enforced is company corporate Anti-virus/Firewall on any computer that is getting the VPN client. I would also make it a policy that the computers have to be company owned. If you don't have enough laptop/desktops to give the people with VPN access you could have them bring in there home computers and put the corporate software on them. But then also your not going to have control on what they do with them at home.

Hope this helps
0
 
LVL 11

Assisted Solution

by:rowansmith
rowansmith earned 100 total points
ID: 21859396
The best way to deal with remote access requirements from personal/non enterprise hardware is to allow connectivity only to Terminal Servers and/or SSL VPNs which publish the specific applications that the user should have access too.

As has been stated above there is no way to be sure how a client is configured if you do not have control over it.

The industry trend these days is to allow staff to use personal computers and more so require contractors to supply their own laptops/hardware.  This requires that these users terminate their connections on Terminal Server types solutions such as an SSL VPN or a CitrixMetaFrame Server or even RDP sessions.

It is critical that the infrastructure is configured in such a way as to prevent resources such as disks and the likes from being directly accessible by the client.

-Rowan
0
 
LVL 1

Author Comment

by:kevincostello
ID: 21865112
Thanks guys, both good replies.

I guess most of my concern here would initially be creating a business case for moving to a more secure policy. *Why* do they need to move to the safe approaches you guys list above?

What could happen if unmonitored clients are allowed to VPN in? What is likely, and what are some worst case scenario?

Thanks!
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 400 total points
ID: 21884262
If you have your VPN running and you have any sort of Virus on the clients computer this could leak into your network as it could go through the VPN tunnel you have created. If your network ends up getting a virus or worm of some sort, even spyware this is all bad. Once it has made its way into the network it will then start going to all of the local computer/servers in your network and this will be more work then you could imaging to get rid of. I have had to remove viruses in the past from entire networks and it ain't fun.

It just better to have a policy like this in place so that everyone can't just run wild on your network. It will make more work/headaches for you in the end if you will be the one removing the infections.

Hope this helps
0
 
LVL 1

Author Closing Comment

by:kevincostello
ID: 31470211
Thanks!
0

Featured Post

Are You Headed to Black Hat USA 2017?

Getting ready for Black Hat next week? Kick things off with the WatchGuard Badge Challenge and test your puzzle and cipher skills. Do you have what it takes to earn our limited edition Firebox Badge? Get started today - https://crimsonthorn.net

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
Part One of the two-part Q&A series with MalwareTech.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

626 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question