Question about remote access, VPN access security policies

Posted on 2008-06-24
Last Modified: 2010-04-21
Hi there,

I have a question about remote access policies and what potential risks a company could be opening up.

Currently, the company allows part time employees VPN clients installed on non-company machines in order to access certain internal resources from home offices.

My questions are:
* What sort of security risks would this policy be opening up? Is there a strong risk of viruses and malware spreading throughout the network if one of these non-company machines gets infected and connects to the VPN?

* Any risk with having computers with VPN access and mapped shared drives on home wireless networks that may or may not have security enabled?

* In an ideal situation for IT, what remote access policies could be in place to ensure the integrity and security of the network?
Question by:kevincostello
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 400 total points
ID: 21857620
Hello there,

I would highly recommend not having users' home PCs have VPN access. I say this because you have no idea what that user does on their computer. You have no idea if they currently have viruses or any types of spyware on their computer. You also don't know if they have an anti-virus program and, if they do, is it always up-to-date?

Some things that should be enforced are company corporate anti-virus/firewall on any computer that is getting the VPN client. I would also make it a policy that the computers have to be company owned. If you don't have enough laptops/desktops to give the people with VPN access, you could have them bring in their home computers and put the corporate software on them. But then also you're not going to have control over what they do with them at home.

Hope this helps
LVL 11

Assisted Solution

rowansmith earned 100 total points
ID: 21859396
The best way to deal with remote access requirements from personal/non-enterprise hardware is to allow connectivity only to Terminal Servers and/or SSL VPNs which publish the specific applications that the user should have access to.

As has been stated above, there is no way to be sure how a client is configured if you do not have control over it.

The industry trend these days is to allow staff to use personal computers and, more so, require contractors to supply their own laptops/hardware. This requires that these users terminate their connections on Terminal Server type solutions such as an SSL VPN or a Citrix MetaFrame Server or even RDP sessions.

It is critical that the infrastructure is configured in such a way as to prevent resources such as disks and the like from being directly accessible by the client.
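
As an added illustration of the approach in the answer above (not part of the original thread and not any poster's own code): a small audit of a VPN gateway's allow rules that flags anything letting the address pool handed to personal devices reach more than the terminal servers on RDP or HTTPS, such as file shares. The address ranges, rule format and port choices are constructed assumptions.

```python
import ipaddress

# Assumptions constructed for this example (not from the thread):
UNMANAGED_POOL = ipaddress.ip_network("10.99.0.0/24")    # VPN pool for personal devices
TERMINAL_SERVERS = ipaddress.ip_network("10.10.5.0/28")  # RDP / published-app hosts
ALLOWED_PORTS = {443, 3389}                               # SSL VPN portal, RDP

# Constructed allow rules: (source CIDR, destination CIDR, protocol, port)
RULES = [
    ("10.99.0.0/24", "10.10.5.0/28",   "tcp", 3389),  # intended: RDP to terminal servers
    ("10.99.0.0/24", "10.10.5.0/28",   "tcp", 443),   # intended: published apps over HTTPS
    ("10.99.0.0/24", "10.10.20.15/32", "tcp", 445),   # mapped drive on a file server
    ("10.0.0.0/8",   "10.10.0.0/16",   "tcp", 135),   # broad rule that also covers the pool
    ("10.50.0.0/24", "10.10.20.0/24",  "tcp", 445),   # company-owned laptops, out of scope
]


def audit(rules):
    """Return (rule, reasons) for every rule that over-exposes the network
    to the unmanaged-client pool."""
    findings = []
    for src, dst, proto, port in rules:
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        # Only rules whose source can include an unmanaged client matter here;
        # overlaps() also catches broad rules that merely contain the pool.
        if not src_net.overlaps(UNMANAGED_POOL):
            continue
        reasons = []
        if not dst_net.subnet_of(TERMINAL_SERVERS):
            reasons.append("destination is outside the terminal server range")
        if proto != "tcp" or port not in ALLOWED_PORTS:
            reasons.append(f"{proto}/{port} is not an approved service")
        if reasons:
            findings.append(((src, dst, proto, port), reasons))
    return findings


if __name__ == "__main__":
    for rule, reasons in audit(RULES):
        print(rule, "->", "; ".join(reasons))
```
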


Author Comment

ID: 21865112
Thanks guys, both good replies.

I guess most of my concern here would initially be creating a business case for moving to a more secure policy. *Why* do they need to move to the safe approaches you guys list above?

What could happen if unmonitored clients are allowed to VPN in? What is likely, and what are some worst-case scenarios?

LVL 53

Accepted Solution

Will Szymkowski earned 400 total points
ID: 21884262
If you have your VPN running and you have any sort of virus on the client's computer, this could leak into your network as it could go through the VPN tunnel you have created. If your network ends up getting a virus or worm of some sort, even spyware, this is all bad. Once it has made its way into the network it will then start going to all of the local computers/servers in your network and this will be more work than you could imagine to get rid of. I have had to remove viruses in the past from entire networks and it ain't fun.

It's just better to have a policy like this in place so that everyone can't just run wild on your network. It will make more work/headaches for you in the end if you will be the one removing the infections.

Hope this helps

Author Closing Comment

ID: 31470211


Question has a verified solution.
