Solved

Should you let people VPN into work from their personal/home computers?

Posted on 2009-07-09
6
379 Views
Last Modified: 2013-11-15
I (the IT Manager for our company of about 100 people) have installed local VPN clients on all the company provided laptops so that these people can VPN from outside while at home or on the road. These laptops are company provided and I can monitor the anti-virus software through an administrative console as well as monitor other things on the laptops because they ARE company provided and have to conform to our policies, GPO's, etc....In the past 6 months however, I've been asked by more and more employees to have the VPN client installed on their PERSONAL/HOME machines, and their supervisors are of course approving it, because they would like them to work from home on the .weekends and evenings.  I see this as a HUGE security risk, as who knows what they have (or DON'T have) on their home machines, who uses them, etc.....Has anyone else had experience with this type of thing, and how can I convince my boss (a non-IT person) that this is NOT a good idea?  
0
Comment
Question by:tenover
6 Comments
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 500 total points
ID: 24815147
We definitely DO NOT allow users to have VPN on their personal computers. We only allow it on our owned assets. Think about it when someone connects via VPN they are on the network and any little nasties they have on their machine now have a connection to everythign in your orgainzation.

I would highly advise against this, I would try to push for citrix as an alternative if possible.
0
 
LVL 23

Expert Comment

by:that1guy15
ID: 24815202
I agree. These systems can not be trusted. Our company has the same policy in place. We do not allow VPN connections from anything but company equipment.

Think of it as someone walking into your office and plugging up their computer to an office port. They have direct access to your network.

One option though would be a NAC device which requires all VPN users to pass pre-determined requirements (proper AV, Firewall settings etc...) or they are either denied access or given limited access to the network. NACs though from what i hear are pretty involved and can get quite expensive to setup and manage.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 24815211
One more thing to add, lets be honest the average computer user in any organization is basically computer illiterate. Sure they may know how to user office and email and some other basic programs but for the most part they have no clue if and when their pcs are infected. So lets just say for instance you have a user who is infected with a virus/spyware and their connecting via the VPN. They open some files do their normal work etc but they have a piece of malware that modifies files they work on with launch points or droppers. Anyone else who opens that file then has a chance to get infected.

Not to mention that once the user is on the VPN they can connect to their email account/contacts. If they have an smtp enabled virus/malware on their machine then you could easily start seeing spam runs being directed to people in your company and also to outisde address from your company.

If your boss is no an IT person the best analogy I can give is this. "Would you go around handing out keys to your house to anyone that asked?" "Would you allow just anyone off the street to walk into your home and do what they please?" Because that is ultimately what this boils down to.
0
Don't miss ATEN at NAB Show April 24-27!

Visit ATEN at NAB Show to learn how our "Seamlessly Entertaining" solutions deliver fast, precise video streaming without delays for the broadcasting and media environment. ATEN will showcase its 16x16 Modular Matrix Switch (VM1600) and KVM Over IP Solution (KE6900 series).

 
LVL 8

Expert Comment

by:bsohn417
ID: 24818077
xxdcmast, that1guy15, I am also in favor of not having VPN from users home PC.

you don't know who bad their pcs are infected with stuff, that you don't even want to know about.
0
 

Author Comment

by:tenover
ID: 24818549
Thanks guys, I totally agree, but wanted to make sure I wasn't abusing my "authority" by saying that it shouldn't be done and wouldn't be allowed....
0
 

Author Comment

by:tenover
ID: 24863063
Real quick....
I think I might upgrade our firewall/VPN solution (Sonicwall) to a new unit that offers SSL VPN, which is pretty much the same solution as Citrix (in a way), correct?  This way everyone would have to connect using SSL and could connect from any computer securely and safely, right?
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If your app took Google’s lash recently, here are the 5 most likely reasons.
The article will include the best Data Recovery Tools along with their Features, Capabilities, and their Download Links. Hope you’ll enjoy it and will choose the one as required by you.
This video demonstrates basic masking and how to edit the mask to reveal the desired image.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question