We help IT Professionals succeed at work.

Should you let people VPN into work from their personal/home computers?

tenover
tenover asked
on
Medium Priority
429 Views
Last Modified: 2013-11-15
I (the IT Manager for our company of about 100 people) have installed local VPN clients on all the company provided laptops so that these people can VPN from outside while at home or on the road. These laptops are company provided and I can monitor the anti-virus software through an administrative console as well as monitor other things on the laptops because they ARE company provided and have to conform to our policies, GPO's, etc....In the past 6 months however, I've been asked by more and more employees to have the VPN client installed on their PERSONAL/HOME machines, and their supervisors are of course approving it, because they would like them to work from home on the .weekends and evenings.  I see this as a HUGE security risk, as who knows what they have (or DON'T have) on their home machines, who uses them, etc.....Has anyone else had experience with this type of thing, and how can I convince my boss (a non-IT person) that this is NOT a good idea?  
Comment
Watch Question

CERTIFIED EXPERT
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
I agree. These systems can not be trusted. Our company has the same policy in place. We do not allow VPN connections from anything but company equipment.

Think of it as someone walking into your office and plugging up their computer to an office port. They have direct access to your network.

One option though would be a NAC device which requires all VPN users to pass pre-determined requirements (proper AV, Firewall settings etc...) or they are either denied access or given limited access to the network. NACs though from what i hear are pretty involved and can get quite expensive to setup and manage.
CERTIFIED EXPERT

Commented:
One more thing to add, lets be honest the average computer user in any organization is basically computer illiterate. Sure they may know how to user office and email and some other basic programs but for the most part they have no clue if and when their pcs are infected. So lets just say for instance you have a user who is infected with a virus/spyware and their connecting via the VPN. They open some files do their normal work etc but they have a piece of malware that modifies files they work on with launch points or droppers. Anyone else who opens that file then has a chance to get infected.

Not to mention that once the user is on the VPN they can connect to their email account/contacts. If they have an smtp enabled virus/malware on their machine then you could easily start seeing spam runs being directed to people in your company and also to outisde address from your company.

If your boss is no an IT person the best analogy I can give is this. "Would you go around handing out keys to your house to anyone that asked?" "Would you allow just anyone off the street to walk into your home and do what they please?" Because that is ultimately what this boils down to.
CERTIFIED EXPERT

Commented:
xxdcmast, that1guy15, I am also in favor of not having VPN from users home PC.

you don't know who bad their pcs are infected with stuff, that you don't even want to know about.

Author

Commented:
Thanks guys, I totally agree, but wanted to make sure I wasn't abusing my "authority" by saying that it shouldn't be done and wouldn't be allowed....

Author

Commented:
Real quick....
I think I might upgrade our firewall/VPN solution (Sonicwall) to a new unit that offers SSL VPN, which is pretty much the same solution as Citrix (in a way), correct?  This way everyone would have to connect using SSL and could connect from any computer securely and safely, right?
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.