?
Solved

Should you let people VPN into work from their personal/home computers?

Posted on 2009-07-09
6
Medium Priority
?
388 Views
Last Modified: 2013-11-15
I (the IT Manager for our company of about 100 people) have installed local VPN clients on all the company provided laptops so that these people can VPN from outside while at home or on the road. These laptops are company provided and I can monitor the anti-virus software through an administrative console as well as monitor other things on the laptops because they ARE company provided and have to conform to our policies, GPO's, etc....In the past 6 months however, I've been asked by more and more employees to have the VPN client installed on their PERSONAL/HOME machines, and their supervisors are of course approving it, because they would like them to work from home on the .weekends and evenings.  I see this as a HUGE security risk, as who knows what they have (or DON'T have) on their home machines, who uses them, etc.....Has anyone else had experience with this type of thing, and how can I convince my boss (a non-IT person) that this is NOT a good idea?  
0
Comment
Question by:tenover
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 2000 total points
ID: 24815147
We definitely DO NOT allow users to have VPN on their personal computers. We only allow it on our owned assets. Think about it when someone connects via VPN they are on the network and any little nasties they have on their machine now have a connection to everythign in your orgainzation.

I would highly advise against this, I would try to push for citrix as an alternative if possible.
0
 
LVL 23

Expert Comment

by:that1guy15
ID: 24815202
I agree. These systems can not be trusted. Our company has the same policy in place. We do not allow VPN connections from anything but company equipment.

Think of it as someone walking into your office and plugging up their computer to an office port. They have direct access to your network.

One option though would be a NAC device which requires all VPN users to pass pre-determined requirements (proper AV, Firewall settings etc...) or they are either denied access or given limited access to the network. NACs though from what i hear are pretty involved and can get quite expensive to setup and manage.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 24815211
One more thing to add, lets be honest the average computer user in any organization is basically computer illiterate. Sure they may know how to user office and email and some other basic programs but for the most part they have no clue if and when their pcs are infected. So lets just say for instance you have a user who is infected with a virus/spyware and their connecting via the VPN. They open some files do their normal work etc but they have a piece of malware that modifies files they work on with launch points or droppers. Anyone else who opens that file then has a chance to get infected.

Not to mention that once the user is on the VPN they can connect to their email account/contacts. If they have an smtp enabled virus/malware on their machine then you could easily start seeing spam runs being directed to people in your company and also to outisde address from your company.

If your boss is no an IT person the best analogy I can give is this. "Would you go around handing out keys to your house to anyone that asked?" "Would you allow just anyone off the street to walk into your home and do what they please?" Because that is ultimately what this boils down to.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 8

Expert Comment

by:bsohn417
ID: 24818077
xxdcmast, that1guy15, I am also in favor of not having VPN from users home PC.

you don't know who bad their pcs are infected with stuff, that you don't even want to know about.
0
 

Author Comment

by:tenover
ID: 24818549
Thanks guys, I totally agree, but wanted to make sure I wasn't abusing my "authority" by saying that it shouldn't be done and wouldn't be allowed....
0
 

Author Comment

by:tenover
ID: 24863063
Real quick....
I think I might upgrade our firewall/VPN solution (Sonicwall) to a new unit that offers SSL VPN, which is pretty much the same solution as Citrix (in a way), correct?  This way everyone would have to connect using SSL and could connect from any computer securely and safely, right?
0

Featured Post

Bringing Advanced Authentication to the SMB Market

WatchGuard announces the acquisition of advanced authentication provider, Datablink, with one mission – to bring secure authentication to SMB, mid-market, and distributed enterprises with a cloud-based solution, ideal for resale via their established channel & MSSP community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Developer portfolios can be a bit of an enigma—how do you present yourself to employers without burying them in lines of code?  A modern portfolio is more than just work samples, it’s also a statement of how you work.
An overview on how to enroll an hourly employee into the employee database and how to give them access into the clock in terminal.
XMind Plus helps organize all details/aspects of any project from large to small in an orderly and concise manner. If you are working on a complex project, use this micro tutorial to show you how to make a basic flow chart. The software is free when…

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question