Solved

Should you let people VPN into work from their personal/home computers?

Posted on 2009-07-09
6
370 Views
Last Modified: 2013-11-15
I (the IT Manager for our company of about 100 people) have installed local VPN clients on all the company provided laptops so that these people can VPN from outside while at home or on the road. These laptops are company provided and I can monitor the anti-virus software through an administrative console as well as monitor other things on the laptops because they ARE company provided and have to conform to our policies, GPO's, etc....In the past 6 months however, I've been asked by more and more employees to have the VPN client installed on their PERSONAL/HOME machines, and their supervisors are of course approving it, because they would like them to work from home on the .weekends and evenings.  I see this as a HUGE security risk, as who knows what they have (or DON'T have) on their home machines, who uses them, etc.....Has anyone else had experience with this type of thing, and how can I convince my boss (a non-IT person) that this is NOT a good idea?  
0
Comment
Question by:tenover
6 Comments
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 500 total points
ID: 24815147
We definitely DO NOT allow users to have VPN on their personal computers. We only allow it on our owned assets. Think about it when someone connects via VPN they are on the network and any little nasties they have on their machine now have a connection to everythign in your orgainzation.

I would highly advise against this, I would try to push for citrix as an alternative if possible.
0
 
LVL 23

Expert Comment

by:that1guy15
ID: 24815202
I agree. These systems can not be trusted. Our company has the same policy in place. We do not allow VPN connections from anything but company equipment.

Think of it as someone walking into your office and plugging up their computer to an office port. They have direct access to your network.

One option though would be a NAC device which requires all VPN users to pass pre-determined requirements (proper AV, Firewall settings etc...) or they are either denied access or given limited access to the network. NACs though from what i hear are pretty involved and can get quite expensive to setup and manage.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 24815211
One more thing to add, lets be honest the average computer user in any organization is basically computer illiterate. Sure they may know how to user office and email and some other basic programs but for the most part they have no clue if and when their pcs are infected. So lets just say for instance you have a user who is infected with a virus/spyware and their connecting via the VPN. They open some files do their normal work etc but they have a piece of malware that modifies files they work on with launch points or droppers. Anyone else who opens that file then has a chance to get infected.

Not to mention that once the user is on the VPN they can connect to their email account/contacts. If they have an smtp enabled virus/malware on their machine then you could easily start seeing spam runs being directed to people in your company and also to outisde address from your company.

If your boss is no an IT person the best analogy I can give is this. "Would you go around handing out keys to your house to anyone that asked?" "Would you allow just anyone off the street to walk into your home and do what they please?" Because that is ultimately what this boils down to.
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 8

Expert Comment

by:bsohn417
ID: 24818077
xxdcmast, that1guy15, I am also in favor of not having VPN from users home PC.

you don't know who bad their pcs are infected with stuff, that you don't even want to know about.
0
 

Author Comment

by:tenover
ID: 24818549
Thanks guys, I totally agree, but wanted to make sure I wasn't abusing my "authority" by saying that it shouldn't be done and wouldn't be allowed....
0
 

Author Comment

by:tenover
ID: 24863063
Real quick....
I think I might upgrade our firewall/VPN solution (Sonicwall) to a new unit that offers SSL VPN, which is pretty much the same solution as Citrix (in a way), correct?  This way everyone would have to connect using SSL and could connect from any computer securely and safely, right?
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Workplace bullying has increased with the use of email and social media. Retain evidence of this with email archiving to protect your employees.
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
This video demonstrates basic masking and how to edit the mask to reveal the desired image.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now