Security Basics mailing list archives
Re: Home users with VPN connections
From: "Pierre A. Cadieux" <hobbit () theshire com>
Date: Thu, 13 Mar 2003 18:54:44 -0800
VPNs have been an exposure since they have become as widespread and commonplace in the work environment.
I have worked for companies that ran the gamut from disallowing VPNs for all users but IT (which doesn't really solve anything), to having strict policies against connecting any system that doesn't have home firewalls and AV software, to providing the home firewall hardware/software to all approved VPN users.
A couple of points:
- Monitor your VPN segment like it is an external network.
- Communicate your company's policies and standards for AV software and/or home firewalls. (Don't have a standard? Get one/make one.)
- Enforce the above mentioned standards as best as you can. (This is not always easy to do).
- Vigorously handle any intrusion attempts, virus incidents, or worm attacks via your VPNs. Unless you have a bulletproof policy and 100% enforcement this WILL happen. Be prepared.
- Password requirements should adhere to your company standards for possibly exposed passwords (regarding length, complexity, and rotation).
- Pursue VPN options that allow you to restrict the access that a user or group of users has. Is there any reason an accounting person should have access to a development server? Is there any reason that anyone outside of accounting should have access to the accounting database, etc.?
To restate a previous point, it can be fairly easy to justify to management the cost benefit of providing Anti-Virus software and/or home firewall software/hardware to home users. I HIGHLY suggest this as a course of action.
Constant vigilance and best of luck.
->Pierre Cadieux

At 05:15 PM 3/13/2003 +0000, Jonathan Grotegut wrote:
Forgive me if this seems trivial or "newbieish" but I am new to the "Security" end of computing. With the new CERT Advisory CA-2003-08, it got me to thinking "What are others' policies, procedures, and requirements for home users connecting via VPN to a corporate network?"

When a person connects a VPN connection from their home to the office, they can very easily have a Trojan or a virus. This would allow for easy infection or access to the corporate network. What are your thoughts on policies, procedures, requirements for VPN users connecting to the corporate network as far as Password requirements, Personal Firewalls, Virus Software, Etc.?

Thanks in advance for your suggestions. By the way our clients vary. Our clients are all in different professions, meaning we have everything from health care providers to mortgage companies to printing companies.

Jonathan Grotegut
DirectPointe
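An added example, not part of the original thread: one way to check the per-group access restriction and VPN-segment monitoring points above is to audit VPN flow records against a default-deny allowlist per group. The group names, subnets, ports and record format are assumptions constructed for illustration.

```python
import ipaddress

# Hypothetical policy: VPN group -> list of (destination network, port).
# Any group or destination not listed is denied (default deny).
POLICY = {
    "accounting": [("10.20.0.0/24", 1433)],                   # accounting DB
    "development": [("10.30.0.0/24", 22), ("10.30.0.0/24", 443)],
}

# Constructed sample flow records from the VPN segment:
# user,group,destination IP,destination port
SAMPLE_FLOWS = """\
alice,accounting,10.20.0.15,1433
alice,accounting,10.30.0.7,22
bob,development,10.30.0.7,22
bob,development,10.20.0.15,1433
carol,sales,10.20.0.15,1433
garbled-record
"""

def is_allowed(group, dst_ip, dst_port, policy=POLICY):
    """True only if the group has an explicit rule for this destination."""
    addr = ipaddress.ip_address(dst_ip)
    return any(
        addr in ipaddress.ip_network(net) and dst_port == port
        for net, port in policy.get(group, [])
    )

def audit(flow_text, policy=POLICY):
    """Return records that violate policy; unparseable lines are flagged too."""
    violations = []
    for line in flow_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            user, group, dst_ip, dst_port = line.split(",")
            ok = is_allowed(group, dst_ip, int(dst_port), policy)
        except ValueError:
            violations.append(("unparseable", line))
            continue
        if not ok:
            violations.append((user, group, dst_ip, int(dst_port)))
    return violations

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("ALERT", *v)
```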