Remote Access for Home Computers

[nick_hunt () mascohq com]

Hello all

I have been getting asked a lot lately about the possibility of letting users access corporate resources with their 
home computers via SSL VPN that has NAC features on it.  I keep on fighting it, mostly because I think it will cause a 
lot of support calls, but more importantly because I am afraid of the possible vulnerabilities of allowing un-managed 
machines access to our network.  I was wondering if anyone knew of any statistics or good articles on the letting users 
access corporate data with their home machines.  

The security implications that I am most worried about is:
1) worm propagation:  afraid infected machine will allow a worm onto our network.  Even though the SSL vpn does a check 
to see if AV is running and def's are up to date, and also does not give an IP on our network, there is the possibility 
of users uploading infected files to websites or network shares.
2) user copying confidential information to their home machines and then that information getting comprimised.  SSL vpn 
has the funtionality to block copying of files down to the local machine but misconfigurations or vulnerabilities in 
the VPN could allow for these controls to be subverted.
3) Machine that is infected with some type of bot getting on the VPN and launching a denial of service attack against 
internal servers.

If anyone can give me more possible attacks, and more importantly any statistics on other companies that have done this 
and had problems would help me with taking this argument to my management.

Thanks for the help
Nick