Security Basics mailing list archives

RE: Home laptops on a corporate network


From: "Nick Duda" <nduda () VistaPrint com>
Date: Tue, 8 May 2007 13:53:34 -0400

Using a product like Cisco Clean Access (CAS/CAM) allows you to control
patch level and antivirus before a system is allowed access to your
network. It can drop them into a remediation VLAN with a remediation
server so they can "fix" the problem right away.

CCA client runs on the laptop and when connected to the network (in a
default unsecure VLAN) talks to the CAS, gets its policy and starts its
thing. No computer can get on the VPN or WiFi here unless it has what
we require installed for patches and AV (software and dats). It can be
run in-band and out-of-band (dynamically change VLAN on interfaces).

Because it's client/server based, it allows for a boatload of other
custom scans and searches. If you tell it to look for certain
files/services (BearShare, BitTorrent, etc.) and if present deny
access, etc.

It's a pretty sweet appliance, but with a price tag. Can't imagine
running a VPN/Wifi in corporate without it.

The fact of most businesses is that ease of use usually overrules
security (not in all cases). If the CEO of a company demands that home
laptops are to be used, find a solution that allows it. This is one.




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of christopherkelley () hotmail com
Sent: Tuesday, May 08, 2007 1:12 PM
To: security-basics () securityfocus com
Subject: Re: Home laptops on a corporate network

I'd recommend NOT doing this. Especially if you are trying to comply with
HIPAA. Keep in mind that you will have little to no management
capability over these personal laptops, which means you have no ability
to verify patch level and AV update on these machines that may have EPHI
on them. Not to mention the fact that these employees are probably
taking them home and plugging them into their home networks, where they
(or their kids) are running BearShare, Gnutella, Grokster, BitTorrent,
and surfing to unfiltered web sites. Not only does this mean that they
are potentially exposing critical data in this manner, it also means
they are bringing potentially infested computers into the soft chewy
center of your network.

Whenever you have an employee with a laptop, you create a liability to
your network; allowing them to use personal laptops presents an even
bigger liability. IMHO, this level of risk is unacceptable, especially
from a HIPAA compliance standpoint.
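
A simplified model of the admission decision described in the message above (patch level and AV checked before access, remediation VLAN on failure, deny when listed software is present), added here as an example; it is not Cisco Clean Access code or its policy format. The thresholds, VLAN numbers and sample laptop reports are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# All policy values, VLAN IDs and sample reports are constructed for illustration.
@dataclass
class Policy:
    min_patch_date: date            # oldest acceptable OS patch date
    max_av_dat_age_days: int        # AV signature ("dat") freshness limit
    banned_software: frozenset      # lowercase names; presence denies access
    access_vlan: int = 10
    remediation_vlan: int = 99

@dataclass
class Report:                       # what the client agent reports to the server
    patch_date: date
    av_installed: bool
    av_dat_date: Optional[date]
    software: set = field(default_factory=set)

def evaluate(report: Report, policy: Policy, today: date):
    """Return (decision, vlan, reasons); vlan is None when access is denied."""
    banned = sorted(s for s in report.software if s.lower() in policy.banned_software)
    if banned:
        return "deny", None, [f"banned software: {', '.join(banned)}"]
    reasons = []
    if report.patch_date < policy.min_patch_date:
        reasons.append("patch level below policy")
    if not report.av_installed or report.av_dat_date is None:
        reasons.append("antivirus missing")
    elif (today - report.av_dat_date).days > policy.max_av_dat_age_days:
        reasons.append("antivirus dats out of date")
    if reasons:
        # Fixable problems: isolate the host where it can reach the remediation server.
        return "remediate", policy.remediation_vlan, reasons
    return "allow", policy.access_vlan, []

POLICY = Policy(date(2007, 4, 10), 7, frozenset({"bearshare", "bittorrent"}))
TODAY = date(2007, 5, 8)

if __name__ == "__main__":
    laptops = {
        "compliant": Report(date(2007, 5, 1), True, date(2007, 5, 6)),
        "stale": Report(date(2007, 1, 9), True, date(2007, 3, 1)),
        "p2p": Report(date(2007, 5, 1), True, date(2007, 5, 6), {"BearShare"}),
    }
    for name, rep in laptops.items():
        print(name, evaluate(rep, POLICY, TODAY))
```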

