Security Basics mailing list archives

RE: Home laptops on a corporate network


From: "Scott Ramsdell" <Scott.Ramsdell () cellnet com>
Date: Mon, 14 May 2007 13:19:32 -0400

Additionally, a corporate asset taken home would likely have a VPN client installed.  The gateway can then check 
(through the client) that the laptop is still running anti-malware tools, that the tools are at the proper revision 
levels, and can require the client be used for all Internet communication.  Failing any of those checks, the gateway 
would not allow the connection.  The gateway will also check periodically that the conditions are still true, and if 
not, disconnect.

But, yes, to your first point, you would not open up a VPN connection for their personal home computer.  In that case, 
you would want to use terminal services or Citrix.

Kind Regards,
 
Scott Ramsdell
CISSP, CCNA, MCSE
Security Network Engineer
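
One way to model the gateway-side posture checks described above (anti-malware present and running, engine and signatures at or above a required revision, no split tunnelling, periodic re-check with disconnect on failure). This is an added example, not code from the thread or from any particular VPN product; the report fields, product names, version strings and policy values are assumptions chosen for illustration, and a real gateway would obtain the report from its client software rather than from constructed objects.

```python
"""Posture checks of the kind a VPN gateway can run through its client.

Added example, not code from the thread or from any VPN product. The
HostReport fields, the product name "CorpAV", the version strings and the
policy thresholds are all assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2007.5.14' -> (2007, 5, 14); malformed strings become (0,) so they fail."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return (0,)


@dataclass(frozen=True)
class PosturePolicy:
    approved_products: frozenset        # anti-malware products we accept
    min_engine: Version                 # minimum scanner engine version
    min_signatures: Version             # minimum signature set version
    require_full_tunnel: bool = True    # all Internet traffic must use the VPN


@dataclass(frozen=True)
class HostReport:
    """What the VPN client reports about the laptop (constructed sample data)."""
    product: str
    running: bool
    engine: str
    signatures: str
    split_tunnel: bool                  # True = some traffic bypasses the tunnel


def check_posture(report: HostReport, policy: PosturePolicy) -> List[str]:
    """Return the failed checks; an empty list means the host may connect."""
    failures = []
    if report.product not in policy.approved_products:
        failures.append(f"unapproved anti-malware product: {report.product!r}")
    if not report.running:
        failures.append("anti-malware service not running")
    if parse_version(report.engine) < policy.min_engine:
        failures.append(f"engine {report.engine} below minimum")
    if parse_version(report.signatures) < policy.min_signatures:
        failures.append(f"signatures {report.signatures} below minimum")
    if policy.require_full_tunnel and report.split_tunnel:
        failures.append("split tunnelling enabled")
    return failures


class GatewaySession:
    """One client's session: admit on a clean check, drop when a re-check fails."""

    def __init__(self, policy: PosturePolicy):
        self.policy = policy
        self.connected = False
        self.log: List[str] = []

    def handle(self, report: HostReport) -> bool:
        """Evaluate one report (initial connect or periodic re-check)."""
        failures = check_posture(report, self.policy)
        if failures:
            verb = "disconnected" if self.connected else "refused"
            self.connected = False
            self.log.append(f"{verb}: " + "; ".join(failures))
        else:
            verb = "re-checked" if self.connected else "admitted"
            self.connected = True
            self.log.append(f"{verb}: posture ok")
        return self.connected


# Assumed policy: one approved product, engine 8.0+, signatures from 2007.5.10 on.
POLICY = PosturePolicy(
    approved_products=frozenset({"CorpAV"}),
    min_engine=parse_version("8.0"),
    min_signatures=parse_version("2007.5.10"),
)

# Constructed sequence of reports from one laptop: a clean connect, a clean
# periodic re-check, then the user stops the scanner and the gateway drops them.
REPORTS = [
    HostReport("CorpAV", True, "8.1", "2007.5.14", split_tunnel=False),
    HostReport("CorpAV", True, "8.1", "2007.5.14", split_tunnel=False),
    HostReport("CorpAV", False, "8.1", "2007.5.14", split_tunnel=False),
]


def run_session(reports=REPORTS, policy=POLICY) -> List[str]:
    """Feed the reports through one session and return the gateway's decisions."""
    session = GatewaySession(policy)
    for r in reports:
        session.handle(r)
    return session.log


if __name__ == "__main__":
    for line in run_session():
        print(line)
```

The decisions come back as a list rather than only being printed, so the same evaluator can be driven by a scheduler that re-runs it at a fixed interval; the point of the periodic re-check is that a laptop which passed at connect time is dropped as soon as a later report fails any check.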


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Shawn
Sent: Friday, May 11, 2007 1:50 PM
To: marc
Cc: krymson () gmail com; security-basics () securityfocus com; security-basics-return-44327 () securityfocus com
Subject: RE: Home laptops on a corporate network

> Wouldn't a regular VPN just open for all kinds of badware they have on
> their home computer? And if you issue a work computer for them it will
> be used as their normal computer and probably be as infected as their
> home computer anyways.

No.

At least not if your company properly manages its laptops...our users' 
privileges are extremely, extremely restricted through group policy/local 
security settings. They can't web browse. They can't install any software/apps. 
They can't modify any system settings. They are not at all used in 
the same manner that the users' "normal" computers are. They do not pose 
nearly the same risk that the users' "normal" computers do.

Furthermore, users are required to bring their laptops into the office on 
a regular basis for virus scanning/WSUS patching.

Obviously, you can tailor your own company's group policy to suit your 
own specific needs.

Again, I don't think comparing company managed equipment to home equipment 
is a fair comparison at all if the company exercises any decent means of 
control.


On Fri, 11 May 2007, marc  wrote:

Sorry in advance for anything stupid. I'm still just a wannabe newbie in
security :)

Wouldn't a regular VPN just open for all kinds of badware they have on
their home computer? And if you issue a work computer for them it will
be used as their normal computer and probably be as infected as their
home computer anyways. Why not use a product that can be used with their
home computer but one that doesn't have to be installed? I have this USB
key I have been issued at work from this company.

http://www.giritech.com/

It's mighty fancy. It will allow me to connect to our Citrix server and
do my work without any risk of our Citrix server being infected by
anything on my work-issued laptop.

Disclaimer: I don't have any relations with Giritech; I'm just a happy user
of their product.

And sorry for spelling mistakes, non-native English speaker here. :)

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Shawn
Sent: 11 May 2007 19:06
To: krymson () gmail com
Cc: security-basics () securityfocus com;
security-basics-return-44327 () securityfocus com
Subject: RE: Home laptops on a corporate network

I take it assigning the users who need to work from home company
owned/managed laptops, and then providing VPN access to these laptops,
is just not an option?

Setting up -somewhat- secure access to the corporate network from a
staffer's home computer just seems like too much trouble and too much
risk for what you gain...it'd just be easier to buy/image/issue laptops.

On Fri, 11 May 2007, krymson () gmail com wrote:

If this scenario is an absolute must, even in the face of HIPAA (and
if this were my data, I'd be highly concerned about this company...),
then I do like having users VPN into an isolated network segment and
then connect to a Terminal Server to do their work.

However, not to throw monkeywrenches in, but this solution still does
nothing about keyloggers, screenscrapers, or even a full-blown screen
capture program running to record all this data. Even just one frame of
a doc open can be enough to spoil your HIPAA party depending on the data
these users have access to. Really, there's nothing you can do about
this other than disallowing their home systems.

You do have to pretend two things:
1) Assume you have the filthiest, most infected, worm-ridden home PC
ever connecting to your network.
2) Assume one of these workers will be wanting to sell this data or
maliciously gather and use it.

You can take action against 1, but you're not going to be able to
audit 2 unless you own the devices they are allowed to use.
