RE: How secure is VPN access?

[Matvei Kliuchnikov <matvei.kliuchnikov () gmail com>]

Quoth Cesar Diaz on 11/17/2004 8:38 AM:
> List,
>
> After years of having VPN access for our remote users without a single
> know security incident, my boss and I have to justify to her boss why
> VPN is secure.
>
> The CIO wants us to only allow users to access the network from
> company laptops, not from their own home computers.  We currently will
> allow users to install the VPN client software on their home computers
> to connect remotely, or they can use Citrix through SSL access to get
> to network resources.  His concern is that if a users home PC is
> compromised, that compromise can spread to our network.
>
> Is this a legitimate concern?  Can anyone point me in the direction of
> some documentation backing either argument?

Think about what VPN is. It's simply a way to cheaply and securely
connect remote sites. That's it. Once you're connected, you're
basically on the LAN. So any infection, viruses, etc. can be
transmitted just as easily (unless you've got a VLAN with further
firewalling between the two).

So, yes, letting users work from their personal systems *is* a
security risk, but there are ways to reduce that vulnerability.