RE: VPN and Security

["Nick Duda" <nduda () VistaPrint com>]

> Aside from what everyone else has said you need to consider the legal
> impacts as well.  If the home machine is owned by the employee then
you have
> few options.  Legally you can not install or force someone to comply
with
> your standards if you do not own the equipment.  You can of course
deny them
> access to the network, but for example, you can't tell the user that
they
> have to have xyz software/updates on their machine.  Since you don't
know
> what software is installed on their home computer you are pretty much
> opening yourself to a big potential bag of worms here.

If they are connecting to "your" VPN you "CAN" tell them what the need
to run. If they deny, no access...period. We tend to present VPN access
as a "perk" rather than "requirement". If you want to work from home, on
your own equipment then you "WILL" follow our rules, if not get a
company issued laptop/workstation.

With something like CCA, you don't have to worry so much about what the
user has installed but rather what they don't have installed or what
they are not doing. Good VPN ACL's and firewall filters will help
protect against the majority of malware that are on peoples home systems
that like to "phone home" and spread.

> If you go down this route I would also suggest you do split tunneling.
An
> employee can not get in trouble for surfing adult sites on their home
> computer if you force all their internet traffic through your Internet
pipe
> & filters/logging.  

With content filtering proxy servers you can enforce your corporate
infosec policies (which should detail acceptable use) via VPN. Again, if
your on my VPN you follow company infosec rules...having something like
CCA, Firewalls and content filtering proxies without using split
tunneling helps achieve this. When your done doing "work stuff"
disconnect from the VPN and go on with your porn browsing habits.

I don't think there are many legal what'ifs at all with VPN use. The
employee consents to the company's terms, and so long as those terms are
not illegal in itself then all is fair game. 


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Herb Steck
Sent: Tuesday, June 19, 2007 3:33 PM
To: security-basics () securityfocus com
Subject: RE: VPN and Security

Aside from what everyone else has said you need to consider the legal
impacts as well.  If the home machine is owned by the employee then you
have
few options.  Legally you can not install or force someone to comply
with
your standards if you do not own the equipment.  You can of course deny
them
access to the network, but for example, you can't tell the user that
they
have to have xyz software/updates on their machine.  Since you don't
know
what software is installed on their home computer you are pretty much
opening yourself to a big potential bag of worms here.

If you go down this route I would also suggest you do split tunneling.
An
employee can not get in trouble for surfing adult sites on their home
computer if you force all their internet traffic through your Internet
pipe
& filters/logging.  

Having employees work from home is a great idea.  There are some big
technical "what if's" as well as legal "what if's" that need to be
thought
out before going down this road.

Easiest solution is to do something like a web based citrix or similar.
Then you don't have to worry about the NAC side or legal side.

I didn't even touch on the licensing issues either, so if you're a
Microsoft
shop you need to look at the impact of this as well.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On
Behalf Of Michael J. Benedetto
Sent: Tuesday, June 19, 2007 11:07 AM
To: 'Murda Mcloud'; 'Sohail Sarwar'; 'Scott Ramsdell'; 'WALI';
security-basics () securityfocus com
Subject: RE: VPN and Security

There are also technologies like Cisco NAC (among others) that can check
and
enforce endpoint compliance with you standards (patch levels, antivirus,

etc.). That should help on the user side if you can't force them to use
a
company configured and maintained PC from outside the office.

-Mike 

> -----Original Message-----
> From: listbounce@securityfocuscom 
> [mailto:listbounce () securityfocus com] On Behalf Of Murda Mcloud
> Sent: Monday, June 18, 2007 9:00 PM
> To: 'Sohail Sarwar'; 'Scott Ramsdell'; 'WALI'; 
> security-basics () securityfocus com
> Subject: RE: VPN and Security
>
> VPN is as secure as how well it is implemented and used. 
> Also, the various encryption algorithms used determine how 
> secure it is. Like everything, it is as strong as the weakest 
> link and usually in this scenario that means the home user or 
> their PC.
>
> You're right about the two factor authentication. What were 
> you thinking of using-smart cards or similar?
>
> Giving home users the list of things they must have in 
> place(AV for example) is a good idea. Will you allow them to 
> split tunnel from their home connections or will they have to 
> come through the VPN connection to be able to browse so that 
> they can still go through your firewall/proxy etc?
> Second option is safer but prob slower. And how would you 
> control them when they're not on a VPN? 
> Depending on how far you want to go, you could specify that 
> they only use their laptop for the VPN and have no split and 
> then they can use their home pc for their own use.
>
>
>
> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com] On Behalf Of Sohail Sarwar
> Sent: Monday, June 18, 2007 11:08 PM
> To: Scott Ramsdell; WALI; security-basics () securityfocus com
> Subject: VPN and Security
>
> Hi there,
>
>       I just wanted to put this out there.  How secure is VPN.
> Meaning, if my users take home the client and install it on 
> their desktop at home, and connect to the corporate network 
> and production network, wheat are we really looking at.  Are 
> they secure or not.
>
>       Two factor authentication would only help the 
> authentication purpose and to protect the user name and password ?
>
>       How about restricting them to access, and how about 
> worrying about their home computer that can be effected.
>
>       Has anyone been through this.  Any one give home users 
> a list of requirements that they must have before vpn can be 
> offered to them ?
>
>       Should there be some type of desktop policy installed 
> on their home computer, just to protect the company network ? 
>  Any help and guidance would be great
>
> Regards,
> Sohail

---------------------
Confidentiality note
The information in this email and any attachment may contain confidential and proprietary information of VistaPrint 
and/or its affiliates and may be privileged or otherwise protected from disclosure. If you are not the intended 
recipient, you are hereby notified that any review, reliance or distribution by others or forwarding without express 
permission is strictly prohibited and may cause liability. In case you have received this message due to an error in 
transmission, please notify the sender immediately and delete this email and any attachment from your system.
---------------------