Re: Remote Access Policies

[Philip Webster <p.webster () QUT EDU AU>]

Matthew Gracie wrote on 16/07/2008 01:30 :
> Todd Bossaller wrote:
> > Does anyone have any policies or rules they would be willing to share
> > for remote access (VPN) to their instituion?  Are there any legal
> > policies/procedures I should be aware of?
>
> A big one for us when we started formalizing security policies was
> forbidding connection to the VPN from personally-owned computers. I
> didn't feel that the College had any right to enforce proper security
> policies on computers that we don't own, so now users who wish to use
> the VPN to work at home have to request a laptop from their department.
>
> It seems like a minor point, but it's astonishing how malware-infested
> the home computer of the average PhD is these days.

We had the same issue but took a different approach and forced all of
our VPN connections through an IPS.  This immediately reduced the amount
of malicious traffic we were seeing, and over time has shown us that
security of home PCs does seem to be improving.

We also get an indication of the effectiveness of some of our awareness
campaigns - e.g. we saw a dramatic reduction in detections on the IPS
just after we first gave away free AV software to students.

Phil

--
Philip Webster, IT Security Engineer
Queensland University of Technology