Thread: I'm worried - should I be

  1. #1
    Junior Member
    Join Date
    Nov 2002
    Posts
    3

    I'm worried - should I be

    Hi

    Our office has several staff who "link in" from home. They connect via their router and ISDN link (basically a PPP setup) directly onto our DMZ and then our firewall allows them to access various features on the network - e.g. mail and several of the applications that run on various servers (firewall rules using specific IP addresses and ports in an attempt to tie things down as tightly as possible). This I am happy with as their PCs are not connected to anything else.

    However it has been brought to my attention that one person has created a home LAN, whereby their PC (which they use to connect to our office network) is also connected locally to his home LAN, along with his kids' PCs. Now this home LAN also has access to the Internet - and no firewall or virus protection. I was informed that they thought this would be OK as the PC that links to the office is using one class C address, whilst the kids' PCs are using a different class. I am concerned that if one of the kids' PCs gets compromised via the Internet then the hacker could by whatever means get onto the trusted PC and then onto our office network.

    Am I being paranoid or have I a good reason for concern?

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    I don't imagine this is any more serious than any of your staff machines being connected to the internet. I expect that your staff do connect to the internet from their home machines, and not all of them necessarily take the precautions you might want.

    If the company is really serious about it, it will buy all the homeworkers a box each for accessing the company intranet from home, and forbid them to connect it to the internet or any other machines.

  3. #3
    Junior Member
    Join Date
    Nov 2002
    Posts
    3
    Thanks for your reply

    I was trying to convey that the other remote staff PCs were connected only to our network. We have designed their routers only to call our office ISDN number and therefore they do not connect to the Internet. This one user is the only one who is our "weak" link, with the kids' PCs using an ADSL link to the big wide world.

    Helen

  4. #4
    You should check that there are not any shared user accounts on the two machines, i.e. the kids' machine has had a login created to access files on the PC you have provided and vice versa.

    I assume that the company PCs you have provided have anti-virus protection on them.

    I agree with slarty; it is quite possible that other staff do connect their PC to the Internet. Remote workers sometimes see company machines as their own and act accordingly.

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    It's really rather simple....

    Our policy is that if you have a high speed connection at home you purchase a hardware firewall and bring it to us to set up. If you don't then you don't get access from home and you have to come into work every time you need to work.

    We realised some time ago that for all the work we put into securing our systems it is a bit of a waste if you have a bunch of potential back doors and decided that we had to slam them shut. High speed, always on connections with (semi)permanent IP's in the hands of normal users are just too dangerous.

    Yes, yes.... I know.... They could still D/L and install any number of RATs etc. but at least the "front door" isn't wide open with an "Enter Here" sign in neon for the world to see. We also monitor and log all connections from each individual. It becomes quite easy to see their work patterns (you know - Joe gets up at 6 a.m., gets a coffee and checks his email, but Sue checks it last thing at night before she goes to bed), so when Sue logs in at 7:00 a.m. you just make a quick phone call to confirm that it was actually her - if it wasn't, both she and you have a teeny problem..... and she should be bringing her box to you immediately.

    In your case the policy should be that that machine is either permanently disconnected from the home network _or_ the network will be protected by a firewall set up by you. Forcing them to have it set up by you avoids the liars - if they have to bring it to you then they have to buy it..... Once they've spent their cold hard cash on it they will put it in place......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
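The per-user login-pattern check described in the post above (learning when each homeworker normally connects, then querying a login that does not fit) can be automated from the connection logs. The following is an added example, not code from this thread or from the poster's site; the log format, user names and timestamps are constructed for illustration, and the assumption that a user's habitual window does not straddle midnight is noted in the code.

```python
"""Flag remote-access logins that fall outside a user's usual time of day.

Added example, not code from the forum thread. The log format
"<ISO timestamp> <user> <action>" and all sample records are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records, one per line. Joe connects around 06:00,
# Sue around 23:00; Sue's 07:00 login on the 8th is the odd one out.
SAMPLE_LOG = """\
2002-11-04T06:05:12 joe connect
2002-11-05T06:02:41 joe connect
2002-11-06T06:11:03 joe connect
2002-11-07T05:58:30 joe connect
2002-11-04T22:40:15 sue connect
2002-11-05T22:55:02 sue connect
2002-11-06T23:05:44 sue connect
2002-11-07T22:48:09 sue connect
2002-11-08T07:00:27 sue connect
2002-11-08T06:03:55 joe disconnect
not a log line at all
"""


def parse_log(text):
    """Return [(user, datetime)] for every well-formed 'connect' record."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "connect":
            continue  # disconnects and malformed lines are ignored
        try:
            records.append((parts[1], datetime.fromisoformat(parts[0])))
        except ValueError:
            continue  # unparseable timestamp
    return records


def hour_of_day(ts):
    """Time of day as a fractional hour, e.g. 06:30:00 -> 6.5."""
    return ts.hour + ts.minute / 60 + ts.second / 3600


def circular_distance(a, b):
    """Hours between two times of day on a 24h clock (23:00 vs 01:00 -> 2)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def build_baseline(records, min_samples=3):
    """Per-user median login hour.

    The median is used so that a single odd login does not drag the
    baseline towards itself. Users with too little history get no
    baseline and are never flagged. Assumption: a user's habitual window
    does not straddle midnight (a plain median would misbehave there).
    """
    hours = defaultdict(list)
    for user, ts in records:
        hours[user].append(hour_of_day(ts))
    return {u: median(h) for u, h in hours.items() if len(h) >= min_samples}


def flag_unusual_logins(text, window_hours=3.0):
    """Return [(user, iso_timestamp)] for logins more than window_hours
    away from that user's median login time."""
    records = parse_log(text)
    baseline = build_baseline(records)
    flagged = []
    for user, ts in records:
        if user not in baseline:
            continue
        if circular_distance(hour_of_day(ts), baseline[user]) > window_hours:
            flagged.append((user, ts.isoformat()))
    return flagged


if __name__ == "__main__":
    for user, when in flag_unusual_logins(SAMPLE_LOG):
        print(f"confirm with {user}: login at {when} is outside their usual window")
```

Running it on the sample prints one line for Sue's 07:00 login; Joe's logins all sit within a few minutes of his median and pass. The output is a prompt for the phone call the post describes, not an automatic block: a flagged login is unusual, not necessarily hostile.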

  6. #6
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    I believe there are also solutions out there for software firewalls that allow the software to be "pushed" and updated across the net as they connect. This way, you can configure and update policies, as well as gather some statistics on their connections/traffic. We were actually looking at a solution of this nature involving Zone Alarm. Some VPN servers support this feature also.
    Opinions are like holes - everybody's got 'em.

  7. #7
    Senior Member
    Join Date
    Apr 2002
    Posts
    380
    My question is why does the kids' machine need to be connected to the machine that connects to your network in the first place, if it has its own Internet access? It seems to me that employee of yours must use the LAN to access the Internet; otherwise I see no purpose in connecting it to the LAN.

    In my humble opinion, the risks are minimal since access to your company's network must be protected with a login and password for sure?!?! Unless your employee stores that login / password on his computer, even if his machine was compromised and a cracker took control of it, the cracker still wouldn't have access to your network. Of course, he would have access to the files your employee has downloaded to his HD though...

    I think the best solution is to have that LAN disconnected, since that machine is clearly not supposed to access the Internet. The risk is minimal but still there...
    Scorp666, the Infamous Orgasmatron

  8. #8
    Senior Member
    Join Date
    Apr 2002
    Posts
    126
    Well, I for one think you're right to be worried. (Add this to the good advice from tiger shark.)

    Disagree with me y'all, but if I had an external user who is dialling in, I would make damned sure that the machine was mine, and that the user was told that it was a disciplinary offence to connect the machine to any network other than the corporate WAN.

    My reasoning ....

    1. There are plenty of trojans with key loggers; that, and a little social engineering, and you have a breeding ground for an access violation.

    2. Add to this, if the machine ever comes in for support, what the hell is on the HDD of the machine? (Viruses / trojans etc.)

    I use one of MY machines to connect to the works WAN, but it has caddy-based HDDs, and the one I use for work is used for NOTHING ELSE.

    In conclusion ...

    Ban any NON-corporate machines from access (either through written policy, or through IP/MAC address banning).

    Ban home users from installing ANYTHING on the homeworking kit, and back this up by using at least NT/Linux/UNIX and locking the things down.

    Audit the home machines on a regular basis, and at least poke offenders in the eye.

    Think about using at least challenge/response tokens for network authentication.

    Do not rely solely on the antivirus, unless you like cleaning up after infections.
