November 6th, 2002, 12:10 PM
I'm worried - should I be?
Our office has several staff who "link in" from home. They connect via their router and ISDN link (basically a PPP setup) directly onto our DMZ, and then our firewall allows them to access various features on the network, e.g. mail and several of the applications that run on various servers (firewall rules using specific IP addresses and ports in an attempt to tie things down as tightly as possible). This I am happy with, as their PCs are not connected to anything else.
However, it has been brought to my attention that one person has created a home LAN, whereby their PC (which they use to connect to our office network) is also connected locally to his home LAN, along with his kids' PCs. Now this home LAN also has access to the Internet - and no firewall or virus protection. I was informed that they thought this would be OK as the PC that links to the office is using one class C address, whilst the kids' PCs are using a different class. I am concerned that if one of the kids' PCs gets compromised via the Internet, then the hacker could by whatever means get onto the trusted PC and then onto our office network.
Am I being paranoid, or have I a good reason for concern?
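To make the setup in the question concrete, here is a small model of it (an added example, not part of the original post; every address, rule and host name in it is a constructed assumption). It models the office firewall as rules keyed on the dial-in PC's address and port, the home PC as a host with one address in each "class C", and shows what the firewall can and cannot distinguish.

```python
"""Model of the dial-in setup from the thread: an office firewall that
permits only the dial-in PC's address to specific servers/ports, and a
home PC that sits on both the office link and the kids' home LAN.
Added example; all addresses, rules and names are constructed assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_net: str   # CIDR the source address must fall in
    dst_host: str  # exact destination server
    dport: int     # exact destination port


# Assumed: the dial-in PC's address on the ISDN/office side.
DIALIN_PC = "192.168.1.10"

# Assumed office firewall ruleset: only the dial-in PC, only to the mail
# server and one application server, only on the ports those services use.
OFFICE_RULES = [
    Rule(DIALIN_PC + "/32", "10.0.0.25", 25),     # mail
    Rule(DIALIN_PC + "/32", "10.0.0.40", 1521),   # application server
]


def firewall_allows(pkt, rules=OFFICE_RULES):
    """Default deny: a packet passes only if some rule matches src, dst and port."""
    src = ipaddress.ip_address(pkt.src)
    for r in rules:
        if (src in ipaddress.ip_network(r.src_net)
                and pkt.dst == r.dst_host
                and pkt.dport == r.dport):
            return True
    return False


# Assumed interfaces on the home PC: one "class C" towards the office,
# a different one on the kids' LAN.
HOME_PC_INTERFACES = {
    "isdn0": "192.168.1.10/24",   # office side
    "eth0": "192.168.2.1/24",     # home LAN side
}
KIDS_PC = "192.168.2.50"          # assumed kids' machine on the home LAN


def networks_of(interfaces):
    return {ipaddress.ip_interface(a).network for a in interfaces.values()}


def is_dual_homed(interfaces):
    """True when one host holds addresses in more than one network.
    Such a host is reachable from both networks; the networks being
    different 'classes' does not separate them."""
    return len(networks_of(interfaces)) > 1


def relay_through(pkt, relay_addr):
    """What the office firewall sees if the kids' traffic is carried via the
    trusted PC (a proxy, NAT, or simply an interactive session on it):
    the source address becomes the trusted PC's own address."""
    return Packet(relay_addr, pkt.dst, pkt.dport)


def scenario():
    """Returns (kids_direct, kids_relayed, dial_in_to_unlisted_port)."""
    direct = Packet(KIDS_PC, "10.0.0.25", 25)
    relayed = relay_through(direct, DIALIN_PC)
    off_policy = Packet(DIALIN_PC, "10.0.0.40", 23)   # telnet, not permitted
    return (firewall_allows(direct), firewall_allows(relayed),
            firewall_allows(off_policy))


if __name__ == "__main__":
    print("dual-homed:", is_dual_homed(HOME_PC_INTERFACES))
    print("kids direct / kids via trusted PC / dial-in off-policy:", scenario())
```

The per-address, per-port rules do exactly what the question says: a packet sourced from the kids' subnet, or from the dial-in PC to a port not on the list, is dropped. What the rules cannot do is tell traffic the user originated on the trusted PC apart from traffic relayed through it, because both arrive from the same address; that is the path the question is worried about.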
November 6th, 2002, 12:22 PM
I don't imagine this is any more serious than any of your staff machines being connected to the internet. I expect that your staff do connect to the internet from their home machines, and not all of them necessarily take the precautions you might want.
If the company is really serious about it, it will buy all the homeworkers a box each for accessing the company intranet from home, and forbid them to connect it to the internet or any other machines.
November 6th, 2002, 12:42 PM
Thanks for your reply
I was trying to convey that the other remote staff PCs were connected only to our network. We have designed their routers only to call our office ISDN number and therefore they do not connect to the Internet. This one user is the only one who is our "weak" link, with the kids' PCs using an ADSL link to the big wide world.
November 6th, 2002, 12:42 PM
You should check that there are not any shared user accounts on the two machines, i.e. the kids' machine has had a login created to access files on the PC you have provided, and vice versa.
I assume that the company PCs you have provided have anti-virus protection on them.
I agree with slarty; it is quite possible that other staff do connect their PC to the Internet. Remote workers sometimes see company machines as their own and act accordingly.
November 6th, 2002, 02:26 PM
November 10th, 2002, 06:32 PM
I believe there are also solutions out there for software firewalls that allow the software to be "pushed" and updated across the net as they connect. This way, you can configure and update policies, as well as gather some statistics on their connections/traffic. We were actually looking at a solution of this nature involving Zone Alarm. Some VPN servers support this feature also.
Opinions are like holes - everybody's got 'em.
November 10th, 2002, 07:38 PM
November 23rd, 2002, 02:10 AM
Well I for one think you're right to be worried. (add this to the good advice from tiger shark)
Disagree with me y'all, but if I had an external user who is dialing in, I would make damned sure that the machine was mine, and that the user was told that it was a disciplinary offence to connect the machine to any network other than the corporate WAN.
My reasoning ....
1. There are plenty of trojans with key loggers; that, and a little social engineering, and you have a breeding ground for an access violation.
2. Add to this, if the machine ever comes in for support, what the hell is on the HDD of the machine? (Viruses / Trojans etc.)
I use one of MY machines to connect to the works WAN, but it has caddy based HDDs, and the one I use for work, is used for NOTHING ELSE.
In conclusion ...
Ban any NON-corporate machines from access (either through written policy, or through IP/MAC address banning).
Ban home users from installing ANYTHING on the homeworking kit, and back this up by using at least NT/Linux/UNIX, and locking the things down.
Audit the home machines on a regular basis, and at least poke offenders in the eye.
Think about using at least challenge/response tokens for network authentication.
Do not rely solely on the antivirus, unless you like cleaning up after infections.
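The post's first reason (key-logging trojans) and its recommendation of challenge/response tokens fit together: a response computed over a fresh server challenge is useless to whoever captured it. Below is an added example (not from the poster, and not any particular vendor's token scheme) showing both sides of such an exchange with HMAC-SHA256 over a single-use random nonce, and what happens when a captured response is replayed. The shared token secret and the user name are constructed assumptions.

```python
"""Challenge/response authentication with a single-use nonce, and a replay
attempt using a captured response.  Added example; the shared secret,
user name and key-logger scenario are constructed assumptions."""
import hashlib
import hmac
import os

# Assumed: per-user secret shared between the token and the server
# (in a hardware token this never leaves the device).
USER_SECRETS = {
    "alice": bytes.fromhex("1f8b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9"),
}


class Server:
    """Issues one outstanding challenge per user and verifies the reply."""

    def __init__(self, secrets_db):
        self.db = secrets_db
        self.outstanding = {}   # user -> nonce awaiting a response

    def challenge(self, user):
        nonce = os.urandom(16)  # fresh per attempt; never reused
        self.outstanding[user] = nonce
        return nonce

    def verify(self, user, response):
        # pop(): a challenge is consumed by the first answer, right or wrong
        nonce = self.outstanding.pop(user, None)
        if nonce is None or user not in self.db:
            return False
        expected = hmac.new(self.db[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def token_respond(secret, nonce):
    """What the user's token computes from the displayed challenge."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def demo_replay():
    """Returns (first_login_ok, replay_ok, unsolicited_ok).

    Models a key logger that captures the response typed for one login and
    the attacker presenting it again for a later challenge."""
    srv = Server(USER_SECRETS)

    n1 = srv.challenge("alice")
    r1 = token_respond(USER_SECRETS["alice"], n1)   # captured by the key logger
    first_login_ok = srv.verify("alice", r1)

    srv.challenge("alice")                           # attacker's own attempt
    replay_ok = srv.verify("alice", r1)              # replay of the captured reply

    unsolicited_ok = srv.verify("alice", r1)         # no challenge outstanding
    return first_login_ok, replay_ok, unsolicited_ok


if __name__ == "__main__":
    print("first login / replay / unsolicited:", demo_replay())
```

Compare this with a static password, where the captured keystrokes are the credential: here the captured bytes answer only the challenge they were computed for, and the server has already consumed that challenge. The scheme still relies on the token secret itself not being extractable from the user's machine, which is why the post wants the secret in a token rather than on the PC.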