working from home

[ghostmachine]

hi
i would like to here some views/opinions/advice from the experts here regarding
working from home. How do you ensure that when a staff logs into the office network
using any VPNs , the office servers will check that the staff's own home PC is updated with the latest patches and AV updates, if not , he/she is disallowed to use the connection ?
What are some of the solutions in the market that provide this?
thanks

[tenzenryu]

Hi

the following guidance from Microsoft is quite useful generally (as well as covering their product specifics).

http://www.microsoft.com/technet/sec.../vppgch01.mspx

The following google search also turns up useful material

intext:VPN.quarantine

While this material covers electronic security, you should also ensure that staff clearly understand the 'people' side of working from home.

1. Equipment, documentation and media should be securely locked away when not in use.
2. Disks holding sensitive material should be encrypted.
3. The computers should be locked down and the ability to download and/or install either prevented or severely limited. Netnanny and childlock software are available on the market for these purposes.
4. The computers should be inspected manually on a regular basis.
5. IMO wireless functionality should be disabled unless required for business purposes.
6. Family members should not be allowed to use work computers.
7. Work should not be done on family computers either (unless you want to take responsibility for the security of those computers).
8. Employees should not advertise that they work from home nor show off their kit to the neighbours.
9. The company's insurance policy should extend to mobile and home use of equipment.
10. The company should consider paying for additional security to staff homes where sensitive material is held.

[Katja]

When people are working from home, I guess you have to consider whom owns the computer that these persons are using at home! If this computer is owned by the company, you could technically do with it as what you'd be doing with any other company system, including restricting the users access rights by turning them into users instead of administrators.
If they have some technical problems with their system, all they would have to do is bring it to the office. And as you guessed, such systems would often be laptops.

But if the home-worker is the owner of this computer then anything you -as a company- install on their system could be seen as a violation of their privacy. And you can't force them to but the AV software the company is using, nor can you force them to keep it up-to-date. Basically, you will have to assume that these users are just unsafe and thus scan all traffic between their systems and the company servers. And if the user sends a virus or is sending spam, then this connection to this user should be blocked immediately.
But you don't have any rights to force these people to install anything you like on their system. You even have to be careful with that because if e.g. you update their AV software, you could end up with license problems since your corporate license will probably only apply to company computers, and not the systems used by these home-workers.

So basically, give these people a company laptop, make sure they only have user access to it unless they absolutely need administrator rights and make sure these users sign a contract where they accept the responsibilities for using company resources at home. (E.g., they make sure it won't be stolen and prevent others -kids- from having access to anything on that system.) This would basically be the only way to control the systems that the people use at home. Don't let them use their personal computers for official company tasks unless you really trust these people.

[zencoder]

Check Point offers a large suite of VPN products, and I believe they now have some policy enforcement solutions as well. StillSecure is a new software company that also offers products to enforce policy based on these sorts of criteria, and they look to have a huge amount of potential.

Personally, I think you are making a grave mistake, allowing computers that are NOT company owned assets to connect to the network via VPN tunnel. You can buy all the software you want to try and enforce policy, but there are ways to counter that (or try to). Plus, you have no idea what they have been doing with their home PC's; you could be opening the gateway to trojans, worms, malware, virii, p2p traffic, etc ad naseum.

A better option is often to use a secure application gateway to provide access to specific resources (Citrix is the main provider of the software to do this, but there are others, I'm sure.) VPN is not the best option, most of the time; however, it is difficult to get non-security management to realize the risk vs. benefit, and many organizations end up spending a lot of money to give VPN access to many people who really don't require it.