Rethink Remote Access Policy: Travis Fisher’s Advice
of <a href="http://www.inacom-sby.com/">Inacom Information Systems</a> in Salisbury, MD, specializing in developing strong, secure, reliable networks for Delmarva organizations.
I'd like to discuss something that isn't necessarily policy-centric, but needs to be addressed during implementation. One thing that isn't well discussed at this point is who owns the computer during the remote connection and how it is used.
All too often, I see organizations that want remote access, but they do not understand the vulnerabilities that exist when you let an uncontrolled device VPN into your network. Once connected, that device is behind any access controls and security devices that you have in place. If it's a shared family PC, you open yourself up to all the threats encountered when people use it to browse sites that are inappropriate for the workplace.
If you are going to let remote users connect via VPN, you should have a Network Access Control (NAC) solution in place. This will make sure that the device conforms to your security policies.
The general idea is to mitigate the risks associated with granting network access to different classes of users or even to devices that are not directly under the company's control. It's going to be up to the network administrator to deploy and configure a NAC solution based upon the needs and resources of their organization.
Common policies that NAC enforces include checking that the device has a current antivirus definition and scan, validating that the device is a part of the network, and granting appropriate resources for the user. In the event that the remote connection request is not in compliance, the device and user are quarantined until the problems can be resolved (e.g., a new AV definition or missing patches can be sent to the device). The overall goal is to meet any security or regulatory needs in a way that minimizes risk given the amount of management resources available to the administrator.
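The admission decision described above, sketched as an added example (not from the original article or any NAC product). The device IDs, group names, age thresholds and network labels are constructed assumptions; a missing posture value is treated as non-compliant so the check fails closed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed policy values for illustration only (assumptions, not from the article).
MAX_AV_DEFINITION_AGE = timedelta(days=3)
MAX_SCAN_AGE = timedelta(days=7)
KNOWN_DEVICES = {"LT-0042", "LT-0077"}            # company-managed inventory
GROUP_RESOURCES = {"finance": ["erp", "file-share"],
                   "engineering": ["git", "build"]}

@dataclass
class Posture:
    """What the endpoint reports when it requests a VPN connection."""
    device_id: str
    user_group: str                      # taken from the authenticated user
    av_definitions: Optional[datetime]   # None = agent could not report it
    last_scan: Optional[datetime]
    missing_patches: int

def too_old(stamp: Optional[datetime], limit: timedelta, now: datetime) -> bool:
    # Fail closed: an unreported timestamp counts as out of date.
    return stamp is None or now - stamp > limit

def evaluate(p: Posture, now: datetime) -> dict:
    """Return the network placement, resources and remediation list."""
    remediation = []
    if p.device_id not in KNOWN_DEVICES:
        remediation.append("validate device against inventory")
    if too_old(p.av_definitions, MAX_AV_DEFINITION_AGE, now):
        remediation.append("push current AV definitions")
    if too_old(p.last_scan, MAX_SCAN_AGE, now):
        remediation.append("run AV scan")
    if p.missing_patches > 0:
        remediation.append(f"install {p.missing_patches} missing patches")
    if remediation:
        # Non-compliant: quarantine with no internal resources until fixed.
        return {"network": "quarantine", "resources": [],
                "remediation": remediation}
    # Compliant: grant only the resources mapped to the user's group;
    # an unmapped group gets nothing (default deny).
    return {"network": "corporate",
            "resources": GROUP_RESOURCES.get(p.user_group, []),
            "remediation": []}
```

The posture values are self-reported by the endpoint, so a real deployment would pair this decision with an agent or server-side check the user cannot edit.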