Security Basics mailing list archives
Re: How secure is VPN access?
From: GuidoZ <uberguidoz () gmail com>
Date: Fri, 19 Nov 2004 04:28:35 +0000
While Dave has brought up a good point - there is another side to it. It depends on how well the company provided laptops are treated. I've consulted for many organizations that hardly do a thing to ensure company laptops have up-to-date AV/spyware solutions. The majority have never seen Windows Update once. In the case of a home PC, it's not to say that it's much better, although frequently people will have a friend who can help on a home PC. Some corporate laptops are pretty locked down so the same friend couldn't install a security patch, leaving that laptop open to more threats then a home PC. Moral is - it's best to contain as much control as possible internally while allowing as much control externally as needed for the employee to do their job. No matter if you don't allow home PCs or not, having remote access poses a risk. Properly controlling that risk (internally) is your best bet, and if done properly, then it wouldn't matter as much if the end user was signing in from the corporate laptop or their home PC. Just another side to think about. The actual answer would depend on the situation, though in my experience I've found that most companies do not allow users to sign in from Home PCs. (Reasons range from ignorance to classified security guidelines.) -- Peace. ~G On Thu, 18 Nov 2004 00:11:58 -0500, dave kleiman <dave () isecureu com> wrote:
Cesar, Would allow a user to bring their home computer to the office, and just hand them an IP and allow them full network access? Do your users have access to network resources through the VPN? They can spread viruses, Trojans etc. to the network from the VPN. No, you definitely should not let home computers access the VPN, you should have complete control of the systems that do access via VPN and keep them up-to-date, etc. Citrix is a different story, as long as you restrict drive and port redirection, it can be a "better-controlled" situation. ______________________________________ Dave Kleiman, CISSP, CISM, CIFI, MCSE www.SecurityBreachResponse.com -----Original Message----- From: Cesar Diaz [mailto:cdiaz00 () gmail com] Sent: Wednesday, November 17, 2004 11:39 To: security-basics () securityfocus com Subject: How secure is VPN access? List, After years of having VPN access for our remote users without a single know security incident, my boss and I have to justify to her boss why VPN is secure. The CIO wants us to only allow users to access the network from company laptops, not from their own home computers. We currently will allow users to install the VPN client software on their home computers to connect remotely, or they can use Citrix through SSL access to get to network resources. His concern is that if a users home PC is compromised, that compromise can spread to our network. Is this a legitimate concern? Can anyone point me in the direction of some documentation backing either argument? Thanks in advance for any help. C
Current thread:
- How secure is VPN access? Cesar Diaz (Nov 17)
- RE: How secure is VPN access? dave kleiman (Nov 18)
- Re: How secure is VPN access? Jimi Thompson (Nov 19)
- Re: How secure is VPN access? GuidoZ (Nov 19)
- RE: How secure is VPN access? David Gillett (Nov 18)
- Re: How secure is VPN access? Nathaniel Hall (Nov 19)
- <Possible follow-ups>
- RE: How secure is VPN access? Alsobrook, Taylor (C.) (Nov 18)
- RE: How secure is VPN access? Matvei Kliuchnikov (Nov 18)
- Re: How secure is VPN access? K. K. Mookhey (Nov 22)
- RE: How secure is VPN access? Javier Otero De Alba (Nov 18)
- Re: How secure is VPN access? Jonathan Loh (Nov 19)
- How secure is VPN access? Hayden Searle (Nov 19)
- FW: How secure is VPN access? Stephane Auger (Nov 19)
- RE: How secure is VPN access? dave kleiman (Nov 18)