Security Basics mailing list archives

RE: Remote Access for Home Computers


From: "Dan Tesch" <dan.tesch () comcast net>
Date: Sat, 27 Aug 2005 08:39:47 -0500


I allow VPN access to my networks but only allow port 3389 for users
to access their own desktops - policies that apply while they are at
their desks still apply and I have not heard of any viri working over
3389 *yet* but I guess that is what defense in depth is for?


On 24/08/05 01:19 -0000, nick_hunt () mascohq com wrote:
Hello all

I have been getting asked a lot lately about the possibility of 
letting users access corporate resources with their home computers via 
SSL VPN that has NAC features on it.  I keep on fighting it, mostly 
because I think it will cause a lot of support calls, but more 
importantly because I am afraid of the possible vulnerabilities of 
allowing un-managed machines access to our network.  I was wondering 
if anyone knew of any statistics or good articles on the letting users 
access corporate data with their home machines.

Would the recent examples of _corporate_ laptops roaming around the world
before returning to the corporate network and bringing it down not be
sufficient?

Home machines are generally less secure than corporate systems, and they
definitely follow different security policies.


The security implications that I am most worried about are:
1) worm propagation: afraid an infected machine will allow a worm onto 
our network.  Even though the SSL VPN does a check to see if AV is 
running and defs are up to date, and also does not give an IP on our 
network, there is the possibility of users uploading infected files to 
websites or network shares.

And a new virus/worm coming out for which your A/V vendor does not have a
signature blows all the checks out of the water.

A VPN is simply an extension of your corporate network. If you allow access
to file shares, you are allowing unknown hosts into your trusted network. I
would not normally allow a VPN into my systems unless I trust the
administrators of those hosts.

Devdas Bhagat

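The "only port 3389 to their own desktop" restriction Dan describes, written out as an added example that is not code from the thread: a gateway policy that maps each VPN client address to one desktop, permits only RDP to that host, and default-denies everything else from the VPN interface. The interface name, addresses and the client-to-desktop mapping are constructed placeholders.

```shell
#!/bin/sh
# Added example: per-user VPN-to-desktop RDP restriction as iptables rules.
# All addresses and the mapping below are constructed placeholders.

VPN_IF="tun0"            # assumed VPN interface on the gateway
# vpn client address=that user's own desktop address
VPN_MAP="10.8.0.11=192.168.1.21
10.8.0.12=192.168.1.22"

# Print the desktop assigned to a VPN client address; prints nothing if unmapped.
desktop_for() {
    printf '%s\n' "$VPN_MAP" | awk -F= -v c="$1" '$1 == c { print $2 }'
}

# Policy decision for one flow (src dst proto dport): the only thing a VPN
# client may reach is TCP/3389 on its own desktop. Prints ACCEPT or DROP.
decide() {
    [ "$3" = "tcp" ] && [ "$4" = "3389" ] && [ "$(desktop_for "$1")" = "$2" ] \
        && echo ACCEPT || echo DROP
}

# Emit the iptables FORWARD rules that enforce the same decision on the
# gateway. Replies to accepted sessions are allowed statefully; the final
# rule drops all other traffic arriving from the VPN interface, so a client
# that passed the posture check still cannot reach file shares or other hosts.
gen_rules() {
    echo "iptables -A FORWARD -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$VPN_MAP" | while IFS='=' read -r client desktop; do
        [ -n "$client" ] || continue
        echo "iptables -A FORWARD -i $VPN_IF -s $client -d $desktop -p tcp --dport 3389 -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $VPN_IF -j DROP"
}

gen_rules
```

The script only prints the rules; pipe it to `sh` on the gateway once the mapping reflects the real VPN address pool.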