Security Basics mailing list archives
RE: Home laptops on a corporate network
From: "Petter Bruland" <pbruland () fcglv com>
Date: Wed, 9 May 2007 13:07:05 -0700
Sounds like a good idea, but there are security vulnerabilities with VMWare. Not sure if any current malware/spyware/virus takes advantage of these flaws though. Also, how the OS within the VMWare image is configured has a great deal to do with how secure it is. Sounds like it would be hard to maintain these VMs and make sure that they are *clean*.

One way that sounds easier to configure and maintain is setting up a VLAN X where the VPN clients connect, then only allow RDC via port XXXX to VLAN Y where they can access either a Terminal Server or their office PC. And have some nice filtering set up between the VLANs, such as a Sonicwall, Cisco, Barracuda etc.

A lot of good ideas and questions have been posted here, but nobody has mentioned anything about two-factor authentication or password management in combination with remote access. Assuming you have a pretty good setup, where the clients are checked before entering the network as well as filters to prevent all sorts of *bad* things from happening, with weak passwords or a poor password policy you could have users accessing the network who should not be there.

Seems that if you're HIPAA/SOC, you should not have remote access :-(

-Petter

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Yousef Syed
Sent: Tuesday, May 08, 2007 4:35 PM
To: security-basics () securityfocus com
Subject: Re: Home laptops on a corporate network

Just wondering... But is it possible to set up a locked-down VMWare image for external laptop users to use if they really, really need access to your corporate network (a small subsection of the network inside its own DMZ specifically designed to share data)?

Personally, I can't think of a reason why an external laptop (or USB drive for that matter) would need access to the internal corporate network anyway. They can be provided with separate access to get onto the internet from a segmented system that has no access to the internal system.

ys

On 08/05/07, Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net> wrote:

On 2007-05-08 christopherkelley () hotmail com wrote:

I'd recommend NOT doing this. Especially if you are trying to comply with HIPAA. Keep in mind that you will have little to no management capability over these personal laptops, which means you have no ability to verify patch level and AV updates on these machines that may have EPHI on them. Not to mention the fact that these employees are probably taking them home and plugging them into their home networks, where they (or their kids) are running BearShare, Gnutella, Grokster, BitTorrent, and surfing to unfiltered web sites. Not only does this mean that they are potentially exposing critical data in this manner, it also means they are bringing potentially infested computers into the soft chewy center of your network. Whenever you have an employee with a laptop, you create a liability to your network; allowing them to use personal laptops presents an even bigger liability. IMHO, this level of risk is unacceptable, especially from a HIPAA compliance standpoint.

I wholeheartedly second that recommendation. Allowing corporate data on private computers (or private computers on a corporate network) is a bad, BAD practice. Never EVER do that. You really want to do the exact opposite: establish a policy that *prohibits* employees from transferring corporate data to private computers, and have it signed by each employee.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq

--
Yousef Syed
"To ask a question is to show ignorance; not to ask a question, means you remain ignorant" - Japanese Proverb
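The VLAN X / VLAN Y filter that Petter sketches above (VPN clients may reach only RDP on the terminal-server VLAN, everything else is dropped) modelled as an added example; this is not code from the thread or from any of the posters. The addressing (10.10.0.0/24 for the VPN VLAN, 10.20.0.0/24 for the terminal-server VLAN) and the non-default RDP port 33890 standing in for the post's "port XXXX" are assumptions. The point it shows is the audit: a first-match rule base with an explicit default deny exposes exactly one port in one direction, while the common shortcut "allow VPN users into VLAN Y" silently exposes SMB/RPC on the same hosts.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Assumed addressing (not given in the post): VLAN X holds the VPN
# clients, VLAN Y holds the Terminal Server / office PCs, and RDP listens
# on a hypothetical non-default port standing in for "port XXXX".
VLAN_X_VPN: IPv4Network = ip_network("10.10.0.0/24")
VLAN_Y_TS: IPv4Network = ip_network("10.20.0.0/24")
ANY: IPv4Network = ip_network("0.0.0.0/0")
RDP_PORT = 33890


@dataclass(frozen=True)
class Flow:
    """One connection attempt as the inter-VLAN filter would see it."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_net: IPv4Network
    dst_net: IPv4Network
    proto: Optional[str]   # None = any protocol
    dport: Optional[int]   # None = any destination port
    action: str            # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        return (
            ip_address(flow.src) in self.src_net
            and ip_address(flow.dst) in self.dst_net
            and (self.proto is None or self.proto == flow.proto)
            and (self.dport is None or self.dport == flow.dport)
        )


# The rule base Petter describes: one hole for RDP, then deny everything.
STRICT_POLICY: List[Rule] = [
    Rule("vpn-to-rdp", VLAN_X_VPN, VLAN_Y_TS, "tcp", RDP_PORT, "allow"),
    Rule("default-deny", ANY, ANY, None, None, "deny"),
]

# A common shortcut: "let VPN users reach VLAN Y" with no port restriction.
LOOSE_POLICY: List[Rule] = [
    Rule("vpn-to-vlan-y", VLAN_X_VPN, VLAN_Y_TS, None, None, "allow"),
    Rule("default-deny", ANY, ANY, None, None, "deny"),
]


def evaluate(flow: Flow, policy: List[Rule]) -> Tuple[str, str]:
    """First-match evaluation, the way most firewall rule bases work.

    Returns (action, matching rule name); an empty match is a deny."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def reachable_ports(policy: List[Rule], src: str, dst: str,
                    candidate_ports: List[int]) -> List[int]:
    """Which of the candidate TCP ports can src open on dst under policy?"""
    return [p for p in candidate_ports
            if evaluate(Flow(src, dst, "tcp", p), policy)[0] == "allow"]


# Constructed sample: services a Windows terminal server or office PC
# typically listens on, plus the assumed RDP port.
CANDIDATE_PORTS = [135, 139, 445, 3389, RDP_PORT]


def audit(policy: List[Rule]) -> Dict[str, List[int]]:
    """What a VPN client (10.10.0.5) can reach on a VLAN Y host
    (10.20.0.10), and what that host can reach back into the VPN VLAN.
    The second list should always be empty."""
    return {
        "vpn_to_vlan_y": reachable_ports(policy, "10.10.0.5", "10.20.0.10",
                                         CANDIDATE_PORTS),
        "vlan_y_to_vpn": reachable_ports(policy, "10.20.0.10", "10.10.0.5",
                                         CANDIDATE_PORTS),
    }


if __name__ == "__main__":
    for label, policy in (("strict", STRICT_POLICY), ("loose", LOOSE_POLICY)):
        print(label, audit(policy))
```

Run as a script it prints the exposed ports under each policy; the strict rule base yields only 33890 from VLAN X to VLAN Y and nothing in the reverse direction, the loose one additionally exposes 135, 139, 445 and 3389. Whatever the real filter is (SonicWall, Cisco, Barracuda), the same check applies: enumerate what the rule base actually permits rather than what it was meant to permit.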
Current thread:
- Re: Home laptops on a corporate network, (continued)
- Re: Home laptops on a corporate network gjgowey (May 09)
- Re: Home laptops on a corporate network Christopher Kelley (May 09)
- RE: Home laptops on a corporate network Adam Rosen (May 09)
- Re: Home laptops on a corporate network gjgowey (May 09)
- RE: Home laptops on a corporate network Adam Rosen (May 09)
- RE: Home laptops on a corporate network Nick Duda (May 08)
- Re: Home laptops on a corporate network gjgowey (May 08)
- Re: Home laptops on a corporate network Ansgar -59cobalt- Wiechers (May 08)
- Re: Home laptops on a corporate network Yousef Syed (May 09)
- RE: Home laptops on a corporate network Adam Rosen (May 09)
- Re: Home laptops on a corporate network gjgowey (May 09)
- RE: Home laptops on a corporate network Petter Bruland (May 09)
- RE: Home laptops on a corporate network Crawley, Jim (May 09)
- Re: Home laptops on a corporate network Rob Creely (May 10)
- Re: Home laptops on a corporate network Yousef Syed (May 09)
- Message not available
- Re: Home laptops on a corporate network Johnny Wong (May 09)
- RE: [bugtraq] Re: Home laptops on a corporate network mathew_ericson (May 10)
- RE: [bugtraq] Re: Home laptops on a corporate network winsoc (May 10)
- Re: Home laptops on a corporate network Ryan Chow (May 09)
- Re: Home laptops on a corporate network Tsu (May 08)
- Re: Home laptops on a corporate network Kurt Buff (May 08)