SME Toolkit

Remote users are the weakest VPN link

John McCormick Tech Republic

Published: 23 Jul 2002 13:13 BST

Virtual private networks have generated their share of security concerns, but the focus has been primarily on flaws in VPN protocols and configurations.

The fact that many telecommuters and road warriors also use their systems for things other than work and then connect to the corporate network via VPN makes poor security practices on those remote PCs a legitimate concern for the corporate network.

How big a deal is this? Cahners In-Stat research shows there were 32 million full-time or part-time telecommuters in 2001, with 70 percent having access to the Internet. A large percentage of these workers were employed by small businesses, but a significant number, roughly 5 million, were working for enterprise-class companies and probably using VPN connections.

This large number of off-site systems that connect to corporate networks raises two major categories of security concerns.

Broadband Obviously, the first concern is that many telecommuters use broadband connections such as DSL and cable to get enough bandwidth to do their jobs. This makes them targets for attack, and once an attacker has penetrated the home system, that person may be able to piggyback into the corporate network through the VPN.

Data security The other major concern is data security. Telecommuters and road warriors often store a lot of company data on their machines. Although locating and penetrating a remote user's system takes a certain amount of skill, it's fairly easy to steal the computer carrying case of a road warrior or break into a telecommuter's house and snag a computer that may contain large amounts of confidential business data.

How it starts Most companies fall into telecommuting a bit at a time, beginning with one or more key workers who request the convenience of working from home at least occasionally. Sometimes an arrangement begins because a valued employee has a medical problem, is recovering from an operation, or is extending a maternity leave.

Regardless of the circumstances, telecommuting almost always begins as a case-by-case process where the users are given individual treatment. This means that, in most instances, a variety of hardware and software is in use, and telecommuters are performing a wide range of tasks--creating a nightmare for the IT professionals who have to manage the computing environment.

In addition, since the usual corporate network policies probably can't be directly applied to remote workers, no formal security or usage policy is likely to be in place. And you can't simply apply the office policy to remote workers. Many of the corporate policies just don't make sense for remote workers, and some additional considerations need to be made for them as well. Sometimes, eliminating bad rules is more important than adding good ones. It's only human nature, but if you try to impose bad rules that are unworkable, workers will tend to ignore the good rules too.