ZDNet UK

CNET NETWORKS UK BUSINESS SITES:
atlarge.com
BNET UK
silicon.com
SmartPlanet.com
ZDNet.co.uk

ZDNet.co.uk - Winner of Best Business Website 2007

You are here: ZDNet.co.uk > News > Hardware

SME Toolkit

Remote users are the weakest VPN link

John McCormick Tech Republic

Published: 23 Jul 2002 13:13 BST

One essential rule for all telecommuters, no matter what their level of access to the enterprise network, is that they all have personal firewall and antivirus software in place. Even if they aren't connected directly to the company and can't spread an infection, the home computer has become a business asset and must be afforded at least this basic protection.

Employees who use dial-up connections should still have a good firewall. If they have a cable modem or another type of high-speed access that gives them a fixed IP address, they will need the strongest possible firewall, one that is configured and maintained by the IT staff.

For some, this means a remotely managed firewall (distributed firewall) as well as antivirus software that can be updated remotely. But it will be a lot simpler to use these methods in combination with removable drives.

Another critical element of any telecommuter's system is a strong file encryption routine. Not only can home computers be stolen and laptops taken off that airport luggage carousel or out of hotel rooms, but if you have installed removable drives, data will be regularly carried around by telecommuters as well.

Even if telecommuter systems are just standard PCs that are remotely managed, they are still more exposed to theft than most office systems, so the data on them needs to be secured. The only way to guard this data is by encrypting all files on the hard drive. (This is separate from the encryption that is part of a VPN connection.) File encryption isn't perfect, but it will go a long way toward protecting sensitive data.

Casual telecommuters If e-mail-only users are to be exempted from the strict high-level remote worker policy that controls the computer use of full-access remote workers, they should utilise an outside e-mail account with messages forwarded to that account by someone inside the network. This eliminates any VPN concerns and makes this sort of user a trivial problem for network managers.

This is not the same thing as answering corporate-addressed e-mails from clients or staff directly from the company mail server. If that is required, the user should conform to all the security requirements of any full-access telecommuter.

Helping the help desk An obvious benefit of having all telecommuter systems owned by the company is that they can all be identically configured, eliminating the nightmare situation where company workers are each using a different combination of hardware, OS, and application versions. This advantage alone should be enough to sell management on the cost-effectiveness of providing computers to telecommuters. Even if you don't want to provide users with the option of having a second drive for personal use, using removable drives means that any telecommuter, regardless of technical knowledge or ability to transport a heavy PC to a distant office, can simply bring in the system for routine or emergency maintenance.

Lots of remote control programs are available that can be used to maintain dial-up telecommuters' systems and, of course, they can also be managed through a good VPN. But those cost money, too, and pose many security and performance issues of their own.

Summary You may not have been thinking about your remote workers as a major security threat. However, if you ignore the risk they pose, you are leaving your company open to a network breach and/or a theft of critical data. The recommendations in this article can help you standardise and lock down the systems of remote workers.

Have your say instantly in the Tech Update forum.

Find out what's where in the new Tech Update with our Guided Tour.

Let the editors know what you think in the Mailroom.