Supporting remote users could be the subject of a book. When that book gets written, let’s hope it includes a chapter on supporting the security issues related to individual telecommuters.
As high-speed access becomes more common, the number of telecommuting workers is likely to rise, bringing with it a corresponding increase in network security issues.
TechRepublic addressed some of those issues in “Telecommuting: Balancing the need for speed and security,” in which Gartner analyst Jay Pultz gave us an overview of both security and control issues associated with telecommuting.
In this article, we’ll take a look at two potential solutions to telecommuting security issues and how they might affect your support department:
- 1. Protecting telecommuter machines via cable/DSL routers and personal firewall software
- 2. Using Microsoft’s Terminal Services
There’s light at the other end of the tunnel
Unlike telecommuters who are using dial-up connections into your organization’s network, those workers who have cable or DSL connections in their home offices are likely to have computers on all the time with their always-on high-speed connections.
"If you are a corporate teleworker, it is likely that you will have some interesting information or software on your PC," Pultz told us in our earlier article. "You probably have a file labeled, covertly, 'passwords,' which might be of interest if you are of the hacker persuasion.
"Or you may have software on your machine that is server-like so a hacker can get access to your machine as a corporate server, and from that machine, they can get to corporate resources. The corporate network assumes this is a trusted machine, but it has actually been infiltrated by a hacker...[who] can use that machine as a backdoor to get into the corporate network."
In November, Pultz told us that one of the best ways to help protect a telecommuter’s machine is with personal firewall software. The problem with that, he said, is that security software needs to be configured correctly for the individual’s machine and environment.
Since we spoke with Pultz, the availability and affordability of cable/DSL routers has made them an attractive security supplement. Cable/DSL routers are available from companies, including:
These routers offer NAT translation, which adds a layer of security by allowing a number of computers behind a router to share a single IP address.
One network administrator we know thinks companies should consider providing telecommuters with these devices for the company’s own protection.
But is a cable/DSL router enough?
Steve Gibson of Gibson Research Corporation, which provides the Shields Up port scanning test, doesn’t think so.
On one page of the GRC Web site, Gibson suggests combining hardware routers with personal firewall software for “the PC industry's most comprehensive internal extrusion management.” This hardware/software combination combats both external intrusions into a computer and external intrusions—unauthorized data being sent from within a system to an outside source.
But cable/DSL routers and security software aren't the only consideration when designing a low-maintenance VPN. Will telecommuters access the company network through their personal or company-provided computer? Pultz recommends that companies avoid the temptation to provide only a VPN connection to the telecommuter. Instead, Pultz suggests that companies provide telecommuters a PC with the company’s standard hard drive image to be used exclusively for company business. With non-business-related software banned from the company computer, support desks will know exactly what they are supporting, how it should be configured, and how it will interact with security hardware/software.
Limit problems with Terminal Services
Another option, particularly if you have upgraded to Windows 2000 servers and clients, is to avoid security concerns by using Terminal Services, effectively giving the telecommuter a thin client to work from.
This option was mentioned by TechRepublic’s IT director, Troy Atwood, when we discussed the functional uses of Terminal Services in “Extend your organization with Win2K Terminal Services.” In that article, Atwood discussed the way Terminal Services restricts network access during remote sessions by contractors.
“We brought up the Terminal Server and put the fat client on there. The contractors come in through port 443 [the secure SSL port] through a Web browser,” Atwood said. “We don’t have to worry about what OS they’re running or what their system is on. As long as they have Internet Explorer 5.5 set up, they come in, they get a terminal session, and they can run the application.”
This same kind of thin client functionality would be ideal for telecommuters, he said. They could have all the same applications they use at their desktops in the office, and they wouldn’t have to worry about where their computers have been.
TechRepublic member Teresa Grogan said that is exactly what she is doing with telecommuters at her organization. Her organization provides dial-up users with a diskette with the client on it. Those with high-speed access can hit a Web-enabled client.
Both scenarios have reduced calls to their help desk because there is nothing to configure and little to go wrong. Because all the computing is done on the server, the user is dealing with nothing but screen images, making the connection quick and sterile.
The only drawback that Grogan mentioned is that the servers have to be pretty powerful and if the server goes down, all the users go down.
What works for you?
Are you supporting telecommuters with high-speed or Terminal Services access? How is it working for you? Do you feel you are getting secure connections from your telecommuters? Why? Tell us what you think in the discussion below or send us a note.