Lock IT Down: Don't let VPN users be the weak link in network security

Learn how VPN users can open a hole to your network

Virtual private networks have generated their share of security concerns, but the focus has been primarily on flaws in VPN protocols and configurations. Although those issues are important, the most significant security threat in any VPN setup is the individual remote telecommuter making a VPN connection from home or an employee on the road with a laptop and the ability to connect to the corporate office via VPN.

The fact that many telecommuters and road warriors also use their systems for things other than work and then connect to the corporate network via VPN makes poor security practices on those remote PCs a legitimate concern for the corporate network.

How big a deal is this? Cahners In-Stat research shows there were 32 million full-time or part-time telecommuters in 2001, with 70 percent having access to the Internet. A large percentage of these workers were employed by small businesses, but a significant number, roughly 5 million, were working for enterprise-class companies and probably using VPN connections.

This large number of off-site systems that connect to corporate networks raises two major categories of security concerns.

Obviously, the first concern is that many telecommuters use broadband connections such as DSL and cable to get enough bandwidth to do their jobs. This makes them targets for attack, and once an attacker has penetrated the home system, that person may be able to piggyback into the corporate network through the VPN.

Data security
The other major concern is data security. Telecommuters and road warriors often store a lot of company data on their machines. Although locating and penetrating a remote user's system takes a certain amount of skill, it’s fairly easy to steal the computer carrying case of a road warrior or break into a telecommuter's house and snag a computer that may contain large amounts of confidential business data.

How it starts
Most companies fall into telecommuting a bit at a time, beginning with one or more key workers who request the convenience of working from home at least occasionally. Sometimes an arrangement begins because a valued employee has a medical problem, is recovering from an operation, or is extending a maternity leave.

Regardless of the circumstances, telecommuting almost always begins as a case-by-case process where the users are given individual treatment. This means that, in most instances, a variety of hardware and software is in use, and telecommuters are performing a wide range of tasks—creating a nightmare for the IT professionals who have to manage the computing environment.

In addition, since the usual corporate network policies probably can’t be directly applied to remote workers, no formal security or usage policy is likely to be in place. And you can't simply apply the office policy to remote workers. Many of the corporate policies just don’t make sense for remote workers, and some additional considerations need to be made for them as well. Sometimes, eliminating bad rules is more important than adding good ones. It’s only human nature, but if you try to impose bad rules that are unworkable, workers will tend to ignore the good rules too.

Considering policy issues
The first thing you must do to get a handle on this new work environment is to come up with a policy that covers all remote workers and doesn’t allow for any exceptions. That latter requirement means that there can and often should be subcategories of workers and special guidelines based on categories of tasks.

Let me clarify this. There is a big difference between securing a system for a telecommuter who merely answers some e-mails during occasional home working sessions, a part- or full-time telecommuter with critical corporate responsibilities, and an executive or technical expert who routinely carries around a laptop with a load of confidential corporate data.

These three categories would obviously require different rules regarding security and other issues, but they should fall under a general superset of rules that apply to everyone.

The general remote worker policy that should apply to all workers can simply be an extension or modification of your existing network user rules involving such things as not sharing details about the system with others, not modifying spreadsheet formulas or macros without authorization, not sharing passwords, not opening e-mail attachments, not visiting porno sites, not responding to spam, making regular backups, and so on.

Just take your existing computer usage policy and make some intelligent alterations and deletions that recognize the different situation faced by remote workers. This part should be simple if you already have a good computer usage policy; if you don’t, this is a good time to develop one. Then, you can work from it when creating your remote worker usage policy.

Policy recommendations
I suggest defining two major categories of users for the remote worker policy: what I call full-use or full-access telecommuters and casual telecommuters. Road warriors will need some additional rules specific to them but will fall into one or the other of the two main categories.

These groups can be defined technologically. For example, does the person have a VPN link to the office network (full access), or does the person simply perform independent research and file reports, having no passwords or ability to link directly to the office network (casual users)? You can also group people into categories based on the kind of data they deal with (in other words, how confidential or critical the data is).

Large organizations with many telecommuters doing very different things will need more categories, probably taking the two technical groupings and adding subcategories for each depending on the kind of data handled by the employees.

My other telecommuter rules mainly stem from this basic requirement and the need to keep security configurations up to date on every computer. For example, I strongly recommend that all telecommuters connecting to the corporate VPN be supplied with a company-owned computer. When you think about it, this really isn’t a major investment these days. A basic system is all most telecommuters will need. Hot P4 machines from Dell are suitable even for most advanced users, but cost under $1,000 for a complete system.

Giving the company ownership of a computer will eliminate a plethora of potential legal and management problems. For example, if the telecommuters work on their own systems, how does a company either demand that they upgrade their hardware or software or enforce such a demand?

As part of this company ownership, it becomes simple to require that the computer be used only for company business. This eliminates all the problems of mixing personal and business activities and files, as well as keeping a four-year-old from wiping out critical files.

Some people will object that it is an imposition to have a company computer that they can’t use for anything else, but there is a simple, elegant solution to this: Install removable, swappable hard drives. This provides an inexpensive way to manage telecommuters, because you can require them to bring the drives to the office for regular scans. Since they will suspect that you can easily detect out-of-policy use of the computer, it provides a strong incentive for them to obey the rules. It also makes it easier to maintain both software and utilities as well as to enforce regular backups.

Installing a removable hard drive costs about $200 per computer, including the new hard drive, brackets, and labor. That doesn't include the cost of the OS and applications, but those would be needed anyway. The other option is to supply laptops to telecommuters, but laptops are more expensive and are also attractive theft targets.

If every telecommuter has the same basic PC configuration at home (based on the company's standard software image), and the IT department maintains an identical configuration, it will be simple to troubleshoot and maintain both the drives and the complete systems. A much more complex task is to remotely manage all those telecommuters’ systems via the network. But where that is appropriate, corporate ownership of all the hardware and software is even more essential.

In either case, if removable drives are used, it’s easy for the company to essentially offer a second PC for personal use by designating one hard drive for business use and a second drive for personal use. Remote users should be responsible for their personal drive, which will probably include games, family software, and so forth.

This setup eliminates the complaints about having a separate business and personal computer both taking up space in the home. And since you need to power down a system to swap drives, it keeps the corporate and home software completely separate.

Security considerations
One essential rule for all telecommuters, no matter what their level of access to the enterprise network, is that they all have personal firewall and antivirus software in place. Even if they aren’t connected directly to the company and can’t spread an infection, the home computer has become a business asset and must be afforded at least this basic protection.

Employees who use dial-up connections should still have a good firewall. If they have a cable modem or another type of high-speed access that gives them a fixed IP address, they will need the strongest possible firewall, one that is configured and maintained by the IT staff.

For some, this means a remotely managed firewall (distributed firewall) as well as antivirus software that can be updated remotely. But it will be a lot simpler to use these methods in combination with removable drives.

Another critical element of any telecommuter’s system is a strong file encryption routine. Not only can home computers be stolen and laptops taken off that airport luggage carousel or out of hotel rooms, but if you have installed removable drives, data will be regularly carried around by telecommuters as well.

Even if telecommuter systems are just standard PCs that are remotely managed, they are still more exposed to theft than most office systems, so the data on them needs to be secured. The only way to guard this data is by encrypting all files on the hard drive. (This is separate from the encryption that is part of a VPN connection.) File encryption isn’t perfect, but it will go a long way toward protecting sensitive data.

Casual telecommuters
If e-mail-only users are to be exempted from the strict high-level remote worker policy that controls the computer use of full-access remote workers, they should utilize an outside e-mail account with messages forwarded to that account by someone inside the network. This eliminates any VPN concerns and makes this sort of user a trivial problem for network managers.

This is not the same thing as answering corporate-addressed e-mails from clients or staff directly from the company mail server. If that is required, the user should conform to all the security requirements of any full-access telecommuter.

Helping the help desk
An obvious benefit of having all telecommuter systems owned by the company is that they can all be identically configured, eliminating the nightmare situation where company workers are each using a different combination of hardware, OS, and application versions. This advantage alone should be enough to sell management on the cost-effectiveness of providing computers to telecommuters. Even if you don’t want to provide users with the option of having a second drive for personal use, using removable drives means that any telecommuter, regardless of technical knowledge or ability to transport a heavy PC to a distant office, can simply bring in the system for routine or emergency maintenance.

Lots of remote control programs are available that can be used to maintain dial-up telecommuters’ systems and, of course, they can also be managed through a good VPN. But those cost money, too, and pose many security and performance issues of their own.

You may not have been thinking about your remote workers as a major security threat. However, if you ignore the risk they pose, you are leaving your company open to a network breach and/or a theft of critical data. The recommendations in this article can help you standardize and lock down the systems of remote workers.

Editor's Picks