By Mike Mullins
Chances are good that most of your users own a home computer, or your company provides laptops to employees who travel, and all of them want access to the network. If remote access isn't implemented securely, this is a recipe for disaster.
How can you secure your network when users need access while they're away from the office?
Just say no to OWA
First, get rid of your Outlook Web Access (OWA) implementation, and force your Microsoft Exchange users to access their e-mail via the Outlook client. You might have a great antivirus program, maybe you use some type of content filtering on e-mail, and you probably apply security restrictions to your clients to prevent virus attachments from reaching your users' mailboxes. But when you allow your users to use OWA, you also allow them to go around all of that security.
"What about attachment restrictions?" you ask. They're client-level access restrictions. Outlook client restrictions that are passed from the server don't take effect when you use a Web client to interact directly with a user's mailbox. A remote user could send a message with a virus-laden attachment to every user in your site and potentially cause catastrophic damage to your entire network.
Make VPNs mandatory
If a virtual private network (VPN) solution didn't come with your firewall, buy one. Install VPN software on every portable computing device your company owns.
Depending on the type of VPN solution you implement, you can use several different types of authentication for your network. Pick the authentication method (Kerberos, Static-Accounts, RADIUS, PKI, etc.) that best suits your business practices.
Many companies sell excellent client-to-server and/or client-to-network VPN hardware and software, including your enterprise firewall vendor, Cisco, and F-SECURE VPN+. Check out these vendors and ensure that they support a broad spectrum of operating systems. Broad OS support is essential, because if you remove OWA for security reasons, you're going to need some way to give remote access to users who work from home.
Create installation instructions for users, and provide the client installation package for every user who requires (requires, not wants) remote access to the network. Explain to your users that you're doing this to protect them from viruses and hacking exploits that are targeted at large corporate networks.
While you're budgeting for your VPN solution, also budget for a site-licensed antivirus program that you can give your users to install on their home PCs. As part of the network use policy, require that users install this antivirus software on any machine they use to access the corporate network.
Make users sign off on this policy. By doing so, you could also prevent a sneakerware virus from transporting itself from home to work.
As networks become more responsive and user demands for remote access increase, organizations have allowed functionality to bypass security. Don't let operational demand drive security down the drain on your network. Security begins and ends with access to your network, regardless of how that access is achieved. Your network is there to support your users, so give your users all the access they need to do their jobs. But do it securely!
Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.