When your CEO sends information from the home office to a remote one, he or she expects the information to reach its target safely. However, IT managers know it’s not always that easy. They know that viruses and hackers lurk in cyberspace, waiting for opportunities to hit the tastiest packets.

If your CEO or other users shuttle packets via a virtual private network (VPN) you created, security issues are probably on your mind right now. A recent TechRepublic poll asked IT managers about security and VPNs. More than 70 percent of respondents said they were at least somewhat concerned about VPN security.

Most have VPN security concerns.

According to John Doyle, the director of product marketing for Corporate Edge Services for Nortel Networks, VPNs are generally secure. “The encryption technology [VPNs use] makes them absolutely bulletproof from a security point,” said Doyle, who has worked with VPNs and similar technology for the last 20 years.

Security issues arise due to the way users treat a VPN. For example, many companies allow their users to surf the Web, an insecure practice that exposes a network to hackers, he said. A practical way to keep users’ VPN practices under control is to create a VPN use policy.

Here’s how you can help us help you

Is a VPN user policy something your organization should follow? Why or why not? What would you include in a VPN policy? We’re creating a policy you can download, and we want to know what you think should be in it. Tell us by adding to the discussion at the end of this article.

Why use a policy?
TechRepublic member David Dziadek believes in VPN user policies, but told us that his organization has no policy or guidelines in place. He believes that due to his organization’s high use of broadband and the VPN, it needs a policy, especially for users who access the network from home. “Basically if a user gets broadband at home, the first thing they want is to be set up to use our VPN,” said Dziadek.

Another TechRepublic member, Tony DeRosa, agrees that a VPN policy is needed for home and remote users. “VPNs will provide security for transmitted data. However, if users with home networks enable resource sharing, particularly with disk drives, and do not install a firewall, they could be leaving themselves open to hackers,” he said.

“It is important that users are aware that sharing resources and maintaining a continuous online connection, available with broadband technology, can compromise locally stored sensitive information unless a firewall [hardware or software] is provided,” he added.

What a policy might include
A VPN policy could start with an explanation of how users can avoid the possible attacks that may hit home or remote users. It could also stipulate which PCs can be used to connect to an organization’s network. For example, using a company-maintained PC is usually safer than using an employee-owned machine because the company equipment receives regular virus updates and configurations from the network.

TechRepublic member Ed Krayer had some other ideas. He said a policy should explain to users that:

  • It’s imperative to protect VPN and network passwords.
  • Connecting to another party via the Internet moves the point of protection from the corporate firewalls to a remote computer that may not have this same level of protective maintenance.
  • When a VPN connection is made, a “hole” is created in an organization’s firewall that exposes it to attacks.