General discussion

  • Creator
  • #2184190

    Pro’s and Con’s of VPN at home for Employees.


    by csrphoto ·

    Ok, I’m in need of some advice, so here’s the situation. I work for a County Sheriff’s Department that has its own IT Department, as opposed to the County’s IT department. The County has recently decided to offer to its employees (including those of us at the Sheriff’s Dept.) the ability to print our paycheck stubs via the intranet instead of receiving them in the mail as in the past. For the County Employees, this is completely optional (as it should be) and people that want to continue receiving their stubs in the mail can do so. However, some of the Sheriff’s higher brass has made an executive decision to force all of the Sheriff employees to only be able to receive their stubs on-line (supposedly saving the Department $11,000 annually in printing and mailing fees). Because of this, the upper management has also decided that IT will set up any and all users’ home PC’s with VPN access (potentially up to 1500 people) just so they can log on to our network, to get access to the county’s network so they can print their pay stubs at home.

    So now the IT staff is to support these users’ home PC’s as well as the Department’s network (oh, and by the way we also support several of the outlying smaller Police Departments agencies). The IT Staff has expressed concerns with this and I am wondering what information or concerns anyone else out there might suggest we look into. Here is what we have tried to bring to the attention of upper-management:

    1) more man hours to support home PC’s
    2) home PC’s may not be up to par with Department standards
    3) After hours support (which is extremely expensive to the department) will dramatically increase
    4) Potentially opening up our network to more exposure to viruses, trojans, and hacking.
    5) Many users may not have PC’s at home and will want access from public PC’s (such as at Kinko’s).
    6) VPN support will turn into PC support for issues unrelated to Sheriff’s Department.

    Further concerns amongst the department are whether or not forcing the employees to print their own stubs is even legal. It appears that some institutions that require a paycheck stub for accreditation (e.g. credit checks) won’t accept the home printed stubs as valid. Has anyone ever heard of a situation like this before?

All Comments

  • Author
    • #3185976

      Unbelievable. But I do believe it.

      by stress junkie ·

      In reply to Pro’s and Con’s of VPN at home for Employees.

      I think your last two points are the most important ones. Is this legal? Are employer printed paycheck stubs considered a legal document that they are REQUIRED to provide?

      Is it legal? I suspect that the IRS would have some answers about the employer’s obligation to provide the information on paycheck stubs.

      Banks won’t accept home printed stubs? You could ask any bank about it. They should be able to refer you to appropriate laws that govern their behavior.

      It also seems to me that if the above research shows that the employer is required to provide a paycheck stub but is allowed to require employees to print them at home then the employer should be required to provide an appropriate computer and printer to all employees. I don’t see how you can shift this cost off onto employees.

      Nevertheless there are probably laws governing all of these issues. The county must have a legal department. Ask them what they think.

      Then there is the issue raised in the title of your post, the VPN. There are numerous software products that can be used separately or together to create a VPN. The first consideration is to remember that SECURITY IS JUST AN ILLUSION. Therefore you could argue, as I would do, that a VPN is not and cannot be secure enough to be a responsible part of your computing environment.

      I suspect that if you research the Federal and state tax requirements, the bank requirements, and the state’s requirements placed on employers you will be able to find some answers.

      If those routes don’t work then tell the management that there is no such thing as a secure VPN. The fact that the VPN has to be implemented on machines that are in the employees’ homes is going to be a problem for both security and for maintenance. What if the home computer has a virus? It could then have access to the employer’s network. What if the home computer is reconfigured by the employee? They would either lose their connection which then requires maintenance or they could compromise the security of the employer’s network. You can’t very well tell people that they can’t do what they want on their home machines. If they mess up the VPN settings then that is the IT department’s problem.

      Good luck. 🙂

      • #3194848

        Union involvement

        by csrphoto ·

        In reply to Unbelievable. But I do believe it.

        As far as the legality of the issue, I think the Union will get involved if that is the case.

        I guess my concern is to look more into the ramifications of expenditures from a Technologies perspective.

        I think our biggest concern ought to be the security issue of allowing Sheriff employees (which includes both civilians and correctional officers in addition to the deputized peace officers) access to a network that public safety is dependent on.

      • #3194832

        Forget the VPN

        by eric.p ·

        In reply to Unbelievable. But I do believe it.

        If they really want to give employees access to this then a VPN is definitely the wrong way to go about it. Just give your employees access to a password-protected page on the web that they can get their pay stubs from. Good grief, if that’s secure enough for banks it ought to be secure enough for you. The real question is if the development cost of the web site is worth the paltry savings you quoted in printing and mailing costs?

        • #3194770

          Web Access Denied

          by csrphoto ·

          In reply to Forget the VPN

          This was our first thought too, but because the payroll software resides on the county’s network (as opposed to the Sheriff Dept. network) we have no say or control as to putting it on the website. That would be up to the County to decide, which they already have. They decided not to do so because they are allowing their employees to have the option of printing their stubs or receiving them in the mail.

          The county’s view is that since it’s the Sheriff’s Dept that doesn’t want to comply, it’s the Sheriff’s Dept’s problem.

        • #3182038

          Regarding banks

          by stress junkie ·

          In reply to Forget the VPN

          “…if that’s secure enough for banks it ought to be secure enough for you.”

          I don’t agree that the adoption by banks is proof of security for the following reasons.

          Banks are run by nontechnical people. These people make decisions that are based on market demand rather than on security. Bank managers look to Federal regulation for their list of do’s and don’ts. These managers will be happy to implement some feature to make them more competitive if the Federal government allows it even if it is not completely safe.

          Bank computer systems are run by technical people. However there is a wide range of technical skill in this group. It is entirely possible to find situations where a system administrator is told to implement something that he/she is not skilled in doing.

          It is also probable that a bank system administrator may be ordered to implement a system which they know is not secure.

          It is also demonstrable that some bank system administrators are more quality oriented than others. In other words some system administrators are just not interested in the quality of their own work. I recently worked at a mutual fund company. I can tell you that there were system administrators working there that were not sufficiently skilled nor were they particularly interested in the quality of their own work to merit their custodial and fiduciary responsibilities inherent in their position.

          All of these facts undermine the argument that if banks are using this system then it must be acceptably secure.

          Plus, one difference between banks using this technology and the situation described in the original post is that banks in my area do not force this technology on their customers. Bank customers have got to go through extra steps when setting up a bank account before it can be accessed over the Internet. In the original post the employer wants to force this onto their employees.

          I wouldn’t completely trust bank managers or the regulations governing banks to always make good decisions. Mistakes are always possible. So using banks to justify the quality or security of the technology isn’t enough proof to persuade me.

      • #3194776


        by firstpeter ·

        In reply to Unbelievable. But I do believe it.

        I couldn’t even begin to comment on the legal side so I won’t (although I will say that having a law like that is obnoxious enough that it probably IS on the book somewhere…).

        However, with the VPN you could at least take some preventative measures. I’m speaking theoretically here, but I believe ISA Server 2004 has a “Quarantine” feature that will enable VPN connections, but stick computers in a limited access pool until they “validate” credentials and up-to-date software (like all Windows patches, virus signatures, etc.). Pretty slick.

        That doesn’t help the fact that if someone’s computer doesn’t meet those requirements that you’re probably stuck fixing it or making some exception, but at least it’s a start.

        And Stress is right – security is pretty much shot. Even if you DO have those things in place someone connecting at a Kinko’s is at high risk for getting their password stolen and who knows what. For that matter the risk is at home, as well.

    • #3185957

      Unbelievably Bad Idea

      by bluegiant ·

      In reply to Pro’s and Con’s of VPN at home for Employees.

      Wow! Talk about your nightmare IT situation! Setting up and maintaining up to 1500 VPN connections will be difficult, time consuming, and expensive. We only have a few dozen people who VPN in from home or the road and keeping them happy is tough enough.

      In my situation, I get my paystubs through the company’s HR website. I have my own user profile to access the HR site through the internet. One of the options available is to print my paystub. I can’t give you any details on the setup or implementation because this function has been outsourced (I work for a small subsidiary of a huge company.)

      The way we get around having to set up and maintain individual home PC’s (so that people have access to their paystubs) is to have a few PC’s around the facility that people can use for this purpose. This may be an option in your situation. Have a few PC’s set up where needed that are locked down and used only for accessing and printing paystubs (and any other business related things deemed necessary.) This way you have control of the equipment, security risks and legal issues are minimized, costs are low, and your users have help handy if necessary.

      I sure hope you can talk them out of that insane plan.


      • #3182226

        maintain individual home PC’s

        by ip_fresh9 ·

        In reply to Unbelievably Bad Idea

        The way we get around having to set up and maintain individual home PC’s (so that people have access to their paystubs) is to have a few PC’s around the facility that people can use for this purpose. This may be an option in your situation. Have a few PC’s set up where needed that are locked down and used only for accessing and printing paystubs (and any other business related things deemed necessary.) This way you have control of the equipment, security risks and legal issues are minimized, costs are low, and your users have help handy if necessary.


      • #3194819

        It get’s better…

        by csrphoto ·

        In reply to Unbelievably Bad Idea

        Ideally we would have the paystubs printable from the website, but herein lies the problem. Because the County IT department and the Sheriff’s IT Department are two completely different entities, and because the payroll software is on the County’s network it is their responsibility to service and maintain it. However, they don’t see a need to provide the paycheck stubs over the internet because the County is giving their users a choice to print it out or to continue receiving it in the mail.

        Now the Sheriff employees are technically County employees (which is why we receive our paystubs from the county), but the upper-brass has determined for all its staff that we are not to receive our paycheck in the mail (saving the Sheriff Dept. a small chunk of change). But they do want the users to be able to print their stubs at home…the only way to do that (since County IT won’t) is for us to provide VPN access from home for these users.

        Although we do have several spare/training PC’s that people can use, they also have their regular PC’s they can use (they do this to fill out their time cards online already anyways). So I don’t understand why it’s so important for the users to be able to print from home (other than maybe save the department cost from the users printing on Department printers and department paper).

        • #3195106

          You Have Precedence For Solution

          by sfaiswl ·

          In reply to It get’s better…

          You say everybody(?) logs-on a PC to fill out a timecard?
          Is this always at work? If so, then that’s just the flip-side of the payroll process from the paystub, so logging on the same place to get the paystub at the other side of the payroll process is a reasonable requirement.
          If everybody is allowed or expected to fill out the timecard from home, then that’s precedence for the paystub issue, and the existing security for data entry is obviously(?) acceptable for data viewing.
          Either way, the suggestion from petev@… that you institute a “pilot” program is a great suggestion.

    • #3185892

      Why not

      by tonythetiger ·

      In reply to Pro’s and Con’s of VPN at home for Employees.

      just ask who wants theirs printed out and run a print job at work and have them pick them up? That way they’ll save the mailing costs and “some” of the printing costs, and they’ll be getting an “official” paystub (though I don’t recall seeing the statute that “requires” employers provide paystubs, only “pay” 🙂 and W-2s at the end of the year.)

    • #3182288


      by roger99a ·

      In reply to Pro’s and Con’s of VPN at home for Employees.

      I wonder how many of them will check the little box to “Remember my Password” and let their kids play on your network.

      Any VPN that has to support 1500 users is also going to be expensive. Make sure they know that. You’ll probably find that any solution you use will eat up the $11,000 you were trying to save anyway.

      What would be better than a VPN is an SSL interface on a separate web server that can retrieve the stub instead of a full VPN. This would eliminate most of the security and home maintenance issues.

      Now the dumb questions: why don’t they deliver the stubs with the checks? Is there no internal mail delivery system that can send these stubs without using the Post Office? And are there people that never come to work and wouldn’t have access to a computer in the station?

    • #3182186

      Using “Print Your Pay Stub” without VPN Access

      by cesandman ·

      In reply to Pro’s and Con’s of VPN at home for Employees.

      Ours can be printed via a link on the company’s intranet. If they are using Pro Business Payroll, you can also access it on the web, sign in and print your pay stub. Although I do have a VPN connection, I never use it for this purpose. I can’t understand why the county would want to set up all those VPN connections for a single purpose that could be handled much more inexpensively. Also VPN connections on your home machine will allow your IT Department free access to your PC if you don’t have a firewall installed.

    • #3182114

      OK as this is US Law I can not comment on what the Legal

      by hal 9000 ·

      In reply to Pro’s and Con’s of VPN at home for Employees.

      Ramifications are but I can point you in the right direction as to instigating a proper security policy that once written up can be submitted to those higher up the food chain for approval.

      Firstly if you are allowing workers to access the internal systems to the Pay Check level you have to accept responsibility for security on their home systems. This of course will include providing any necessary software and possibly hardware upgrades to bring them into line with the present standards for where you work. It will also include needing to lock down individual home computers so that no unauthorized people can gain access to your system. This may involve setting up user accounts with dedicated passwords for individual users and then a group account for the rest of the family.

      Ideally you should be supplying the hardware so if a person leaves the department you can get the hardware/software back and not have a potential security breach.

      You’ll have to draft up a complete new security protocol to be implemented and make sure that every one involved understands this.

      I had to do this with a couple of the Bosses’ “home Computers” so we gave them Notebooks as their own personal play toys and only allowed them to use them; we also had to provide their homes with general use computers and High Speed Internet Connections. There were only a few people involved here, 4 actually, and the cost was way more than 11K per year just in hardware/software but on the up side it was all tax deductible because it was required to maintain network security.

      Just grab your current Security manual and redraft it to include providing at the very least every person involved a Department Issued LT and the required software as well as a printer; of course it will have to be a laser one because a BJ will wash off if the paper gets wet.

      Just doing that as well as listing the extra duties involved by the IT Department and extra staff required should be enough to make them see reason and after all 11K is only petty cash really.

      But do it properly and make it look professional in the presentation and allow at least 1 hour per week per LT for maintenance; it might seem like a lot of time but really that is way too conservative as you’ll be constantly rebuilding the things for the first couple of months at least. Also factor in the Depreciation for Tax Purposes; as you live there you should know this and just how often you’ll be needing to replace the hardware/software to maintain the Tax Benefits, and remember to include unexpected events like the total destruction of the units; depending on staff numbers allow for at least 1 for every 100 units per year, this will cover theft and destruction of the Department’s LTs that will happen.

      At the end of the updated Security Manual include the following “The projected expenses are variable because we have no idea of how prices will move over the 4 -5 year installation period and they will most likely vary drastically when it comes time to replace the existing units!”

      I’m betting that when the Powers that Be actually read the requirements that they are imposing they will drop the idea so fast that you’ll never see it coming, but if they persevere with the idea you have established the ground rules of what will be required and have a valid argument for a Budget increase at the next meeting where Budgets for the individual departments are handed out.

      OH I nearly forgot this don’t disagree with those who have made this decision as they have been sold on just how easy it is to implement a VPN probably by attending a MS do so instead of trying to tell them that it can not be done bring them hard facts on what is involved by doing it this way. No doubt they have been told that implementing a VPN is only a few mouse clicks so it is easy to do. What you have to show them is that while it is easy there are costs involved which they had not been told about and just how it will adversely impact upon their IT budget.

      Col ]:)

      • #3194758

        VPN via appliance.

        by too old for it ·

        In reply to OK as this is US Law I can not comment on what the Legal

        HAL, you don’t have to blame MS for this. The appliance vendors are happy to tell you just how easy it is to throw down a VPN with their equipment. So simple a marginally trained chimpanzee can do it. And their tech support in a suburb of Bangalore are there nearly 24/7 if you run into a jam.

        • #3181796

          Actually it wasn’t my intention to Blame MS for this one

          by hal 9000 ·

          In reply to VPN via appliance.

          Just the Marketing people who really have no idea of how things work. I can’t remember which MS Partners meeting I was at but it was recently either last year or this year but they claimed that there was only a 3 click routine to go through to establish a VPN. Which is true from one point of view and wrong from another.

          But you can hardly blame the hardware vendors when they pickup on this as a Sales Gimmick to help sell their product.

          At the MS Meeting the Techs were the ones shaking their heads in disbelief and I actually felt sorry for them as the Marketing people had taken something, twisted it to make it sound much better than what it actually is and run with it and then expected the Techs to make it work.

          Col ]:)

    • #3182107

      Well, Where I Work

      by thechas ·

      In reply to Pro’s and Con’s of VPN at home for Employees.

      Where I work, just over a year ago, we were given a choice.

      Either use direct deposit and print your paycheck statement from the company intranet, or wait for your check to come in the mail.

      Checks that are mailed are mailed out the same day that direct deposit funds become available. So, those employees who choose to receive actual paychecks get their pay at least 1 day later than those with direct deposit.

      A couple of kiosks were set up so that employees who did not have computers could access the intranet and print their statements.

      The biggest concern was the majority of employees who use public printers to print their statements.

      All in all, there have been few problems.

      What has amazed me is the significant number of employees who have chosen not to print out their pay statements. Many have forgotten their passwords and are not concerned with reestablishing their access.

      All pay related transactions are handled via the intranet.

      As far as I know, our payroll intranet site cannot be accessed from outside.

      A separate Internet site is used for most benefit related transactions.


      • #3182101

        Chas you might be able to answer this one

        by hal 9000 ·

        In reply to Well, Where I Work

        But then again you might not as different places have different laws but is there any legal requirement to provide pay slips with regular wage/salary payments where you are?

        I would have thought that the equivalent of what we have here called a “Group Certificate” provided to every employee at the end of the Financial Year for Tax Returns would suffice to show your income for any financial transactions like applying for a Credit Card, House Mortgage or similar.


        • #3195072

          Different levels of credit

          by thechas ·

          In reply to Chas you might be able to answer this one


          Yes, we all get an annual statement of our earnings and taxes withheld for use in filing our tax returns. This information is also “shared” by employers with various government agencies.
          I foresee the day when this too will be delivered electronically.

          For most primary lending institutions, your annual earnings statement is sufficient.

          There are various lower levels of lending in the US that don’t use the credit reports and annual wage statements.

          Typically, when you have no established credit history in the US, you have a hard time getting any form of loan or credit.

          So, to establish a credit history, you start out at the lower levels.

          A common low level lending situation is a self financing used car dealer.
          If you don’t have a credit history, they base the amount they will loan you on your last paycheck stub.

          Since these lenders are dealing with people who have had credit problems or are bad credit risks, I can fully understand that they would not accept a pay statement on regular printer paper as proof of earnings.

          The flip side of this, is that the people who need to use these types of lenders are the same ones who get in trouble for misusing credit.

          Another situation where having just the paycheck statement is when you have changed jobs and substantially increased your income.

          The data in your financial history will limit what loans you can get until after the first year on the new job. Many financial institutions will accept a current pay stub as proof of higher earnings.

          Same for renting a house or apartment when you first start out, or move to a new area. Many landlords require proof of your employment status, but will not pay for the credit report or other services that would provide the information.

          With the current concerns about litigation, I don’t know if the average employer would be willing to provide an alternate statement of employment or earnings on company letterhead.


        • #3195027

          Thanks Chas

          by hal 9000 ·

          In reply to Different levels of credit

          Seems that this is just another case of technology outstripping the current business practices of many places.

          Over here when proof of income is required the employer has to provide a letter stating the time of employment the type of employment and the weekly income of an employee upon request for the very reasons that you have laid out. The employee has to ask for this information and then it is up to the employee what they do with it.

          Really isn’t much of an issue but it may become one if our current Federal Government gets its way with Work Place Reforms that it has tagged to do in this term. If they manage to get it through it effectively would mean that any employer could have staff on a casual basis for ever without any advantages of actually working there like Holiday pay and sick pay.

          Currently it is a major bone of contention as this time it is not the unions who are really upset which of course they are but the States who are responsible for this area of the work place and the Federal Government is trying to get the States to relinquish this area to them for the benefit of all. 😀

          Naturally being an employer myself I want this to go through as then I can put all my staff on casual employment plans and I’ll never have to worry about having to pay them sick or Holiday pay and when there isn’t enough work I just don’t need to have them come into work and get paid. Personally I would never consider doing something like that but there are many places that would and with our aging population I think we need some form of security in employment not going the other way where you are at the beck and call of some unscrupulous employer. But I never have claimed that the Government was here for the Good of the People just the Good of those who pay into their reelection funds which generally happens to be Big Business. I’m sure this idea would suit them down to the ground.

          Of course if they do get it through I would like to see Politicians put on the same employment contracts with no added benefits like unlimited travel expenses and mailing expenses and making them insecure of their positions in general. After all if we actually had Politicians working for their money we just might get some decent laws passed. 😉

          Col ]:)

      • #3194756

        Mandatory Direct Deposit

        by too old for it ·

        In reply to Well, Where I Work

        … seems to be a trend, especially in the contracting side.

        One of the firms I occasionally contract with makes sure your “handler” sees you every Friday, gives you your stub, sees how you are doing, do you need anything, etc.

        Another has the info online.

        Current one does the direct deposit. Paystubs are sent to a remote office 4 states away, photocopied, then mailed to us. I can still look at the deposit on my bank’s system shortly after midnight on the day it is due.

    • #3194834

      ONE WORD

      by deway2 ·

      In reply to Pro’s and Con’s of VPN at home for Employees.

      TERMINAL SERVER! You have to consider individuals using their home computers connecting via vpn’s can infect your network! I learned the hard way. We use direct deposit here and pay checks and timesheets are distributed to the supervisors to hand out to their employees. There’s two options.

      • #3182025

        Friends don’t let friends VPN

        by angry_white_male ·

        In reply to ONE WORD

        Agree with everyone here… bad idea – and for the limited scope (viewing pay stubs) – just simply isn’t worth it. It will turn into a support nightmare (initially), along with the ongoing maintenance issues as users upgrade their PC’s, let spyware/viruses hose everything, etc. The licensing fees for the VPN connections on your firewall and clients will eat up that $11,000 savings alone.

        The less people with access to a public-safety network, the better.

    • #3182089

      What a lovely idea (for the employer)

      by jafo ·

      In reply to Pro’s and Con’s of VPN at home for Employees.

      Hi Rev.

      I must admit, the idea of your employer is indeed the best idea I’ve heard in years, just to save a few bucks.

      The legal issues, I think you can find together with the IRS and the union if the idea is indeed acceptable. I would not be surprised that someone would say that the stub of the financial transaction may be supplied electronically, but that on request a written stub needs to be provided.

      In that case, as IT department, provide everyone with an instruction that in any case of problems with printing, they should request the written stub.

      Additionally, I would suggest that you also include instructions for everyone now forced to print their stub at home, that they would request the company to provide the paper for printing this so important legal paperwork that should be required by the company. (This would already totally screw up the savings calculation). On top of that, add to the instruction that everyone should request reimbursement for business usage of personal equipment (call it rent). This would not only decrease the cost savings, but would also flood the administration with a lot of additional work. (Some may even have to acquire a PC and will therefore have the employer pay for the complete PC).
      I think you’ll find the union supporting you with these kind of actions.

      Then for supporting home PC’s? DON’T. There are millions of combinations when it comes to PC’s and all their troubles. There is no way any IT department can support this. What you can support however is the (VPN) connection.

      Make sure however that you have an answering machine and an e-mail address with auto responder that will run through the 90% of the problems with the users.

      The security risk is good to mention, but when the company makes this choice, not something you can fight.

      The most important part is something you did not mention. Probably providing VPN access is part of a larger plan. This will be the plan where in the near future, once VPN has been set-up, also your work will turn to a 24/7 activity. This is also a warning you may ventilate into the organization.

      For the rest, all I can say is “good luck” (and start looking).

    • #3182066

      Translate it to cost

      by gralfus ·

      In reply to Pro’s and Con’s of VPN at home for Employees.

      Show them how much it will cost based on the criteria you have already provided. Determine who will be responsible for the cost. Make it simple to understand. Put it all in writing and submit it officially. Keep a couple of copies of the report for yourself. If they decide to do it anyway, document the time and expense that it really does take, and add that to the report as an addendum. Then submit it again a year later, demonstrating the cost increase and the frustration of users and IT staff.

      • #3182012

        Bull’s Eye

        by csrphoto ·

        In reply to Translate it to cost

        I think of all the possible ways to deter the action, displaying the cost ratio is probably the one they are going to pay attention to. Breaking down how much it will cost to implement and support this project and comparing it to the cost of in-house printing and shipping ought to shed enough light on the matter for upper management to see our point. Conservatively we would be spending $40k a year to save $11k a year. It just doesn’t add up…

        • #3181960

          Yep and you are right…once you support a user at home..

          by tomsal ·

          In reply to Bull’s Eye

          me *everything* that goes wrong with their home computer will somehow, in some way be YOUR fault!

          Little Johnny’s game screwed up the system so now it crashes all the time….must be that thing the IT guys at work did.

          Suzy’s AOL chatting and sharing music files got viruses out the ying yang on the computer….must be that thing the IT guys at work did.


        • #3195264

          shoot Big 110k to save 11k

          by djameson ·

          In reply to Bull’s Eye

          You could do better than that: price a Netscreen, they are rated as one of the most secure firewall/vpn appliances priced PER USER also throw on there IDS software… Got to have it if you have a VPN.

          Also… If this is a Windows world, and you have access to a website, IIS5 and IIS6 can be set up to relay pages through a network. It is sneaky, but you could effectively poke a pinhole in your network and forward it to theirs using your Windows box as a proxy of sorts. This is by no means secure, but it is a hell of a lot more secure than poking 1500 uncontrolled pinholes in the network.

          or… firewall your network from them, and build a VPN into their network… No risk to your part of the network, you just have to support it.

    • #3181993

      Eleven thousand dollars?

      by dc guy ·

      In reply to Pro’s and Con’s of VPN at home for Employees.

      Where is this county, Montana? No, you say you have more employees than the total population of those counties.

      There is something else going on here. Nobody in a municipal government of any size would bother doing something this paltry, difficult, and dangerous just to save $11,000.

      Your protestations and reasoned arguments will fall on deaf ears. The decision has already been made based strictly on some strange political issue. Keep a very low profile and don’t get caught in the crossfire.

      • #3181851

        Yep, make sure you protect yourself

        by dcstraindcstrain ·

        In reply to Eleven thousand dollars?

        Whatever it is you write up for management make sure you insert a little something about the possible “personal liability” exposure for the person or persons responsible for this project. I wouldn’t put any emphasis on it… just add it toward the end like any other item. Whoever sits at the buck stopping desk will notice it.

        Also, if you want to steer them away from the VPN idea, give them at least one or two other choices, and before you do that, find someone else to suggest the other choices so they can take the blame if someone brings the whole damn system down because of it.

        Just keep one thing in mind: “When things go wrong, someone has to be the patsy.”

    • #3181973

      Reply To: Pro’s and Con’s of VPN at home for Employees.

      by lsmith1989 ·

      In reply to Pro’s and Con’s of VPN at home for Employees.

      Wow, this amazes me.

      #4 alone should be enough to convince most Exec.s that make this decision to reconsider.

      I would stick with the costs versus the benefits and security risks in doing this.

      If the big dogs still don’t see how big of a security hole this is and how much public money it will cost, then there are definitely management problems.

    • #3181903

      Check out your State’s laws

      by twells1970 ·

      In reply to Pro’s and Con’s of VPN at home for Employees.

      I know in my state an employer must provide the employee with the information. I believe most do. For Ca check out this site: paragraph 226. Check with your department of labor for specifics. Having been in management and IT I know this is a tricky situation.

    • #3181824

      shitty VPN

      by korgmeister ·

      In reply to Pro’s and Con’s of VPN at home for Employees.

      I don’t think this would be an effective decision. I suggest the County’s IT Department set up a server and let the employees access the server via the public internet. Of course, there is a need to hire some security engineer if the data is sensitive. By doing this, the employees don’t have to worry whether their computer is infected with a virus or any other threat.

      Setting up a main server and letting the employees access it via the internet can save a lot of time and work, because you are just using the existing technology available.

      To secure the main server, there are a lot of ways, like using SSL, AES; using Linux as the server would save you tons of money! etc.. etc.

    • #3195417

      Zero Dollar Savings

      by niekamp ·

      In reply to Pro’s and Con’s of VPN at home for Employees.

      This plan is extremely flawed and not very well thought out. Depending on the number of employees supported, the cost to support will rise dramatically. On average, these types of support calls can run in excess of two hours. With responsibility for a Global IT Help Desk at a large organization who does not offer home network support “officially” but often is required to support an executive wanting to connect his/her company owned asset to their home network, these calls are extremely expensive! Further, security and virus threats far outweigh an $11k savings. Who is going to be responsible for ensuring these “home” computers have up to date antivirus, spyware, security patches, etc. in order to provide the least threat to the organization? Cannot be effectively policed… Crazy plan!

    • #3195384

      Why VPN

      by michael professional ·

      In reply to Pro’s and Con’s of VPN at home for Employees.

      I work for a large company and we can via the Internet print out our pay stubs as we wish. As far as I know having them mailed isn’t an option I have nor do I care to have them mailed to me.

      Having said that, I simply don’t understand the need for providing VPNs to every employee. Let them use the Internet to get the information. Sounds like the Sheriff’s Dept hasn’t done a good business case including ROI.

    • #3195331

      11,000 in savings but how much more for the county

      by rrosca ·

      In reply to Pro’s and Con’s of VPN at home for Employees.

      I’m willing to bet that the $11,000 the police department will save will cost the county more than ten times as much if they will support VPN access for something like 1500 people. Not all of these people will use it but even if only one third do, it’s still an expensive proposition.

      I’d run this by the county administrator.

      On the other hand…if this goes through you’ll never be laid off 🙂

    • #3195254

      No VPN from non-managed PC’s

      by mfitch ·

      In reply to Pro’s and Con’s of VPN at home for Employees.

      Our policy is NO VPN installed on PC’s unless the company manages (ie. locks thoroughly) the computer. The implication of us locking the machine is Johnny has no AOL access, no file sharing services, etc.

      When a VPN tunnel is established between a remote computer and the VPN network, any ‘malware’ on the home computer can pass thru the VPN to the internal network. Unless you turn off split tunneling, you can still have an open connection to the untrusted/unprotected Internet, and a link in to the trusted network; the potential is an outside threat can use the remote machine as a gateway into the trusted network.

      One design alternative I can accept as reasonably secure has been suggested already: an SSL VPN appliance on a DMZ, coupled with a WTS/metaframe server on the internal network. One solution I use has a java client that installs from the SSL VPN, eliminating the need to load and support ‘fat’ VPN clients on machines in an unknown state. The SSL VPN then proxies to an internal WTS server, and the home machine never physically touches your secure internal network.

      There are some cases when a really corrupt machine or IE browser won’t properly launch the SSL VPN; how you handle that support is a matter of conscience, we suggest they get in touch w/their PC’s manufacturer or outside support service to get the machine to a working baseline.

      The one vulnerability remaining is the disclosure of ids/passwords thru malicious programs on the home computer (i.e. many trojans capture keystrokes and forward back over the Internet). 2-factor authentication such as single-use password tokens will reduce that vulnerability/threat.

      When you add this all up, you have spent more than the $11k in savings, but implemented a solution that can provide further remote access functionality. It will, however, be cheaper and more secure than supporting VPN software on these unknown home machines.

      • #3195206

        Prove the Problem with a Pilot; Expose the Risk

        by wiredlessmvp ·

        In reply to No VPN from non-managed PC’s

        Someone else has already said that this is likely a political decision. With 1500 potential users, it simply can’t be about $11K /yr. This is masked as a budget merit badge or positioning by the department to have a good “definitions” battle with the county IT group or something that only egos know.

        A) another legal perspective / approach
        B) piloting it if you know it’s a “done deal”.

        If you can push back, push back with legal arguments. Having a position that interfaces regularly with our county’s IT group and with the county executives, I have found that the one argument that a county executive listens to quickly is the argument of lawsuits.

        I believe it’s worthwhile to get an appointment with the county’s legal experts. Ask them: if you extend the county network into a home or into another piece of equipment, is that property subject to subpoena and can the information on the equipment (by nexus) be viewed for “public information”…. ( the Freedom of Information Act may also play a part in the legal ramifications). How does that stack up against a person’s right to privacy? The Sheriff’s department wants access to personal PCs because…..? Because the PCs would be considered a part of the network, to some degree, could it not be argued that for security purposes, network traffic be monitored? With that monitoring, how can objectionable sites / traffic be managed, or confronted? All sorts of questions about appropriateness come up, questions that will get more personal in the next few years. Your question proves it.

        You may not win the political battle unless you give those fighting it a graceful way out, a non-confrontational way to test assumptions and the ability to buy the time needed to do the first two. I recommend you recommend a pilot.

        Find a sampling of easy-to-support users, helpdesk addicts and one exec of the exec staff that is for the proposal as it now stands. I’d also invite someone at the county IT group to be an advisor (hey, you need their expertise somewhere in the workflow: get them in early to see their point of view). Set it up and run it for x pay-periods with the intent of guaranteeing a solid up-to-date security manual /policy. With an objective of delivering the policy, you have the freedom to expose the risks..a) If you must move ahead, pilot it..and costs tied to the risks. By demonstrating the extensions of support needed to manage devices and software, by highlighting configuration stumbling blocks (an SLA nightmare), by illustrating the good, the bad and the ugly before a full blown implementation puts reputations at risk, a pilot gives you opportunities to document total cost of management.
