Hi guys,

I was wondering what others are doing when individuals bring in their personal laptops to the corporate network.  Personally I would like to prevent this altogether, but we also provide users with VPN access and so those that simply bring their laptops in think what is the difference between connecting to the corporate network and going in through VPN.  I'm faced with a double-edged sword so I was wondering if there were any opinions on this topic.

Thanks for your help!

Hi,

You can allow staff to use VPN but create different groups and control what each group can access.

Home Users - Use their own laptop but get least access. Restrict access to specific IP address and ports that you know wont allow worms or virus to spread to your network.

Remote office users - Use the office provided laptop have all your end point protection and AV software running. Get more access since these laptops are controlled by you. However they should not be given full access. I would still restrict these to specific resources only.

If your VPN server supports you can also enforce or do a sanity check before allowing clients to connect. Also its important to have a policy (check SANS) for remote access.

Think of plugging in a PC or laptop that is infected or pwned into your corporate network. What risks do you see of doing this? This will help you build your case.

Cheers

The policy we apply is only company owned and managed systems are allowed to connect to the network. Anything else is a breaks of company policy and is dealt with by official channels.

For VPN software, the VPN client is only installed on the company laptops. We don't allow the software to be installed on personal machines.
Yes, they could get a copy of the VPN software, but without a certificate issue from our internal CA, they won't be able to make a connection. Look for a stronger method of authentication if your current solution is simple PPTP or a shared secret.

Without know why home users need to VPN to your network, I can only offer general advice :-)

I'd change your policy to company only managed machines to have access via VPN and look to offer web services for causal use. OWA is a great example of allowing staff to stay connected, as email is one of the top must have access requirements. No VPN required.

To help with remove VPN from home machines and stop personal machines being added to the network, show the cost of:

A) clean up a virus/worm outbreak on the LAN from a home system
b) The cost of installing and managing NAP/NAC
c) The cost of employing extra staff to manage and support 20 new types of computers
d) The addition cost of supporting all the calls on staff with VPN problems on their home machines
e) The cost of having company data saved to employees' personal machines and the company and never being able to get it back or delete it when they leave.

Money and unnecessary expenditure tends to get management attention to change poor policies.

Thanks for all the suggestions and tips...  In our case, we're a smaller company and it's usually about a handful of individuals (including an upper mgmt user) particularly engineers that use their personal laptops.  They complain that the systems that are company provided are too slow for their needs and get much more done with their own computers.  I'm definately going to take your advise to see if something can be done to enhance security.  Thanks again.

I really like NAP idea and will do some investigating - thank you.  I hope it doesn't require us to be full 2008 Domain Controllers as we still have some mixed (older systems) of 2003 and we're trying to get rid of the last few 2000 servers.