May 20, 2010 at 8:42 pm #5080
I was wondering what others are doing when individuals bring in their personal laptops to the corporate network. Personally I would like to prevent this altogether, but we also provide users with VPN access and so those that simply bring their laptops in think what is the difference between connecting to the corporate network and going in through VPN. I’m faced with a double-edged sword so I was wondering if there were any opinions on this topic.
Thanks for your help!
May 20, 2010 at 9:34 pm #32242 dynamik (Participant)
You should ideally get management to formally disallow that in your information security policies. If you have a problem with users disobeying policies, you could look at NAC, 802.1x, etc.
VPN access is best used only on corporate laptops that you have control over. You’re right that there’s not much difference between bringing in random machines and allowing random machines to establish VPN connections. Although, this can obviously vary quite a bit based on how you’re implementing VLANs, DMZs, ACLs, etc.
May 21, 2010 at 1:07 am #32243 salil (Participant)
You can allow staff to use VPN but create different groups and control what each group can access.
Home users – Use their own laptop but get the least access. Restrict access to specific IP addresses and ports that you know won't allow worms or viruses to spread to your network.
Remote office users – Use the office-provided laptop with all your endpoint protection and AV software running. They get more access since these laptops are controlled by you. However, they should not be given full access. I would still restrict these to specific resources only.
If your VPN server supports it, you can also enforce or do a sanity check before allowing clients to connect. Also, it's important to have a policy (check SANS) for remote access.
Think of plugging in a PC or laptop that is infected or pwned into your corporate network. What risks do you see of doing this? This will help you build your case.
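The two-group VPN access model described above, written out as an added example (not code from the forum post): a default-deny policy evaluator in which the home-user group reaches only the HTTPS front-ends while managed laptops get more, but still not the whole LAN. All networks, ports and group names are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Dict, List, Tuple


@dataclass
class Rule:
    network: IPv4Network
    ports: frozenset  # empty frozenset means any port on that network


@dataclass
class GroupPolicy:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def allows(self, dst: str, port: int) -> bool:
        """True only if some rule matches both destination and port."""
        addr = ip_address(dst)
        return any(addr in r.network and (not r.ports or port in r.ports)
                   for r in self.rules)


# Constructed sample policy. Personal (home-user) machines only reach the
# web/mail front-ends over 443; SMB (445) and RDP (3389), the usual worm and
# lateral-movement ports, are deliberately absent from their allow list.
POLICIES: Dict[str, GroupPolicy] = {
    "home-users": GroupPolicy("home-users", [
        Rule(ip_network("10.10.5.0/24"), frozenset({443})),   # OWA / intranet
    ]),
    "remote-office": GroupPolicy("remote-office", [
        Rule(ip_network("10.10.5.0/24"), frozenset({443})),
        Rule(ip_network("10.10.20.0/24"), frozenset({445, 3389})),  # file/RDP
        Rule(ip_network("10.10.30.0/24"), frozenset()),             # app servers
    ]),
}


def check_access(group: str, dst: str, port: int) -> Tuple[bool, str]:
    """Default deny: unknown groups and unmatched traffic are refused."""
    policy = POLICIES.get(group)
    if policy is None:
        return False, f"unknown VPN group {group!r}"
    if policy.allows(dst, port):
        return True, f"{group} may reach {dst}:{port}"
    return False, f"{group} denied {dst}:{port} (not in allow list)"
```

The same table can be turned into firewall or VPN-concentrator rules; the point is that the decision is per group and defaults to deny.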
May 21, 2010 at 2:21 am #32244 Ketchup (Participant)
My experience with this is that management is the biggest policy violator when it comes to personal equipment in the office.
May 22, 2010 at 1:38 am #32245 What90 (Participant)
The policy we apply is that only company-owned and managed systems are allowed to connect to the network. Anything else is a breach of company policy and is dealt with by official channels.
For VPN software, the VPN client is only installed on the company laptops. We don’t allow the software to be installed on personal machines.
Yes, they could get a copy of the VPN software, but without a certificate issued from our internal CA, they won't be able to make a connection. Look for a stronger method of authentication if your current solution is simple PPTP or a shared secret.
Without knowing why home users need to VPN to your network, I can only offer general advice 🙂
I'd change your policy so that only company-managed machines have access via VPN, and look to offer web services for casual use. OWA is a great example of allowing staff to stay connected, as email is one of the top must-have access requirements. No VPN required.
To help with removing VPN from home machines and stopping personal machines being added to the network, show the cost of:
a) cleaning up a virus/worm outbreak on the LAN from a home system
b) installing and managing NAP/NAC
c) employing extra staff to manage and support 20 new types of computers
d) the additional cost of supporting all the calls from staff with VPN problems on their home machines
e) having company data saved to employees' personal machines and the company never being able to get it back or delete it when they leave.
Money and unnecessary expenditure tend to get management's attention to change poor policies.
May 27, 2010 at 3:51 am #32246 kennut (Participant)
I'm actually more concerned about the software that is installed on their machines. I had a case when I did an audit for a client: they had an employee notebook scheme (deducted from their salary over a period of time). The funny thing is that management allowed them to use either licensed Win XP or not. So if you use original Win XP, you pay more. Imagine 250 notebooks used in the company for "business purposes", with the majority using bootlegged XP and Office 2007.
We highlighted this to the management as a key concern (the company was listed), so they ended up buying original XP licenses and some use free OpenOffice instead.
So better keep that in mind.
June 2, 2010 at 9:50 pm #32247
Thanks for all the suggestions and tips… In our case, we're a smaller company and it's usually about a handful of individuals (including an upper mgmt user), particularly engineers, that use their personal laptops. They complain that the company-provided systems are too slow for their needs and that they get much more done with their own computers. I'm definitely going to take your advice to see if something can be done to enhance security. Thanks again.
June 3, 2010 at 1:21 pm #32248 yatz (Participant)
If you’re a Microsoft shop, you could investigate Network Access Protection (NAP) in Windows Server 2008. Basically it will not allow any computer on the network until it passes tests which could be presence of antivirus, installed patches, etc.
I've seen this in use especially on college campuses, but also at companies that have lots of guest access.
July 1, 2010 at 12:20 am #32249
I really like NAP idea and will do some investigating – thank you. I hope it doesn’t require us to be full 2008 Domain Controllers as we still have some mixed (older systems) of 2003 and we’re trying to get rid of the last few 2000 servers.