
Policy for personal laptops at work

<<

tux633k

Newbie

Posts: 9

Joined: Sat Apr 10, 2010 9:50 pm

Post Thu May 20, 2010 3:42 pm

Policy for personal laptops at work

Hi guys,

I was wondering what others are doing when individuals bring in their personal laptops to the corporate network.  Personally I would like to prevent this altogether, but we also provide users with VPN access and so those that simply bring their laptops in think what is the difference between connecting to the corporate network and going in through VPN.  I'm faced with a double-edged sword so I was wondering if there were any opinions on this topic.

Thanks for your help!
CEH, MCP, CSCS, CHP
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu May 20, 2010 4:34 pm

Re: Policy for personal laptops at work

You should ideally get management to formally disallow that in your information security policies. If you have a problem with users disobeying policies, you could look at NAC, 802.1x, etc.

VPN access is best used only on corporate laptops that you have control over. You're right that there's not much difference between bringing in random machines and allowing random machines to establish VPN connections. Although, this can obviously vary quite a bit based on how you're implementing VLANs, DMZs, ACLs, etc.
The day you stop learning is the day you start becoming obsolete.
<<

sachitre

Newbie

Posts: 22

Joined: Sat Jan 09, 2010 7:55 am

Post Thu May 20, 2010 8:07 pm

Re: Policy for personal laptops at work

Hi,

You can allow staff to use VPN but create different groups and control what each group can access.

Home Users - Use their own laptop but get least access. Restrict access to specific IP addresses and ports that you know won't allow worms or viruses to spread to your network.

Remote office users - Use the office-provided laptop and have all your endpoint protection and AV software running. Get more access since these laptops are controlled by you. However, they should not be given full access. I would still restrict these to specific resources only.

If your VPN server supports it, you can also enforce or do a sanity check before allowing clients to connect. Also, it's important to have a policy (check SANS) for remote access.

Think of plugging in a PC or laptop that is infected or pwned into your corporate network. What risks do you see of doing this? This will help you build your case.

Cheers
CISSP, GPEN, CCNA
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu May 20, 2010 9:21 pm

Re: Policy for personal laptops at work

My experience with this is that management is the biggest policy violator when it comes to personal equipment in the office. 
~~~~~~~~~~~~~~
Ketchup
<<

What90

Full Member

Posts: 120

Joined: Sat Jun 09, 2007 2:23 am

Location: Sydney, Australia

Post Fri May 21, 2010 8:38 pm

Re: Policy for personal laptops at work

The policy we apply is that only company-owned and managed systems are allowed to connect to the network. Anything else is a breach of company policy and is dealt with by official channels.

For VPN software, the VPN client is only installed on the company laptops. We don't allow the software to be installed on personal machines.
Yes, they could get a copy of the VPN software, but without a certificate issued from our internal CA, they won't be able to make a connection. Look for a stronger method of authentication if your current solution is simple PPTP or a shared secret.

Without knowing why home users need to VPN to your network, I can only offer general advice :-)

I'd change your policy so that only company-managed machines have access via VPN and look to offer web services for casual use. OWA is a great example of allowing staff to stay connected, as email is one of the top must-have access requirements. No VPN required.

To help with removing VPN from home machines and stopping personal machines being added to the network, show the cost of:

a) Cleaning up a virus/worm outbreak on the LAN from a home system
b) The cost of installing and managing NAP/NAC
c) The cost of employing extra staff to manage and support 20 new types of computers
d) The additional cost of supporting all the calls on staff with VPN problems on their home machines
e) The cost of having company data saved to employees' personal machines and the company never being able to get it back or delete it when they leave.

Money and unnecessary expenditure tends to get management attention to change poor policies.
<<

kennut

Newbie

Posts: 46

Joined: Thu Apr 16, 2009 10:41 pm

Post Wed May 26, 2010 10:51 pm

Re: Policy for personal laptops at work

I'm actually more concerned about the software that is installed on their machines. I had a case when I did the audit for a client; they have an employee notebook scheme (deducted from their salary over a period of time). Funny thing is the management allowed them to use either licensed Win XP or not. So if you use original Win XP, you pay more. Imagine 250 notebooks used in the company for "business purposes", with the majority using bootlegged XP and Office 2007.

We highlighted this to the management as a key concern (the company was listed), so they ended up buying original XP licenses, and some use free Open Office instead.

So better keep that in mind.
Done all 3 certs, now going for CISSP.....
<<

tux633k

Newbie

Posts: 9

Joined: Sat Apr 10, 2010 9:50 pm

Post Wed Jun 02, 2010 4:50 pm

Re: Policy for personal laptops at work

Thanks for all the suggestions and tips... In our case, we're a smaller company and it's usually about a handful of individuals (including an upper mgmt user), particularly engineers, that use their personal laptops. They complain that the systems that are company provided are too slow for their needs and get much more done with their own computers. I'm definitely going to take your advice to see if something can be done to enhance security. Thanks again.
CEH, MCP, CSCS, CHP
<<

yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Thu Jun 03, 2010 8:21 am

Re: Policy for personal laptops at work

If you're a Microsoft shop, you could investigate Network Access Protection (NAP) in Windows Server 2008.  Basically it will not allow any computer on the network until it passes tests which could be presence of antivirus, installed patches, etc.

I've seen this in use especially in college campuses, but also companies that have lots of guest access.
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
<<

tux633k

Newbie

Posts: 9

Joined: Sat Apr 10, 2010 9:50 pm

Post Wed Jun 30, 2010 7:20 pm

Re: Policy for personal laptops at work

I really like the NAP idea and will do some investigating - thank you. I hope it doesn't require us to be full 2008 Domain Controllers as we still have some mixed (older systems) of 2003 and we're trying to get rid of the last few 2000 servers.
CEH, MCP, CSCS, CHP
