Remote Access Policies
Samalie writes "My company is considering implementing a formal remote access policy (and agreement for staff to sign) for users who access our network from home via VPN. Does anyone out there have any suggestions as to what this policy/agreement should contain? Anyone have their own corporate policy that I can borrow from? This is the first time I've come across anyone wanting a formal policy for this & online searches haven't been very helpful."
Did you even look at SANS?
The templates provided by SANS are a good place to start:
All of them are here:
http://www.sans.org/resources/policies/
Here's the remote access policy example:
http://www.sans.org/resources/policies/Remote_Access_Policy.pdf [PDF]
A link to the SANS Institute example for a Remote Access Policy doc (PDF format):
http://www.sans.org/resources/policies/Remote_Access_Policy.pdf
This is the first time I've come across anyone wanting a formal policy for this & online searches haven't been very helpful.
It looks like there's a trend going on; most of the last few Ask Slashdot articles seem to be written by people who can't be bothered to do a little work.
"We'll need 2000 crickets, 4 cans of Easy Cheese, and the fluid from 18 glowsticks for this plan to work...." - ph0n1c
above what you should already have for them to use a computer.
Seriously. It's all going to be the same stuff. What makes people think behavior will be different depending on which keyboard they happen to be behind.
You could make a VPN boot disk.
This way you can separate what is on their machine from the VPN instance. Requires no brain power to use. Boots up, big VPN icon. Click, enter password, good to go.
Obviously, encrypt it.
The Dunning-Kruger explains most posts on
KISS principle: just say the VPN should only be used as you'd use the connection at work. (Keep it work-related, no excessive personal utilisation. No pr0n or illegal material. Don't forward the connection in any way - including web proxies and Tor. Keep your security software up to date. Take reasonable measures to ensure private keys, passwords and other security devices are not lost. Report any potential breaches immediately.)
What rules do you want to set up? What do you want to allow and disallow of your users / employees?
Figure this out, write it down, get a lawyer to look at it, and you're done.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
We require all users with remote access to use corporate laptops that are locked down. You cannot connect your personal computer via vpn. Also there is the standard "treat it as if you were sitting at your desk, all rules regulations etc. still apply."
Either give people laptops or give them a way to do what they need to do on servers you control.
This can be a web-based front-end to the applications they use, an ftp site so they can up/download files and edit them on their home computer, or even something like Windows Terminal Services or Citrix.
If your company is enlightened enough to not use Microsoft, there are even more options available.
If you allow people to remote login, you need to make very sure that not only is the VPN tunnel secure against attacks, but that their machine can't do anything hostile to your LAN in case their password is compromised. Of course, you should be doing that anyways but many companies don't treat computers in the network as "presumed hostile" to every other device on the network. You should always do that, but If you are going to allow remote login it's even more important.
As a bonus, if you put most of your business-critical applications on a server you control, it's easier to make sure data gets backed up and you can usually get away with a longer computer-replacement cycle or buy slightly cheaper computers when you do replace them. Of course, you'll pay more for server costs and you'll need more expertise in your IT dept. to manage it, but in many shops this is worth it.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
(1) Inform: apart from the little "purpose" bit, the SANS doc does not do much.
(2) A legal rope to hang a user with. What most of the SANS doc is.
Folks, nobody reads a document like this. They will lose interest after the first few lines then either skip to the signing bit or throw it away.
Real security comes from informing the user, not from baffling and swamping them with techno-legal bs.
If you want real security, then clearly explain the issues.
Engineering is the art of compromise.
The last few companies I've worked for make it mandatory for new employees to sign an AUP (Acceptable Use Policy). Sorta like a blanket coverage for all IT services, including networks usage. Depending on how large the company you're working for, you might be able to convince your HR to get all the existing employees to sign, too. That way you can avoid getting the employees to sign another document/agreement if you should implement new IT services.
my company requires the following
1. A specific virus scanner (Norton AV, yuck)
2. A specific Firewall with company preset settings (blackice is what it used to be called its something else now)
3. We are assigned an RSA SecurID FOB which my manager must periodically re-confirm that I am authorized to use (like once a year)
basically it is a Huge pain only slightly offset by the convenience
Before putting too much effort into this policy thing... Can I ask you one question: What's management going to do if someone breaks it? The majority of security policies only exist for two reasons -- to fire anyone who questions them and make management feel safe in having "done something to solve the problem". It's rather like expecting a terrorist to care that his car bomb is taking up two parking spaces... If this is management's only goal, just write some boiler-plate, broadly generalized piece that sounds really great but doesn't give any technical guidance. As a bonus, it'll never have to be updated after that, saving countless hours that would otherwise be spent securing the network.
Note: This post contains 30% recycled sarcasm.
#fuckbeta #iamslashdot #dicemustdie
I find that whatever the user signs, it always gets broken one time or another. That is why I use - whenever possible - system policies instead of making them sign anything. If they can't do what you don't want them to do, it ought to be more reliable.
The main idea is: restrict their remote access to what they really need. Some purist will reply 'oh yeah, but even if you do that, there's a way around for such and such reason.' or that it will become too restrictive. My answer: adapt to your user needs without letting it be the Wild Wild West.
Maybe both signing an agreement AND enforcing policies is the best way to go.
Here's a few things that are different and need to be considered when working from home. These are all things that I've been thinking about a lot for our company and, in my opinion, are very real issues for any company:
1) Local shortcuts on your PC with saved passwords to work resources (eg, VPN connection details, saved passwords in web browser to access work webmail/intranets, etc)
2) Log files for work-related chat - MSN, IRC, etc can sometimes contain confidential details.
3) Work documents and other files.
You can't just say you don't need a policy other than some vague notion of basic computer knowledge. Most people wouldn't think twice about downloading an important document and putting it on their computer at home.
The two obvious risks that might lead to information leakage are a) their computer is compromised b) their computer is stolen. It's just a standard risk management exercise from here on in.
No Windows allowed unless on a company owned machine with absolutely no privileges and a hardcore resident anti-malware tool running. If possible disable IE & Outlook too. If user is accessing via wifi require WPA2 encryption. Otherwise your users are gonna get you infected with their home Limewiring habits or at least have their login info stolen by a keylogger
"A truly wise man realizes he knows nothing."
So what do your users do with VPN access? Access your network, yeah... then what? Email? Web access? You should already have AUPs for all of that, and access to those services via VPN is no different than if they're connected in the office.
What you may be looking for is controlling the access, i.e. firewalls and virus scanners etc. If that's important, set up two-tier access:
1. For users who have a laptop, put the access controls there, and make them only access the VPN via their company provided and controlled laptop. Then you set up the controls (firewall, virus scan, etc.) once and they apply whether they are directly connected or VPN'd in.
2. For users who don't have a laptop, set up a remote desktop-type system where they use a web browser to access the remote desktop with SecurID.
3. And I almost hate to mention this, but if most of your users are only accessing e-mail, think about setting up a Blackberry server. Sorry. Got my flame-retardant suit on. :)
-- "In order to have power, I must be taken seriously." -Mojo Jojo
Did an executive really just say, "I think we should have a formal policy"? Don't create bureaucracy and policy just for the sake of having bureaucracy and policy (making management look busy). Build your policy on the demands of your organization, and formalize it when it's necessary to do so.
That being said, if your business doesn't deal much with sensitive data, you could get by with allowing personal computers, with up-to-date anti-virus software (maybe the company can pay for AV software for home computers). If you do deal with sensitive data, I would recommend issuing laptops to employees that need to work from home, and only allow VPN from those systems. Use certificates.
Only corporate laptops get to connect to the VPN. Period. No exceptions.
Laptops aren't much more expensive than desktops these days, so it's pretty easy to get a user that has a demonstrated need for remote access a laptop. That way I still have control and they get access to the network.
Other than that, the standard AUP is extended to encompass the corporate PC, whether it's in the office or remoting in.
This is a sig. It is like every other sig in the world, except that it is mine, and it is different.
Unless, of course, you work for a porn company. Then porn away.
Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)
http://www.lawrenceperson.com/
A formal agreement is just window dressing. You need to make sure you have controls in place to properly approve access, periodically review access to ensure appropriateness, and remove it in a timely fashion for terminated employees.
12:50 - press return.
They are generic reference documents to use as a guide not as a final product. Even the guy who wrote the Remote Access policy for SANS thinks it's a joke.
People who bite the hand that feeds them usually lick the boot that kicks them
Our company restricts access to users that are using company notebooks to access the system. There is no way we would let something on our network that we don't manage.
Ground rules.
The computer, as provided by (name of employer), is the sole property of (name of employer).
All use of this computer is subject to monitoring, logging and review by (name of employer)'s IT department.
No modifications of any kind may be made to (name of employer)'s computer by the employee.
VPN Rules..
#1 Only computers provided by (name of employer) (with appropriate user restrictions, group policies, security software, etc...) are allowed to connect via VPN.
#2 Only computers provided by (name of employer) may be connected to the network used for VPN access, at the time of VPN access.
ie - home/personal computers must be disconnected before connecting the work computer - unless the work computer is on a completely separated / isolated network from the home / personal computers.
#3 Any personal use of work computer will result in loss of VPN privilege on first offense, no exceptions.
Who is general failure, and why is he reading my hard drive?
Take a minute to peruse through the Federal Financial Institutions Examination Council IT Handbook at http://www.ffiec.gov/ffiecinfobase/html_pages/infosec_book_frame.htm There's a section on remote access. NOTE: this is for financial institutions, and the information therein may or may not be relevant to your particular organization. But there is some helpful information within.
My workplace has an interesting method of providing employees with access to the on site materials from home. They use a USB key that holds the encryption key to access the logon servers remotely. Once logged in, users are tracked as they normally would be and all normal CODE OF CONDUCT rules apply. All of our Internet and e-mail traffic is monitored by security anyways, so there is little fear that an offsite user would abuse the privilege.
no, you don't have anything to add to the policy...
you're a system administrator, not a lawyer, or a board director, or an hr manager, or anything else so you don't know what the company needs. you just know how to enforce their policy and keep systems patched and secure. nothing to see here, move along.
Good people go to bed earlier.
The policy should state that if the company wants employees to work from home, the company will provide a VPN, otherwise the employees will only work during work hours.
1. If you connect to the VPN and place your own machine's IP onto our network... we will kill you.
Signing below indicates that you have read the policy in question and agree to adhere to it.
Mainly your legal counsel's advice. If you can't afford that, don't bother - you couldn't afford to make your policy stick when it counted, either.
That is all.
Provide VPN access, but limit them to only remote-desktopping into their current work desktop... then they are stuck with the restrictions, mappings, proxies, policies and resources they are usually allowed and have been signed off on. This is what we do to our "normal" vpn users. Also, Juniper Networks provides a nice sslvpn via web interface for those not able to handle a vpn client that this setup works wonders for...
Walk with Music;
What an incredibly totalitarian policy you propose. Someone does a web search to find directions to a restaurant on a work computer, and you can them? Glad I don't work from your company. In real life, a certain amount of personal use gets mixed in with the work use, and a successful company will judge its employees based on whether they get the job done.
...web-based solution is provided for personal computers. only company laptops are allowed to VPN.
I don't have a formal policy, but I work with students on data that falls under privacy laws.
What we tell them is:
- Access from one computer only and that has to be specially secured
-- Linux: Keep installation current, close all ports for incoming data, web-surfing only with current Firefox or Opera and limited to what is absolutely necessary for their work.
-- Windows: In addition a current anti-virus software. Discouraged.
- We provide a computer for the VPN/SSH access for the thesis duration for the secured installation and even a second one for ordinary work, if they do not have one.
- We warn them that loss of data would possibly be a criminal offense on their part (privacy laws) and that they need to be very careful.
If you are really paranoid, give your users that second computer, or alternatively a CD-system created/modified by you for the remote access, and make using that mandatory. I think you will find that formal agreements carry little impact, as negligence is always relative to the competence level of the person acting. Better to secure the access and not rely on legal stuff. If you require a specific installation for remote access, everybody not using it is doing something contrary to agreement regardless of competence level. You could even hardcode the VPN keys on a boot-CD (e.g. a modified Knoppix) to make it hard to circumvent this "remote Terminal" set-up.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
My company is so paranoid about unauthorized file transfers that they have discontinued VPN and only allow Citrix. The Citrix configuration is setup so that it will not permit saving to the local computer's hard drive. On one hand, it lessens some risks that could occur if your personal computer was connected by VPN. On the other hand, it makes for a lot of email traffic as people send themselves files so they can work on them outside of Citrix.
--
Luck is just skill you didn't know you had.
#1 Keep the VPN use work related. Follow the same network policies as if in the workplace.
#2 Scan the home PC on a regular basis for malware. Last thing the company needs is trade secrets, password and login info, and email stolen by some hacker who happened to get a key logger trojan on the Home PC, and then sell them to the higher bidder or steal corporate bank and credit card accounts. That means keeping your Antivirus programs updated every day and scan for viruses at least three times a week.
#3 You are on the honor system. Work can only monitor your activities on the VPN network, but not your Home PC and the Internet being used by your home PC. Yes it is alright to check your local email on your home computer, but use common sense and don't spend a lot of time doing personal things on your home computer and home Internet connection. We'll notice it when the VPN activity stops for more than 15 minutes, and your work productivity drops on the VPN. Yes you can take two 15 minute breaks and lunch hour or half hour, but we'll really notice it when you do nothing on the VPN for hours. Either you are goofing off and doing personal things, or the connection is dead, but we can tell by pinging your home computer to test if the connection is dead and deduce you're wasting time.
#4 Keep all company email professional. Make effective use of company email and web sites and software. Don't use them and act like you do when you are posting Anonymous trolls on the Internet or your Myspace page.
#5 Do not access other users' accounts unless you are given permission by management for troubleshooting something or testing out software. We know that your profile might not have the same issues as a coworker, but only IT staff should be logging in as other employees' accounts only for testing purposes. Do not use an alias either on the VPN or create a fake account via a hack, but use the account and account name assigned to you.
#6 Do not save work data on your personal hard drive, instead store it on a server drive.
#7 Do not run cracking and/or hacking tools on the VPN, do not do any denial of service attacks over the VPN.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
You are thinking about the practical and security aspects, which is good and necessary. There are also very real legal issues to consider. The export restrictions pertaining to the remote location in question are one obvious example. Another biggie is the Fair Labor Standards Act. Be aware of your obligations here or you could find yourself in big trouble. I never give anyone VPN access unless it is approved by their direct supervisor, and I make sure that the supervisor is aware of their responsibility to comply with the FLSA.
The machines I login to cat the policy at the beginning of every session. I'll just send you my username and password and then you can read it for yourself.
We just implemented a policy on remote usage since we basically only allowed company laptops and PDAs to access remotely and even then it was an external firewalled connection.
now we are going to give out custom LiveCD's with VPN running IPSec. That way keyloggers, trojans, etc, can only be downloaded and run in session, simple as power off and gone again.
Plus boot up password, login password and vpn info just to connect. Also trying out a usb token key like RSA but a broker that does similar thing, runs a virtual environment and virtual keyboard to bypass keyloggers or screencapture. Never know what crap is on home PC's or laptops, even so called business ones!
The policy is simple, the IPsec key is with the VPN client, users cannot see it. So without it they cannot just copy the data and use vpn on another machine. Without it, no vpn remotely.
Corporate laptops only. These are the same laptops they use at their desk which are policy controlled, and kept updated and have current antivirus etc. Every home computer ever brought in to me to be looked at by an employee has been a virus/spyware ridden infestation. There are no exceptions to the rules allowed or the CXO's will be the first to break them.
Management is usually the first to break these rules, and in my experience, NOTHING happens to others that then break them. That's why you don't make exceptions for management either. First it will be them, and then someone who works directly for them with pull etc..
Gatekeepers are not supposed to be nice.
More beer == more access
Evaluated weekly.
I think you underestimate just how much I just dont care.
Based in Bethesda MD. They have many satellite offices as well as many individuals who telecommute some or all of the time. Since they deal with health care data they have to conform to HIPAA standards. They rely on their secure remote access system being available as much as possible. See if their IT department can share its policy statement.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
If you don't know what they should contain, then why are you making them?
"Hey guys, we don't have enough pointless paperwork. Any ideas on new things we could get people to sign?"
or else!
If you deal with any kind of personal medical information, you have to be HIPAA compliant as well, and their requirements are your requirements.
For those requirements go here http://www.cms.hhs.gov/EducationMaterials/Downloads/SecurityStandardsTechnicalSafeguards.pdf
I'm a happy pessimist. I expect and prepare for the worst, when it doesn't happen I am pleasantly surprised.
Any security policy that relies on employees voluntarily keeping to an agreement is doomed to fail. Either make it impossible to access in any way other than intended, or don't do it.
"Does anyone out there have any suggestions as to what this policy/agreement should contain?"
Easy, one line should do it: "Don't be a dick."
Bleh. You sound like the kind of admin I love to hate. Those policies are ludicrously restrictive. There's no point in even bothering in remote access if you're gonna cripple it like that.
I access my company's SVN repo from home by connecting to it using SSH and port forwarding. It works fine. You're too paranoid.
== Jez ==
Do you miss Firefox? Try Pale Moon.
1. If you connect to the VPN and place your own machine's IP onto our network.
Does that refer to Intellectual Property (e.g. pr0n) or an address??
Ubuntu is an African word meaning 'I can't configure Debian'
Ah, good old ice, it's good to see you once more :)
Using Ironkey, a secure USB device and MokaFive will give any company a level of security second to none. Ironkey is the most secure USB memory stick on the market. To gain access to the contents of an Ironkey the user must enter the password created for that device. It allows company admins to create security policies on what applications can run on their 1,2,4,8 gig memory sticks. With their new SilverBullet functionality if a key is lost/stolen the admin can remotely kill the memory stick the next time it connects to the internet. What happens if the user never connects to the internet again... well that's a policy item which can be set which requires the user to connect to the internet after some number of times of usage or the USB stick self destructs. MokaFive is a virtual desktop solution which uses VMware's virtual desktop to create "LivePCs". I use my 8 gig stick to run a Windows 2003 Small Business Server. The virtual desktops can be run on an Apple, Windows or Linux system. Changes to the virtual machine by company admins update the user's LivePC automatically. One of the features of MokaFive is the ability for the LivePC to automatically connect via a VPN without the user knowing the server IP, ID or password. These all get set by the MokaFive administrator. I set this up for a major electronics company for use by their sales people around the world.
I would recommend that your company actually provides securely configured wifi routers to its employees so that you don't risk that someone hijacks the private network and plays out a full Man-in-the-Middle attack.
From the dark, old days of the Internet when men were men, women were men, and children FBI agents
Excellent point. Too many people forget that effective communication includes actual message reception and their understanding of the message, not just the delivery.
In the end, life in IT is better if the users understand policies, procedures, etc. and thus can try to follow them (though nothing is guaranteed). Nothing wrong with creative approaches to making this happen.
And while some enjoy the vengeance, being able to hang personnel out to dry does nothing to alleviate the mess that still needs cleaned up.
One of the things that really scares IT shops about Remote access is the fact that they really can't control the systems at home (if they are not systems given to take home).
Since computers are pretty fast and Virtual Machine technology is pretty far along, try a custom VM image using VMware, Parallels, VirtualBox, etc and let users do work within that environment on their home systems.
"# LOG ! LOG ! LOG ! I find everything should be logged! Especially traffic going in/out the local network. Have a good log retention policy."
You will drown yourself in logs. The more you log, the more bad apples get through because you are flooded with data that is mostly useless.
"# ENFORCE strong passwords and change 'em when you feel fit."
If you change passwords, people will need to remember new ones. They won't and will write it down on a post-it. And then they will stick the post-it on the monitor for all to see.
Knowledge is power. Knowledge shared is power lost.
How about keeping it simple with "don't be evil"?
NIST SP800-114 provides a great guideline for teleworkers and remote access. Definitely a must read for providing a resource to your employees. http://csrc.nist.gov/publications/nistpubs/800-114/SP800-114.pdf
Confidentiality, Integrity, Availability: without Availability the other two are assured, as is Bankruptcy.
Part of the telecommuting rules for my work stipulates the wifi security measures required when connecting from home.
1) WPA secured connection
2) Disable SSID broadcast
3) Enable MAC filtering
A new one I would add after the WPA crack, disable TKIP and only use AES encryption.
Before I started working from home I actually had left my wifi open for neighbors.
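The three rules above (WPA, hidden SSID, MAC filtering) plus the follow-up about dropping TKIP for AES are checkable settings rather than promises. As an added example that is not from the post or any vendor, here is a small audit that reads a hostapd-style `key=value` config and reports which of those rules a home access point fails; the two configs are constructed samples, and the key names follow hostapd's options (`wpa`, `wpa_pairwise`/`rsn_pairwise`, `ignore_broadcast_ssid`, `macaddr_acl`), which is an assumption about the router being audited.

```python
"""Audit a hostapd-style access-point config against a teleworker wifi rule set.

Rules checked (from the post, plus the "AES only" follow-up):
  1. WPA2 is the only mode enabled (wpa=2)
  2. pairwise cipher is CCMP (AES) only, no TKIP
  3. SSID broadcast is disabled
  4. MAC filtering is in allow-list mode
"""

# Constructed sample: the kind of config a home router ships with.
WEAK_CONFIG = """\
interface=wlan0
ssid=HomeNet
wpa=1
wpa_pairwise=TKIP
ignore_broadcast_ssid=0
macaddr_acl=0
"""

# Constructed sample: the same AP after applying the rules.
HARDENED_CONFIG = """\
interface=wlan0
ssid=HomeNet
wpa=2
wpa_pairwise=CCMP
rsn_pairwise=CCMP
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
"""


def parse_config(text):
    """Parse key=value lines, ignoring blanks and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_wifi_config(text):
    """Return a list of rule violations (empty list means the config passes)."""
    s = parse_config(text)
    findings = []

    # Rule 1: hostapd's wpa= is a bitmask; 1 = WPA, 2 = WPA2/RSN, 3 = both.
    if s.get("wpa", "0") != "2":
        findings.append("wpa: WPA2 (wpa=2) is not the only mode enabled")

    # Rule 2: gather pairwise ciphers from both the WPA and RSN settings.
    ciphers = set()
    for key in ("wpa_pairwise", "rsn_pairwise"):
        ciphers.update(s.get(key, "").split())
    if "TKIP" in ciphers:
        findings.append("pairwise: TKIP is enabled; use CCMP (AES) only")
    if "CCMP" not in ciphers:
        findings.append("pairwise: CCMP (AES) is not enabled")

    # Rule 3: ignore_broadcast_ssid=1 hides the SSID from beacons.
    if s.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("ssid: broadcast is not disabled")

    # Rule 4: macaddr_acl=1 means deny unless the MAC is in the accept file.
    if s.get("macaddr_acl", "0") != "1":
        findings.append("acl: MAC filtering is not in allow-list mode")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_wifi_config(cfg) or "OK")
```

The weak config trips all five checks; the hardened one passes. Hidden SSIDs and MAC allow-lists are weak controls on their own (both are trivially observed by a passive listener), so the cipher and mode checks carry the real weight here; the audit simply reports all four because the rule set asks for all four.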
If you go the route whereby you issue everyone with a laptop and install a VPN client on the laptop, then I would also prevent the use of the VPN client when the user is in the office to call outward.
I would not want to think of my office network being bridged to another LAN over a tunnel created from the inside. It's especially fun to bash Microsoft here, but windows PCs will find gaps in the network and merrily bond with anything it can connect to by any method. It's like having a swinger installed on your PC.
Nullius in verba
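The condition the post wants to avoid is concrete: a tunnel interface is up on a machine that is also directly attached to an office subnet, so the office LAN is reachable over a tunnel created from inside. As an added example, not from the post, here is a check a laptop agent or VPN client wrapper could run before allowing the tunnel to stay up. It parses Linux `ip route` style output; the corporate range `10.10.0.0/16`, the tunnel interface names, and both route tables are constructed assumptions.

```python
"""Flag a VPN tunnel brought up from inside the office network.

Reads Linux `ip route` style output (constructed samples below) and reports any
directly connected, non-tunnel route that falls inside the corporate address
space while a tunnel interface also has routes.
"""
import ipaddress
import re

# Assumed office address space and assumed tunnel interface names.
CORP_SUBNETS = [ipaddress.ip_network("10.10.0.0/16")]
VPN_IFACES = {"tun0", "tap0", "ppp0"}

# Constructed: a laptop docked in the office that also started its VPN client.
OFFICE_ROUTES = """\
default via 10.10.5.1 dev eth0
10.10.0.0/16 dev tun0 proto static scope link
10.10.5.0/24 dev eth0 proto kernel scope link src 10.10.5.23
"""

# Constructed: the same laptop at home on a private wifi range.
HOME_ROUTES = """\
default via 192.168.1.1 dev wlan0
10.10.0.0/16 dev tun0 proto static scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

# "<prefix> [via <gw>] dev <iface> ..." ; "default" stands for 0.0.0.0/0
ROUTE_RE = re.compile(r"^(\S+)(?:\s+via\s+\S+)?\s+dev\s+(\S+)")


def parse_routes(text):
    """Return a list of (network, interface) pairs from `ip route` output."""
    entries = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        prefix, iface = m.groups()
        if prefix == "default":
            prefix = "0.0.0.0/0"
        entries.append((ipaddress.ip_network(prefix, strict=False), iface))
    return entries


def tunnel_from_inside(route_text, corp_subnets=CORP_SUBNETS, vpn_ifaces=VPN_IFACES):
    """Return [(prefix, iface), ...] for directly attached corporate subnets
    present while a tunnel is up; an empty list means the posture is fine."""
    routes = parse_routes(route_text)
    tunnel_up = any(iface in vpn_ifaces for _, iface in routes)
    if not tunnel_up:
        return []
    offenders = []
    for net, iface in routes:
        if iface in vpn_ifaces or net.prefixlen == 0:
            continue  # skip the tunnel's own routes and the default route
        if any(net.subnet_of(corp) for corp in corp_subnets):
            offenders.append((str(net), iface))
    return offenders


if __name__ == "__main__":
    print("office:", tunnel_from_inside(OFFICE_ROUTES))
    print("home:  ", tunnel_from_inside(HOME_ROUTES))
```

A client-side check like this is only a tripwire; the enforcement the post asks for belongs on the VPN concentrator (refuse sessions whose source address is already inside the office ranges) and on the laptop's host firewall, so that a bridged interface has nowhere to forward to.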
1. VPN connections are not to be used for transmission of data deemed insecure by our Global Security department. This includes protocols such as: telnet, pop, smtp, ssh, rsync, IM, http, https, pops, spop, ftp, tftp, netbios, smb, dns, ntp, vnc, rdp.
2. VPN connections should not utilize any ports from 0-1023. Communication on these ports is forbidden.
3. VPN connections should not use dynamic ports in the 49152-65535 range. These confuse our IDS system.
4. VPN connections are allowed on approved registered ports in the 1024-49151 range as long as they do not include any of the protocols listed in #1. The company reserves the rights to ports 1024-20056, 30022-40085, 19872-28029, 31082-62892, 25010-30023, and 50000-65534. The rest may be used by the user for all of your communication needs.
Note: We have made it easy to request a new port registration. First VPN into the corporate network then either send an email to newport@company.com with the requested port in the subject line and justification in the message part, or use our new secure web interface off the company portal. Just click on the Easy to do Business With section and then click on New Port.
At our place (consulting shop, mostly laptops) we used to have a common "lock-down" policy in place. Read: Don't install anything not approved. If you happen to enjoy it you are breaking the rules. Unfortunately due to the nature of our business this is counter-productive. No choice - nothing gets done. Projects/clients have requirements that are simply ignored by central IT. So there was a constant bending of the rules. It also falls short of malware. Nobody installs "evil software" on purpose. And virus scanners are not a viable protection against root-kits. We have turned this upside down. You can use whatever. Macs, PCs. You can use whatever software. BUT you have to make sure that some best practices are being followed. Of course you have to run firewall and that (we provide these). You have to follow US-CERT alerts (everyone gets those through mail). Install all patches that are required for _your_ kit. If in doubt, talk to central IT. If an employee is willing to "sign" this he/she gets almost carte blanche. Otherwise you will be stuck with office and Solitaire. Guess what people go for. Grain of salt: All the people that are allowed to join this program are tech consultants.
I work at a web development company and for us to access our production servers we need to VPN to our colocation. To get VPN access we are required to read a 100 page word document and sign a sheet of paper stating that we agree to the terms. This has to be done each year as the terms get updated. Most of the document contains clauses to protect the company by enforcing strong passwords, denying malicious behaviour, doing stupid stuff, etc.. We do this because it makes our clients feel safe and secure, which in turn gets us more business.
I think you're confusing policy with mechanism.
A security policy describes intent. It might say for example that certain staff are allowed to perform certain operations on certain information and facilities, that contractors are allowed another set of operations on more restricted information. And likely there will be a contractual agreement which refers to this policy and identifies the consequences of noncompliance. To answer your question, this says what management is going to do if someone breaks policy.
Then there's mechanism. This is the blueprint for all of the procedures and artifacts which directly or indirectly serve to implement said policy. Likely it's not a failing of policy but of mechanism if trade secrets are exposed on a public web server, for example, though on the other hand it's true that many sites have no formal security policy at all, and thus have no tenable position if an exploit should take place due to ineffective mechanism. The mechanism only exists to implement a given policy.
Now, if you look closely, you'll see that there is a missing piece in this whole equation. We have security policy and mechanism. We have a contract which binds individuals to abide by the policy. Ordinarily such a contract contains reciprocal clauses which identify the rights and responsibilities of both parties. But how many of these contracts, do you suppose, spell out what the employer will do to protect the employee from accidental access to inappropriate materials? In all of the complexity around information security, this piece is often overlooked, and though it may be an innocent oversight, it leaves the employee in a very vulnerable position.
I was once in a situation where an employer required me to take a corporate laptop home with me every night. The nature of my work meant that said laptop was full of proprietary software and data. The employer provided no disk encryption, no locking or tamperproofing mechanisms, nothing. I think that a lot of employees would just go along with the situation and take their chances. I don't recommend this. At the very least, get legal advice in reviewing your employment contract.
Parity: What to do when the weekend comes.
At my previous workplace, initially, we didn't have an official remote access policy. Development and IT just ssh'd in as necessary to keep the company running. Development and IT were 90% GNU/Linux. Then, one day, the Finance department (100% Microsoft) decided that remote access would be neat. They talked to legal and presumably to some software vendor, and suddenly we had a remote access policy that mandated the use of a specific, proprietary, expensive, underpowered Microsoft-Windows-only VPN application. Dev/IT's complaints fell on deaf ears (this, arguably, was the real problem here) -- we were In Violation of the Official Policy, so obviously we were in the wrong. We continued to violate the policy to keep the company running as necessary.
There was probably some value in providing a hand-holding, easy-for-the-user remote access option. Other comments have suggested providing company laptops already set up and ready to go. Whatever you choose, please don't tie the hands of your technical people. You will make their jobs harder, reduce their productivity, and drive them out of your company.
I think one common factor in recent news articles about loss of data has been large databases on notebook computers. One of the features of mainframes was that you could access the database, but you couldn't grab the whole thing. With current Internet speeds, you can steal a large database in minutes. I think remote policies should allow transactional access but not raw access to datafiles containing personal data. This would minimize the loss of data. It is always amazing to hear 200,000 people's accounts were compromised when a notebook was misplaced. Also for development people, I like to keep a few key source files that don't change much on a USB key and the rest online, so if the online parts are stolen by strangers, they don't get enough to build the software. It is just too easy to grab everything these days. Technology makes it possible, but that doesn't mean it's wise.
Depending on the nature of your business, some "remote access" requirements can be satisfied instead by moving to something like Google Apps. You can do e-mail, and basic documents and spreadsheets over the web from anywhere.
The funniest thing about all these VPN policies is the no-pr0n part. (1) Everyone knows that The Internet is for Pr0n and (2) Everyone knows that the pr0n is faster when surfed directly; the VPN isn't going to make things faster, it's going to make things slower.
If you have an employee who uses the VPN to fetch pr0n you should fire them for being _stupid_, not for surfing pr0n per se.
Unless, of course, it's kiddie pr0n, in which case you should probably keep them on for knowing how to use a VPN for anonymizing their activities... uh... wait... that _can't_ be right...
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
Excellent! So I can use IPX/SPX for my transport and go from there to my Citrix box using the ica protocol. Not a problem and I'm happy to comply with the VPN policy.