Remote Access Policies

Samalie writes "My company is considering implementing a formal remote access policy (and agreement for staff to sign) for users who access our network from home via VPN. Does anyone out there have any suggestions as to what this policy/agreement should contain? Anyone have their own corporate policy that I can borrow from? This is the first time I've come across anyone wanting a formal policy for this & online searches haven't been very helpful."

Very first (non-sponsored) hit on Google!

[Swift+Kick]

A link to the SANS Institute example for a Remote Access Policy doc (PDF format):

http://www.sans.org/resources/policies/Remote_Access_Policy.pdf

This is the first time I've come across anyone wanting a formal policy for this & online searches haven't been very helpful.

It looks like there's a trend going on; most of the last few Ask Slashdot articles seem to be written by people who can't be bothered to do a little work.

Just obvious stuff

[_merlin]

KISS principle: just say the VPN should only be used as you'd use the connection at work. (Keep it work-related, no excessive personal utilisation. No pr0n or illegal material. Don't forward the connection in any way - including web proxies and Tor. Keep your security software up to date. Take reasonable measures to ensure private keys, passwords and other security devices are not lost. Report any potential breaches immediately.)

Too long

[EmbeddedJanitor]

There are two purposes for such documents:
Inform: part from the little "purpose" bit, the SANS does not do much.
(2) A legal rope to hang a user with. What most of the SANS doc is.

Folks, nobody reads a document like this. They will lose interest after the first few lines then either skip to the signing bit or throw it away.

Real security comes from informing the user, not from baffling and swamping them with techno-legal bs.

If you want real security, then clearly explain the issues.

Re:Too long

[petard]

Why is it when we ask people to read through a 2-page user policy, they skip through and don't even bother reading to just sign it, yet those same people will sit down and pour through 3 inches of legal documents for 4 hours when buying a home?

If you want real security, then clearly explain the issues.

Bullshit. If you want real Security, enforce the punishment. Yes, it's that simple, and is also the answer to my previous question.

People read through 3 inches of legal docs when buying a home because they know damn well they could get burned legally.

Name the last time someone you know got fired for breaking a Security policy, or losing a laptop and not following protocol properly to report the company confidential data loss.

I thought so.

'Nuff said.

The current problems which are being, at least partially, blamed on deceptive lending practices in the mortgage industry would suggest that many people do not actually read through the legal documents they sign when they purchase a home. Do you think that for these deceptive loans, the stack of legal documents did not contain the truth? Of course it did. It was just buried in a pile of legalese, and people simply went with what the nice broker told them.

Re:Too long

The problem is, even if users DO read it, will they understand this, for example?

Frame Relay must meet minimum authentication requirements of DLCI standards.

(from the SANS Remote Access Policy doc). I'm gonna go out on a limb and say "no."

Re:Too long

[guruevi]

And most of those people actually thought they could get away with it, that is legally stealing from the banks. I had similar offers made when I was looking for a home and I KNEW something was fishy about having loans that are cheaper than the deprecation of it's own value although I'm not a lawyer (if yearly inflation rates are higher than your APR something is wrong because then the bank would over time pay you to loan their money).

Also I know that VARIABLE percentages means that the person loaning to you can jack up the prices as they want (just look at your energy bill with variable adjustments) but unlike an energy bill which you can change every year, you make the choice for the next 15-30 years no matter what happens to either yourself or the economy. It's a matter of federal law that rates and types are made clear to the buyer before lending and usually it's either on the first or last page, requiring a signature next to it.

If people are too stupid and like to listen to their SALESman instead of forking over $200 to a real-estate lawyer (that's what it costed my parents 2 years ago) to review and make clear the paperwork to them then that's their own fault.

Re:Too long

Because if YOU are buying a home, which is perhaps the biggest investment you'll ever make, the biggest risk you'll ever take, and which offers potentially the biggest benefit you'll ever receive from a purchase, then you better damn well believe that you will read and understand every single cotton picking stroke of the pen located on the fibers of ten feet thick of legal document.
 
But when you are filling out what you perceive to be some silly formality in order to obtain access to some system, a system that belongs to someone else, that was paid for by someone else, which is maintained by someone else, and which you will use for the benefit of someone else (allowing, of course, for the fact that the aforementioned someone else will, in exchange, pay your living), well, need I say any more? Of course you won't care what is written on that silly form.

Re:Too long

[Sobrique]

Teeth is one thing, but a clear understanding of what and why is probably more useful.

People don't like to be bullied. They don't like to be told 'you will do this, or you will be fired'. It causes resistance, and adherence to the letter of the law, not the spirit of it.

Which is why it's important to make people understand the spirit of the law - tech changes, and security shifts dramatically. It requires everyone to 'buy in' (I hate that phrase) to why security is important - why it's bad to 'be polite' and hold the door for someone, without checking their ID badge. That kind of thing.

Present them with why such a policy is needed - lay out just why you're wanting to protect all your stuff. Explain what causes 'problems', and the types of thing they should be wary of.

Point out you're making every effort to avoid this sort of thing happening accidentally, which is why you've given them this mechanism for logging in, which is pretty 'safe', provided they use it under particular conditions.

And _then_ point out that you'll have to enforce rules, and if those rules are willfully broken it'll be considered a disciplinary matter.

Policies don't solve problems. people solve them.

[girlintraining]

Before putting too much effort into this policy thing... Can I ask you one question: What's management going to do if someone breaks it? The majority of security policies only exist for two reasons -- to fire anyone who questions them and make management feel safe in having "done something to solve the problem". It's rather like expecting a terrorist to care that his car bomb is taking up two parking spaces... If this is management's only goal, just write some boiler-plate, broadly generalized piece that sounds really great but doesn't give any technical guidance. As a bonus, it'll never have to be updated after that, saving countless hours that would otherwise be spent securing the network.

Note: This post contains 30% recycled sarcasm.

Uh, yes you do

[trawg]

Here's a few things that are different and need to be considered when working from home. These are all things that I've been thinking about a lot for our company and, in my opinion, are very real issues for any company:

1) Local shortcuts on your PC with saved passwords to work resources (eg, VPN connection details, saved passwords in web browser to access work webmail/intranets, etc)

2) Log files for work-related chat - MSN, IRC, etc can sometimes contain confidential details.

3) Work documents and other files.

You can't just say you don't need a policy other than some vague notion of basic computer knowledge. Most people wouldn't think twice about downloading an important document and putting it on their computer at home.

The two obvious risks that might lead to information leakage are a) their computer is compromised b) their computer is stolen. It's just a standard risk management excercise from here on it.

Avoid Microsoft products at all cost

[ZephyrXero]

No Windows allowed unless on a company owned machine with absolutely no privaledges and a hardcore resident anti-malware tool running. If possible disable IE & Outlook too. If user is accessing via wifi require wpa2 encryption. Otherwise your users are gonna get you infected with their home Limewiring habits or at least have their login info stolen by a keylogger

Look Broader

[humphrm]

So what do your users do with VPN access? Access your network, yeah... then what? Email? Web access? You should already have AUPs for all of that, and access to those services via VPN is no different than if they're connected in the office.

What you may be looking for is controlling the access, i.e. firewalls and virus scanners etc. If that's important, set up two-tier access:

1. For users who have a laptop, put the access controls there, and make them only access the VPN via their company provided and controlled laptop. Then you set up the controls (firewall, virus scan, etc.) once and they apply whether they are directly connected or VPN'd in.

2. For users who don't have a laptop, set up a remote desktop-type system where they use a web browser to access the remote desktop with SecurID.

3. And I almost hate to mention this, but if most of your users are only accessing e-mail, think about setting up a Blackberry server. Sorry. Got my flame-retardant suit on. :)

Re:Is this real?

[s-twig]

Did he even know SANS existed? You could be bothered to post a wry comment but couldn't muster the extra key strokes to make yourself helpful. C'mon be nice. :)

hang on, the real answer is

[nimbius]

no, you dont have anything to add to the policy...

youre a system administrator, not a lawyer, or a board director, or an hr manager, or anything else so you dont know what the company needs. you just know how to enforce their policy and keep systems patched and secure. nothing to see here, move along.

What should your policy contain?

[frank_adrian314159]

Mainly your legal counsel's advice. If you can't afford that, don't bother - you couldn't afford to make your policy stick when it counted, either.

What about their work desktop policies?

[cez]

Provide VPN access, but limit them to only remote-desktopping into their current work desktop... then they are stuck with the restrictions, mappings, proxies, policies and resources they are usually allowed and have been signed off on. This is what we do to our "normal" vpn users. Also, Juniper Networks provides a nice sslvpn via web interface for those not able to handle a vpn client that this setup works wonders for...

Re:What about their work desktop policies?

[bwcbwc]

In three words: don't do it. The only "safe" way to allow remote access is if you issue company laptops to all of the affected employees.

Assuming your corporate network is locked down pretty tight, the biggest thing you have to ensure is the security of the computer that the worker is using to access the VPN. The agreement and technology policy should either a) limit VPN access to company-issued computers (i.e., laptops) or b) require the use of firewall, anti-virus, hard-disk encryption and other security software from a list of approved products.

Once you open the access to non-company-owned computers, you expand your scope of security, legal and system administrative risks dramatically. For example, what happens when some PHB downloads a report from your customer/sales database to their personal laptop while on vacation in Bermuda, and someone steals the laptop? Or if there's a keylogger on the computer that they use to log into the VPN?

Unless your corporate security software licenses allow deployment of the software on non-company owned computers, you are going to incur a per-seat cost over $150 (possibly up to $500?) just to install required security software, or you will be forcing your workers to bear those costs. And then your network infrastructure team needs an on-going process to monitor those non-company computers to make sure that they are kept up to date with security updates for each of the installed products. At that point, it's more practical to issue company-owned laptops and integrate them into your standard support/licensing/update architecture.

Completely ridiculous

[JoeBuck]

What an incredibly totalitarian policy you propose. Someone does a web search to find directions to a restaurant on a work computer, and you can them? Glad I don't work from your company. In real life, a certain amount of personal use gets mixed in with the work use, and a successful company will judge its employees based on whether they get the job done.

Re:Use Laptops

[Lumpy]

This is how 98% of all fortune 500 companies do this.

you're a nut if you allow a personal PC to connect to the company network.

Re:Use Laptops

[[ByteMe]]

Okay...I'll ask...

For one thing you state that "you can get in from all but the most severely locked down internet kiosks". I guess you look at that as a feature, while I look at it as a malfunction. You've now extended your boundary and your risk to every poorly managed internet kiosk that any of your users use. So, you've never seen an internet kiosk in a hotel or other location that has questionable software, even obvious malware, installed?

Then, you claim "there's no risk to the corporate network". I don't know what sort of company you use, but if you think that providing a full desktop via Citrix, with access to all a user's regular internal documents and resources, to an endpoint that cannot be proved to be secure, is a "no risk" proposition then I would recommend you reconsider.

Not saying that Citrix doesn't have a place--but the authentication/authorization needs to be two-factor (not just a re-usable username/password combo) and the authenticated user should ideally only have read access and then only to less sensitive files. If someone needs the ability to modify files, or to access particularly sensitive ones, then the Citrix client just can't be proved to be providing enough assurance that the underlying OS/hardware isn't compromised. And *that* is why I have three separate laptops from three separate organizations just to be able to get my job(s) done...

An agreement?

[mweather]

Any security policy that relies on employees voluntarily keeping to an agreement is doomed to fail. Either make it impossible to access in any way other than intended, or don't do it.

Re:Is this real?

[tyler.willard]

Did he even know SANS existed?

The inquirer did say:

...online searches haven't been very helpful...

This ain't my area either but googling for:

corporate vpn policy

produces sans' example policy as the first hit. As such, it looks to me like the OP was in order.

Re:Not SANS

[FooGoo]

The right solution is to get with your IT, Legal, and HR departments and draft a policy.

Some things that I would expect to see in the policy would be: who is responsible for owning/maintaining/approving the policy, the criteria for allowing a user to use remote access (positions, responsibilities), the process for validating exisiting remote access users still require it (should be perfomed every 6 months minimum), any requirements imposed on remote access devices (antivirus, firewalls), penalties for non-compliance with the polcy, method of authentication (token, two-factor, whatever), and how the policy applies to third party service providers or contractors. Also, the key points of the policy should be included as an adendum in any contracts with third parties who may require remote access.

Just a few ideas....your mileage may vary.