Remote Access Policies
Samalie writes "My company is considering implementing a formal remote access policy (and agreement for staff to sign) for users who access our network from home via VPN. Does anyone out there have any suggestions as to what this policy/agreement should contain? Anyone have their own corporate policy that I can borrow from? This is the first time I've come across anyone wanting a formal policy for this & online searches haven't been very helpful."
KISS principle: just say the VPN should only be used as you'd use the connection at work. (Keep it work-related, no excessive personal utilisation. No pr0n or illegal material. Don't forward the connection in any way - including web proxies and Tor. Keep your security software up to date. Take reasonable measures to ensure private keys, passwords and other security devices are not lost. Report any potential breaches immediately.)
(1) Inform: apart from the little "purpose" bit, the SANS doc does not do much.
(2) A legal rope to hang a user with. What most of the SANS doc is.
Folks, nobody reads a document like this. They will lose interest after the first few lines then either skip to the signing bit or throw it away.
Real security comes from informing the user, not from baffling and swamping them with techno-legal bs.
If you want real security, then clearly explain the issues.
Engineering is the art of compromise.
Before putting too much effort into this policy thing... Can I ask you one question: What's management going to do if someone breaks it? The majority of security policies only exist for two reasons -- to fire anyone who questions them and make management feel safe in having "done something to solve the problem". It's rather like expecting a terrorist to care that his car bomb is taking up two parking spaces... If this is management's only goal, just write some boiler-plate, broadly generalized piece that sounds really great but doesn't give any technical guidance. As a bonus, it'll never have to be updated after that, saving countless hours that would otherwise be spent securing the network.
Note: This post contains 30% recycled sarcasm.
#fuckbeta #iamslashdot #dicemustdie
Here's a few things that are different and need to be considered when working from home. These are all things that I've been thinking about a lot for our company and, in my opinion, are very real issues for any company:
1) Local shortcuts on your PC with saved passwords to work resources (eg, VPN connection details, saved passwords in web browser to access work webmail/intranets, etc)
2) Log files for work-related chat - MSN, IRC, etc can sometimes contain confidential details.
3) Work documents and other files.
You can't just say you don't need a policy other than some vague notion of basic computer knowledge. Most people wouldn't think twice about downloading an important document and putting it on their computer at home.
The two obvious risks that might lead to information leakage are a) their computer is compromised b) their computer is stolen. It's just a standard risk management exercise from here on in.
Did he even know SANS existed? You could be bothered to post a wry comment but couldn't muster the extra key strokes to make yourself helpful. C'mon be nice. :)
Provide VPN access, but limit them to only remote-desktopping into their current work desktop... then they are stuck with the restrictions, mappings, proxies, policies and resources they are usually allowed and have been signed off on. This is what we do to our "normal" vpn users. Also, Juniper Networks provides a nice sslvpn via web interface for those not able to handle a vpn client that this setup works wonders for...
Walk with Music;
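The "VPN, but only remote-desktop into your own work desktop" setup described in the post above, as an added example that is not from the thread: a default-deny flow check plus a rendering of the same policy as firewall rules. The user names, addresses, session table and the nftables rule format are assumptions made for the example.

```python
"""Added example (not from the thread): enforce "VPN users may only RDP
to their own assigned work desktop". All names and addresses are
constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RDP_PORT = 3389
VPN_POOL = ip_network("10.99.0.0/24")        # constructed VPN client pool

# Constructed directory: which VPN client address belongs to which user,
# and which single office desktop that user is entitled to reach.
SESSIONS = {"10.99.0.11": "alice", "10.99.0.12": "bob"}
DESKTOPS = {"alice": "10.10.5.21", "bob": "10.10.5.22"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason). Default deny: anything that is not
    "this user's own desktop over RDP" is dropped with a reason."""
    if ip_address(flow.src) not in VPN_POOL:
        return False, "source is not a VPN client address"
    user = SESSIONS.get(flow.src)
    if user is None:
        return False, "no authenticated session for this address"
    desktop = DESKTOPS.get(user)
    if desktop is None:
        return False, f"user {user} has no assigned desktop"
    if flow.dst != desktop:
        return False, f"{user} may only reach {desktop}"
    if flow.proto != "tcp" or flow.dport != RDP_PORT:
        return False, "only RDP (tcp/3389) is permitted over the VPN"
    return True, f"{user} -> own desktop {desktop} via RDP"


def nft_rules() -> list[str]:
    """Render the same policy as nftables rule lines for a default-drop
    chain, so the check and the firewall cannot drift apart."""
    rules = []
    for addr, user in sorted(SESSIONS.items()):
        rules.append(f"ip saddr {addr} ip daddr {DESKTOPS[user]} "
                     f"tcp dport {RDP_PORT} accept  # {user}")
    rules.append("drop")
    return rules
```

Because the VPN user lands on the office desktop, the desktop's existing group policy, drive mappings and proxy settings apply unchanged; the VPN itself carries nothing but RDP.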
What an incredibly totalitarian policy you propose. Someone does a web search to find directions to a restaurant on a work computer, and you can them? Glad I don't work for your company. In real life, a certain amount of personal use gets mixed in with the work use, and a successful company will judge its employees based on whether they get the job done.
Okay...I'll ask...
For one thing you state that "you can get in from all but the most severely locked down internet kiosks". I guess you look at that as a feature, while I look at it as a malfunction. You've now extended your boundary and your risk to every poorly managed internet kiosk that any of your users use. So, you've never seen an internet kiosk in a hotel or other location that has questionable software, even obvious malware, installed?
Then, you claim "there's no risk to the corporate network". I don't know what sort of company you use, but if you think that providing a full desktop via Citrix, with access to all a user's regular internal documents and resources, to an endpoint that cannot be proved to be secure, is a "no risk" proposition then I would recommend you reconsider.
Not saying that Citrix doesn't have a place--but the authentication/authorization needs to be two-factor (not just a re-usable username/password combo) and the authenticated user should ideally only have read access and then only to less sensitive files. If someone needs the ability to modify files, or to access particularly sensitive ones, then the Citrix client just can't be proved to be providing enough assurance that the underlying OS/hardware isn't compromised. And *that* is why I have three separate laptops from three separate organizations just to be able to get my job(s) done...
Did he even know SANS existed?
The inquirer did say:
...online searches haven't been very helpful...
This ain't my area either but googling for:
corporate vpn policy
produces sans' example policy as the first hit. As such, it looks to me like the OP was in order.