Slashdot Mirror


Remote Access Policies

Samalie writes "My company is considering implementing a formal remote access policy (and agreement for staff to sign) for users who access our network from home via VPN. Does anyone out there have any suggestions as to what this policy/agreement should contain? Anyone have their own corporate policy that I can borrow from? This is the first time I've come across anyone wanting a formal policy for this & online searches haven't been very helpful."

22 of 178 comments

  1. You don't need a policy by geekoid · · Score: 3, Interesting

    above what you should already have for them to use a computer.

    Seriously. It's all going to be the same stuff. What makes people think behavior will be different depending on which keyboard they happen to be behind.

    You could make a VPN boot disk.
    This way you can separate what is on their machine with the VPN instance. Requires no brain power to use. Boots up, big VPN icon. Click, enter password, good to go.
    Obviously, encrypt it.

    --
    The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  2. Well... by TheSpoom · · Score: 3, Interesting

    What rules do you want to set up? What do you want to allow and disallow of your users / employees?

    Figure this out, write it down, get a lawyer to look at it, and you're done.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  3. One policy: don't make it necessary by davidwr · · Score: 4, Interesting

    Either give people laptops or give them a way to do what they need to do on servers you control.

    This can be a web-based front-end to the applications they use, an ftp site so they can up/download files and edit them on their home computer, or even something like Windows Terminal Services or Citrix.

    If your company is enlightened enough to not use Microsoft, there are even more options available.

    If you allow people to remote login, you need to make very sure that not only is the VPN tunnel secure against attacks, but that their machine can't do anything hostile to your LAN in case their password is compromised. Of course, you should be doing that anyways but many companies don't treat computers in the network as "presumed hostile" to every other device on the network. You should always do that, but If you are going to allow remote login it's even more important.

    As a bonus, if you put most of your business-critical applications on a server you control, it's easier to make sure data gets backed up and you can usually get away with a longer computer-replacement cycle or buy slightly cheaper computers when you do replace them. Of course, you'll pay more for server costs and you'll need more expertise in your IT dept. to manage it, but in many shops this is worth it.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:One policy: don't make it necessary by Achromatic1978 · · Score: 5, Interesting

      Funny, you talk about being enlightened enough not to use Microsoft. I used to work there, and their VPN setup was easily one of the nicest I'd ever seen.

      Smartcards and native connection stuff in Windows. Once connected you were "quarantined" until a security scan had been run on your machine, and even then you had different access based on location.

      But of course, this is Slashdot...

    2. Re:One policy: don't make it necessary by Malc · · Score: 2, Interesting

      Consequences of the NT4/Win2K source code leak a few years back? Didn't that happen via VPN?

  4. Big Brother Invasion by Dolphinzilla · · Score: 3, Interesting

    my company requires the following

    1. A specific virus scanner (Norton AV, yuck)
    2. A specific firewall with company preset settings (BlackICE is what it used to be called; it's something else now)

    3. We are assigned an RSA SecurID FOB which my manager must periodically re-confirm that I am authorized to use (like once a year)

    basically it is a Huge pain only slightly offset by the convenience

  5. Don't use 'user' policies - use 'system' policies by vawarayer · · Score: 5, Interesting

    I find that whatever the user signs, it always gets broken one time or another. That is why I use - whenever possible - system policies instead of making them sign anything. If they can't do what you don't want them to do, it ought to be more reliable.

    • Set up firewall rules that would let them connect only to your mail server, or whatever they need remotely.
    • Make them connect to a terminal server with a very restrictive set of privileges and access to the network.
    • Close unnecessary remote ports so they can't do stuff you wouldn't expect, or infect your network with worms.
    • LOG ! LOG ! LOG ! I find everything should be logged! Especially traffic going in/out the local network. Have a good log retention policy.
    • ENFORCE strong passwords and change 'em when you feel fit.
    • This list could go on...

    The main idea is: restrict their remote access to what they really need. Some purist will reply 'oh yeah, but even if you do that, there's a way around for such and such reason.' or that it will become too restrictive. My answer: adapt to your user needs without letting it be the Wild Wild West.

    Maybe both signing an agreement AND enforcing policies is the best way to go.
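
The "system policy" approach in the post above, as an added example that is not from any poster here: a small allow-list (VPN clients may reach only the mail server and the terminal server) rendered both as a default-deny, log-everything iptables FORWARD chain and as a checker for exported flow records. The subnet, addresses, interface name and sample flows are constructed for the example.

```python
import ipaddress

# Hypothetical addressing (constructed for this example): VPN clients land on
# 10.8.0.0/24 and may reach only the mail server and the terminal server.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
ALLOWED = {
    ("192.0.2.10", "tcp", 993): "imaps",             # mail server
    ("192.0.2.10", "tcp", 587): "submission",        # mail server
    ("192.0.2.20", "tcp", 3389): "terminal-server",  # RDP to the terminal server
}


def iptables_rules(vpn_if="tun0"):
    """Render the allow-list as a default-deny iptables FORWARD policy for the
    VPN interface; every dropped packet is logged by the firewall itself."""
    rules = ["iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for (dst, proto, port), name in ALLOWED.items():
        rules.append(
            f"iptables -A FORWARD -i {vpn_if} -s {VPN_NET} -d {dst} -p {proto} "
            f"--dport {port} -m comment --comment {name} -j ACCEPT"
        )
    rules.append(f"iptables -A FORWARD -i {vpn_if} -j LOG --log-prefix 'VPN-DENY: ' --log-level 4")
    rules.append(f"iptables -A FORWARD -i {vpn_if} -j DROP")
    return rules


def is_allowed(src, dst, proto, port):
    """True only when the source is a VPN client and the service is on the list."""
    return ipaddress.ip_address(src) in VPN_NET and (dst, proto, int(port)) in ALLOWED


def violations(flow_lines):
    """Check flow records 'src dst proto port' (e.g. exported from the firewall
    log) against the same policy and return the ones it never granted."""
    return [line for line in flow_lines if not is_allowed(*line.split())]


# Constructed sample flows; the last two are outside the policy.
SAMPLE_FLOWS = [
    "10.8.0.5 192.0.2.10 tcp 993",
    "10.8.0.5 192.0.2.20 tcp 3389",
    "10.8.0.7 192.0.2.30 tcp 445",
    "10.8.0.7 192.0.2.20 tcp 22",
]

if __name__ == "__main__":
    print("\n".join(iptables_rules()))
    print("violations:", violations(SAMPLE_FLOWS))
```

Running the checker over the firewall's own VPN-DENY log lines (after converting them to the same four-field form) is the cheap way to see which clients keep bumping into the allow-list and whether the list needs adapting to real user needs.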

  6. What are the requirements? by Fastolfe · · Score: 4, Interesting

    Did an executive really just say, "I think we should have a formal policy"? Don't create bureaucracy and policy just for the sake of having bureaucracy and policy (making management look busy). Build your policy on the demands of your organization, and formalize it when it's necessary to do so.

    That being said, if your business doesn't deal much with sensitive data, you could get by with allowing personal computers, with up-to-date anti-virus software (maybe the company can pay for AV software for home computers). If you do deal with sensitive data, I would recommend issuing laptops to employees that need to work from home, and only allow VPN from those systems. Use certificates.

  7. Not SANS by FooGoo · · Score: 4, Interesting

    Please don't use the SANS policy. As someone who performs risk assessments for a large company I am tired of vendors sending me SANS policies to review. They are old and outdated...some of them contain typos and it really tells me as an auditor that you really don't take security seriously because you can't take the time to tailor a document to your business needs.

    They are generic reference documents to use as a guide not as a final product. Even the guy who wrote the Remote Access policy for SANS thinks it's a joke.

    --
    People who bite the hand that feeds them usually lick the boot that kicks them
  8. Re:Very first (non-sponsored) hit on Google! by kido9797 · · Score: 4, Interesting

    My company uses a router and we're all in a NAT environment. We just use simple Hamachi + VNC to get directly into my PC at night. No one notices and we're happy with that.

  9. Re:Use Laptops by afidel · · Score: 5, Interesting

    I took a different approach, we use Citrix for remote access. We have the Java client installed and have a link to the zero touch client which doesn't need to be installed to run. That way you can get in from all but the most severely locked down internet kiosks. There's no risk to the corporate network and it enables my users to be productive from anywhere. It's also WAY faster than a VPN for most types of work.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  10. Re:It's fairly simple... by hdparm · · Score: 3, Interesting

    > #2 Only computers provided by (name of employer) may be connected to the network used for VPN access, at the time of VPN access.
    > ie - home/personal computers must be disconnected before connecting the work computer

    Just how do you propose to enforce this policy?

  11. Citrix by thepacketmaster · · Score: 2, Interesting

    My company is so paranoid about unauthorized file transfers that they have discontinued VPN and only allow Citrix. The Citrix configuration is setup so that it will not permit saving to the local computer's hard drive. On one hand, it lessens some risks that could occur if your personal computer was connected by VPN. On the other hand, it makes for a lot of email traffic as people send themselves files so they can work on them outside of Citrix.

    --
    Luck is just skill you didn't know you had.

  12. Orion Blastar's VPN from Home Policy by Orion+Blastar · · Score: 4, Interesting

    #1 Keep the VPN use work related. Follow the same network policies as if in the workplace.

    #2 Scan the home PC on a regular basis for malware. Last thing the company needs is trade secrets, password and login info, and email stolen by some hacker who happened to get a key logger trojan on the home PC, and then sells them to the highest bidder or steals corporate bank and credit card accounts. That means keeping your antivirus programs updated every day and scanning for viruses at least three times a week.

    #3 You are on the honor system. Work can only monitor your activities on the VPN network, but not your home PC and the Internet being used by your home PC. Yes it is alright to check your local email on your home computer, but use common sense and don't spend a lot of time doing personal things on your home computer and home Internet connection. We'll notice it when the VPN activity stops for more than 15 minutes, and your work productivity drops on the VPN. Yes you can take two 15 minute breaks and a lunch hour or half hour, but we'll really notice it when you do nothing on the VPN for hours. Either you are goofing off and doing personal things, or the connection is dead, but we can tell by pinging your home computer to test if the connection is dead and deduce you're wasting time.

    #4 Keep all company email professional. Make effective use of company email and web sites and software. Don't use them and act like you do when you are posting Anonymous trolls on the Internet or your Myspace page.

    #5 Do not access other users' accounts unless you are given permission by management for troubleshooting something or testing out software. We know that your profile might not have the same issues as a coworker, but only IT staff should be logging in to other employees' accounts, and only for testing purposes. Do not use an alias either on the VPN or create a fake account via a hack, but use the account and account name assigned to you.

    #6 Do not save work data on your personal hard drive, instead store it on a server drive.

    #7 Do not run cracking and/or hacking tools on the VPN, do not do any denial of service attacks over the VPN.

    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
  13. Don't forget legal issues by Anonymous Coward · · Score: 1, Interesting

    You are thinking about the practical and security aspects, which is good and necessary. There are also very real legal issues to consider. The export restrictions pertaining to the remote location in question are one obvious example. Another biggie is the Fair Labor Standards Act. Be aware of your obligations here or you could find yourself in big trouble. I never give anyone VPN access unless it is approved by their direct supervisor, and I make sure that the supervisor is aware of their responsibility to comply with the FLSA.

  14. Re:Too long by geekmux · · Score: 5, Interesting

    Folks, nobody reads a document like this. They will lose interest after the first few lines then either skip to the signing bit or throw it away.

    Why is it when we ask people to read through a 2-page user policy, they skip through and don't even bother reading to just sign it, yet those same people will sit down and pour through 3 inches of legal documents for 4 hours when buying a home?

    > If you want real security, then clearly explain the issues.

    Bullshit. If you want real Security, enforce the punishment. Yes, it's that simple, and is also the answer to my previous question.

    People read through 3 inches of legal docs when buying a home because they know damn well they could get burned legally.

    Name the last time someone you know got fired for breaking a Security policy, or losing a laptop and not following protocol properly to report the company confidential data loss.

    I thought so.

    'Nuff said.

  15. Re:What about their work desktop policies? by Brian+Gordon · · Score: 2, Interesting

    How do you VPN through a web interface? A java applet full of exploits to hijack the networking drivers? Seriously I'm interested to know.

  16. Re:Use Laptops by afidel · · Score: 2, Interesting

    With two factor authentication and SSL transporting Citrix's secure ICA protocol there's plenty of secrecy and authentication. The fact that only the display and printer are mapped back to the client (and we use the UPD, no native drivers) means there's not really any exposure to client malware. Files only traverse through a user browsing back to the local PC and all files are scanned. We also use the old file explorer view so we don't have exposure to folder content browsing bugs which are the only attack vector I am aware of through the callback mechanism. This is certainly a MUCH smaller attack surface than a full VPN connection where to be functional all sorts of ports need to be open.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  17. Re:Too long by petard · · Score: 3, Interesting

    > If people are too stupid and like to listen to their SALESman instead of forking over $200 to a real-estate lawyer (that's what it cost my parents 2 years ago) to review and make clear the paperwork to them then that's their own fault.

    I'm not arguing with this; you're right on. I was simply disputing the notion put forth by the post I was responding to. geekmux said that if these legal agreements had teeth, people would read them and offered as an example the notion that people generally read the paperwork that they have to sign when they purchase a home. I maintain that the current financial mess is due, in part, to the fact that people don't read legalese even when not doing so can have dire consequences. So giving these agreements more teeth would be of little help in getting people to read and adhere to them :-/

    --
    .sig: file not found
  18. Re:Use Laptops by thsths · · Score: 2, Interesting

    > The fact that only the display and printer are mapped back to the client (and we use the upd, no native drivers) means there's not really any exposure to client malware.

    Yes, but what about user input? Malware could easily intercept key strokes, and that could be sensitive information. Do you use passwords, for example? I know single sign on is the big thing, but I have not seen a single place where it actually works.

  19. Virtual Machines by Danathar · · Score: 2, Interesting

    One of the things that really scares IT shops about remote access is the fact that they really can't control the systems at home (if they are not systems given to take home).

    Since computers are pretty fast and virtual machine technology is pretty far along, try a custom VM image using VMware, Parallels, VirtualBox, etc. and let users do work within that environment on their home systems.

  20. Re:Too long by stewbacca · · Score: 2, Interesting

    > Why is it when we ask people to read through a 2-page user policy, they skip through and don't even bother reading to just sign it, yet those same people will sit down and pour through 3 inches of legal documents for 4 hours when buying a home?

    The terms "paper drill" and "check-the-blocks" come to mind. I don't really care about the implications of my company's VPN policy...at least not compared to the implications of the documentation associated with home-ownership.