Remote Access Policies
Samalie writes "My company is considering implementing a formal remote access policy (and agreement for staff to sign) for users who access our network from home via VPN. Does anyone out there have any suggestions as to what this policy/agreement should contain? Anyone have their own corporate policy that I can borrow from? This is the first time I've come across anyone wanting a formal policy for this & online searches haven't been very helpful."
Did you even look at SANS?
The templates provided by SANS are a good place to start:
All of them are here:
http://www.sans.org/resources/policies/
Here's the remote access policy example:
http://www.sans.org/resources/policies/Remote_Access_Policy.pdf [PDF]
A link to the SANS Institute example for a Remote Access Policy doc (PDF format):
http://www.sans.org/resources/policies/Remote_Access_Policy.pdf
This is the first time I've come across anyone wanting a formal policy for this & online searches haven't been very helpful.
It looks like there's a trend going on; most of the last few Ask Slashdot articles seem to be written by people who can't be bothered to do a little work.
"We'll need 2000 crickets, 4 cans of Easy Cheese, and the fluid from 18 glowsticks for this plan to work...." - ph0n1c
above what you should already have for them to use a computer.
Seriously. It's all going to be the same stuff. What makes people think behavior will be different depending on which keyboard they happen to be behind.
You could make a VPN boot disk.
This way you can separate what is on their machine from the VPN instance. Requires no brain power to use. Boots up, big VPN icon. Click, enter password, good to go.
Obviously, encrypt it.
The Kruger Dunning explains most post on
KISS principle: just say the VPN should only be used as you'd use the connection at work. (Keep it work-related, no excessive personal utilisation. No pr0n or illegal material. Don't forward the connection in any way - including web proxies and Tor. Keep your security software up to date. Take reasonable measures to ensure private keys, passwords and other security devices are not lost. Report any potential breaches immediately.)
What rules do you want to set up? What do you want to allow and disallow of your users / employees?
Figure this out, write it down, get a lawyer to look at it, and you're done.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
We require all users with remote access to use corporate laptops that are locked down. You cannot connect your personal computer via vpn. Also there is the standard "treat it as if you were sitting at your desk, all rules regulations etc. still apply."
Either give people laptops or give them a way to do what they need to do on servers you control.
This can be a web-based front-end to the applications they use, an ftp site so they can up/download files and edit them on their home computer, or even something like Windows Terminal Services or Citrix.
If your company is enlightened enough to not use Microsoft, there are even more options available.
If you allow people to remote login, you need to make very sure that not only is the VPN tunnel secure against attacks, but that their machine can't do anything hostile to your LAN in case their password is compromised. Of course, you should be doing that anyways but many companies don't treat computers in the network as "presumed hostile" to every other device on the network. You should always do that, but if you are going to allow remote login it's even more important.
As a bonus, if you put most of your business-critical applications on a server you control, it's easier to make sure data gets backed up and you can usually get away with a longer computer-replacement cycle or buy slightly cheaper computers when you do replace them. Of course, you'll pay more for server costs and you'll need more expertise in your IT dept. to manage it, but in many shops this is worth it.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
(1) Inform: apart from the little "purpose" bit, the SANS doc does not do much.
(2) A legal rope to hang a user with. What most of the SANS doc is.
Folks, nobody reads a document like this. They will lose interest after the first few lines then either skip to the signing bit or throw it away.
Real security comes from informing the user, not from baffling and swamping them with techno-legal bs.
If you want real security, then clearly explain the issues.
Engineering is the art of compromise.
The last few companies I've worked for make it mandatory for new employees to sign an AUP (Acceptable Use Policy). Sorta like a blanket coverage for all IT services, including networks usage. Depending on how large the company you're working for, you might be able to convince your HR to get all the existing employees to sign, too. That way you can avoid getting the employees to sign another document/agreement if you should implement new IT services.
my company requires the following
1. A specific virus scanner (Norton AV yuck)
2. A specific Firewall with company preset settings (BlackICE is what it used to be called; it's something else now)
3. We are assigned an RSA SecurID FOB which my manager must periodically re-confirm that I am authorized to use (like once a year)
basically it is a Huge pain only slightly offset by the convenience
Before putting too much effort into this policy thing... Can I ask you one question: What's management going to do if someone breaks it? The majority of security policies only exist for two reasons -- to fire anyone who questions them and make management feel safe in having "done something to solve the problem". It's rather like expecting a terrorist to care that his car bomb is taking up two parking spaces... If this is management's only goal, just write some boiler-plate, broadly generalized piece that sounds really great but doesn't give any technical guidance. As a bonus, it'll never have to be updated after that, saving countless hours that would otherwise be spent securing the network.
Note: This post contains 30% recycled sarcasm.
#fuckbeta #iamslashdot #dicemustdie
I find that whatever the user signs, it always gets broken one time or another. That is why I use - whenever possible - system policies instead of making them sign anything. If they can't do what you don't want them to do, it ought to be more reliable.
The main idea is: restrict their remote access to what they really need. Some purist will reply 'oh yeah, but even if you do that, there's a way around for such and such reason.' or that it will become too restrictive. My answer: adapt to your user needs without letting it be the Wild Wild West.
Maybe both signing an agreement AND enforcing policies is the best way to go.
Here are a few things that are different and need to be considered when working from home. These are all things that I've been thinking about a lot for our company and, in my opinion, are very real issues for any company:
1) Local shortcuts on your PC with saved passwords to work resources (eg, VPN connection details, saved passwords in web browser to access work webmail/intranets, etc)
2) Log files for work-related chat - MSN, IRC, etc can sometimes contain confidential details.
3) Work documents and other files.
You can't just say you don't need a policy other than some vague notion of basic computer knowledge. Most people wouldn't think twice about downloading an important document and putting it on their computer at home.
The two obvious risks that might lead to information leakage are a) their computer is compromised b) their computer is stolen. It's just a standard risk management exercise from here on in.
No Windows allowed unless on a company owned machine with absolutely no privileges and a hardcore resident anti-malware tool running. If possible disable IE & Outlook too. If the user is accessing via wifi require WPA2 encryption. Otherwise your users are gonna get you infected with their home Limewiring habits or at least have their login info stolen by a keylogger.
"A truly wise man realizes he knows nothing."
So what do your users do with VPN access? Access your network, yeah... then what? Email? Web access? You should already have AUPs for all of that, and access to those services via VPN is no different than if they're connected in the office.
What you may be looking for is controlling the access, i.e. firewalls and virus scanners etc. If that's important, set up two-tier access:
1. For users who have a laptop, put the access controls there, and make them only access the VPN via their company provided and controlled laptop. Then you set up the controls (firewall, virus scan, etc.) once and they apply whether they are directly connected or VPN'd in.
2. For users who don't have a laptop, set up a remote desktop-type system where they use a web browser to access the remote desktop with SecurID.
3. And I almost hate to mention this, but if most of your users are only accessing e-mail, think about setting up a Blackberry server. Sorry. Got my flame-retardant suit on. :)
-- "In order to have power, I must be taken seriously." -Mojo Jojo
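The two-tier model above (company laptop gets routed access, everyone else gets only the remote-desktop gateway) is something a VPN gateway can enforce rather than leave to a signed agreement. The following is an added example, not code from any post in this thread; the device inventory, certificate fingerprints, posture fields, tier names and gateway hostname are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed inventory: company-issued laptops keyed by the fingerprint of
# the client certificate installed on each one (values are illustrative).
MANAGED_DEVICES = {
    "fp-laptop-0001": "alice",
    "fp-laptop-0002": "bob",
}
MAX_AV_AGE_DAYS = 3  # posture rule: AV signatures must be no older than this

# What the gateway lets each tier reach (constructed addresses).
TIER_ROUTES = {
    "full": ["10.0.0.0/8"],                    # routed access, company laptop only
    "rdp_only": ["rdgw.example.internal:443"],  # browser remote-desktop gateway
    "deny": [],
}


@dataclass
class ConnectRequest:
    user: str
    token_ok: bool                           # second factor (e.g. SecurID) verified
    cert_fingerprint: Optional[str] = None   # None: no company device certificate
    firewall_on: bool = False                # posture reported by the client agent
    av_age_days: Optional[int] = None        # days since last AV signature update


def decide(req: ConnectRequest) -> Tuple[str, str]:
    """Pick an access tier for one connection attempt. Returns (tier, reason)."""
    if not req.token_ok:
        return "deny", "second factor required for every remote session"
    owner = MANAGED_DEVICES.get(req.cert_fingerprint)
    if owner is None:
        # Unknown or missing certificate: treat as a personal machine and
        # confine it to the remote-desktop gateway (tier 2 in the post).
        return "rdp_only", "no company device certificate"
    if owner != req.user:
        return "deny", f"device is issued to {owner}, not {req.user}"
    posture_ok = (
        req.firewall_on
        and req.av_age_days is not None
        and req.av_age_days <= MAX_AV_AGE_DAYS
    )
    if not posture_ok:
        # A company laptop with stale AV or firewall off still gets work done,
        # but only through the gateway, never with routes into the LAN.
        return "rdp_only", "managed laptop failed posture check"
    return "full", "managed laptop, posture ok"


def routes_for(req: ConnectRequest) -> List[str]:
    """Destinations the gateway would push to the client for this request."""
    return TIER_ROUTES[decide(req)[0]]
```

The decision is made on what the gateway can verify (certificate, second factor, posture report), so a user who plugs a personal machine in gets tier 2 automatically instead of relying on having read a policy.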
Did an executive really just say, "I think we should have a formal policy"? Don't create bureaucracy and policy just for the sake of having bureaucracy and policy (making management look busy). Build your policy on the demands of your organization, and formalize it when it's necessary to do so.
That being said, if your business doesn't deal much with sensitive data, you could get by with allowing personal computers, with up-to-date anti-virus software (maybe the company can pay for AV software for home computers). If you do deal with sensitive data, I would recommend issuing laptops to employees that need to work from home, and only allow VPN from those systems. Use certificates.
Unless, of course, you work for a porn company. Then porn away.
Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)
http://www.lawrenceperson.com/
They are generic reference documents to use as a guide not as a final product. Even the guy who wrote the Remote Access policy for SANS thinks it's a joke.
People who bite the hand that feeds them usually lick the boot that kicks them
Ground rules.
The computer, as provided by (name of employer), is the sole property of (name of employer).
All use of this computer is subject to monitoring, logging and review by (name of employer)'s IT department.
No modifications of any kind may be made to (name of employer)'s computer by the employee.
VPN Rules..
#1 Only computers provided by (name of employer) (with appropriate user restrictions, group policies, security software, etc...) are allowed to connect via VPN.
#2 Only computers provided by (name of employer) may be connected to the network used for VPN access, at the time of VPN access.
ie - home/personal computers must be disconnected before connecting the work computer - unless the work computer is on a completely separated / isolated network from the home / personal computers.
#3 Any personal use of work computer will result in loss of VPN privilege on first offense, no exceptions.
Who is general failure, and why is he reading my hard drive?
No, you don't have anything to add to the policy...
You're a system administrator, not a lawyer, or a board director, or an HR manager, or anything else, so you don't know what the company needs. You just know how to enforce their policy and keep systems patched and secure. Nothing to see here, move along.
Good people go to bed earlier.
1. If you connect to the VPN and place your own machine's IP onto our network... we will kill you.
Signing below indicates that you have read the policy in question and agree to adhere to it.
Mainly your legal counsel's advice. If you can't afford that, don't bother - you couldn't afford to make your policy stick when it counted, either.
That is all.
Provide VPN access, but limit them to only remote-desktopping into their current work desktop... then they are stuck with the restrictions, mappings, proxies, policies and resources they are usually allowed and have been signed off on. This is what we do to our "normal" vpn users. Also, Juniper Networks provides a nice sslvpn via web interface for those not able to handle a vpn client that this setup works wonders for...
Walk with Music;
What an incredibly totalitarian policy you propose. Someone does a web search to find directions to a restaurant on a work computer, and you can them? Glad I don't work from your company. In real life, a certain amount of personal use gets mixed in with the work use, and a successful company will judge its employees based on whether they get the job done.
I don't have a formal policy, but I work with students on data that falls under privacy laws.
What we tell them is:
- Access from one computer only and that has to be specially secured
-- Linux: Keep installation current, close all ports for incoming data, web-surfing only with current Firefox or Opera and limited to what is absolutely necessary for their work.
-- Windows: In addition a current anti-virus software. Discouraged.
- We provide a computer for the VPN/SSH access for the thesis duration for the secured installation and even a second one for ordinary work, if they do not have one.
- We warn them that loss of data would possibly be a criminal offense on their part (privacy laws) and that they need to be very careful.
If you are really paranoid, give your users that second computer, or alternatively a CD-system created/modified by you for the remote access, and make using that mandatory. I think you will find that formal agreements carry little impact, as negligence is always relative to the competence level of the person acting. Better to secure the access and not rely on legal stuff. If you require a specific installation for remote access, everybody not using it is doing something contrary to agreement regardless of competence level. You could even hardcode the VPN keys on a boot-CD (e.g. a modified Knoppix) to make it hard to circumvent this "remote Terminal" set-up.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
My company is so paranoid about unauthorized file transfers that they have discontinued VPN and only allow Citrix. The Citrix configuration is setup so that it will not permit saving to the local computer's hard drive. On one hand, it lessens some risks that could occur if your personal computer was connected by VPN. On the other hand, it makes for a lot of email traffic as people send themselves files so they can work on them outside of Citrix.
--
Luck is just skill you didn't know you had.
#1 Keep the VPN use work related. Follow the same network policies as if in the workplace.
#2 Scan the home PC on a regular basis for malware. The last thing the company needs is trade secrets, password and login info, and email stolen by some hacker who happened to get a key logger trojan on the home PC, and then sell them to the highest bidder or steal corporate bank and credit card accounts. That means keeping your antivirus programs updated every day and scanning for viruses at least three times a week.
#3 You are on the honor system. Work can only monitor your activities on the VPN network, but not your home PC and the Internet being used by your home PC. Yes it is alright to check your local email on your home computer, but use common sense and don't spend a lot of time doing personal things on your home computer and home Internet connection. We'll notice it when the VPN activity stops for more than 15 minutes, and your work productivity drops on the VPN. Yes you can take two 15 minute breaks and a lunch hour or half hour, but we'll really notice it when you do nothing on the VPN for hours. Either you are goofing off and doing personal things, or the connection is dead, but we can tell by pinging your home computer to test if the connection is dead and deduce you're wasting time.
#4 Keep all company email professional. Make effective use of company email and web sites and software. Don't use them and act like you do when you are posting Anonymous trolls on the Internet or your Myspace page.
#5 Do not access other users' accounts unless you are given permission by management for troubleshooting something or testing out software. We know that your profile might not have the same issues as a coworker, but only IT staff should be logging in to other employees' accounts, and only for testing purposes. Do not use an alias either on the VPN or create a fake account via a hack, but use the account and account name assigned to you.
#6 Do not save work data on your personal hard drive, instead store it on a server drive.
#7 Do not run cracking and/or hacking tools on the VPN, do not do any denial of service attacks over the VPN.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
The machines I login to cat the policy at the beginning of every session. I'll just send you my username and password and then you can read it for yourself.
Any security policy that relies on employees voluntarily keeping to an agreement is doomed to fail. Either make it impossible to access in any way other than intended, or don't do it.
One of the things that really scares IT shops about remote access is the fact that they really can't control the systems at home (if they are not systems given to take home).
Since computers are pretty fast and Virtual Machine technology is pretty far along, try a custom VM image using VMware, Parallels, VirtualBox, etc. and let users do work within that environment on their home systems.