Slashdot Mirror


Remote Access Policies

Samalie writes "My company is considering implementing a formal remote access policy (and agreement for staff to sign) for users who access our network from home via VPN. Does anyone out there have any suggestions as to what this policy/agreement should contain? Anyone have their own corporate policy that I can borrow from? This is the first time I've come across anyone wanting a formal policy for this & online searches haven't been very helpful."


  1. SANS Templates by Wanker · · Score: 5, Informative

    The templates provided by SANS are a good place to start:

    All of them are here:

    http://www.sans.org/resources/policies/

    Here's the remote access policy example:

    http://www.sans.org/resources/policies/Remote_Access_Policy.pdf [PDF]

  2. Just obvious stuff by _merlin · · Score: 4, Insightful

    KISS principle: just say the VPN should only be used as you'd use the connection at work. (Keep it work-related, no excessive personal utilisation. No pr0n or illegal material. Don't forward the connection in any way - including web proxies and Tor. Keep your security software up to date. Take reasonable measures to ensure private keys, passwords and other security devices are not lost. Report any potential breaches immediately.)

  3. Use Laptops by George+Beech · · Score: 5, Informative

    We require all users with remote access to use corporate laptops that are locked down. You cannot connect your personal computer via vpn. Also there is the standard "treat it as if you were sitting at your desk, all rules regulations etc. still apply."

    1. Re:Use Laptops by Anonymous Coward · · Score: 5, Funny

      I second this. As an employee, I don't want to pollute my personal computer with work related stuff. It takes away valuable pr0n storage space.

    2. Re:Use Laptops by afidel · · Score: 5, Interesting

      I took a different approach, we use Citrix for remote access. We have the Java client installed and have a link to the zero touch client which doesn't need to be installed to run. That way you can get in from all but the most severely locked down internet kiosks. There's no risk to the corporate network and it enables my users to be productive from anywhere. It's also WAY faster than a VPN for most types of work.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    3. Re:Use Laptops by [ByteMe] · · Score: 4, Insightful

      Okay...I'll ask...

      For one thing you state that "you can get in from all but the most severely locked down internet kiosks". I guess you look at that as a feature, while I look at it as a malfunction. You've now extended your boundary and your risk to every poorly managed internet kiosk that any of your users use. So, you've never seen an internet kiosk in a hotel or other location that has questionable software, even obvious malware, installed?

      Then, you claim "there's no risk to the corporate network". I don't know what sort of company you use, but if you think that providing a full desktop via Citrix, with access to all a user's regular internal documents and resources, to an endpoint that cannot be proved to be secure, is a "no risk" proposition then I would recommend you reconsider.

      Not saying that Citrix doesn't have a place--but the authentication/authorization needs to be two-factor (not just a re-usable username/password combo) and the authenticated user should ideally only have read access and then only to less sensitive files. If someone needs the ability to modify files, or to access particularly sensitive ones, then the Citrix client just can't be proved to be providing enough assurance that the underlying OS/hardware isn't compromised. And *that* is why I have three separate laptops from three separate organizations just to be able to get my job(s) done...

  4. One policy: don't make it necessary by davidwr · · Score: 4, Interesting

    Either give people laptops or give them a way to do what they need to do on servers you control.

    This can be a web-based front-end to the applications they use, an ftp site so they can up/download files and edit them on their home computer, or even something like Windows Terminal Services or Citrix.

    If your company is enlightened enough to not use Microsoft, there are even more options available.

    If you allow people to remote login, you need to make very sure that not only is the VPN tunnel secure against attacks, but that their machine can't do anything hostile to your LAN in case their password is compromised. Of course, you should be doing that anyways but many companies don't treat computers in the network as "presumed hostile" to every other device on the network. You should always do that, but if you are going to allow remote login it's even more important.

    As a bonus, if you put most of your business-critical applications on a server you control, it's easier to make sure data gets backed up and you can usually get away with a longer computer-replacement cycle or buy slightly cheaper computers when you do replace them. Of course, you'll pay more for server costs and you'll need more expertise in your IT dept. to manage it, but in many shops this is worth it.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:One policy: don't make it necessary by Achromatic1978 · · Score: 5, Interesting
      Funny, you talk about being enlightened enough not to use Microsoft. I used to work there, and their VPN setup was easily one of the nicest I'd ever seen.

      Smartcards and native connection stuff in Windows. Once connected you were "quarantined" until a security scan had been run on your machine, and even then you had different access based on location.

      But of course, this is Slashdot...

  5. Too long by EmbeddedJanitor · · Score: 5, Insightful
    There are two purposes for such documents:
    (1) Inform: apart from the little "purpose" bit, the SANS doc does not do much.
    (2) A legal rope to hang a user with. What most of the SANS doc is.

    Folks, nobody reads a document like this. They will lose interest after the first few lines then either skip to the signing bit or throw it away.

    Real security comes from informing the user, not from baffling and swamping them with techno-legal bs.

    If you want real security, then clearly explain the issues.

    --
    Engineering is the art of compromise.
    1. Re:Too long by geekmux · · Score: 5, Interesting

      > Folks, nobody reads a document like this. They will lose interest after the first few lines then either skip to the signing bit or throw it away.

      Why is it when we ask people to read through a 2-page user policy, they skip through and don't even bother reading to just sign it, yet those same people will sit down and pore through 3 inches of legal documents for 4 hours when buying a home?

      > If you want real security, then clearly explain the issues.

      Bullshit. If you want real Security, enforce the punishment. Yes, it's that simple, and is also the answer to my previous question.

      People read through 3 inches of legal docs when buying a home because they know damn well they could get burned legally.

      Name the last time someone you know got fired for breaking a Security policy, or losing a laptop and not following protocol properly to report the company confidential data loss.

      I thought so.

      'Nuff said.

    2. Re:Too long by petard · · Score: 4, Insightful

      > Why is it when we ask people to read through a 2-page user policy, they skip through and don't even bother reading to just sign it, yet those same people will sit down and pore through 3 inches of legal documents for 4 hours when buying a home?
      >
      > If you want real security, then clearly explain the issues.
      >
      > Bullshit. If you want real Security, enforce the punishment. Yes, it's that simple, and is also the answer to my previous question.
      >
      > People read through 3 inches of legal docs when buying a home because they know damn well they could get burned legally.
      >
      > Name the last time someone you know got fired for breaking a Security policy, or losing a laptop and not following protocol properly to report the company confidential data loss.
      >
      > I thought so.
      >
      > 'Nuff said.

      The current problems which are being, at least partially, blamed on deceptive lending practices in the mortgage industry would suggest that many people do not actually read through the legal documents they sign when they purchase a home. Do you think that for these deceptive loans, the stack of legal documents did not contain the truth? Of course it did. It was just buried in a pile of legalese, and people simply went with what the nice broker told them.

      --
      .sig: file not found
  6. Policies don't solve problems. people solve them. by girlintraining · · Score: 4, Insightful

    Before putting too much effort into this policy thing... Can I ask you one question: What's management going to do if someone breaks it? The majority of security policies only exist for two reasons -- to fire anyone who questions them and make management feel safe in having "done something to solve the problem". It's rather like expecting a terrorist to care that his car bomb is taking up two parking spaces... If this is management's only goal, just write some boiler-plate, broadly generalized piece that sounds really great but doesn't give any technical guidance. As a bonus, it'll never have to be updated after that, saving countless hours that would otherwise be spent securing the network.

    Note: This post contains 30% recycled sarcasm.

    --
    #fuckbeta #iamslashdot #dicemustdie
  7. Don't use 'user' policies - use 'system' policies by vawarayer · · Score: 5, Interesting

    I find that whatever the user signs, it always gets broken one time or another. That is why I use - whenever possible - system policies instead of making them sign anything. If they can't do what you don't want them to do, it ought to be more reliable.

    • Set up firewall rules that would let them connect only to your mail server, or whatever they need remotely.
    • Make them connect to a terminal server with a very restrictive set of privileges and access to the network.
    • Close unnecessary remote ports so they can't do stuff you wouldn't expect, or infect your network with worms.
    • LOG ! LOG ! LOG ! I find everything should be logged! Especially traffic going in/out the local network. Have a good log retention policy.
    • ENFORCE strong passwords and change 'em when you feel fit.
    • This list could go on...

    The main idea is: restrict their remote access to what they really need. Some purist will reply 'oh yeah, but even if you do that, there's a way around for such and such reason.' or that it will become too restrictive. My answer: adapt to your user needs without letting it be the Wild Wild West.

    Maybe both signing an agreement AND enforcing policies is the best way to go.

  8. Uh, yes you do by trawg · · Score: 4, Insightful

    Here's a few things that are different and need to be considered when working from home. These are all things that I've been thinking about a lot for our company and, in my opinion, are very real issues for any company:

    1) Local shortcuts on your PC with saved passwords to work resources (e.g., VPN connection details, saved passwords in web browser to access work webmail/intranets, etc.)

    2) Log files for work-related chat - MSN, IRC, etc can sometimes contain confidential details.

    3) Work documents and other files.

    You can't just say you don't need a policy other than some vague notion of basic computer knowledge. Most people wouldn't think twice about downloading an important document and putting it on their computer at home.

    The two obvious risks that might lead to information leakage are a) their computer is compromised b) their computer is stolen. It's just a standard risk management exercise from here on in.

  9. Re:Very first (non-sponsored) hit on Google! by Anonymous Coward · · Score: 5, Funny

    > most of the last few Ask Slashdot articles seem to be written by people who can't be bothered to do a little work.

    That's why I got into computers.

  10. What are the requirements? by Fastolfe · · Score: 4, Interesting

    Did an executive really just say, "I think we should have a formal policy"? Don't create bureaucracy and policy just for the sake of having bureaucracy and policy (making management look busy). Build your policy on the demands of your organization, and formalize it when it's necessary to do so.

    That being said, if your business doesn't deal much with sensitive data, you could get by with allowing personal computers, with up-to-date anti-virus software (maybe the company can pay for AV software for home computers). If you do deal with sensitive data, I would recommend issuing laptops to employees that need to work from home, and only allow VPN from those systems. Use certificates.

  11. Rule Number 1: No Porn on the WebServer by Nova+Express · · Score: 4, Funny

    Unless, of course, you work for a porn company. Then porn away.

    --
    Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)

    http://www.lawrenceperson.com/

  12. Not SANS by FooGoo · · Score: 4, Interesting
    Please don't use the SANS policy. As someone who performs risk assessments for a large company I am tired of vendors sending me SANS policies to review. They are old and outdated...some of them contain typos and it really tells me as an auditor that you really don't take security seriously because you can't take the time to tailor a document to your business needs.

    They are generic reference documents to use as a guide not as a final product. Even the guy who wrote the Remote Access policy for SANS thinks it's a joke.

    --
    People who bite the hand that feeds them usually lick the boot that kicks them
  13. Re:Very first (non-sponsored) hit on Google! by kido9797 · · Score: 4, Interesting

    My company uses a router and we're all in a NAT environment. We just use simple Hamachi + VNC to get directly into my PC at night. No one notices and we're happy with that.

  14. Re:Is this real? by s-twig · · Score: 5, Insightful

    Did he even know SANS existed? You could be bothered to post a wry comment but couldn't muster the extra key strokes to make yourself helpful. C'mon be nice. :)

  15. What about their work desktop policies? by cez · · Score: 4, Insightful

    Provide VPN access, but limit them to only remote-desktopping into their current work desktop... then they are stuck with the restrictions, mappings, proxies, policies and resources they are usually allowed and have been signed off on. This is what we do to our "normal" vpn users. Also, Juniper Networks provides a nice sslvpn via web interface for those not able to handle a vpn client that this setup works wonders for...

    --
    Walk with Music;
    1. Re:What about their work desktop policies? by inKubus · · Score: 4, Informative

      Yes, they use a java app which utilizes the SSL capabilities in the browser to create a tunnel. Usually they do like a lightweight remote desktop type thing, or you can spawn something that redirects IP. Lastly, they usually have a link to install a package for a standard IPSEC VPN client. Cisco offers this in their ASA (formerly PIX) firewalls, Sonicwall does also. It's helpful for users logging in from a non-company computer as there's not much config/support required. Obviously your LAN needs to be secure also, in case they log in at an airport kiosk and forget to log out or something. With RADIUS and some auditing, you're almost as safe as in the office.

      --
      Cool! Amazing Toys.
  16. Completely ridiculous by JoeBuck · · Score: 4, Insightful

    What an incredibly totalitarian policy you propose. Someone does a web search to find directions to a restaurant on a work computer, and you can them? Glad I don't work for your company. In real life, a certain amount of personal use gets mixed in with the work use, and a successful company will judge its employees based on whether they get the job done.

  17. Orion Blastar's VPN from Home Policy by Orion+Blastar · · Score: 4, Interesting

    #1 Keep the VPN use work related. Follow the same network policies as if in the workplace.

    #2 Scan the home PC on a regular basis for malware. Last thing the company needs is trade secrets, password and login info, and email stolen by some hacker who happened to get a key logger trojan on the Home PC, and then sell them to the highest bidder or steal corporate bank and credit card accounts. That means keeping your Antivirus programs updated every day and scanning for viruses at least three times a week.

    #3 You are on the honor system. Work can only monitor your activities on the VPN network, but not your Home PC and the Internet being used by your home PC. Yes it is alright to check your local email on your home computer, but use common sense and don't spend a lot of time doing personal things on your home computer and home Internet connection. We'll notice it when the VPN activity stops for more than 15 minutes, and your work productivity drops on the VPN. Yes you can take two 15 minute breaks and lunch hour or half hour, but we'll really notice it when you do nothing on the VPN for hours. Either you are goofing off and doing personal things, or the connection is dead, but we can tell by pinging your home computer to test if the connection is dead and deduce you're wasting time.

    #4 Keep all company email professional. Make effective use of company email and web sites and software. Don't use them and act like you do when you are posting Anonymous trolls on the Internet or your Myspace page.

    #5 Do not access other users' accounts unless you are given permission by management for troubleshooting something or testing out software. We know that your profile might not have the same issues as a coworker, but only IT staff should be logging in to other employees' accounts, and only for testing purposes. Do not use an alias either on the VPN or create a fake account via a hack, but use the account and account name assigned to you.

    #6 Do not save work data on your personal hard drive, instead store it on a server drive.

    #7 Do not run cracking and/or hacking tools on the VPN, do not do any denial of service attacks over the VPN.

    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
  18. Re:Is this real? by tyler.willard · · Score: 4, Insightful

    > Did he even know SANS existed?

    The inquirer did say:

    > ...online searches haven't been very helpful...

    This ain't my area either but googling for:

    corporate vpn policy

    produces SANS' example policy as the first hit. As such, it looks to me like the OP was in order.