Normally, VPNs are very secure, however, I do have to agree with the CIO
on this one. Unless the user can prove that they are taking all
necessary security precautions, such as anti-virus and firewalls, and
that they are remaining up to date, they should not have their own
personal computers connected through a VPN. Company owned laptops could
still pose a problem, but are less risk.
The reason company owned laptops could still pose a problem is because
of the large number of users who are using their own private networks
and connecting the company laptop to their own network. Why does this
pose a problem? If the home computer is infected with a virus that
spreads via the network and the business laptop is not protected against
the threat, the virus could spread to the laptop and then continue to
the company network through the VPN. Yes, it is probably an unusual
circumstance, but it is possible.
Nathaniel Hall, GSEC
Intrusion Detection and Firewall Technician
Ozarks Technical Community College -- Office of Computer Networking
halln@otc.edu
417-447-7535
Cesar Diaz wrote:
List,
After years of having VPN access for our remote users without a single
know security incident, my boss and I have to justify to her boss why
VPN is secure.
The CIO wants us to only allow users to access the network from
company laptops, not from their own home computers. We currently will
allow users to install the VPN client software on their home computers
to connect remotely, or they can use Citrix through SSL access to get
to network resources. His concern is that if a users home PC is
compromised, that compromise can spread to our network.
Is this a legitimate concern? Can anyone point me in the direction of
some documentation backing either argument?
Thanks in advance for any help.
C
