Network Security Security-Basics

RE: Remote Access for Home Computers

Subject: RE: Remote Access for Home Computers
Date: Sat, 27 Aug 2005 08:39:47 -0500

I allow VPN access to my networks but only allow port 3389 for users
to access their own desktops - policies that apply while they are at
their desks still apply and I have not heard of any viri working over
3389 *yet* but I guess that is what defense in depth is for?


On 24/08/05 01:19 -0000, nick_hunt@mascohq.com wrote:
Hello all

I have been getting asked a lot lately about the possibility of 
letting users access corporate resources with their home computers via 
SSL VPN that has NAC features on it.  I keep on fighting it, mostly 
because I think it will cause a lot of support calls, but more 
importantly because I am afraid of the possible vulnerabilities of 
allowing un-managed machines access to our network.  I was wondering 
if anyone knew of any statistics or good articles on the letting users 
access corporate data with their home machines.

Would the recent examples of _corporate_ laptops roaming around the world
before returning to the corporate network and bringing it down not be
sufficient?

Home machines are generally less secure than corporate systems, and they
definitely follow different security policies.


The security implications that I am most worried about are:
1) worm propagation:  afraid infected machine will allow a worm onto 
our network.  Even though the SSL vpn does a check to see if AV is 
running and def's are up to date, and also does not give an IP on our 
network, there is the possibility of users uploading infected files to 
websites or network shares.

And a new virus/worm coming out for which your A/V vendor does not have a
signature blows all the checks out of the water.

A VPN is simply an extension of your corporate network. If you allow access
to file shares, you are allowing unknown hosts into your trusted network. I
would not normally allow a VPN into my systems unless I trust the
administrators of those hosts.

Devdas Bhagat
