Republished with permission from WatchGuard Technologies, Inc.

  WatchGuard LiveSecurity
 
 

Extending the Perimeter: 
Protecting the Telecommuter and the Road Warrior (Part 2)

Fredrick M. Avolio
Avolio Consulting

Introduction
Last time, in Part 1, we looked at the challenges we face when we allow holes in our network security defense perimeter. Specifically, I addressed the desktop and mobile systems of our telecommuters and travelers. In this column I discuss and recommend some acceptable use policies for the road warrior and telecommuter. I erroneously called them acceptable use guidelines last time, and I repent of that. The term "guideline" communicates that we are making a suggestion rather than issuing an edict, as these must be.

The Easy Stuff
In my previous article on the risks of "road warrior" computing, I suggested that we need to be concerned about:

  • computer virus infection
  • loss or destruction of corporate information
  • theft of corporate property
  • theft of corporate information
  • password pilfering leading to network break-in. 

We should make sure we have responsesboth procedural and mechanicalto each of these. The solutions suggested in Part 1 must be required. That's the easy part. The following is also fairly easy.

1. Have a policy that says the IT staff will regularly get their hands on any remote PCs. They will check all software, especially any related to security and/or regulated by policy. They will also back up the disks. For road warriors whose permanent base is the office, these checks will be easier to implement. For the occasional visitor, they may take more effort to orchestrate. It's worth the effort.

2. Remote users must have anti-virus (AV) software properly installed on every computer used for business. This might mean providinggratisthe same AV software for home computers that we provide in the office. Along with this, we provide an explanation of how to update AV software on the remote systems over the Internet or from a connection to the office. We might choose to put it on a Web page, e-mail the update procedure and tell them to "click here," or physically mail out floppies or a CD monthly. Sending periodic notices helps remind users to keep their AV defenses current.

3. Remote disks must be backed up. We provide the software, the media, and the reminding. We might also provide a means to do it easily via a Web interface.

4. Allow only encrypted remote connections to the enterprise network, such as those provided by Watchguard Mobile User VPN. At no time will we allow reusable passwords to flow unprotected outside of our network. This is easy since we control the access points (unless we allow modems on desktop computers).

The Hard Stuff
If we do not provide effective services to support our road warriors and telecommuters, they might go elsewhere for these services, leaving gaping (and unknown) holes in our security perimeter. But proper support is difficult and requires vigilance. While some security can be assisted by our efforts (as above), preventing other security holes relies solely on the obedience and good will of our users. Unfortunately, we are competing for attention and compliance. And we are up against one of the strongest forces in the universe: the desire of an individual to accomplish his or her job. Nonetheless, these policies are not unreasonably inconvenient, and if implemented will go a long way toward minimizing risks: 

1. Corporate computers are provided for corporate business only. We know that people will use them to shop on the Internet and to send e-mail to Aunt Ida and Uncle Pete, but we don't want them running a second business from it, nor do we want it to be used as the household Internet machine. Why? Fewer hands touching the computer mean fewer things to worry about.

2. Do not use remote back-up services. While we want users to back up their computers, we do not want confidential data in the hands of a third party, and passed on unencrypted channels. We should inform users of the dangers and provide easier and more secure ways for them to safely back up their data.

3. Sensitive internal e-mail should remain within the organization's e-mail servers and computers. Where exceptions are made to this rule and people are allowed to access work e-mail from home or the road, we need to make the process for doing so clear and easy. Sensitive data should never be forwarded to outside, personal e-mail accounts (unless it is always encrypted. This is difficult, but not impossible, to require and mechanically enforce). 

4. Avoid remote connection via kiosks. Remote logins from home or hotel room are almost always less risky than reading e-mail from a kiosk on a conference show floor. At a kiosk, is the user really using Netscape Communicator or Internet Explorer? It could be a reasonable facsimile that captures data and passwords. After the user finishes, will he or she remember to remove passwords and user names? Will he delete the e-mail he downloaded? Since the answer to these questions is usually "No," never allow remote reading of e-mail from such locations. 

Closing Thoughts
Firewalls are excellent devices, but once we unplug our computers and carry them outside of our firewallour "security perimeter"all bets are off. If we carry our computing outside of our firewall, we have to carry protection outside with us. We must be mindful of the threats and counter them accordingly. Products and policies exist to help protect our information and, correctly used, they can greatly minimize the risks.