
Remote Access Policies

samzenpus posted more than 5 years ago | from the write-it-down-from-home dept.

Networking 178

Samalie writes "My company is considering implementing a formal remote access policy (and agreement for staff to sign) for users who access our network from home via VPN. Does anyone out there have any suggestions as to what this policy/agreement should contain? Anyone have their own corporate policy that I can borrow from? This is the first time I've come across anyone wanting a formal policy for this & online searches haven't been very helpful."

178 comments

Is this real? (2, Informative)

Anonymous Coward | more than 5 years ago | (#25741635)

Did you even look at SANS?

Re:Is this real? (5, Insightful)

s-twig (775100) | more than 5 years ago | (#25742125)

Did he even know SANS existed? You could be bothered to post a wry comment but couldn't muster the extra keystrokes to make yourself helpful. C'mon, be nice. :)

SANS Templates (5, Informative)

Wanker (17907) | more than 5 years ago | (#25741643)

The templates provided by SANS are a good place to start:

All of them are here:

http://www.sans.org/resources/policies/ [sans.org]

Here's the remote access policy example:

http://www.sans.org/resources/policies/Remote_Access_Policy.pdf [sans.org] [PDF]

Too long (5, Insightful)

EmbeddedJanitor (597831) | more than 5 years ago | (#25741747)

There are two purposes for such documents:
(1) Inform: apart from the little "purpose" bit, the SANS doc does not do much of this.
(2) A legal rope to hang a user with. What most of the SANS doc is.

Folks, nobody reads a document like this. They will lose interest after the first few lines then either skip to the signing bit or throw it away.

Real security comes from informing the user, not from baffling and swamping them with techno-legal bs.

If you want real security, then clearly explain the issues.

What about their work desktop policies? (4, Insightful)

cez (539085) | more than 5 years ago | (#25742295)

Provide VPN access, but limit them to only remote-desktopping into their current work desktop... then they are stuck with the restrictions, mappings, proxies, policies and resources they are usually allowed and have been signed off on. This is what we do to our "normal" vpn users. Also, Juniper Networks provides a nice sslvpn via web interface for those not able to handle a vpn client that this setup works wonders for...

Re:What about their work desktop policies? (2, Interesting)

Brian Gordon (987471) | more than 5 years ago | (#25742713)

How do you VPN through a web interface? A java applet full of exploits to hijack the networking drivers? Seriously I'm interested to know.

Re:What about their work desktop policies? (4, Informative)

inKubus (199753) | more than 5 years ago | (#25743923)

Yes, they use a Java app which utilizes the SSL capabilities in the browser to create a tunnel. Usually they do like a lightweight remote desktop type thing, or you can spawn something that redirects IP. Lastly, they usually have a link to install a package for a standard IPSEC VPN client. Cisco offers this in their ASA (formerly PIX) firewalls; SonicWall does also. It's helpful for users logging in from a non-company computer as there's not much config/support required. Obviously your LAN needs to be secure also, in case they log in at an airport kiosk and forget to log out or something. With RADIUS and some auditing, you're almost as safe as in the office.

Re:Too long (5, Interesting)

geekmux (1040042) | more than 5 years ago | (#25742611)

Folks, nobody reads a document like this. They will lose interest after the first few lines then either skip to the signing bit or throw it away.

Why is it when we ask people to read through a 2-page user policy, they skip through and don't even bother reading it to just sign it, yet those same people will sit down and pore through 3 inches of legal documents for 4 hours when buying a home?

If you want real security, then clearly explain the issues.

Bullshit. If you want real Security, enforce the punishment. Yes, it's that simple, and is also the answer to my previous question.

People read through 3 inches of legal docs when buying a home because they know damn well they could get burned legally.

Name the last time someone you know got fired for breaking a Security policy, or losing a laptop and not following protocol properly to report the company confidential data loss.

I thought so.

'Nuff said.

Re:Too long (1)

ion.simon.c (1183967) | more than 5 years ago | (#25742635)

*hands you an imaginary +1 mod point of "good job!"*

Re:Too long (4, Insightful)

petard (117521) | more than 5 years ago | (#25742767)

Why is it when we ask people to read through a 2-page user policy, they skip through and don't even bother reading it to just sign it, yet those same people will sit down and pore through 3 inches of legal documents for 4 hours when buying a home?

If you want real security, then clearly explain the issues.

Bullshit. If you want real Security, enforce the punishment. Yes, it's that simple, and is also the answer to my previous question.

People read through 3 inches of legal docs when buying a home because they know damn well they could get burned legally.

Name the last time someone you know got fired for breaking a Security policy, or losing a laptop and not following protocol properly to report the company confidential data loss.

I thought so.

'Nuff said.

The current problems which are being, at least partially, blamed on deceptive lending practices in the mortgage industry would suggest that many people do not actually read through the legal documents they sign when they purchase a home. Do you think that for these deceptive loans, the stack of legal documents did not contain the truth? Of course it did. It was just buried in a pile of legalese, and people simply went with what the nice broker told them.

Re:Too long (3, Insightful)

guruevi (827432) | more than 5 years ago | (#25743133)

And most of those people actually thought they could get away with it, that is, legally stealing from the banks. I had similar offers made when I was looking for a home and I KNEW something was fishy about having loans that are cheaper than the depreciation of its own value, although I'm not a lawyer (if yearly inflation rates are higher than your APR something is wrong, because then the bank would over time pay you to loan their money).

Also I know that VARIABLE percentages means that the person loaning to you can jack up the prices as they want (just look at your energy bill with variable adjustments) but unlike an energy bill which you can change every year, you make the choice for the next 15-30 years no matter what happens to either yourself or the economy. It's a matter of federal law that rates and types are made clear to the buyer before lending and usually it's either on the first or last page, requiring a signature next to it.

If people are too stupid and like to listen to their SALESman instead of forking over $200 to a real-estate lawyer (that's what it cost my parents 2 years ago) to review and make the paperwork clear to them, then that's their own fault.

Re:Too long (3, Interesting)

petard (117521) | more than 5 years ago | (#25743293)

If people are too stupid and like to listen to their SALESman instead of forking over $200 to a real-estate lawyer (that's what it cost my parents 2 years ago) to review and make the paperwork clear to them, then that's their own fault.

I'm not arguing with this; you're right on. I was simply disputing the notion put forth by the post I was responding to. geekmux said that if these legal agreements had teeth, people would read them and offered as an example the notion that people generally read the paperwork that they have to sign when they purchase a home. I maintain that the current financial mess is due, in part, to the fact that people don't read legalese even when not doing so can have dire consequences. So giving these agreements more teeth would be of little help in getting people to read and adhere to them :-/

Re:Too long (2, Insightful)

Anonymous Coward | more than 5 years ago | (#25743049)

The problem is, even if users DO read it, will they understand this, for example?

Frame Relay must meet minimum authentication requirements of DLCI standards.

(from the SANS Remote Access Policy doc). I'm gonna go out on a limb and say "no."

Re:Too long (2, Insightful)

Anonymous Coward | more than 5 years ago | (#25744059)

Because if YOU are buying a home, which is perhaps the biggest investment you'll ever make, the biggest risk you'll ever take, and which offers potentially the biggest benefit you'll ever receive from a purchase, then you better damn well believe that you will read and understand every single cotton picking stroke of the pen located on the fibers of ten feet thick of legal document.
 
But when you are filling out what you perceive to be some silly formality in order to obtain access to some system, a system that belongs to someone else, that was paid for by someone else, which is maintained by someone else, and which you will use for the benefit of someone else (allowing, of course, for the fact that the aforementioned someone else will, in exchange, pay your living), well, need I say any more? Of course you won't care what is written on that silly form.

Re:Too long (0)

Anonymous Coward | more than 5 years ago | (#25744179)

Enforce the punishment to gain security? Sure... It's as simple as stopping all crime in the US.

Security policies and punishment only are useful for keeping the honest people honest. The criminals don't follow the rules and risk that they'll not get caught and therefore avoid the punishment. Even without enforcing punishment, the biggest difficulty I've seen is detecting security violations. They can come from nearly anywhere. If they can be and are detected, a simple email "Do not do that!" will keep the honest people honest. No firing needed.

Re:SANS Templates (3, Funny)

clockwise_music (594832) | more than 5 years ago | (#25742251)

Don't make users sign it. That's ridiculous. But here's what it should be:

1. Same restrictions as what you have from work. No pr0n, nothing illegal.

2. User must have at least xp sp2 with patches installed with virus scanner X - or whatever your default company policy is. Or give them a pre-setup laptop. (Probably save you money in the long term, less chance of viruses etc)

3. Users must email their manager every 10 minutes to let them know that they're online.

Re:SANS Templates (1)

Swizec (978239) | more than 5 years ago | (#25742859)

3. Users must email their manager every 10 minutes to let them know that they're online.

The poor manager sob, wouldn't want to be him.

Very first (non-sponsored) hit on Google! (3, Insightful)

Swift Kick (240510) | more than 5 years ago | (#25741657)

A link to the SANS Institute example for a Remote Access Policy doc (PDF format):

http://www.sans.org/resources/policies/Remote_Access_Policy.pdf [sans.org]

This is the first time I've come across anyone wanting a formal policy for this & online searches haven't been very helpful.

It looks like there's a trend going on; most of the last few Ask Slashdot articles seem to be written by people who can't be bothered to do a little work.

Re:Very first (non-sponsored) hit on Google! (5, Funny)

Anonymous Coward | more than 5 years ago | (#25741863)

most of the last few Ask Slashdot articles seem to be written by people who can't be bothered to do a little work.

That's why I got into computers.

Re:Very first (non-sponsored) hit on Google! (4, Interesting)

kido9797 (786057) | more than 5 years ago | (#25742111)

My company uses a router and we're all in a NAT environment. We just use simple Hamachi + VNC to get directly into my PC at night. No one notices and we're happy with that.

Re:Very first (non-sponsored) hit on Google! (1)

Orion Blastar (457579) | more than 5 years ago | (#25742665)

Which begs the question, is there an "Ask Slashdot" question that cannot be answered by a Google search?

If most "Ask Slashdot" questions can be answered by Google, and Slashdot screened them out by searching Google first and, after finding an answer, told the submitter to F-ing Google it and cancelled the story, then there wouldn't be any material for "Ask Slashdot".

A good question to ask Slashdot that Google couldn't answer is "What web site can I buy a Rose Ratchet Whatchamigiger at?" (from a "Pinky and the Brain" episode) and also ask what it is used for.

Another good question would be "Where do I find '101 BASIC Computer Games', a book that has been out of print since the 1980s and uses Dartmouth and Microsoft BASIC?"

Re:Very first (non-sponsored) hit on Google! (0)

Anonymous Coward | more than 5 years ago | (#25743887)

"begs the question"?... Really?... Here?

Re:Very first (non-sponsored) hit on Google! (0)

Anonymous Coward | more than 5 years ago | (#25743951)

Answering your second good question:

https://www.powells.com/s?kw=101+BASIC+Computer+Games

$45

You don't need a policy (3, Interesting)

geekoid (135745) | more than 5 years ago | (#25741669)

above what you should already have for them to use a computer.

Seriously. It's all going to be the same stuff. What makes people think behavior will be different depending on which keyboard they happen to be behind.

You could make a VPN boot disk.
This way you can separate what is on their machine from the VPN instance. Requires no brain power to use. Boots up, big VPN icon. Click, enter password, good to go.
Obviously, encrypt it.

Uh, yes you do (4, Insightful)

trawg (308495) | more than 5 years ago | (#25741831)

Here's a few things that are different and need to be considered when working from home. These are all things that I've been thinking about a lot for our company and, in my opinion, are very real issues for any company:

1) Local shortcuts on your PC with saved passwords to work resources (eg, VPN connection details, saved passwords in web browser to access work webmail/intranets, etc)

2) Log files for work-related chat - MSN, IRC, etc can sometimes contain confidential details.

3) Work documents and other files.

You can't just say you don't need a policy other than some vague notion of basic computer knowledge. Most people wouldn't think twice about downloading an important document and putting it on their computer at home.

The two obvious risks that might lead to information leakage are a) their computer is compromised, b) their computer is stolen. It's just a standard risk management exercise from here on in.

Re:Uh, yes you do (1)

Yeorwned (1233604) | more than 5 years ago | (#25742511)

1) Use an RSA key generating card for logins 2) Using an instant messenger for confidential information? Sounds like VPN policy is the last thing you should be worried about... 3) Document management, such as Sharepoint. Gotta agree that another policy isn't exactly effective. Survey says majority of all users do not actually read them and the ones that do forget the details shortly thereafter. So your employees are now liable for damages? What are you going to do? Fire and sue them for the $500 of equity in their home?

Don't forget legal issues (1, Interesting)

Anonymous Coward | more than 5 years ago | (#25742607)

You are thinking about the practical and security aspects, which is good and necessary. There are also very real legal issues to consider. The export restrictions pertaining to the remote location in question are one obvious example. Another biggie is the Fair Labor Standards Act. Be aware of your obligations here or you could find yourself in big trouble. I never give anyone VPN access unless it is approved by their direct supervisor, and I make sure that the supervisor is aware of their responsibility to comply with the FLSA.

Re:Uh, yes you do (1)

inKubus (199753) | more than 5 years ago | (#25743945)

If your documents are that sensitive, why aren't you using DRM? But true, threats, especially a message displayed at every login stating the policy, go a long way to keeping people on their toes. Periodically audit the machines remotely to see if there are any copied files, also.

Re:You don't need a policy (1)

amirulbahr (1216502) | more than 5 years ago | (#25742797)

I second this idea. Alternatively, make all access through a remote desktop session (be it RDP, VNC, SSGD, Sun Ray, NX, etc). Don't allow access to the intranet or file servers or other server applications except the remote desktop.

This way, when they log in to the work session they feel like they are logged in at work.

Just obvious stuff (4, Insightful)

_merlin (160982) | more than 5 years ago | (#25741673)

KISS principle: just say the VPN should only be used as you'd use the connection at work. (Keep it work-related, no excessive personal utilisation. No pr0n or illegal material. Don't forward the connection in any way - including web proxies and Tor. Keep your security software up to date. Take reasonable measures to ensure private keys, passwords and other security devices are not lost. Report any potential breaches immediately.)

Re:Just obvious stuff (1)

jbruno (1406365) | more than 5 years ago | (#25744167)

KISS = Keep It Simple Stupid. How is this simple? 99.9% of people I know don't follow this advice.

Well... (3, Interesting)

TheSpoom (715771) | more than 5 years ago | (#25741683)

What rules do you want to set up? What do you want to allow and disallow of your users / employees?

Figure this out, write it down, get a lawyer to look at it, and you're done.

Use Laptops (5, Informative)

George Beech (870844) | more than 5 years ago | (#25741685)

We require all users with remote access to use corporate laptops that are locked down. You cannot connect your personal computer via vpn. Also there is the standard "treat it as if you were sitting at your desk, all rules regulations etc. still apply."

Re:Use Laptops (5, Funny)

Anonymous Coward | more than 5 years ago | (#25741737)

I second this. As an employee, I don't want to pollute my personal computer with work related stuff. It takes away valuable pr0n storage space.

Re:Use Laptops (1)

George Beech (870844) | more than 5 years ago | (#25741799)

I actually find that they still find ways to get pr0n on them ... Although the proxy logs are entertaining sometimes when a lot of people are working from home. Oh, and one thing I forgot ... don't allow split-horizon VPN.

Re:Use Laptops (3, Informative)

tftp (111690) | more than 5 years ago | (#25741811)

I third this. You can't expect your employees to comply with boring rules in a boring piece of paper. You need to make it plain impossible to connect using home computers. Give the user a laptop and he can carry it home if he wants. Give him an RSA token to be doubly sure.

Re:Use Laptops (5, Interesting)

afidel (530433) | more than 5 years ago | (#25742121)

I took a different approach, we use Citrix for remote access. We have the Java client installed and have a link to the zero touch client which doesn't need to be installed to run. That way you can get in from all but the most severely locked down internet kiosks. There's no risk to the corporate network and it enables my user to be productive from anywhere. It's also WAY faster than a VPN for most types of work.

Re:Use Laptops (4, Insightful)

[ByteMe] (145131) | more than 5 years ago | (#25742699)

Okay...I'll ask...

For one thing you state that "you can get in from all but the most severely locked down internet kiosks". I guess you look at that as a feature, while I look at it as a malfunction. You've now extended your boundary and your risk to every poorly managed internet kiosk that any of your users use. So, you've never seen an internet kiosk in a hotel or other location that has questionable software, even obvious malware, installed?

Then, you claim "there's no risk to the corporate network". I don't know what sort of company you use, but if you think that providing a full desktop via Citrix, with access to all a user's regular internal documents and resources, to an endpoint that cannot be proved to be secure, is a "no risk" proposition then I would recommend you reconsider.

Not saying that Citrix doesn't have a place--but the authentication/authorization needs to be two-factor (not just a re-usable username/password combo) and the authenticated user should ideally only have read access and then only to less sensitive files. If someone needs the ability to modify files, or to access particularly sensitive ones, then the Citrix client just can't be proved to be providing enough assurance that the underlying OS/hardware isn't compromised. And *that* is why I have three separate laptops from three separate organizations just to be able to get my job(s) done...

Re:Use Laptops (2, Interesting)

afidel (530433) | more than 5 years ago | (#25742895)

With two-factor authentication and SSL transporting Citrix's secure ICA protocol there's plenty of secrecy and authentication. The fact that only the display and printer are mapped back to the client (and we use the UPD, no native drivers) means there's not really any exposure to client malware. Files only traverse through a user browsing back to the local PC, and all files are scanned. We also use the old file explorer view so we don't have exposure to folder content browsing bugs, which are the only attack vector I am aware of through the callback mechanism. This is certainly a MUCH smaller attack surface than a full VPN connection where, to be functional, all sorts of ports need to be open.

Re:Use Laptops (3, Insightful)

Lumpy (12016) | more than 5 years ago | (#25742453)

This is how 98% of all fortune 500 companies do this.

you're a nut if you allow a personal PC to connect to the company network.

Re:Use Laptops (1)

Macman408 (1308925) | more than 5 years ago | (#25743557)

This is how 98% of all fortune 500 companies do this.

you're a nut if you allow a personal PC to connect to the company network.

On the other hand, I'm 98% more efficient on my personal PC than on my work PC, and the cost for my RSA token is 98% less than a laptop. I'm also 98% more likely to log in remotely from my personal PC than I would be from a laptop - it's easy to log on and keep up with E-mails during off-work hours (if I want to, anyway). If I had to drag out a different computer, there's no way I'd be doing it unless I was expecting something.

My previous employer's policy was to have antivirus installed, and disallow split tunneling (to avoid the remote computer becoming a conduit between the public internet and the internal network). My current employer wants antivirus, but allows split tunneling.

Here's the real question: whose time is more valuable, the people who will be using the network remotely, or the people who will be fixing it when one of the users does something bad? The less valuable the users' time is, the better case you can make for locking the VPN connection down to prevent anything from getting fouled up.

Re:Use Laptops (0)

Anonymous Coward | more than 5 years ago | (#25742805)

that's what we do too. Everybody has to access via the corporate laptop and in 2 cases, people brought a desktop home. This way, we could make sure they were running anti-virus and it was current and also remote in for troubleshooting. Some were using VPN clients and some were using Linksys BEFVP41 routers that I preconfigured and gave to them.

Re:Use Laptops (1)

jax555 (1406263) | more than 5 years ago | (#25743079)

It can be a tricky balancing act... Sometimes, allowing people to log in through a home computer can blur the distinction between work and home (which is great if you want to eke that much more work out of people). If you lock it down, people may just leave work at work. An example: you probably wouldn't take a work laptop on holiday, but if you are at a computer anyway you might check your work email.
We had a totally slack policy before, and now they have locked it down (company laptops only). Now I don't work from home at all. It is bloody awesome and I wish it had happened earlier.

Re:Use Laptops (1)

MadMidnightBomber (894759) | more than 5 years ago | (#25744225)

Same policy here - only I can install exactly what I want on my work laptop, so in practice it is the *exact same config* as my home one - Ubuntu 8.04. So, I'm allowed to use one but not the other of two identical frickin' laptops. Go figure.

One policy: don't make it necessary (4, Interesting)

davidwr (791652) | more than 5 years ago | (#25741699)

Either give people laptops or give them a way to do what they need to do on servers you control.

This can be a web-based front-end to the applications they use, an ftp site so they can up/download files and edit them on their home computer, or even something like Windows Terminal Services or Citrix.

If your company is enlightened enough to not use Microsoft, there are even more options available.

If you allow people to remote login, you need to make very sure that not only is the VPN tunnel secure against attacks, but that their machine can't do anything hostile to your LAN in case their password is compromised. Of course, you should be doing that anyways, but many companies don't treat computers in the network as "presumed hostile" to every other device on the network. You should always do that, but if you are going to allow remote login it's even more important.

As a bonus, if you put most of your business-critical applications on a server you control, it's easier to make sure data gets backed up and you can usually get away with a longer computer-replacement cycle or buy slightly cheaper computers when you do replace them. Of course, you'll pay more for server costs and you'll need more expertise in your IT dept. to manage it, but in many shops this is worth it.

Re:One policy: don't make it necessary (5, Interesting)

Achromatic1978 (916097) | more than 5 years ago | (#25742139)

Funny, you talk about being enlightened enough not to use Microsoft. I used to work there, and their VPN set up was easily one of the nicest I'd ever seen.

Smartcards and native connection stuff in Windows. Once connected you were "quarantined" until a security scan had been run on your machine, and even then you had different access based on location.

But of course, this is Slashdot...

Re:One policy: don't make it necessary (2, Interesting)

Malc (1751) | more than 5 years ago | (#25743201)

Consequences of the NT4/Win2K source code leak a few years back? Didn't that happen via VPN?

Why limit to just VPN? (2, Informative)

Viree (214760) | more than 5 years ago | (#25741773)

The last few companies I've worked for make it mandatory for new employees to sign an AUP (Acceptable Use Policy). Sorta like a blanket coverage for all IT services, including networks usage. Depending on how large the company you're working for, you might be able to convince your HR to get all the existing employees to sign, too. That way you can avoid getting the employees to sign another document/agreement if you should implement new IT services.

Big Brother Invasion (3, Interesting)

Dolphinzilla (199489) | more than 5 years ago | (#25741791)

My company requires the following:

1. A specific virus scanner (Norton AV, yuck)
2. A specific firewall with company preset settings (BlackICE is what it used to be called; it's something else now)
3. We are assigned an RSA SecurID fob which my manager must periodically re-confirm that I am authorized to use (like once a year)

basically it is a Huge pain only slightly offset by the convenience

Re:Big Brother Invasion (1)

TheSpoom (715771) | more than 5 years ago | (#25742079)

How do they verify that you have that software installed? Or are you talking about on the remote system?

Re:Big Brother Invasion (0)

Anonymous Coward | more than 5 years ago | (#25742513)

My Co builds the check into the policy of the Checkpoint software.. It will not connect without checking one of the 2?!?! approved AV products are running.. this used to be easy to work around, but they fixed the ridiculous hole with an update. and they use RSA fobs..and they friggin can't configure the system to do password resets by the user reliably.. That dept sucks balls That is on company owned laptops or personal PCs with the software installed- they also provide the AV software.. but then again, more than a couple people have had to reinstall the OS after installing the VPN software.. Which is why I just use a VM for a plain jane install specifically to vpn...

Re:Big Brother Invasion (0)

Anonymous Coward | more than 5 years ago | (#25743011)

Most of the commercial SSL-VPN products have endpoint inspection. AFAIK, most (all?) of them use the OPSWAT libraries for Windows clients... (http://www.opswat.com/)

meaning they install a bunch of stuff on your client if you want full access. No access to your PC (i.e. kiosk)? No problem, you get web-portal access only...

(Full disclosure - I work for a company that makes/sells one of these ssl vpn products, but my statements are generic and related to most/all commercially available products in the space)

Re:Big Brother Invasion (0)

Anonymous Coward | more than 5 years ago | (#25742115)

A specific virus scanner (Norton AV, yuck)

I kind of agree. At my company we required antivirus. My response was "will not install antivirus on a Linux machine". I got an exception.

The primary reason should be obvious. My machine was not going to be a source of Windows viruses to the rest of the network. Even if they do run (I have wine installed but it takes effort to run an exe file), they aren't going to be able to spread in this weird environment.

Re:Big Brother Invasion (0)

Anonymous Coward | more than 5 years ago | (#25743019)

So how is Motorola doing these days? ;)

Re:Big Brother Invasion (0)

Anonymous Coward | more than 5 years ago | (#25743545)

Oh, so you work for GE, too?

Policies don't solve problems. people solve them. (4, Insightful)

girlintraining (1395911) | more than 5 years ago | (#25741797)

Before putting too much effort into this policy thing... Can I ask you one question: What's management going to do if someone breaks it? The majority of security policies only exist for two reasons -- to fire anyone who questions them and make management feel safe in having "done something to solve the problem". It's rather like expecting a terrorist to care that his car bomb is taking up two parking spaces... If this is management's only goal, just write some boiler-plate, broadly generalized piece that sounds really great but doesn't give any technical guidance. As a bonus, it'll never have to be updated after that, saving countless hours that would otherwise be spent securing the network.

Note: This post contains 30% recycled sarcasm.

Re:Policies don't solve problems. people solve the (1)

cryogenix (811497) | more than 5 years ago | (#25742975)

Management is usually the first to break these rules, and in my experience, NOTHING happens to others that then break them. That's why you don't make exceptions for management either. First it will be them, and then someone who works directly for them with pull etc..

Don't use 'user' policies - use 'system' policies (5, Interesting)

vawarayer (1035638) | more than 5 years ago | (#25741801)

I find that whatever the user signs, it always gets broken one time or another. That is why I use - whenever possible - system policies instead of making them sign anything. If they can't do what you don't want them to do, it ought to be more reliable.

  • Set up firewall rules that would let them connect only to your mail server, or whatever they need remotely.
  • Make them connect to a terminal server with a very restrictive set of privileges and access to the network.
  • Close unnecessary remote ports so they can't do stuff you wouldn't expect, or infect your network with worms.
  • LOG ! LOG ! LOG ! I find everything should be logged! Especially traffic going in/out the local network. Have a good log retention policy.
  • ENFORCE strong passwords and change 'em when you feel fit.
  • This list could go on...

The main idea is: restrict their remote access to what they really need. Some purist will reply 'oh yeah, but even if you do that, there's a way around for such and such reason.' or that it will become too restrictive. My answer: adapt to your user needs without letting it be the Wild Wild West.

Maybe both signing an agreement AND enforcing policies is the best way to go.
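To make the "system policy" approach above concrete, here is an added example (not from this thread or any commenter): a per-role allow-list of the hosts and ports VPN clients may reach, checked against constructed VPN flow-log lines so that any flow outside the list, any user without an assigned role, and any unparseable line is reported. The role names, host names and log format are assumptions.

```python
"""Audit VPN flow logs against a per-role destination allow-list.
Added example (not from the thread): role names, hosts and log format are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical role -> set of (host, port) a VPN client in that role may reach.
# A firewall on the VPN interface would enforce this; the audit below reports
# anything the logs show outside it.
ALLOWLIST = {
    "sales": {("mail.example.internal", 993), ("ts.example.internal", 3389)},
    "admin": {("mail.example.internal", 993), ("ts.example.internal", 3389),
              ("bastion.example.internal", 22)},
}
# Hypothetical user -> role mapping (e.g. exported from the directory).
USER_ROLES = {"alice": "sales", "bob": "admin"}

# Constructed log format: "<timestamp> user=<name> dst=<host>:<port> proto=<tcp|udp>"
LOG_RE = re.compile(r"^(\S+) user=(\S+) dst=([^:\s]+):(\d+) proto=(tcp|udp)$")
NO_ROLE = "no role assigned"
NOT_ALLOWED = "destination not in allow-list"


@dataclass(frozen=True)
class Violation:
    ts: str
    user: str
    host: str
    port: int
    reason: str


def parse_line(line):
    """Return (ts, user, host, port, proto), or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ts, user, host, port, proto = m.groups()
    return ts, user, host, int(port), proto


def audit(lines):
    """Check every flow; return (violations, allowed_flows_per_user, malformed_count).
    Malformed lines are counted rather than skipped: a log line the parser cannot
    read is itself something an operator should look at."""
    violations, allowed, malformed = [], Counter(), 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            malformed += 1
            continue
        ts, user, host, port, _proto = parsed
        role = USER_ROLES.get(user)
        if role is None:
            violations.append(Violation(ts, user, host, port, NO_ROLE))
        elif (host, port) not in ALLOWLIST[role]:
            violations.append(Violation(ts, user, host, port, NOT_ALLOWED))
        else:
            allowed[user] += 1
    return violations, allowed, malformed


# Constructed sample log: lines 3 and 5 should be flagged, line 6 is malformed.
SAMPLE_LOG = """\
2008-11-13T09:01:02Z user=alice dst=mail.example.internal:993 proto=tcp
2008-11-13T09:01:09Z user=alice dst=ts.example.internal:3389 proto=tcp
2008-11-13T09:02:30Z user=alice dst=fileserver.example.internal:445 proto=tcp
2008-11-13T09:03:11Z user=bob dst=bastion.example.internal:22 proto=tcp
2008-11-13T09:04:45Z user=carol dst=mail.example.internal:993 proto=tcp
this line is deliberately malformed
""".splitlines()
```

Running `audit(SAMPLE_LOG)` flags alice's SMB flow to the file server and carol's flow (no role), counts one malformed line, and credits alice with two and bob with one allowed flow.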

Avoid Microsoft products at all cost (3, Insightful)

ZephyrXero (750822) | more than 5 years ago | (#25741861)

No Windows allowed unless on a company owned machine with absolutely no privaledges and a hardcore resident anti-malware tool running. If possible disable IE & Outlook too. If user is accessing via wifi require wpa2 encryption. Otherwise your users are gonna get you infected with their home Limewiring habits or at least have their login info stolen by a keylogger

Re:Avoid Microsoft products at all cost (3, Informative)

mysidia (191772) | more than 5 years ago | (#25741947)

WPA2 can no longer [slashdot.org] be considered safe.

A VPN connection with strong encryption must be used.

Multi-factor authentication should be used to gain access.

And once access is gained, traffic coming in from outside should be restricted to certain safe protocols and hosts (according to the user's needs)

Re:Avoid Microsoft products at all cost (0)

Anonymous Coward | more than 5 years ago | (#25741955)

Privaledges? Really?

Look Broader (3, Insightful)

humphrm (18130) | more than 5 years ago | (#25741869)

So what do your users do with VPN access? Access your network, yeah... then what? Email? Web access? You should already have AUPs for all of that, and access to those services via VPN is no different than if they're connected in the office.

What you may be looking for is controlling the access, i.e. firewalls and virus scanners etc. If that's important, set up two-tier access:

1. For users who have a laptop, put the access controls there, and make them only access the VPN via their company provided and controlled laptop. Then you set up the controls (firewall, virus scan, etc.) once and they apply whether they are directly connected or VPN'd in.

2. For users who don't have a laptop, set up a remote desktop-type system where they use a web browser to access the remote desktop with SecurID.

3. And I almost hate to mention this, but if most of your users are only accessing e-mail, think about setting up a Blackberry server. Sorry. Got my flame-retardant suit on. :)

What are the requirements? (4, Interesting)

Fastolfe (1470) | more than 5 years ago | (#25741891)

Did an executive really just say, "I think we should have a formal policy"? Don't create bureaucracy and policy just for the sake of having bureaucracy and policy (making management look busy). Build your policy on the demands of your organization, and formalize it when it's necessary to do so.

That being said, if your business doesn't deal much with sensitive data, you could get by with allowing personal computers, with up-to-date anti-virus software (maybe the company can pay for AV software for home computers). If you do deal with sensitive data, I would recommend issuing laptops to employees that need to work from home, and only allow VPN from those systems. Use certificates.

It's simple (1)

dr_strang (32799) | more than 5 years ago | (#25741923)

Only corporate laptops get to connect to the VPN. Period. No exceptions.

Laptops aren't much more expensive than desktops these days, so it's pretty easy to get a user that has a demonstrated need for remote access a laptop. That way I still have control and they get access to the network.

Other than that, the standard AUP is extended to encompass the corporate PC, whether it's in the office or remoting in.

Rule Number 1: No Porn on the WebServer (4, Funny)

Nova Express (100383) | more than 5 years ago | (#25741937)

Unless, of course, you work for a porn company. Then porn away.

Not a formal agreement you need to worry about (1)

kalpol (714519) | more than 5 years ago | (#25742049)

A formal agreement is just window dressing. You need to make sure you have controls in place to properly approve access, periodically review access to ensure appropriateness, and remove it in a timely fashion for terminated employees.
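The three controls named here (approved access, periodic review, timely removal for leavers) can be checked mechanically rather than promised on paper. Added example, not from the thread: it reconciles a constructed VPN account list against a constructed HR roster; the 90-day review window and the one-day removal deadline are assumed parameters.

```python
"""Reconcile VPN accounts against the HR roster (added example; constructed data).

Checks the three controls from the comment: every grant was approved, every
grant was re-reviewed within the window, and terminated staff lose access
promptly.  The 90-day window and one-day removal deadline are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_WINDOW = timedelta(days=90)  # assumed: each grant re-approved quarterly
REMOVAL_SLA = timedelta(days=1)     # assumed: access gone within a day of leaving


@dataclass(frozen=True)
class Account:
    user: str
    approved_by: Optional[str]  # None: the grant was never formally approved
    last_review: date


@dataclass(frozen=True)
class HrRecord:
    user: str
    terminated_on: Optional[date]  # None: still employed


def reconcile(accounts, roster, today):
    """Return {user: [findings]}; an empty dict means every account is clean."""
    hr = {r.user: r for r in roster}
    findings = {}
    for acct in accounts:
        problems = []
        rec = hr.get(acct.user)
        if rec is None:
            # An account nobody in HR knows about is the worst case: disable first.
            problems.append("no HR record: disable and investigate")
        elif rec.terminated_on is not None and today - rec.terminated_on > REMOVAL_SLA:
            problems.append("terminated %s, access still active" % rec.terminated_on)
        if acct.approved_by is None:
            problems.append("access never approved")
        if today - acct.last_review > REVIEW_WINDOW:
            problems.append("review overdue since %s" % (acct.last_review + REVIEW_WINDOW))
        if problems:
            findings[acct.user] = problems
    return findings


# Constructed sample data.
TODAY = date(2008, 11, 13)
ROSTER = [HrRecord("alice", None), HrRecord("bob", date(2008, 11, 1)),
          HrRecord("dave", None)]
ACCOUNTS = [
    Account("alice", "it-manager", date(2008, 9, 1)),   # clean
    Account("bob", "it-manager", date(2008, 10, 20)),   # left 12 days ago, still enabled
    Account("carol", "it-manager", date(2008, 11, 1)),  # unknown to HR
    Account("dave", None, date(2008, 6, 1)),            # never approved, review overdue
]
```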

Not SANS (4, Interesting)

FooGoo (98336) | more than 5 years ago | (#25742067)

Please don't use the SANS policy. As someone who performs risk assessments for a large company I am tired of vendors sending me SANS policies to review. They are old and outdated...some of them contain typos and it really tells me as an auditor that you really don't take security seriously because you can't take the time to tailor a document to your business needs.

They are generic reference documents to use as a guide not as a final product. Even the guy who wrote the Remote Access policy for SANS thinks it's a joke.

Company only PCs (1)

s-twig (775100) | more than 5 years ago | (#25742073)

Our company restricts access to users that are using company notebooks to access the system. There is no way we would let something on our network that we don't manage.

It's fairly simple... (2, Funny)

GuyverDH (232921) | more than 5 years ago | (#25742099)

Ground rules.

The computer, as provided by (name of employer), is the sole property of (name of employer).
All use of this computer is subject to monitoring, logging and review by (name of employer)'s IT department.
No modifications of any kind may be made to (name of employer)'s computer by the employee.

VPN Rules..

#1 Only computers provided by (name of employer) (with appropriate user restrictions, group policies, security software, etc...) are allowed to connect via VPN.

#2 Only computers provided by (name of employer) may be connected to the network used for VPN access, at the time of VPN access.
  ie - home/personal computers must be disconnected before connecting the work computer - unless the work computer is on a completely separated / isolated network from the home / personal computers.

#3 Any personal use of the work computer will result in loss of VPN privilege on first offense, no exceptions.

Re:It's fairly simple... (3, Interesting)

hdparm (575302) | more than 5 years ago | (#25742173)

#2 Only computers provided by (name of employer) may be connected to the network used for VPN access, at the time of VPN access.
    ie - home/personal computers must be disconnected before connecting the work computer

Just how do you propose to enforce this policy?

Re:It's fairly simple... (0)

Anonymous Coward | more than 5 years ago | (#25743051)

And more to the point ... why? A VPN exists to communicate over an untrusted network - why bother to disconnect machines from one segment of that network?

Re:It's fairly simple... (1)

kasmq1 (1275330) | more than 5 years ago | (#25743973)

It's fairly simple: you make him a user on the laptop (no bloody admin rights, everything should be encrypted on his laptop, he should be an admin or have special rights at work for him to be allowed to connect, only not in working hours), you install a piece of software (proprietary) that recognizes a PCMCIA card that is issued to the user specifically (its user account & certificate). The card is PIN protected. For him to connect he should be calling HD and requesting permission, giving the reason and specifying the hours needed to work.

Re:It's fairly simple... (1)

hdparm (575302) | more than 5 years ago | (#25744215)

Well, if you're going to be that paranoid, just tell the guy to come to the office every day and forget the remote access.

Re:It's fairly simple... (1)

kasmq1 (1275330) | more than 5 years ago | (#25744257)

Naa, a user should only have remote access on one condition: emergency action (for high availability). If your company can afford remote access just for fun and it is not a decision based on critical resource availability, then this conversation is futile since: why in the hell would you want a policy for VPN if you allow people to connect anytime they want to? Remote access should only be used in case of dire need.

Re:It's fairly simple... (1)

Fulcrum of Evil (560260) | more than 5 years ago | (#25742255)

So, if I go on a week-long trip, I get to carry two laptops? That sucks (I've done it).

Completely ridiculous (4, Insightful)

JoeBuck (7947) | more than 5 years ago | (#25742297)

What an incredibly totalitarian policy you propose. Someone does a web search to find directions to a restaurant on a work computer, and you can them? Glad I don't work for your company. In real life, a certain amount of personal use gets mixed in with the work use, and a successful company will judge its employees based on whether they get the job done.

Re:It's fairly simple... (0)

Anonymous Coward | more than 5 years ago | (#25742425)

You guys are so unhip it's a wonder your bums don't fall off.

With those restrictions (and others I've read in this article) you'll be lucky to get any productive work done at all, using the VPN.

FFIEC exam guide (1)

Pagey123 (1278182) | more than 5 years ago | (#25742117)

Take a minute to peruse through the Federal Financial Institutions Examination Council IT Handbook at http://www.ffiec.gov/ffiecinfobase/html_pages/infosec_book_frame.htm [ffiec.gov] There's a section on remote access. NOTE: this is for financial institutions, and the information therein may or may not be relevant to your particular organization. But there is some helpful information within.

USB (0)

Anonymous Coward | more than 5 years ago | (#25742143)

My workplace has an interesting method of providing employees with access to the on-site materials from home. They use a USB key that holds the encryption key to access the logon servers remotely. Once logged in, users are tracked as they normally would be and all normal CODE OF CONDUCT rules apply. All of our Internet and e-mail traffic is monitored by security anyways, so there is little fear that an offsite user would abuse the privilege.

hang on, the real answer is (3, Insightful)

nimbius (983462) | more than 5 years ago | (#25742157)

no, you don't have anything to add to the policy...

you're a system administrator, not a lawyer, or a board director, or an HR manager, or anything else, so you don't know what the company needs. you just know how to enforce their policy and keep systems patched and secure. nothing to see here, move along.

Who benefits? (1)

Anonymous Cowhead (95009) | more than 5 years ago | (#25742197)

The policy should state that if the company wants employees to work from home, the company will provide a VPN, otherwise the employees will only work during work hours.

Important: Please read, VPN Corporate Policy #3281 (3, Funny)

theendlessnow (516149) | more than 5 years ago | (#25742239)

1. If you connect to the VPN and place your own machine's IP onto our network... we will kill you.

Signing below indicates that you have read the policy in question and agree to adhere to it.

What should your policy contain? (3, Insightful)

frank_adrian314159 (469671) | more than 5 years ago | (#25742277)

Mainly your legal counsel's advice. If you can't afford that, don't bother - you couldn't afford to make your policy stick when it counted, either.

no vpn for personal computers (0)

Anonymous Coward | more than 5 years ago | (#25742349)

...web-based solution is provided for personal computers. only company laptops are allowed to VPN.

Key points (3, Informative)

gweihir (88907) | more than 5 years ago | (#25742399)

I don't have a formal policy, but I work with students on data that falls under privacy laws.

What we tell them is:
- Access from one computer only, and that has to be specially secured
    -- Linux: Keep the installation current, close all ports for incoming data, web-surfing only
       with current Firefox or Opera and limited to what is absolutely necessary for their work.
    -- Windows: In addition, current anti-virus software. Discouraged.

- We provide a computer for the VPN/SSH access for the thesis duration for the secured installation,
    and even a second one for ordinary work if they do not have one.

- We warn them that loss of data would possibly be a criminal offense on their part (privacy laws)
    and that they need to be very careful.

If you are really paranoid, give your users that second computer, or alternatively a CD-system created/modified by you for the remote access, and make using that mandatory. I think you will find that formal agreements carry little impact, as negligence is always relative to the competence level of the person acting. Better to secure the access and not rely on legal stuff. If you require a specific installation for remote access, everybody not using it is doing something contrary to agreement regardless of competence level. You could even hardcode the VPN keys on a boot-CD (e.g. a modified Knoppix) to make it hard to circumvent this "remote Terminal" set-up.

Citrix (2, Interesting)

thepacketmaster (574632) | more than 5 years ago | (#25742409)

My company is so paranoid about unauthorized file transfers that they have discontinued VPN and only allow Citrix. The Citrix configuration is set up so that it will not permit saving to the local computer's hard drive. On one hand, it lessens some risks that could occur if your personal computer was connected by VPN. On the other hand, it makes for a lot of email traffic as people send themselves files so they can work on them outside of Citrix.

Re:Citrix (1)

zippthorne (748122) | more than 5 years ago | (#25742615)

Yow.

Is it at least encrypted email?

Re:Citrix (1)

Clover_Kicker (20761) | more than 5 years ago | (#25743013)

Haven't used Citrix for a while, but couldn't you still take screenshots of confidential stuff?

It wouldn't be much good for long stuff like source code, but you could snarf memos, spreadsheets, incriminating email, etc.

Re:Citrix (1)

smellotron (1039250) | more than 5 years ago | (#25743299)

Haven't used Citrix for a while, but couldn't you still take screenshots of confidential stuff?

Nothing beats a camera for screenshots. Saying "Citrix doesn't allow file downloads" might have been worthwhile if hexdumps and OCR technology didn't exist.

Orion Blastar's VPN from Home Policy (4, Interesting)

Orion Blastar (457579) | more than 5 years ago | (#25742575)

#1 Keep the VPN use work related. Follow the same network policies as if in the workplace.

#2 Scan the home PC on a regular basis for malware. The last thing the company needs is trade secrets, password and login info, and email stolen by some hacker who happened to get a keylogger trojan on the home PC, and then sold to the highest bidder or used to steal corporate bank and credit card accounts. That means keeping your antivirus programs updated every day and scanning for viruses at least three times a week.

#3 You are on the honor system. Work can only monitor your activities on the VPN network, not your home PC and the Internet being used by your home PC. Yes, it is alright to check your local email on your home computer, but use common sense and don't spend a lot of time doing personal things on your home computer and home Internet connection. We'll notice it when the VPN activity stops for more than 15 minutes and your work productivity drops on the VPN. Yes, you can take two 15-minute breaks and a lunch hour or half hour, but we'll really notice it when you do nothing on the VPN for hours. Either you are goofing off and doing personal things, or the connection is dead, but we can tell by pinging your home computer to test if the connection is dead and deduce you're wasting time.

#4 Keep all company email professional. Make effective use of company email and web sites and software. Don't use them and act like you do when you are posting Anonymous trolls on the Internet or your Myspace page.

#5 Do not access other users' accounts unless you are given permission by management for troubleshooting something or testing out software. We know that your profile might not have the same issues as a coworker's, but only IT staff should be logging in as other employees' accounts, and only for testing purposes. Do not use an alias on the VPN or create a fake account via a hack, but use the account and account name assigned to you.

#6 Do not save work data on your personal hard drive, instead store it on a server drive.

#7 Do not run cracking and/or hacking tools on the VPN, do not do any denial of service attacks over the VPN.


You can use my account (2, Funny)

itamblyn (867415) | more than 5 years ago | (#25742809)

The machines I login to cat the policy at the beginning of every session. I'll just send you my username and password and then you can read it for yourself.

VPN doesn't cut it anymore (0)

Anonymous Coward | more than 5 years ago | (#25742817)

We just implemented a policy on remote usage since we basically only allowed company laptops and PDAs to access remotely, and even then it was an external firewalled connection.

Now we are going to give out custom LiveCDs with VPN running IPsec. That way keyloggers, trojans, etc. can only be downloaded and run in session; simple as power off and gone again.

Plus boot-up password, login password and VPN info just to connect. Also trying out a USB token key like RSA, but a broker that does a similar thing, runs a virtual environment and virtual keyboard to bypass keyloggers or screen capture. Never know what crap is on home PCs or laptops, even so-called business ones!

The policy is simple: the IPsec key is with the VPN client, users cannot see it. So without it they cannot just copy the data and use VPN on another machine. Without it, no VPN remotely.

No home computers.. EVER (1)

cryogenix (811497) | more than 5 years ago | (#25742933)

Corporate laptops only. These are the same laptops they use at their desk which are policy controlled, and kept updated and have current antivirus etc. Every home computer ever brought in to me to be looked at by an employee has been a virus/spyware ridden infestation. There are no exceptions to the rules allowed or the CXO's will be the first to break them.

Re:No home computers.. EVER (1)

Max_W (812974) | more than 5 years ago | (#25743965)

If an employee's home computer is a virus/spyware ridden infestation, it means that he/she is not part of the right digital culture. Such an employee will find a way to do harm to the company, no matter how hard you try to prevent it.

Unfortunately it is a common situation. Look at how a computer specialist is shown in the popular show "Prison Break", an Asian guy with a laptop. He is shown like a freak, a traitor, a clown. But the real guys understand nothing about computer technology and are proud of it. Or how McCain was proud of not using computers and the Internet.

I even heard the CEO of a large software company say in an interview that he asked his son: "Did you ever receive a message important for your life via e-mail?"

Unbelievable. In a world driven by computers?!?

I would say:
1) Training and certification in basic computer security for any VPN user. A certification with a failure rate of about 30 - 40%.
2) Compulsory usage of a security cable for the laptop. Correct usage should be included in training too.
3) In addition to the OS password, the laptop must be protected by a BIOS password.

If we, say, release a monkey into an empty apartment it can do damage no matter how we secure the apartment. The same way an untrained, unaware employee will do damage in a complex network. The problem is that many leaders of industries are such untrained and unaware employees.

And when a boss shows a bad example others follow.

The change, the shift of culture, is needed for such a cardinal step as introducing high-speed VPNs and remote working places. The leader of a company should be the leader in computer technologies too, showing a good example and organizing training. The time of retrograde "McCains" is over.

Simple little equation (1)

dilvish_the_damned (167205) | more than 5 years ago | (#25743077)

Gatekeepers are not supposed to be nice.

More beer == more access
Evaluated weekly.

Hanger Orthopedic (1)

DynaSoar (714234) | more than 5 years ago | (#25743857)

Based in Bethesda MD. They have many satellite offices as well as many individuals who telecommute some or all of the time. Since they deal with health care data they have to conform to HIPAA standards. They rely on their secure remote access system being available as much as possible. See if their IT department can share its policy statement.

More paperwork... (1)

nilbog (732352) | more than 5 years ago | (#25744007)

If you don't know what they should contain, then why are you making them?

"Hey guys, we don't have enough pointless paperwork. Any ideas on new things we could get people to sign?"

An agreement? (2, Insightful)

mweather (1089505) | more than 5 years ago | (#25744391)

Any security policy that relies on employees voluntarily keeping to an agreement is doomed to fail. Either make it impossible to access in any way other than intended, or don't do it.