Tip

Guarding against malware infection from remote users

This tip originally appeared on SearchSecurity.com.

So, you think you've got your malware defenses up to snuff, right? Antivirus tools on the mail gateway? Check. AV deployment on all company-owned desktops and laptops? Check. Firewalls blocking all services except those with a defined business need? Check. Thorough malware defenses against infected telecommuters using the VPN from their laptops, home desktops and even handheld devices? Um … well, …

Sadly, many organizations today haven't adequately addressed the potential for malicious code infection via telecommuters. Often, a home user gets infected by some pathogen on the Internet and then sets up a VPN connection to the corporate network. Once connected, the infected home system acts like a Typhoid Mary on the internal network -- spreading the malicious code and bypassing your perimeter defenses, including Internet firewalls. How can you stop this plague in your environment? The solution requires both policy and technology.

Make sure to define policies that require home users to keep up-to-date AV tools installed on their systems, regardless of whether the machine is owned by the user or the company. In today's new-worm-every-day world, require that the AV tool be configured to automatically download new signatures each day and define specific penalties for disabling the AV tool and its update capabilities.



Also, specify in your policy that the corporation reserves the right to search the computers of any VPN users across the network, again, regardless of whether the system is owned by the employee or the corporation. Employ a warning banner that launches during the VPN login and requires users to click "OK", acknowledging that their personal systems could be searched remotely when an incident occurs. Enlisting permission from the system owner -- the employee -- allows your incident-response team to legally conduct the analysis required to address the problem. Without this policy and warning banner, you have no business searching an employee-owned machine. Alternatively, you can create a policy that limits VPN access to only corporate-owned computers. Of course, your company will need to purchase machines for all telecommuters, so make sure the budget can afford that route.

Fortunately, many VPN gateways now offer the capacity to interrogate the client to ensure the host system is running an active AV tool with up-to-date signatures and a personal firewall. Activate these capabilities if your infrastructure supports them; users wanting access to the corporate playground must first prove they won't infect the other kiddies. Also, make sure your VPN gateway passes all traffic through a firewall that performs comprehensive filtering -- only allowing access to absolutely required services and only to those servers that each remote user needs. Furthermore, consider deploying network-monitoring tools, including network-based intrusion-detection and intrusion-prevention systems, on network segments associated with the VPN and filtering devices -- this will enable you to detect and thwart attacks early.
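The admission logic described above, as an added example that is not part of the original tip and not any VPN product's API: the client must pass the banner, AV, signature-age and personal-firewall checks, and an admitted user reaches only the services on a per-user allow list. All names, hosts, ports and the one-day signature threshold are hypothetical values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical policy value: the tip asks for daily signature downloads.
MAX_SIGNATURE_AGE = timedelta(days=1)

# Constructed per-user allow list: only the servers and ports each user needs.
USER_SERVICES = {
    "alice": {("mail.corp.example", 993), ("files.corp.example", 445)},
    "bob": {("mail.corp.example", 993)},
}

@dataclass
class Posture:
    """What a gateway's client interrogation might report (constructed fields)."""
    user: str
    av_running: bool
    signatures_updated: datetime
    firewall_enabled: bool
    banner_acknowledged: bool

def posture_failures(p: Posture, now: datetime) -> list[str]:
    """Return every failed check, so the user can be told what to fix."""
    failures = []
    if not p.banner_acknowledged:
        failures.append("search-consent banner not acknowledged")
    if not p.av_running:
        failures.append("antivirus not running")
    # A timestamp in the future is treated as untrustworthy, not as fresh.
    age = now - p.signatures_updated
    if age > MAX_SIGNATURE_AGE or age < timedelta(0):
        failures.append("antivirus signatures out of date")
    if not p.firewall_enabled:
        failures.append("personal firewall disabled")
    return failures

def admit(p: Posture, now: datetime) -> set[tuple[str, int]]:
    """Services the session may reach; an empty set means the tunnel is refused."""
    if posture_failures(p, now):
        return set()
    # Default deny: a user with no allow-list entry gets nothing.
    return USER_SERVICES.get(p.user, set())

def is_allowed(p: Posture, now: datetime, host: str, port: int) -> bool:
    """Firewall decision for one connection attempt from an admitted client."""
    return (host, port) in admit(p, now)
```

The posture values are reported by the client itself, so admitted sessions still pass through the firewall filtering and network monitoring the tip calls for.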

About the author
Ed Skoudis, CISSP, is cofounder of Intelguardians Network Intelligence, a security consulting firm, and author of Malware: Fighting Malicious Code (Prentice Hall, 2003).

This was first published in September 2004
