So, you think you've got your malware defenses up to snuff, right? Antivirus tools on the mail gateway? Check. AV deployment on all company-owned desktops and laptops? Check. Firewalls blocking all services except those with a defined business need? Check. Thorough malware defenses against infected telecommuters using the VPN from their laptops, home desktops and even handheld devices? Um … well, …
Sadly, many organizations today haven't adequately addressed the potential for malicious code infection via telecommuters. Often, a home user gets infected by some pathogen on the Internet and then sets up a VPN connection to the corporate network. Once connected, the infected home system acts like the Typhoid Mary on the internal network -- spreading the malicious code and bypassing your perimeter defenses, including Internet firewalls. How can you stop this plague in your environment? The solution requires both policy and technology.
Make sure to define policies that require home users to keep up-to-date AV tools installed on their systems, regardless of whether the machine is owned by the user or the company. In today's new-worm-every-day world, require that the AV tool be configured to automatically download new signatures each day and define specific penalties for disabling the AV tool and its update capabilities.
Also, specify in your policy that the corporation reserves the right to search the computers of any VPN users across the network, again, regardless of whether the system is owned by the employee or the corporation. Employ a warning banner that launches during the VPN login and requires users to click "OK", acknowledging that their personal systems could be searched remotely when an incident occurs. Enlisting permission from the system owner -- the employee -- allows your incident-response team to legally conduct the analysis required to address the problem. Without this policy and warning banner, you have no business searching an employee-owned machine. Alternatively, you can create a policy that limits VPN access to corporate-owned computers only. Of course, your company will then need to purchase machines for all telecommuters, so make sure the budget can cover that route.
Fortunately, many VPN gateways now offer the capacity to interrogate the client to ensure the host system is running an active AV tool with up-to-date signatures and a personal firewall. Activate these capabilities if your infrastructure supports them; users wanting access to the corporate playground must first prove they won't infect the other kiddies. Also, make sure your VPN gateway passes all traffic through a firewall that performs comprehensive filtering -- allowing access only to absolutely required services and only to those servers that each remote user needs. Furthermore, consider deploying network-monitoring tools, including network-based intrusion-detection and intrusion-prevention systems, on the network segments associated with the VPN and filtering devices -- this will enable you to detect and thwart attacks early.
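To make the host check concrete, here is an added example (not from the column or any VPN vendor) of the admission logic such a gateway applies: it takes a constructed client posture report and returns every way the host fails the policy above (AV active, daily signature updates, fresh signatures, personal firewall on). The report format, the field names and the one-day signature-age threshold are assumptions for illustration; an unknown or future-dated signature file is treated as a failure rather than trusted.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# The policy requires daily signature downloads; refusing hosts whose
# signatures are more than one day old is a constructed threshold, not the column's.
MAX_SIGNATURE_AGE = timedelta(days=1)

@dataclass
class PostureReport:
    """What the VPN client reports about the host (constructed format, not a real agent's)."""
    av_installed: bool
    av_running: bool
    av_auto_update: bool
    signature_date: Optional[str]  # ISO date, or None when the client cannot tell
    firewall_enabled: bool

def _parse_date(value: Optional[str]) -> Optional[date]:
    """Return the parsed date, or None for a missing or malformed value."""
    if value is None:
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None

def evaluate_posture(report: PostureReport, today_iso: str) -> List[str]:
    """Apply the host check: active AV, fresh signatures, personal firewall on.
    Returns the list of policy failures; an empty list means admit the host."""
    today = date.fromisoformat(today_iso)
    failures: List[str] = []
    if not report.av_installed:
        failures.append("no antivirus installed")
    elif not report.av_running:
        failures.append("antivirus installed but not running")
    if not report.av_auto_update:
        failures.append("automatic signature updates disabled")
    sig_date = _parse_date(report.signature_date)
    if sig_date is None:
        failures.append("signature date missing or unreadable")  # unknown counts as stale
    elif sig_date > today:
        failures.append("signature date is in the future")  # clock skew or tampering
    elif today - sig_date > MAX_SIGNATURE_AGE:
        failures.append(f"signatures are {(today - sig_date).days} days old")
    if not report.firewall_enabled:
        failures.append("personal firewall disabled")
    return failures
```

A gateway would deny the tunnel (or divert it to a remediation-only segment) whenever the returned list is non-empty, and log the reasons so the incident-response team can see why a home machine was refused.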
About the author
Ed Skoudis, CISSP, is cofounder of Intelguardians Network Intelligence, a security consulting firm, and author of Malware: Fighting Malicious Code (Prentice Hall, 2003).
This was first published in September 2004