How do we control these laptops (and private computers), as they are by definition "untrusted" and are bypassing the firewall controls? The research is interesting -- there is by no means a consensus, but most seem to agree that to merely ban laptops and private home machines from the network is a "blunt instrument" approach -- that the problem will not go away and needs to be handled and appropriate controls put in place.
Today we have larger concerns, but some of the same issues. Here are some thoughts:
- Before a machine is allowed to plug into the network it must be approved. This will limit somewhat just "anyone" connecting. (Don't forget there may be visitors, contractors, etc. Have a policy and follow it.)
- Part of that policy can be that the machine must be running antivirus software and it must be updated.
- Only allow them access through a remote access system. You can do this from home or remote connections, as well. Yes, even on the network, set up remote access that they must use. You can set up the remote access to quarantine their systems until they've been checked for viruses. One possible product for this is Microsoft's Internet Authentication Server. I quote:
IAS Network Access Quarantine Control provides phased network access for remote client computers by restricting them to a quarantine mode. After the client computer configuration is either brought into or determined to be in accordance with your organization's network policy, quarantine restrictions, which consist of Quarantine IP Filters and Session Timers, are removed and standard remote access policy is applied to the connection. You can read more here.
- Another option for keeping them from accessing local area network resources directly is to insist on an IPsec authentication (AH) policy that requires a certificate. Your resident machines, of course, can have a certificate. Approved visiting scientists can be given a certificate after proof of their compliance, and certs can be set for very short validity times and even revoked.
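The quarantine control quoted above and the short-lived, revocable certificate idea are modelled together in this added example (constructed illustration, not IAS or Microsoft code): a client session starts behind quarantine IP filters that only reach a remediation host, a session timer bounds how long it may stay there, and the filters are lifted only once the posture report shows an unexpired, unrevoked certificate plus running, up-to-date antivirus. All host addresses, serials and thresholds are made up for the example.

```python
from dataclasses import dataclass, field

REMEDIATION_HOSTS = {"10.0.0.5"}      # AV-update / posture-check servers (constructed values)
REVOKED_CERT_SERIALS = {"0x1f"}       # revoked visitor certificates (constructed)
MAX_SIGNATURE_AGE_DAYS = 7            # policy: AV signatures no older than this
QUARANTINE_TIMEOUT_S = 300            # session timer bounding time spent in quarantine

@dataclass
class Posture:
    cert_serial: str                  # certificate issued to an approved machine
    cert_not_after: float             # short validity window (epoch seconds)
    av_running: bool
    signature_age_days: int

@dataclass
class Session:
    client_ip: str
    started_at: float
    state: str = "quarantine"         # quarantine -> full, or dropped
    allowed_dst: set = field(default_factory=lambda: set(REMEDIATION_HOSTS))

def posture_compliant(p: Posture, now: float) -> bool:
    """Organisation policy: valid, unrevoked cert plus running, fresh antivirus."""
    cert_ok = now < p.cert_not_after and p.cert_serial not in REVOKED_CERT_SERIALS
    return cert_ok and p.av_running and p.signature_age_days <= MAX_SIGNATURE_AGE_DAYS

def filter_packet(s: Session, dst_ip: str) -> bool:
    """Quarantine IP filter: while quarantined only remediation hosts are reachable."""
    if s.state == "full":
        return True
    return s.state == "quarantine" and dst_ip in s.allowed_dst

def report_posture(s: Session, p: Posture, now: float) -> str:
    """Handle a posture report: enforce the session timer, then the policy."""
    if s.state != "quarantine":
        return s.state
    if now - s.started_at > QUARANTINE_TIMEOUT_S:
        s.state = "dropped"           # timer expired before the client passed policy
    elif posture_compliant(p, now):
        s.state = "full"              # quarantine filters removed, standard access applies
    return s.state
```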