Guarding against malware infection from remote users

Learn how securing your telecommuters can fortify your network against malicious code attacks.

This tip originally appeared on

So, you think you've got your malware defenses up to snuff, right? Antivirus tools on the mail gateway? Check. AV deployment on all company-owned desktops and laptops? Check. Firewalls blocking all services except those with a defined business need? Check. Thorough malware defenses against infected telecommuters using the VPN from their laptops, home desktops and even handheld devices? Um … well, …

Sadly, many organizations today haven't adequately addressed the potential for malicious code infection via telecommuters. Often, a home user gets infected by some pathogen on the Internet and then sets up a VPN connection to the corporate network. Once connected, the infected home system acts like the Typhoid Mary on the internal network -- spreading the malicious code and bypassing your perimeter defenses, including Internet firewalls. How can you stop this plague in your environment? The solution requires both policy and technology.

Make sure to define policies that require home users to keep up-to-date AV tools installed on their systems, regardless of whether the machine is owned by the user or the company. In today's new-worm-every-day world, require that the AV tool be configured to automatically download new signatures each day and define specific penalties for disabling the AV tool and its update capabilities.

Also, specify in your policy that the corporation reserves the right to search the computers of any VPN users across the network, again, regardless of whether the system is owned by the employee or the corporation. Employ a warning banner that launches during the VPN login and requires users to click "OK", acknowledging that their personal systems could be searched remotely when an incident occurs. Enlisting permission from the system owner (the employee) allows your incident-response team to legally conduct the analysis required to address the problem. Without this policy and warning banner, you have no business searching an employee-owned machine. Alternatively, you can create a policy that limits VPN access to corporate-owned computers only. Of course, your company will then need to purchase machines for all telecommuters, so make sure the budget can support that route.

Fortunately, many VPN gateways now offer the capacity to interrogate the client to ensure the host system is running an active AV tool with up-to-date signatures and a personal firewall. Activate these capabilities if your infrastructure supports them: users wanting access to the corporate playground must first prove they won't infect the other kiddies. Also, make sure your VPN gateway passes all traffic through a firewall that performs comprehensive filtering -- only allowing access to absolutely required services, and only to those servers that each remote user needs. Furthermore, consider deploying network-monitoring tools, including network-based intrusion-detection and intrusion-prevention systems, on the network segments associated with the VPN and filtering devices -- this will enable you to detect and thwart attacks early.
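As an added example (not from the original tip or any particular VPN product), the following Python function shows the kind of posture decision a gateway makes before admitting a remote client: it checks the three conditions discussed above, an active AV tool, signatures no older than the one-day update interval set by the policy, and an enabled personal firewall. The `report` dictionary layout and the field names are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Policy threshold from the tip: AV signatures must be refreshed daily.
MAX_SIGNATURE_AGE = timedelta(days=1)


def evaluate_posture(report: Dict, now: Optional[datetime] = None) -> Tuple[str, List[str]]:
    """Decide whether one VPN client may connect.

    `report` is a hypothetical posture record the VPN client would submit:
      {"av_running": bool,
       "av_signature_date": ISO-8601 timestamp string (UTC),
       "firewall_enabled": bool}
    Returns ("allow", []) or ("deny", [reasons]).
    """
    now = now or datetime.now(timezone.utc)
    reasons: List[str] = []

    # 1. The AV tool must actually be running, not merely installed.
    if not report.get("av_running"):
        reasons.append("antivirus not running")

    # 2. Signatures must be current; a missing or unparseable date fails closed.
    sig = report.get("av_signature_date")
    if sig is None:
        reasons.append("no antivirus signature date reported")
    else:
        try:
            sig_dt = datetime.fromisoformat(sig)
        except ValueError:
            reasons.append("unparseable signature date")
        else:
            if sig_dt.tzinfo is None:
                sig_dt = sig_dt.replace(tzinfo=timezone.utc)
            age = now - sig_dt
            if age > MAX_SIGNATURE_AGE:
                reasons.append(f"signatures {age.days} day(s) old")

    # 3. A personal firewall must be enabled on the remote host.
    if not report.get("firewall_enabled"):
        reasons.append("personal firewall disabled")

    return ("allow", []) if not reasons else ("deny", reasons)


# Constructed sample reports, evaluated at a fixed point in time.
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
HEALTHY = {"av_running": True, "av_signature_date": "2024-03-10T03:00:00+00:00",
           "firewall_enabled": True}
STALE = {"av_running": True, "av_signature_date": "2024-03-07T03:00:00+00:00",
         "firewall_enabled": False}
```

A real gateway would obtain the report from its client agent rather than a dictionary, but the decision logic, including failing closed on missing data, is the same.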

About the author:
Ed Skoudis, CISSP, is cofounder of Intelguardians Network Intelligence, a security consulting firm, and author of Malware: Fighting Malicious Code (Prentice Hall, 2003).
