VPN & Remote Desktop security



DarrenYoung
2007-01-11, 02:59 PM
Can someone give me a good assessment/comparison of the likely security risks involved if a home user's system connects to a corporate network with VPN and uses remote desktop to run their computer at the office?

That's been done here for some time with some users and some want to expand that. Our network admin is pushing to stop doing that altogether.

What's the likelihood of a virus-infected home system (one not part of our domain) transmitting a virus into our network while connected with a VPN connection and using Remote Desktop?

Is the risk more or less than them transmitting data back and forth via email or a USB drive? Browsing the internet while at work?

Personally, I think the risk is minimal but I'd like to get the perspective of others.

StephenJ
2007-01-11, 04:19 PM
I addressed this with my IT consultant, who specializes in security (he runs audits on banks), and he suggested a Cisco firewall (http://www.tribecaexpress.com/Cisco_PIX_501.htm). When I started working here he didn't want to open the ports due to security risks. Now, 2 years later, I mentioned it again and he suggested the above item.

DarrenYoung
2007-01-12, 02:20 PM
That keeps only those who you want out OUT and those you want in, IN. We do run through Cisco with Cisco's VPN client. My question has more to do with, if the home user's PC is infected with worms, how do you protect the corporate system? Does the Cisco firewall take care of that? I know there ARE some hardware and software products (Vista server, even 2003 server) that can enforce "health" policies and only allow those systems with the proper "health" to connect. Just not sure what that all entails and if it's really that big a threat that it should be done.

As it is, our IS group is no longer allowing VPN connections except from corporate computers (not home users' personal systems) with the exception of IS staff (which I'm one). This seems backwards in an age where companies are promoting more distributed, remote flexible workforces.


I addressed this with my IT consultant, who specializes in security (he runs audits on banks), and he suggested a Cisco firewall (http://www.tribecaexpress.com/Cisco_PIX_501.htm). When I started working here he didn't want to open the ports due to security risks. Now, 2 years later, I mentioned it again and he suggested the above item.

Olaf.Banckaert
2007-01-15, 09:12 AM
Hey,

I’m also thinking that the risk for infection is minimal with the VPN connection.

But what are they doing on their systems (Office, mail, drafting, …)? Why not use Citrix instead? Here we use Citrix for everything but drafting.
The workstations in the company here are TCs with Citrix. The laptops also have Citrix for those who use it at their home or on the road. Just need an internet/network connection and off you go. It’s faster than VPN and has better security.

GreetZzz,
mE!
8)

madcadder
2007-01-15, 01:39 PM
All of our home users, myself included, have company issued laptops.

If you are going to work at home then there is no reason to use a personal computer for employment related needs. If the company wants you to work at home then they need to provide a safe, secure manner for you to do so. This means their computer, their software, their security, and their means of access.

All the home user needs, and should already have, is internet and a firewall/router.

madcadder
2007-01-15, 01:47 PM
Hey, Here we use Citrix for everything but drafting.
The workstations in the company here are TCs with Citrix. The laptops also have Citrix for those who use it at their home or on the road. Just need an internet/network connection and off you go. It’s faster than VPN and has better security.
8)

I'm not sure what we use... My company's personal VNC has a Cisco Cert Mgr in the folder (when following the shortcut to the folder). I also have Citrix and TightVNC shortcuts in the Start menu, but have never used them.

cadtag
2007-01-15, 01:49 PM
Try turning the question around, and ask if there are any documented instances of a virus or other malware passing to an inside computer from an outside computer via VPN and Remote Desktop access. I've never heard of an instance, and it really doesn't seem reasonable. After all, RDP essentially remaps the screen and IO devices between two PCs, and there's not really a clear vector for infection; AFAIK (and I know I'm not current on security issues) viruses don't spread that way.

It's not impossible, but unlikely in the extreme. Closing ports is a knee-jerk response (and generally a good one I should add) but if the goal is to encourage productivity, then some things need to be opened up. After all, the only really safe computer is one that is powered off, and it's not all that useful.

Olaf.Banckaert
2007-01-15, 02:36 PM
Hey,

For the use of Citrix here we have 2 installations:
1. Server installation for use on the internal network with SAP, Excel, Word, mail, DWF-viewer
2. Server installation for use from an external network like the internet, with a secure gateway and also the needed programs.
For both installations the users are working directly on the servers from wherever they are.

Maybe you can check this site for more info: http://www.citrix.com/lang/English/ps2/technology/index.asp

What happens when you open the Citrix prog on your system?

GreetZzz,
mE!
8)

DarrenYoung
2007-01-16, 12:29 PM
In my case (although I'm an exception to this rule being in our IS dept), I don't "work from home" officially. That is, I'm not a home based employee and as part of my job, I don't regularly work from home. However, there are times when I do it. Support call early in the morning or late at night, or a process I have running over the weekend I want to check on without driving a 1/2 hour to keep tabs on it.

My home use (as well as others here) is so minimal that it's not worth the expense of a laptop in my opinion. I'm going to have to pay 2-3 times as much as I would a desktop to get the same performance and I'm going to lug it home risking damage only for it to be used once or twice a month? My thought was that putting the Cisco VPN software on my (and others') home systems was a quick, cheap alternative to give me and the company flexibility.

In many cases, I know the company wouldn't shell out the additional coin for a laptop for a user but allowing them access from home does provide them with flexibility that they appreciate and like.

For the most part, all anyone does is VPN in so they can pull a network license of AutoCAD or run remote desktop. I'm not sure where I'd look to find documented cases of viruses spreading this way. If there's a worm that propagates via network, I'm sure it's possible. Once VPN'd in, I can access all network resources (servers/drives - outside Remote Desktop) as long as I've supplied a user name and password to get to them.

Just curious what others are doing. What we were previously doing seemed like a nice quick cheap way to give users additional flexibility if they needed it with minimal company expense. It's not that the company wanted or required it, it's the employees who wanted this type of setup. If the company wants someone to work from home, they are issued a laptop or a desktop for home.