Addressing teleworker network security risks.
Robert Frances Group (RFG) believes teleworkers accessing corporate resources via virtual private network (VPN) connections can potentially pose security risks beyond those presented by employees working on-site. IT executives should ensure that protective measures deployed to shield corporate systems from outside abuse or misuse also cover the needs of teleworkers, and evaluate additional products that can alleviate the security risks those workers may represent.
Business imperatives:
- Teleworkers using VPN facilities through an Internet connection, such as a cable, DSL, or satellite feed, may create unintentional back doors into corporate networks. IT executives should ensure that these systems are protected by the same layers as corporate resources, and take further steps to protect corporate networks and systems from unauthorised access through those channels.
- New antivirus, firewall, intrusion detection system (IDS), and VPN products offer features important to corporate use, including central monitoring and management facilities and integrated access management. These solutions can block a user's login attempt if defensive products required by corporate security policies are not installed and operating properly. IT executives should evaluate these offerings to determine where they should be deployed to properly protect teleworkers' computer systems.
- Teleworkers' environments are often difficult to regulate, especially if employees provide their own equipment, forcing the IT department to support non-standard hardware and software configurations. Further, new Internet connection sharing facilities in recent operating system releases and other software products may make other systems in the home or home office risks that are neither visible to nor controlled by the IT department. IT executives should evaluate hardware-based solutions, where available, and include the potential for cost savings in terms of reduced administration and support overhead when calculating the cost of such solutions.
Teleworkers often operate in uncontrollable and unpredictable environments. Some of the security risks they present include:
- Systems used for multiple purposes may have a higher risk profile for viruses, Trojan horses, distributed denial of service (DDoS) worms and so forth.
- It is difficult to deploy software to and dictate the configurations of systems not directly controlled by the IT department.
- Internet connection sharing may allow other, "invisible" systems on the teleworker's local network to access corporate resources.
- Split tunnelling sidesteps protective measures such as Web content filters and proxy-based antivirus filters.
Who's Using the PC
Teleworkers' systems are often used for multiple purposes - for example, even if the system was supplied by the company, it is not unusual for the worker to allow a family member to use the system to browse the Web or access e-mail. Further, because the system is typically connected to the corporate network only a certain number of hours per day, it can be more difficult for the IT department to inventory the software products installed and dictate which will be used. This is especially the case where the user provides the system, as the company often has far less say in the software installed on the client system in these situations.
Unfortunately, some new technologies have made the problem worse, not better. For example, Internet connection sharing facilities in the latest versions of various operating systems, as well as software products designed to perform the same task, may inadvertently extend access to corporate resources to other systems in the remote location, such as a child's or spouse's personal system. IT executives should weigh these risks against the cost of providing equipment for teleworkers; they may help justify the deployment of new systems even in environments where teleworkers are willing and able to provide their own equipment.
Another new risk is "split tunnelling", which routes Internet traffic through the existing connection, passing only data destined for the corporate network through the VPN. This technology is a boon for network bandwidth usage, as it offloads teleworker Web browser activity back to the user's ISP. However, it also exposes the corporate network to an increased level of risk of attack via the client system. For example, distributed denial of service (DDoS) worms might find an unimpeded path into the corporate network from an infected client system.
The authorised client systems themselves may represent security risks. As with internal client systems, antivirus and similar products are typically deployed on teleworkers' systems. However, robust firewall and intrusion detection systems, Web content filtering software, and other products also typically protect internal systems. If the protective envelopes for these products do not extend to teleworkers, security holes may be created into the company.
IT executives should review the security policies established for internal systems as well as the company's network infrastructure, and make a list of all of the software and hardware products required to properly protect client systems. IT executives should then determine what protective measures are deployed to protect teleworkers, and ensure that the same layers are in place for them. IT executives should further determine whether those facilities are locked down, preventing teleworkers from disabling them for any reason.
Bring It on Home to Me
Taking a page from the book written by antivirus vendors, several companies have released new products onto the market that help address the issues of centralised management for a variety of defensive measures. Some of these companies include Check Point Software Technologies, Cisco Systems, Computer Associates International, F-Secure, NetScreen Technologies and Zone Labs. These vendors' products span the range of security options, including antivirus, firewall, IDS, and VPN products that provide central management and policy control/enforcement.
Some companies have taken central management a step further by integrating their products with the VPN client software. These products can be configured to check for specific client configurations, and deny access to users who do not meet requirements for the proper installation and operation of security products such as firewall and antivirus software. This can address some of the issues associated with users disabling services without permission. InfoExpress and Sygate Technologies provide such products.
Adding centralised management features and tying the authentication process to a software/configuration inventory can help ensure that client systems are running required software products before accessing corporate resources. However, IT executives should also note that these products are typically licensed on a per-user basis. IT executives should take additional steps to catalogue all systems in use at a teleworker's location, or ensure that only the authorised system can access corporate resources.
Networking hardware OEMs have also updated their offerings with low-cost router/firewall/VPN devices designed for home users who need to access corporate resources. Two notable manufacturers of these devices are LinkSys Group and NetGear. The products replace traditional hubs or cable/DSL routers, and provide additional protection in the form of firewall services. Some models also include VPN functionality, offloading that task from the client workstation as well.
These products are often initially more expensive to deploy than their equivalent software applications. However, IT executives should note that the potential long-term cost savings might mitigate this initial expense. Specifically, offloading the aforementioned tasks to a hardware device alleviates IT help desk chores by placing the services the company is responsible for in a controlled environment - the hardware device. The IT department can once again have near-complete control over the user's environment without the necessity of dealing with different versions of client operating systems, end-user tampering with product settings, etc. These devices also allow deployments in environments that might otherwise be difficult, such as in cases where the employee supplies the equipment - it may no longer be necessary to install software products on the user's system.
However, IT executives should not treat these products as a silver bullet to solve all security risks faced by teleworkers. These products are task-specific options that address only a portion of the problem. IT executives should focus instead on providing teleworkers with an environment as close as possible to the security levels internal workstations experience. In fact, it is likely that a combination of hardware and software products will be required to address teleworker security risks.
For instance, a number of companies employ Web content filtering products that operate at the proxy server level, either to prevent employees from browsing unauthorised Web content or to provide additional levels of antivirus protection. Such facilities typically require client-side browser configuration changes, regardless of any need for a hands-off deployment. In fact, they can even eliminate the possibility of bandwidth savings obtained via split tunnelling or other techniques, as Web browsing often makes up the bulk of a session's traffic.
To determine the appropriate configuration for a given class of teleworker, IT executives should develop user application profiles for their environments. Those profiles should compare a user's need to access each application with the security risks associated with that access. Every attempt should be made to duplicate the corporate security facilities for the teleworker while still providing effective access to the required applications.
Mission Possible
RFG believes protecting teleworker computer systems, and protecting corporate resources from the risks those systems may create, is a difficult but not unsolvable task. IT executives should ensure that the same measures provided to client systems located within the walls of the company are extended to teleworking environments. IT executives should also evaluate mechanisms to either protect all systems at each teleworker's location, or ensure that only the authorised systems can access corporate resources. Finally, IT executives should continue to evaluate new hardware and software products to identify opportunities for increased security levels and reduced administrative overhead.
Chad Robinson is a senior research analyst with The Robert Frances Group, an advisory service for Global 2000 and mid-market executives concerned with managing the business of IT
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.