RE: Home laptops on a corporate network


Sounds like a good idea, but there are security vulnerabilities with
VMWare. Not sure if any current malware/spy ware/virus takes advantage
of these flaws though.
Also how the OS within the VMWare image is configured has a great deal
to do with how secure it is.

Sounds like it would be hard to maintain these VMs and make sure that
they are *clean*.

One way that sounds easier to configure and maintain, is setting up a
VLAN X where the VPN clients connect, then only allow RDC via port XXXX
to VLAN Y where they can access either a Terminal Server or their office
PC.
And have some nice filtering setup between the VLANs, such as a
Sonicwall, Cisco, Barracuda etc.


A lot of good ideas and questions has been posted here, but nobody has
mentioned anything about two factor authentication or password
management in combination with remote access.

Assuming you have a pretty good setup, where the clients are checked
before entering the network as well as filters to prevents all sorts of
*bad* things from happening. With weak passwords or a poor password
policy, you could have users accessing the network who should not be
there.

Seems that if you're HIPAA/SOC, you should not have remote access :-(


-Petter





-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Yousef Syed
Sent: Tuesday, May 08, 2007 4:35 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Home laptops on a corporate network

Just wondering...
But is it possible to setup a locked-down VMWare image for external
laptop users to use if they really-really need access your corporate
network. (a small subsection of the network inside its own DMZ
specifically designed to share data)


Personally, I can't think of a reason why an external laptop (or USB
drive for that matter) would need access to the internal corporate
network anyway. They can be provided with separate access to get onto
the internet from a segmented system that has no access to the Internal
system.

ys


On 08/05/07, Ansgar -59cobalt- Wiechers <bugtraq@xxxxxxxxxxxxxxxx>
wrote:
On 2007-05-08 christopherkelley@xxxxxxxxxxx wrote:
I'd recommend NOT doing this. Especially if you are trying comply
with HIPAA. Keep in mind that you will have little to no management
capability over these personal laptops, which means you have no
ability to verify patch level and AV update on these machines that
may have EPHI on them. Not to mention the fact that these employees
are probably taking them home and plugging them into their home
networks, where they (or their kids) are running bearshare,
gnutella, grokster, bitorrent, and surfing to unfiltered web sites.
Not only does this mean that they are potentially exposing critical
data in this manner, it also means they are bringing potentially
infested computers into the soft chewy center of your network.

Whenever you have an employee with a laptop, you create a liability
to your network, allowing them to use personal laptops presents an
even bigger liability. IMHO, this level of risk is unacceptable,
especially from a HIPAA compliance standpoint.

I wholeheartedly second that recommendation. Allowing corporate data
on private computers (or private computers on a corporate network) is
a bad, BAD practice. Never EVER do that. You really want to do the
exact
opposite: establish a policy that *prohibit* employees from
transferring corporate data to private computers, and have it signed
by each employee.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq




--
Yousef Syed
"To ask a question is to show ignorance; not to ask a question, means
you remain ignorant" - Japanese Proverb

Relevant Pages

  • Re: Is VMS losing the Financial Sector, also?
    ... the web from the server. ... I suggested using only localhost or a private network but, ... In the Army we call that Risk Management and it can be applied to ... I was talking about business laptops that are locked down. ...
    (comp.os.vms)
  • RE: Home laptops on a corporate network
    ... The reason is that the office has a lot of fee-for-service employees, ... Home laptops on a corporate network ... on private computers is ...
    (Security-Basics)
  • RE: [bugtraq] Re: Home laptops on a corporate network
    ... Certainly you could use a LiveCD as mentioned by ... Subject: Re: Home laptops on a corporate network ... private computers is a ...
    (Security-Basics)
  • RE: Home laptops on a corporate network
    ... Home laptops on a corporate network ... One of the advantages of using SMS for patch management is you can force ...
    (Security-Basics)
  • RE: Is VMS losing the Financial Sector, also?
    ... the web from the server. ... being used means that all IE and IIS related security patches need to be ... Don't allow them on your network. ... I was talking about business laptops that are locked down. ...
    (comp.os.vms)
Loading