RE: [bugtraq] Re: Home laptops on a corporate network

This would potentially become a problem as the list of required applications grows...for small corporate environements microsoft office may be the only requirement. For R&D operations you need compliers, source control tools, remote management products, test harnesses ....the list goes on..


-----Original Message-----
From: owner-bugtraq@xxxxxxxxxxxxxxxxxxxxxx [mailto:owner-bugtraq@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Johnny Wong
Sent: Thursday, 10 May 2007 1:18 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: [bugtraq] Re: Home laptops on a corporate network

I have an idea and would like to throw it to the list. Maybe we could
create LiveCDs for these users. And the only way they can access to
the corporate network is through this CD. The CD will be customised
with the VPN client, office apps etc. That way, it is not possible
for information to leak from a more secure state to one which is unknown.


At 07:34 AM 9/05/2007, Yousef Syed wrote:
Just wondering...
But is it possible to setup a locked-down VMWare image for external
laptop users to use if they really-really need access your corporate
network. (a small subsection of the network inside its own DMZ
specifically designed to share data)

Personally, I can't think of a reason why an external laptop (or USB
drive for that matter) would need access to the internal corporate
network anyway. They can be provided with separate access to get onto
the internet from a segmented system that has no access to the
Internal system.


On 08/05/07, Ansgar -59cobalt- Wiechers <bugtraq@xxxxxxxxxxxxxxxx> wrote:
On 2007-05-08 christopherkelley@xxxxxxxxxxx wrote:
I'd recommend NOT doing this. Especially if you are trying comply with
HIPAA. Keep in mind that you will have little to no management
capability over these personal laptops, which means you have no ability
to verify patch level and AV update on these machines that may have EPHI
on them. Not to mention the fact that these employees are probably
taking them home and plugging them into their home networks, where they
(or their kids) are running bearshare, gnutella, grokster, bitorrent,
and surfing to unfiltered web sites. Not only does this mean that they
are potentially exposing critical data in this manner, it also means
they are bringing potentially infested computers into the soft chewy
center of your network.

Whenever you have an employee with a laptop, you create a liability to
your network, allowing them to use personal laptops presents an even
bigger liability. IMHO, this level of risk is unacceptable, especially
from a HIPAA compliance standpoint.

I wholeheartedly second that recommendation. Allowing corporate data on
private computers (or private computers on a corporate network) is a
bad, BAD practice. Never EVER do that. You really want to do the exact
opposite: establish a policy that *prohibit* employees from transferring
corporate data to private computers, and have it signed by each

Ansgar Wiechers
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

Yousef Syed
"To ask a question is to show ignorance; not to ask a question, means
you remain ignorant" - Japanese Proverb