RE: Home laptops on a corporate network



The places I come to as a systems consultant don't use the measures you are
talking about here. I of course tell them that they should, but they just
look at me as if I was from the moon or whatnot. To make matters worse,
my boss seems to think that it's a good idea to give all users local
admin rights on their PCs and tells me to do the same. I did try to
tell him that it is more than normally stupid, but he won't listen to me. He
is the senior consultant and I'm the junior consultant and as such not
taken too seriously, even though it seems I know more about real life
security than he does. The best solution I can offer our clients must be
the G/ON USB key. But it's also very expensive, so not too many of our
customers want it.

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Shawn
Sent: 11. maj 2007 20:50
To: marc
Cc: krymson@xxxxxxxxx; security-basics@xxxxxxxxxxxxxxxxx;
security-basics-return-44327@xxxxxxxxxxxxxxxxx
Subject: RE: Home laptops on a corporate network

Wouldn't a regular VPN just open for all kinds of badware they have on
their home computer? And if you issue a work computer for them it will
be used as their normal computer and probably be as infected as their
home computer anyways.

No.


At least not if your company properly manages its laptops...our users'
privileges are extremely, extremely restricted through group policy/local
security settings. They can't web browse. They can't install any
software/apps. They can't modify any system settings. They are not at all
used in the same manner that the users' "normal" computers are. They do not
pose nearly the same risk that the users' "normal" computers do.

Furthermore, users are required to bring their laptops into the office on
a regular basis for virus scanning/WSUS patching.

Obviously, you can tailor your own company's group policy to suit your
own specific needs.

Again, I don't think comparing company managed equipment to home equipment
is a fair comparison at all if the company exercises any decent means of
control.


On Fri, 11 May 2007, marc wrote:

Sorry in advance for anything stupid. I'm still just a wannabe newbie in
security :)

Wouldn't a regular VPN just open for all kinds of badware they have on
their home computer? And if you issue a work computer for them it will
be used as their normal computer and probably be as infected as their
home computer anyways. Why not use a product that can be used with their
home computer but one that doesn't have to be installed. I have this USB
key I have been issued at work from this company.

http://www.giritech.com/

It's mighty fancy. It will allow me to connect to our Citrix server and
do my work without any risk of our Citrix server being infected by
anything on my work issued laptop.

Disclaimer: I do have any relations with Giritech I'm just a happy user
of their product.

And sorry for spelling mistakes, non-native English speaker here. :)

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Shawn
Sent: 11. maj 2007 19:06
To: krymson@xxxxxxxxx
Cc: security-basics@xxxxxxxxxxxxxxxxx;
security-basics-return-44327@xxxxxxxxxxxxxxxxx
Subject: RE: Home laptops on a corporate network

I take it assigning the users who need to work from home company
owned/managed laptops, and then providing VPN access to these laptops,
is just not an option?

Setting up -somewhat- secure access to the corporate network from a
staffer's home computer just seems like too much trouble and too much risk
for what you gain...it'd just be easier to buy/image/issue laptops.

On Fri, 11 May 2007, krymson@xxxxxxxxx wrote:

If this scenario is an absolute must, even in the face of HIPAA (and
if this were my data, I'd be highly concerned about this company...),
then I do like having users VPN into an isolated network segment and
then connect to a Terminal Server to do their work.

However, not to throw monkeywrenches in, but this solution still does
nothing about keyloggers, screenscrapers, or even a full-blown screen
capture program running to record all this data. Even just one frame of
a doc open can be enough to spoil your HIPAA party depending on the data
these users have access to. Really, there's nothing you can do about
this other than disallowing their home systems.

You do have to pretend two things:
1) Assume you have the filthiest, most infected, worm-ridden home PC
ever connecting to your network.
2) Assume one of these workers will be wanting to sell this data or
maliciously gather and use it.

You can take action against 1, but you're not going to be able to
audit 2 unless you own the devices they are allowed to use.





