So in a previous life, I worked for a large enterprise which had many laptop users and a good-sized remote workforce. When I first took my laptop home for the night, I realized that, for one, I could connect to any wireless network, and two, I was no longer behind my web filtering servers. This article reminded me of how often this issue is overlooked: Postal Service Suspends Telecommuting
So hopefully some folks out there know that as soon as a device leaves your network, it can be exposed to any number of threats when it is not protected by the corporate firewall, IPS, and . So how does one fix this? Well, in this day and age, you cannot get away from the fact that you will have remote users. You can either provide them equipment or venture down the path of BYOD. Either way, you need to make sure that your security policies are in effect no matter where they go.
So how does one do this? Well there are actually many ways to protect a remote system from connecting to untrusted networks such as Open Wi-Fi at the local coffee shop or the very scary home network. One suggestion I made in my past life was to ensure that the only thing a remote computer can connect to when off the corporate network is the corporate VPN. Shields up on everything else!
Windows Firewall
You know? That thing you are always turning off? Well, rumor has it, it can be very useful! It is even more useful when you utilize the location-specific rules (the Domain, Private, and Public/Guest network profiles). You can create rule sets that apply only when a system is on one of the above types of networks. The Domain profile is only applied when the system can communicate with its Windows domain controllers. All other networks fall into the Private or Public profile. Those are the profiles for which you should create very restrictive rule sets. One good rule is one that allows your VPN client to connect out to the corporate VPN server. Windows firewall rules also allow you to bind a rule to a specific interface. This could be your VPN adapter, and you could default most of your rules to only work on that adapter.
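As an added example (not from the original post), the profile-based lockdown described above expressed as Windows Firewall rules in PowerShell: default-deny on the Private and Public profiles, allow only DHCP, DNS and the VPN gateway directly, and allow everything else only on the VPN adapter. The gateway address, adapter alias and IKE/IPsec ports are placeholders and assumptions; adjust them for your VPN client.

```powershell
# Added example: restrict a remote laptop so that, off the corporate network,
# it can reach only what it needs to bring up the corporate VPN.
# Requires an elevated prompt and the NetSecurity module (Windows 8.1 / 2012 R2+).
# Placeholder values (assumptions, not from the original post) are marked.

$VpnGatewayIp   = '203.0.113.10'            # placeholder: corporate VPN gateway IP (rules take IPs, not FQDNs)
$VpnAdapterName = 'Corp VPN'                # placeholder: InterfaceAlias of the VPN adapter
$RuleGroup      = 'Remote Laptop Lockdown'  # group name so the rule set is easy to audit or remove

# 1. Default-deny in both directions on every non-domain network.
#    The Domain profile is left alone; it only applies when a DC is reachable.
Set-NetFirewallProfile -Profile Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Minimum plumbing to get an address and resolve the VPN hostname.
#    DNS is open to any resolver so the client still works on unknown networks;
#    tighten this if your VPN client pins the gateway by IP.
New-NetFirewallRule -DisplayName 'Lockdown: DHCP client' -Group $RuleGroup `
    -Direction Outbound -Profile Private,Public -Protocol UDP `
    -LocalPort 68 -RemotePort 67 -Action Allow
New-NetFirewallRule -DisplayName 'Lockdown: DNS' -Group $RuleGroup `
    -Direction Outbound -Profile Private,Public -Protocol UDP `
    -RemotePort 53 -Action Allow

# 3. The only host reachable directly is the VPN gateway (IKEv2/IPsec ports
#    assumed here; SSL VPN clients typically need TCP or UDP 443 instead).
New-NetFirewallRule -DisplayName 'Lockdown: VPN gateway (IKE/NAT-T)' -Group $RuleGroup `
    -Direction Outbound -Profile Private,Public -Protocol UDP `
    -RemoteAddress $VpnGatewayIp -RemotePort 500,4500 -Action Allow

# 4. Everything else only through the tunnel: the rule is bound to the VPN
#    interface, so traffic on the Wi-Fi/Ethernet adapter stays blocked.
#    -Profile Any because the tunnel interface often lands in the Domain profile
#    once the DCs become reachable through it. (-InterfaceType RemoteAccess would
#    match any VPN/dial-up interface if you do not want to pin the alias.)
New-NetFirewallRule -DisplayName 'Lockdown: all traffic via VPN adapter' -Group $RuleGroup `
    -Direction Outbound -Profile Any `
    -InterfaceAlias $VpnAdapterName -Action Allow

# 5. Check: which profile each connection is in, and the rules just created.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
Get-NetFirewallRule -Group $RuleGroup | Select-Object DisplayName, Direction, Profile, Enabled
```

One trade-off to test before rollout: with no general outbound allow on Public networks, hotel and coffee-shop captive portals cannot be completed, so users on such networks will need an alternative (for example a time-limited, audited exception); the same settings can be pushed through Group Policy so users cannot simply turn the firewall off.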
Endpoint Security Products
Many of the popular enterprise AV products provide similar functionality as Windows Firewall. So if Group Policies are not your thing, you can look at building a configuration through the management console for your product. Same idea, lock it down and only allow the VPN adapter to have access out.
So what about the BYOD clients? Well, the only thing I can recommend here is the use of VDI (Virtual Desktop Infrastructure) and/or Terminal Services. If you can, don’t allow connections to the host drives or other peripherals. Keep those devices in as much of a sandbox as possible. If you are really paranoid, you can have them boot off approved USB drives into a solution such as BeCrypt’s tVolution (previously Trusted Client). This provides a trusted bootable OS that can then be connected to the corporate VPN and allowed access to the network through a VDI or Terminal Server solution.
So why don’t all organizations utilize the suggested solutions? Well, they are not always easy to implement. They do require extensive testing to get things just right. Some of them are not cheap either, as they require a beefier infrastructure than the company may have. And of course, when faced with difficulties in using a product, as humans, we try to find a way around whatever is preventing us from updating our twitters. But like all things IT and Security, careful planning and proper implementation is the key to success. Some of these projects cannot be done overnight and require a good bit of knowledge to execute flawlessly.
Of course properly training your workforce is also helpful! Good luck out there!