I was wondering what others here have for a VPN policy for home users. At the present time our policy is only corporate systems on the VPN. So that pretty much means no home systems unless it is a company-provided home computer, which is very rare.
With the work we do most of our files are pretty big so it doesn’t seem like a big deal as it is. There is RDP access for Office files and some database apps along with email also but most all of those files are small compared to our main line of work files.
How many of you allow VPN access from home or public computers?
@VMware @Cisco
3 Spice ups
We allow VPN from home users or travelling salesmen but it is on company laptops, definitely not their personal computers.
I would strongly suggest against it if you have any proprietary or sensitive information. Our owner is the only one with VPN access from home on a personal machine. We loan out laptops to anyone who thinks that they need to work from home.
No VPN access from home PCs.
mattscan
(Matthew5502)
5
Company laptops only. And I am the only exception to that rule.
mikedavis
(Mike Davis)
6
We tried to support home users for a little while. I’m glad those days are over. Going to VMware View for remote desktop access has solved so many problems. Only a few people with company owned laptops are still using the VPN connection. If you have a choice I wouldn’t even think of giving home computers VPN access.
Depending upon your business needs you may want to consider EZ-VPN tunnels.
See:
http://www.stknetwork.com/index.php?option=com_content&view=article&id=64:cisco-asa-ezvpn-easy-vpn&catid=37:configuration-examples&Itemid=71
It’s a technology that uses the end-user’s home Internet connection for corporate access.
1 Spice up
You can even enforce AD authentication at a port-level on the remote-side.
Meaning, when a device is plugged into the remote-side VPN box it will redirect the client to a web-page where the person has to provide their AD credentials before they are provided network access.
1 Spice up
Thanks so much for all of the responses. I could see so many bad issues allowing this but figured I would ask before putting any time into doing this.
mattscan
(Matthew5502)
10
Authentication is a must for VPN access. The other consideration is anti-virus. Is the computer clean?
One other consideration: if the VPN is set up to use the company’s DNS and internet for outbound internet traffic, then the company can be held liable for improper/illegal usage. Another issue you may run into is licensing. I read a BSA case where a company was allowing home PCs to use a terminal server that had Office on it, and they didn’t have enough licenses to cover those home PCs. Then the BSA requested to see those PCs, of which some had pirated software, and the company was fined, because they were used for company work being done. Lots of liability with this setup. Easier, and safer, to provide them with company based laptops or desktops.
Do NOT give home PCs / devices IPsec VPN connections, just don’t go there! SSL VPN is another matter, you’re going to have to support iPhone and Android on it anyway and these are way worse than home PCs…
I would agree not to give access to home PCs at all. If you have to give it then your VPN concentrator has to provide remote end point scanning capability before it gives access to the office network, or there has to be a mechanism to scan the VPN traffic for viruses, malware, attacks etc.
There are few vendors which do it, including us, but if there is no such mechanism in the VPN concentrator I would suggest you give company owned laptops to avoid a security breach.
@Phil6196 - Would you be able to point me to that BSA case study? I need the ammunition to make the case against allowing home PCs to connect to the corporate VPN.