Hi Guys!

We are currently starting to migrate our home workers away from Remote Desktop servers for access, to VPN connections.

I feel like we should have some form of signed agreement before we start giving access, but I'm unsure how we would even word it.

The VPN is being set up on a company device.

How does everyone else manage remote access to the company network?

39 Spice ups

If the VPN is being set up on a company device then I would assume said device is already governed by a set of company policies and fair use agreements, including sufficient security protection and monitoring. If this is the case then I don’t think there is much of a need to go into a great deal of detail over the use of the VPN, other than the basics such as protect your credentials, use for work only, etc. Having them re-read your IT policy and sign it is not a bad idea though.

If you don’t have any of those sorts of things in place then you have a lot of work to do!

7 Spice ups

Agreed. Company owned devices are governed by an IT Policy. If you don’t have one, now may be a good time to get one. It took a lot of push to get my HR department to agree to one. Even now they have been slow to roll it out. I think what finally turned them was when I told them I was very unhappy with the position they put me in by not helping me set an IT Policy. We had a user get terminated. HR promised to give them all the pictures on their company supplied phone. Meanwhile they’d been taking naked selfies and sending them to people via text or even company email. I told HR straight up that if this person wanted to, I could be blamed for those pictures ending up somewhere they shouldn’t. HR’s response was, “Well you could prove it via the IP address etc.” My response, “Then this company will be footing the bill for my defence.”

5 Spice ups

We have an acceptable use/acceptable care policy that covers company devices and data and specifically mentions VPN access from personal or company devices.

2 Spice ups

I have a VPN policy for company owned laptops. It basically lists all the Do’s and Don’ts. It also says that after hours support is not available unless pre-arranged. The laptops I gave my users for VPN access are locked down with my security software on them, USB ports are disabled, and nothing is installed on them but the OS. The only shortcuts on the desktop are for the VPN and Remote Desktop so they can access their workstation. The policy also makes them responsible for the laptops: any damage that happens while a laptop is in their possession, they are responsible for. They sign it; a copy goes to them, a copy goes in their file, and a copy goes back to the IT department.

1 Spice up

Create an end user agreement and acceptable use policy. Have the users read and sign annually. There are some good examples at SANS.org

2 Spice ups

We have a policy that covers network access. It includes the VPN.

Authentication is integrated with AD.

1 Spice up

Anyone with a laptop gets VPN access.

They’ve never written any IT policy here, despite my best efforts.

It is what it is.

1 Spice up

It’s access to a company device, so it should say things like “DON’T LET YOUR TEENAGED SON USE YOUR COMPUTER TO WATCH VIDEOS BECAUSE THEY WILL TURN OUT TO BE PORN YES THEY ARE OR ARE YOU SAYING YOU ARE WATCHING PORN ON A COMPANY COMPUTER I DIDN’T THINK SO”

3 Spice ups

We have an IT policy for that. It covers use and care of company assets, i.e. laptops, cell phones, mifi devices, etc… It also includes an acceptable usage agreement when it comes to network traffic; it mentions VPN use as well.

Employee specific remote desktops through Xenapp that are accessed through Citrix Receiver.

We have an IT document focused on technology use, acceptable and unacceptable uses and what not. It specifically defines VPN usage within.

1 Spice up

If you have the budget, I would suggest DirectAccess. You would need the users to be on Windows 10 Enterprise however.

I’m not a licensed physician, but I think I can diagnose high blood pressure based on your posts alone.

9 Spice ups

VPN w/ RDP. Any devices set up for VPN are company owned and existing policies regarding appropriate use of company equipment still apply.

RADIUS. Client connects to the network, firewall checks with RADIUS server, server then checks security group membership, etc.
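The flow this reply describes (the firewall asks a RADIUS server, which checks the user's security group membership before answering) as an added example, not code from anyone in this thread: a Python model of the RFC 2865 Access-Request / Access-Accept exchange with both sides' messages. `DIRECTORY`, `VPN_GROUP` and the shared secret are constructed stand-ins for the AD lookup and the real NAS configuration.

```python
import hashlib, hmac, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types

# Constructed stand-in for the AD lookup: user -> (password, security group memberships).
DIRECTORY = {
    b"alice": (b"correct horse", {"Domain Users", "VPN-Users"}),
    b"bob": (b"battery staple", {"Domain Users"}),
}
VPN_GROUP = "VPN-Users"  # hypothetical group that gates VPN access

def _attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def password_xform(data, secret, req_auth, hide=True):
    """RFC 2865 5.2 User-Password: each 16-byte block is XORed with MD5(secret + previous cipher block)."""
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev, out = (block if hide else data[i:i + 16]), out + block
    return out if hide else out.rstrip(b"\x00")

def build_access_request(ident, user, password, secret):
    """Firewall (NAS) side: Access-Request with a fresh random Request Authenticator."""
    req_auth = os.urandom(16)
    attrs = _attr(USER_NAME, user) + _attr(USER_PASSWORD, password_xform(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def handle_access_request(packet, secret):
    """RADIUS server side: check the credential, then require membership in the VPN group."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs, pos = packet[4:20], {}, 20
    while pos + 2 <= length and packet[pos + 1] >= 2:      # walk TLV attributes, stop on malformed length
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    entry = DIRECTORY.get(attrs.get(USER_NAME, b""))
    password = password_xform(attrs.get(USER_PASSWORD, b""), secret, req_auth, hide=False)
    ok = entry is not None and hmac.compare_digest(entry[0], password) and VPN_GROUP in entry[1]
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()   # Response Authenticator

def verify_response(response, request, secret):
    """Firewall side: trust the reply only if its authenticator binds it to our request and shared secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[0] if hmac.compare_digest(expected, response[4:20]) else None

def vpn_login(user, password, secret=b"constructed-shared-secret"):
    """Whole exchange: returns 2 (Access-Accept), 3 (Access-Reject) or None (reply failed verification)."""
    request = build_access_request(7, user, password, secret)
    return verify_response(handle_access_request(request, secret), request, secret)
```

A valid password without the group (bob) is rejected just like a wrong password, and a reply produced with a different shared secret fails the Response Authenticator check on the firewall side.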

I work for a bank so we have a specific remote access policy that covers how we connect in to each of our vendors when needed and how we monitor those connections, and how VPN access for employees with it is handled and how we monitor that. It also includes what we do to secure those laptops used remotely and the requirements we make any vendors’ systems meet before they can remotely connect to our network and how we verify those requirements are being met. Auditors sure make it hard to slack off on documentation; they seem to really really love paperwork.

SANS has several good policy templates; here is one to get you started: https://www.sans.org/security-resources/policies/network-security/pdf/remote-access-policy

We cobbled ours together from several sources.

A) You’re actually right.

B) That wasn’t a hypothetical. Porn over the company VPN and through our monitoring.

Too much caps lock!

But I see your point :)

1 Spice up