Securing Your Network When Employees Telecommute
As we prepare to write this, we are thinking of the many times we get up in the morning and start working at our home computer. It is possibly the most convenient invention since the washing machine, enabling us to connect to our workplace from basically anywhere and to take our desktop wherever we go. There is certainly no going back; the world has gone mobile and is only going to want more of it. Therefore, when securing our networks, we need to think that they are no longer just the small local area network inside our office, with one Internet access point. Our networks are growing less well–defined, with more than one entry point and each access having a different level of trust. Securing this increasingly complex environment now takes some serious effort.
Whether you allow your users to work from home, from the airport, or from anywhere else – any time, all the time – there are some important and serious security implications you need to consider. Here, we’ll attempt to analyze them and provide valuable insights about what to do to ensure that your remote workstations, laptops – and, especially, data – are properly protected.
Challenges and Hazards
The security challenges you will face are not necessarily the same for each remote scenario, so let us analyze first the issues with an employee working from home. We will assume that by now no organization will allow a simple, unprotected connection to an office LAN. Your remote employee will use a virtual private network (VPN).
The three most prevalent types of VPNs today are PPTP, IPSEC and SSL. IPSEC and SSL are the most secure because they can use the highest security encryption (AES 256), i.e., 256 bits of encryption and a protocol (AES) that took almost 10 years to develop and was designed to last well into the 21st Century, even with the power of computing increasing at the usual rate. SSL VPN is the most flexible, and the one we prefer.
So, the data travels from the office to the remote workstation and back, well encrypted and very secure. But when it gets to the workstation, it is unencrypted and written at least into temporary files. When the user disconnects from the VPN, these temporary files remain on the remote workstation, unencrypted and, most likely, unprotected. And if the information exchanged was confidential, you now have confidential data stored on a remote workstation you have no control over.
Now, picture the situation where this home computer is also used by someone else in the house, someone who might browse to a website that will download a Trojan on this workstation. Another hazardous home-computing scenario involves peer-to-peer networks, where users can share files with other participants without the need for a central server – even accessing another user’s documents without permission. Suddenly, those possibly confidential files that were left over from a VPN session are being shared with millions of people.
These examples are not science fiction; they do happen and have cost some companies economically, as well as damaging to their image. Ensuring that the data traveling through the VPN also stays protected when it reaches the remote computer is something we rarely consider but is something that can cost your company quite dearly.
Solutions and Tips
There are several steps you can take to ensure higher security for this traveling data. First, what is probably the most obvious thing to do, is to not allow your users to connect to the VPN using their home computer. If you have telecommuters and are in a position to enforce this, ensure that they use an employer-issued laptop and that you have full control over what’s installed on it and how it’s configured. Also, have fully working, well-updated anti-virus and endpoint security on it.
Second, ensure that the user can’t get to the Internet using that laptop unless he or she is connected through the VPN. There are plenty of software solutions on the market that allow you to block direct access to the Internet unless the VPN is on. Then, configure the VPN to redirect all traffic through the VPN itself, and on your VPN concentrator/firewall allow VPN-to-Internet traffic through a proxy that will scan this traffic for policy and viruses, just as though that laptop were within your LAN.
But this may not be enough. We all have been, at some time or another, guilty of using the computer as a babysitter. We are tired and would prefer to be left alone, so we let our children play with it. This is not a good idea, because the child (worse yet if it’s a teenager) will likely browse websites that might be infected, even unbeknownst to the owners of the sites themselves. The only way to solve this particular issue is to properly educate your users. If they are made aware of the potential risks to the company computer and data – and possibly to their own career – they will be less likely to indulge in such behavior and will watch their employer-issued laptop more vigilantly.
If for any reason you are not in a position to issue laptops to your telecommuters, but still want to allow them to work remotely, at least make sure they are not allowed to have an administrative account, and limit what their account can see and do. This won’t protect you completely, but, at a minimum, it should greatly reduce the risk of exposure. Demand that their remote PC be kept up-to-date with patches and anti-virus signatures. Also consider issuing an endpoint security license for that workstation, even though it will be installed on an asset that does not belong to your company.
If the remote user is connecting from a hotel or other remote place away from home, you run into another issue – that this computer is connecting to a network that is not yours and can be exposed to local attacks. A wireless connection at the airport is open to anyone who wants to connect. The downside of this is that your computer ends up in a possibly large network, with other people you do not know. Therefore, the possibility that someone with ill intentions may be connected to the same network is a real one. The most important thing to do in this case, and, perhaps, the only really serious protection you have, is to install endpoint security software on the laptop that can intercept connection attempts, Trojans, unauthorized or surreptitious data transfer, and other possible intrusions.
In addition, your users should be advised to stay logged onto the wireless only for the time strictly necessary and to use a VPN when transferring confidential information. It’s also a good idea to protect the laptop physically, because a high number of laptops are stolen every year. If you allow your users to check their mail remotely (by using Outlook Web Access, for example), you should ensure they do this from their own laptop and not from a public computer, which will remain at the mercy of the next customer once your user leaves. The temporary files left on that computer during your user’s session might contain data you do not want left around, and they are fully accessible to the next customer and to the administrators of that computer. This will lead to leakage of information, even though you have everything else well protected.
Whether your telecommuters are working from home or on the road, there are some general considerations that are valid in all cases. One very good way to protect potential data loss is to encrypt it, either the entire disk or only certain file systems. The second option gives you more flexibility and allows recovery of the data – if the encrypted data is on a separate logical disk – should the operating system become corrupted. Either one is a good solution to ensure that the data cannot be stolen.
Another great way to limit your risks is to avoid having the data transferred to the remote computer altogether. This is achieved by using thin-client technology, such as Citrix. With this technology, the application runs on the server, the data is processed on the server, and it never leaves the server. What does leave the server is the graphic information to ”paint” the remote screen, which contains the data in visual form but does not usually contain anything worth stealing. Even if it does, the data is usually kept in memory and is lost when the client computer is turned off. The files in the swap area will be quickly overwritten as well, so no trace of the data should be left on the client computer.
Now, we come to the subject of passwords – strangely enough, still a common issue. Too many users choose birthdates, common names, pets’ names and similarly easy-to-remember passwords. Unfortunately, what is easy for us is often even easier for hackers. A strong password is paramount to protecting your data, no matter where it is. This is particularly important for roaming users, since their computers are more likely to be stolen or somehow hacked into: an estimated 10% of all laptop computers are stolen at some point, and 97% of them are never recovered. There is a great aftermarket for stolen laptops, and even though the thieves’ usual motive is just to sell the computer – not access data – it’s a good precaution to have a strong password, along with disk or data encryption. We don’t necessarily encourage changing passwords too often. That confuses the users, and they end up choosing simple passwords to be able to remember them. Or, worse yet, they write them in the most obvious places. Passwords need to be changed but try to strike a balance so that changing the password does not become a weak point in the security chain.
Consider as well that all these rules and precautions also apply to your IT department and yourself. IT people tend to think nothing will happen to them because they know the ropes. However, they are often the cause of the most grief for their companies, since they use administrative accounts and, at times, engage in reckless behavior. In other words, they get cocky about their knowledge of IT security and start believing they are invulnerable. That often makes them the most suitable targets.
To conclude, here’s a checklist to help you secure your remote connections:
- Issue company computers that you can control and ensure that operating systems and anti-virus signatures are up to date;
- Install an endpoint security solution;
- Allow connectivity only via a VPN, preferably an SSL type, but any is better than an open connection;
- Use a software that will not allow Internet connectivity when the VPN is not on;
- Educate users to the dangers they face, ensuring they do not share their computer with their family or leave it unattended;
- Do not allow the use of administrative accounts;
- Enforce the use of strong passwords;
- Encrypt the disks or the file system containing the confidential information; and
- Do not allow the use of public computers for any reason whatsoever.
We hope this information will help you secure your network and data when employees are working from home or on the road. Implement the above suggestions, and the chances of remote workers’ files being compromised will indeed be remote.