Ryan Spanier, Systems Engineer
For the purposes of this article it is assumed that the VPN client uses a secure connection, i.e., one with strong encryption and strong authentication, and that it enforces an idle timeout so that an unattended session is disconnected rather than left open. The Cisco VPN client and the Sonicwall Global VPN Client meet all of these requirements.
The main issue with giving users virtual private network (VPN) access is that it changes the dynamics of the financial institution’s perimeter network. In a network without VPN access there is normally one entrance and exit for all external traffic, the Internet connection. This connection is protected by one or more layers of security, which can include a firewall, an intrusion detection system (IDS) or an intrusion prevention system (IPS).
Giving users VPN access effectively creates a “tunnel” that bypasses these devices, because traffic arriving through the tunnel is decrypted inside the perimeter and is not inspected or filtered on its way in. The network now has multiple points of entry: one for the Internet and one for each external device connected by VPN. Each of these entry points has to be protected individually, which creates administrative and technical difficulties. Listed below are some ways to mitigate the risks involved, along with the problems each one raises.
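To make the change in perimeter concrete, here is an added example (it is not code from the original article). It models the firewall as a first-match rule list and compares two policies for the VPN client address pool: one where the tunnel terminates inside the LAN and the pool is trusted, and one where the pool is filtered like any other untrusted entry point and only the services remote users need (OWA and Citrix) are permitted. All addresses, server roles, ports and sample flows are assumptions constructed for illustration.

```python
# Added example, not code from the original article: a toy first-match
# firewall evaluator used to contrast an unrestricted VPN address pool with a
# pool that is filtered like any other untrusted entry point. All addresses,
# host roles, ports and sample flows below are assumptions constructed for
# illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    port: Optional[int]    # destination port, None = any port
    proto: str = "tcp"     # "tcp", "udp" or "any"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str = "tcp"


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First matching rule wins, as in a typical firewall ACL; no match -> default."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for rule in rules:
        if (src in ip_network(rule.src)
                and dst in ip_network(rule.dst)
                and (rule.port is None or rule.port == flow.port)
                and (rule.proto == "any" or rule.proto == flow.proto)):
            return rule.action
    return default


# Assumed addressing: the LAN behind the perimeter, a mail (OWA) server, a
# Citrix server, and the address pool handed out to connected VPN clients.
LAN = "192.168.10.0/24"
OWA_SERVER = "192.168.10.5/32"
CITRIX_SERVER = "192.168.10.6/32"
VPN_POOL = "10.99.0.0/24"

# "Tunnel" configuration: the VPN terminates inside the LAN and its pool is
# trusted, so nothing stands between a connected home PC and the LAN.
TUNNEL_POLICY = [Rule("allow", VPN_POOL, LAN, None, "any")]

# Mitigation: treat the VPN pool as one more untrusted entry point and permit
# only the services remote users actually need; everything else is denied.
FILTERED_POLICY = [
    Rule("allow", VPN_POOL, OWA_SERVER, 443),      # HTTPS to Outlook Web Access
    Rule("allow", VPN_POOL, CITRIX_SERVER, 1494),  # Citrix ICA
    Rule("deny", VPN_POOL, LAN, None, "any"),
]

# Constructed sample flows from one VPN client (10.99.0.17).
SAMPLE_FLOWS = [
    Flow("10.99.0.17", "192.168.10.5", 443),         # OWA, legitimate
    Flow("10.99.0.17", "192.168.10.6", 1494),        # Citrix, legitimate
    Flow("10.99.0.17", "192.168.10.20", 445),        # SMB to a file server
    Flow("10.99.0.17", "192.168.10.10", 3389),       # RDP to a domain controller
    Flow("10.99.0.17", "192.168.10.30", 53, "udp"),  # DNS to an internal resolver
]


def compare(flows: List[Flow]) -> List[tuple]:
    """Return (flow, tunnel decision, filtered decision) for each flow."""
    return [(f, evaluate(TUNNEL_POLICY, f), evaluate(FILTERED_POLICY, f))
            for f in flows]


def exposed_by_tunnel(flows: List[Flow]) -> List[Flow]:
    """Flows the unrestricted tunnel admits that the filtered policy would stop."""
    return [f for f, tunnel, filtered in compare(flows)
            if tunnel == "allow" and filtered == "deny"]


if __name__ == "__main__":
    for flow, tunnel, filtered in compare(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.port}/{flow.proto:<3} "
              f"tunnel={tunnel:<5} filtered={filtered}")
```

Run directly, the script prints the two decisions side by side for each sample flow: the legitimate OWA and Citrix flows pass under both policies, while file sharing, RDP and DNS from the home PC are admitted only by the unrestricted tunnel. In a real deployment the same effect is obtained by terminating the VPN on a separate firewall interface, or by applying a filter to the client address pool on the concentrator, so that VPN traffic crosses the firewall and IDS like any other external traffic.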
- Personal Firewall – A home PC connected via VPN is on the Internet and on the institution’s network at the same time, so it bridges the two. The computer must also be protected while it is not connected to the institution’s network, since a vulnerability can be exploited at any time and the resulting compromise carried into the office on the next connection. This requires a personal firewall on each computer.
- Personal Software – Since the home computer is not a member of the corporate domain, it receives no centralized patch management, so there is no guarantee that security and software patches have been downloaded and applied. An unpatched program may contain publicly known vulnerabilities that can be used to compromise the PC and, through the tunnel, the internal network. Furthermore, software that would be unauthorized in a work environment is easily installed on a home PC, including Internet games, spyware, malware and chat programs, each of which can add further vulnerabilities.
- Antivirus Software – An up-to-date antivirus product is essential for a secure work environment. A home computer does not normally have access to the company’s corporate antivirus suite (although some licenses allow installation on home PCs), so the user will need to acquire an approved antivirus program and keep its definitions up to date.
Since administrators have no direct control over home machines, the measures above can only be enforced through policy, and there is no guarantee that any of them is ever in place. A company policy for remote access therefore needs to be in place before any user starts connecting remotely. Gladiator Technology Services, Inc. currently has a policy template for remote access. Please contact Erin Willis at firstname.lastname@example.org for additional information on network policies.
VPN access is not the only choice for remote access. Depending on what your users actually need, one of the following methods may be better suited.
- Outlook Web Access (OWA) – If your main goal is to allow users to read their corporate email from home, this is a good option. OWA provides most of the functionality of Outlook through a web browser and can be used anywhere there is an Internet connection. Because it exposes only mail and no other network resources, the risk of data exposure is much lower than with a VPN, although mailbox contents are still viewed on the home PC, so the points above about that PC still apply.
- Citrix Metaframe Server – Citrix gives users access to applications published from servers inside the network, delivered to the home PC as screen, keyboard and mouse traffic. It has very granular access rules, so you can give limited rights to some user groups and full rights to others (such as domain administrators). Since no data is stored locally and the home PC never touches network resources directly, a poorly secured home PC is much less of a risk. It is accessible from anywhere with an Internet connection and does not require a pre-installed client (the client is installed automatically over the web on first use). The catch is the cost. The Citrix product must be purchased and run on an application server running Terminal Services, which must also be licensed. This option should be considered when multiple users need remote access; for a single user it is overkill.
Balancing the needs of your financial institution’s employees and officers with the security demands of the real world can be a daunting task. Many users will accept nothing less than the full network access they have at their desk. However, there are alternatives to VPN access that meet or even exceed user demands with far fewer security ramifications. With this in mind, VPN access should be the last option considered for telecommuters, not the first. Examine the true needs of each user, and in most cases Citrix or OWA will meet them all.