Endpoint
10/7/2010 10:28 AM

Two Ways For SMBs To Secure Their Home Workers

Giving work-at-home employees unfettered access to your systems is so 1999; now, clean virtual private networks or terminal services can help

In the slowly recovering economy, telecommuting has become an essential way for businesses to retain valuable workers, increase productivity, and support "green" initiatives. But from a security perspective, telecommuting can also be dangerous -- if you don't have the right technologies in place.

For small and midsize businesses (SMBs), telecommuting is taking off. Nearly 60 percent of SMBs plan to increase their use of telecommuting to cut costs in the next 12 months, according to a survey conducted by Staples Advantage, the IT service of the well-known office-supply chain. Yet many SMBs don't have the expertise in-house to deal with security -- about 40 percent rely on external IT support to run their operations, the study found.

"Technology has now made it a lot easier for people to telecommute, and the evolution of this technology is such that we are going to see more and more organizations have people working from home," says Jim Lippie, president of Thrive Networks, which handles Staples' IT service.

Managing the security of telecommuters is a challenge, especially if workers share their computers with other family members. Tackling the problem generally involves one of two solutions, according to security experts. You can leave management of the devices in the hands of employees and use network access controls to enforce your security policy at the point of connection. Or you can give the telecommuter a "virtual desktop" hosted on your company network, enabling you to manage the home worker's working environment from the data center.

Pairing network access controls with a virtual private network can give SMBs some control over their remote employees' systems and help ensure the most obvious security measures have been taken, says Dave Ahrens, security architect for Internet telecommunications firm Avaya.

"Some solutions do push down a system check to make sure that the end user's PC is up to date with patches and up to date with antivirus," Ahrens says. "Those are all capabilities that VPN vendors are providing."

In addition, current virtual private networks allow the company to put stronger authentication controls in place, deterring potential attackers. Companies should not, however, treat the data coming from their employees' systems as clean.

"It depends on the budget for a small or medium enterprise, but once you have the VPN, you can put a firewall behind it to filter out any traffic that is coming through ... or an IPS [intrusion prevention system] or an IDS [intrusion detection system]," Ahrens says.
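To make the "system check" Ahrens describes concrete, here is an added example (not code from the article or from any VPN vendor) of the policy logic a VPN concentrator or NAC gateway applies to a posture report before admitting a home worker's PC. The report fields, the threshold values, the sample hosts and the access-profile names are all assumptions constructed for this example; a failing host is not simply refused but placed in a remediation-only network, so the user can patch and update antivirus before reaching the corporate LAN, which itself still sits behind the firewall and IPS Ahrens recommends.

```python
from dataclasses import dataclass
from datetime import date

# Policy thresholds (hypothetical values chosen for this example)
MAX_PATCH_AGE_DAYS = 30    # OS patches must be no older than this
MAX_AV_SIG_AGE_DAYS = 7    # antivirus signatures must be at most this old

# Network the VPN places the client in after evaluation (assumed profile names)
ACCESS_PROFILES = {
    "admit": "corp-lan",               # normal access, still filtered by the firewall/IPS
    "quarantine": "remediation-only",  # only patch and AV update servers reachable
}


@dataclass
class PostureReport:
    """What a VPN client agent reports before the tunnel is admitted.
    Field names are assumptions for this example, not any vendor's schema."""
    host: str
    os_patch_date: date
    av_running: bool
    av_signature_date: date
    firewall_enabled: bool


def evaluate_posture(report, today):
    """Return (decision, failures); decision is 'admit' or 'quarantine'.
    Every failed check is recorded so the user can be told what to fix."""
    failures = []
    if (today - report.os_patch_date).days > MAX_PATCH_AGE_DAYS:
        failures.append("os_patches_stale")
    if not report.av_running:
        failures.append("av_not_running")
    elif (today - report.av_signature_date).days > MAX_AV_SIG_AGE_DAYS:
        failures.append("av_signatures_stale")
    if not report.firewall_enabled:
        failures.append("host_firewall_off")
    decision = "admit" if not failures else "quarantine"
    return decision, failures


def assign_profile(decision):
    """Map the admission decision to the VPN access profile (assumed names)."""
    return ACCESS_PROFILES[decision]


# Constructed sample reports: one healthy laptop, one neglected shared family
# PC, and one machine whose antivirus service has stopped.
TODAY = date(2010, 10, 7)
SAMPLE_REPORTS = [
    PostureReport("laptop-alice", date(2010, 9, 28), True, date(2010, 10, 6), True),
    PostureReport("family-pc-bob", date(2010, 6, 1), True, date(2010, 8, 15), False),
    PostureReport("desktop-carol", date(2010, 10, 1), False, date(2010, 10, 1), True),
]


def triage(reports, today=TODAY):
    """Evaluate every report; returns {host: (decision, failures, profile)}."""
    result = {}
    for r in reports:
        decision, failures = evaluate_posture(r, today)
        result[r.host] = (decision, failures, assign_profile(decision))
    return result


if __name__ == "__main__":
    for host, (decision, failures, profile) in triage(SAMPLE_REPORTS).items():
        print(f"{host}: {decision} -> {profile} {failures}")
```

The checks are deliberately coarse (patch age, antivirus running and current, host firewall on) because that is the level of assurance a posture check can realistically give; it reduces the chance of an obviously unmaintained PC reaching the network, but, as the article notes, traffic from an admitted client should still be treated as untrusted and filtered.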

For companies that want to centralize the management of their telecommuters' desktops, a terminal server is an ideal solution, Thrive's Lippie says. The telecommuter logs into the terminal server using strong authentication and is presented with a desktop on which to work. However, the desktop is running on the terminal server, not on the worker's home machine.

The ability to separate a telecommuter's system from the corporate network makes terminal servers very secure, Lippie says.

"When they are in the terminal server, it does not matter how messed up their home computer is," he says.

Thrive recommends terminal servers to its clients as the preferred method of allowing employees to work from home securely and still access corporate resources. While Citrix is the most well-known vendor of terminal servers, Microsoft's Small Business Server also has the option to run terminal services.

"Having a terminal server -- or something of its kind -- is absolutely essential," Lippie says. "The last thing you want from an IT management perspective is to have multiple different people working from their home machines with very little oversight or policy enforcement."
