Networking

Remote Access Policies 178

Samalie writes "My company is considering implementing a formal remote access policy (and agreement for staff to sign) for users who access our network from home via VPN. Does anyone out there have any suggestions as to what this policy/agreement should contain? Anyone have their own corporate policy that I can borrow from? This is the first time I've come across anyone wanting a formal policy for this & online searches haven't been very helpful."
This discussion has been archived. No new comments can be posted.

  • Is this real? (Score:2, Informative)

    by Anonymous Coward on Wednesday November 12, 2008 @09:21PM (#25741635)

    Did you even look at SANS?

  • SANS Templates (Score:5, Informative)

    by Wanker ( 17907 ) * on Wednesday November 12, 2008 @09:23PM (#25741643)

    The templates provided by SANS are a good place to start:

    All of them are here:

    http://www.sans.org/resources/policies/ [sans.org]

    Here's the remote access policy example:

    http://www.sans.org/resources/policies/Remote_Access_Policy.pdf [sans.org] [PDF]

  • Use Laptops (Score:5, Informative)

    by George Beech ( 870844 ) on Wednesday November 12, 2008 @09:25PM (#25741685)
    We require all users with remote access to use corporate laptops that are locked down. You cannot connect your personal computer via VPN. Also there is the standard "treat it as if you were sitting at your desk, all rules, regulations, etc. still apply."
  • by Viree ( 214760 ) on Wednesday November 12, 2008 @09:37PM (#25741773)

    The last few companies I've worked for make it mandatory for new employees to sign an AUP (Acceptable Use Policy). Sorta like a blanket coverage for all IT services, including network usage. Depending on how large the company you're working for is, you might be able to convince your HR to get all the existing employees to sign, too. That way you can avoid getting the employees to sign another document/agreement if you should implement new IT services.

  • Re:Use Laptops (Score:4, Informative)

    by tftp ( 111690 ) on Wednesday November 12, 2008 @09:44PM (#25741811) Homepage
    I third this. You can't expect your employees to comply with boring rules in a boring piece of paper. You need to make it plain impossible to connect using home computers. Give the user a laptop and he can carry it home if he wants. Give him an RSA token to be doubly sure.
  • by mysidia ( 191772 ) on Wednesday November 12, 2008 @10:08PM (#25741947)

    WPA2 can no longer [slashdot.org] be considered safe.

    A VPN connection with strong encryption must be used.

    Multi-factor authentication should be used to gain access.

    And once access is gained, traffic coming in from outside should be restricted to certain safe protocols and hosts (according to the user's needs)
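
One way to express the "certain safe protocols and hosts (according to the user's needs)" restriction from the comment above as a default-deny ruleset; this is an added example, not part of the original post. The `tun0` interface name, the static per-user VPN addresses and the internal hosts are constructed assumptions.

```python
import ipaddress

VPN_IFACE = "tun0"  # assumption: name of the VPN tunnel interface
ALLOWED_PROTOCOLS = {"tcp", "udp"}

# Constructed sample data: one static VPN address per user, plus the
# internal (host, protocol, port) tuples that user actually needs.
USER_NEEDS = {
    "alice": {"vpn_ip": "10.8.0.10",
              "allow": [("10.0.5.20", "tcp", 443),    # intranet web
                        ("10.0.5.30", "tcp", 993)]},  # IMAPS
    "bob":   {"vpn_ip": "10.8.0.11",
              "allow": [("10.0.6.15", "tcp", 22)]},   # SSH to one build host
}


def build_rules(user_needs, iface=VPN_IFACE):
    """Return iptables commands: per-user allows, then drop the rest."""
    # Let replies to already-permitted connections through.
    rules = ["iptables -A FORWARD -m conntrack "
             "--ctstate ESTABLISHED,RELATED -j ACCEPT"]
    seen = {}
    for user in sorted(user_needs):
        entry = user_needs[user]
        src = ipaddress.ip_address(entry["vpn_ip"])  # ValueError if malformed
        # Two users on one address would silently inherit each other's access.
        if src in seen:
            raise ValueError(f"{user} and {seen[src]} share VPN address {src}")
        seen[src] = user
        for host, proto, port in entry["allow"]:
            dst = ipaddress.ip_address(host)
            if proto not in ALLOWED_PROTOCOLS or not 1 <= port <= 65535:
                raise ValueError(f"bad rule for {user}: {proto}/{port}")
            rules.append(f"iptables -A FORWARD -i {iface} -s {src} -d {dst} "
                         f"-p {proto} --dport {port} -j ACCEPT")
    # Default deny: anything else arriving from the VPN is dropped.
    rules.append(f"iptables -A FORWARD -i {iface} -j DROP")
    return rules


if __name__ == "__main__":
    print("\n".join(build_rules(USER_NEEDS)))
```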

  • Key points (Score:4, Informative)

    by gweihir ( 88907 ) on Wednesday November 12, 2008 @11:11PM (#25742399)

    I don't have a formal policy, but I work with students on data that falls under privacy laws.

    What we tell them is:
    - Access from one computer only and that has to be specially secured
        -- Linux: Keep installation current, close all ports for incoming data, web-surfing only
              with current Firefox or Opera and limited to what is absolutely necessary for their work.
        -- Windows: In addition a current anti-virus software. Discouraged.

    - We provide a computer for the VPN/SSH access for the thesis duration for the secured installation
        and even a second one for ordinary work, if they do not have one.

    - We warn them that loss of data would possibly be a criminal offense on their part (privacy laws)
        and that they need to be very careful.

    If you are really paranoid, give your users that second computer, or alternatively a CD-system created/modified by you for the remote access, and make using that mandatory. I think you will find that formal agreements carry little impact, as negligence is always relative to the competence level of the person acting. Better to secure the access and not rely on legal stuff. If you require a specific installation for remote access, everybody not using it is doing something contrary to agreement regardless of competence level. You could even hardcode the VPN keys on a boot-CD (e.g. a modified Knoppix) to make it hard to circumvent this "remote Terminal" set-up.

  • by inKubus ( 199753 ) on Thursday November 13, 2008 @03:35AM (#25743923) Homepage Journal

    Yes, they use a Java app which utilizes the SSL capabilities in the browser to create a tunnel. Usually they do like a lightweight remote desktop type thing, or you can spawn something that redirects IP. Lastly, they usually have a link to install a package for a standard IPSEC VPN client. Cisco offers this in their ASA (formerly PIX) firewalls, Sonicwall does also. It's helpful for users logging in from a non-company computer as there's not much config/support required. Obviously your LAN needs to be secure also, in case they log in at an airport kiosk and forget to log out or something. With RADIUS and some auditing, you're almost as safe as in the office.

  • Re:Too long (Score:3, Informative)

    by geekmux ( 1040042 ) on Thursday November 13, 2008 @10:34AM (#25746345)

    The terms "paper drill" and "check-the-blocks" come to mind. I don't really care about the implications of my company's VPN policy...at least not compared to the implications of the documentation associated with home-ownership.

    Ah, exactly my point. You don't care because IT policy violations do not hold repercussions serious enough.

    You might ACTUALLY care to not only read through the document, but adhere to the policy if your job was on the line.

    Sorry, but from a business standpoint, your home is likely worth far less than the millions invested in Engineering and Design, or even data within sales contact lists and internal price lists. This is why it kills me when I find corporations do not hold violators accountable.

  • Re:Not SANS (Score:3, Informative)

    by FooGoo ( 98336 ) on Thursday November 13, 2008 @01:46PM (#25749169)
    A conversation with the author at an airport in Texas.
