Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: InfoSec Handlers Diary Blog - Cyber Security Awareness Month - Day 19 - Remote User VPN Access ? Are things getting too easy, or too hard? InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Cyber Security Awareness Month - Day 19 - Remote User VPN Access ? Are things getting too easy, or too hard?

Published: 2010-10-19
Last Updated: 2010-10-19 13:50:56 UTC
by Rob VandenBrink (Version: 1)
11 comment(s)

It seems lately to me that in IT  we no longer seem to have downtime, even in traditional "9 to 5" companies.  Laptops, smartphones, iPads and every other gadget out there all are internet connected, and more and more people seem to be online every waking moment.  And if they’re online, chances are they’re VPN’d in to keep tabs on things at work while they’re surfing social sites, playing flash games or whatever.  This is especially true now that VPN access is so easy, in fact it's now included in a number of smart phones and tablets.

Which brings us to the poor folks in IT.  Since everyone is online 24-7, and we’re seeing business sales offices or business partners from 12 timezones over with VPN connections in, this brings up a whole raft of problems:

When exactly can we do system maintenance?   I’m tired of waking up at oh-dark-early, only to find 6 users logged that you need to track down before you can start an upgrade.  You can’t seem to pick any time as a maintenance window without causing someone a problem. Who gets access to what.  All too often people have skipped over the data classification and server zoning steps.  Without those done, just exactly what is that business partner allowed to have when they’re VPN’d in?


The prevalence of cheap laptops, tablets, phones and electronic doo-dads, all with internet access and VPN access (especially now that we have SSL VPNs) seriously starts to blur the line as to what the corporate desktop is.  Worse yet, it blurs the line over who has bought and paid for that corporate desktop.  No matter what our policies say, we have way too many personally owned devices out there that have VPN access to corporate resources, but don’t have corporate security tools, logging or, well, anything else.  But you can bet they’ve got malware on them from the kids in the family ! (or the grown-up kids).  And just exactly how do you enforce a VPN policy and deny access to someone who wants to work after hours for free?  It’s a real challenge to make that point to a senior manager.


We’d really like to hear about any challenges you have faced on the topic of VPN access, and how you have solved them.  Even if in your view you lost the battle on one issue or another, please share – someone else may have a different approach that might help you out.   As always – our comment form stands ready to field any and all comments, questions and answers !

 

=============== Rob VandenBrink Metafore

11 comment(s)
Diary Archives