SMB Networks / Managing Remote Users /

Remote manager's security cheat sheet

By Toni Kistner
Net.Worker, 02/26/01

Most teleworkers routinely troubleshoot their PCs; some even manage small-office networks. But when it comes to security, we're all in over our heads. Do you need a VPN? A firewall? Both? Why? Reading up only makes it worse. Encryption . . . authentication . . . IPSec . . . L2TP. . . Diffie-Helman. . . Blowfish. . . . Everything's an algorithm. Great.

To find out what network managers and teleworkers need to know to buy smart, we asked Leslie Stern, senior product marketing manager with CheckPoint Software Technology, the enterprise market leader in integrated VPN appliances and software-based firewalls.

What's what. For starters, a remote access VPN secures the data in transit between your home office and the corporate network. A desktop firewall secures the PC from Internet attack. If you put a VPN client on a remote system that isn't protected by a firewall, the VPN session is vulnerable - the whole corporate network is vulnerable. In most cases, remote workers need both, Stern says.

One product or two. One big issue is whether you should use a separate VPN client and desktop firewall, typically from different vendors, or an integrated VPN and firewall. As the product manager of CheckPoint's VPN-1 Secure Client, Stern is a big fan of integration.

"It's not trivial to get a personal firewall and a VPN client to coexist. And even the most basic management functions, like adding and deleting users, has to be done twice," she says.

Also, integration allows the firewall and VPN to work in concert. Each time a user establishes a VPN connection, the machine and security policy will be checked to ensure there's nothing risky in the machine's configuration. If the machine is configured correctly, the user gets a VPN session. But if the user tries to uninstall the firewall or alter the security policy, he won't get a VPN session, she adds.

Easy management. You need to roll out firewalls to everyone, keep them up to date, specify a security policy central and ensure all your users are using the software appropriately. You want to specify the security policy and have it pushed out to all clients; you want as much automation as possible. You want centralized policy management you can update remotely. And think scalability: How will this product serve you in five years? Will it adapt to many new clients, small offices or the ability to connect to many larger nets?

Speed tweaks. Consider how performance is optimized, Stern says. "You want it to do selective encryption, to specify at the network gateway that only certain types of traffic need to be encrypted. You might not want to encrypt traffic going to public Web servers, like CNN.com. You want the ability to do 'split tunneling.' Some network managers want all remote VPN traffic to go through the corporate gateway, so they can see what people are doing. You want the choice, though."

Kistner is manager editor of the Net.Worker section. She can be reached at tkistner@nww.com.