Out of sight, out of mind
Four companies share the tools and strategies they use to secure home offices.
Axcelerant's CTO Jeff Christy likes to say, "We treat ourselves like customers." While the managed VPN services provider counts 35 Fortune 1000 companies as customers, it also provides remote access to its 70-plus employees. As such, Axcelerant knows from both angles the challenges network executives face when securing remote offices.
Axcelerant's service includes sophisticated broadband provisioning and security management software combined with a VPN/firewall appliance from NetScreen or SonicWall or, if a software VPN is in place, a firewall device from ZyXel.
"We can architect a secure solution, but the issue comes down to that architecture staying in place and making sure the home users aren't doing something that directly compromises security," Christy says.
Typical misbehavior includes unplugging the VPN appliance or plugging around it, or plugging the system directly into a broadband modem. Teleworkers often try to improve productivity by sharing a printer between their family machines and their work machine. But Christy has seen numerous situations in which home users want to do things they don't want the company to see.
Educating firms about the dangers is a challenge, too. "Enterprises will tell us, remote users can shut down the VPN as long as they're not connected to the corporate network," he says. "The trouble is, that remote system is a corporate asset, which logs onto specific servers and intranet pages, and Windows caches all those passwords. Once you disable the VPN, all that information is now accessible to hackers."
Two networks in one
SonicWall's new Tele3 Trusted Zone (TZ) addresses this two-network problem, and makes it easier for teleworkers to safely share peripherals and files on a home network. The device includes two physical ports, WorkPort and HomePort. Typically, you attach all the peripherals to HomePort, and only the corporate PC to WorkPort. Then you create a firewall policy between the two interfaces that lets the corporate PC access specific home devices on HomePort, but doesn't let HomePort devices access anything on WorkPort.
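The two-interface policy described above, sketched as an nftables ruleset for a Linux router. This is an added example, not SonicWall's configuration or anything supplied by the companies quoted here; the interface names work0 and home0 and the 192.168.20.x addresses are assumptions.

```nftables
# Added example. Assumed names: work0 faces the corporate PC (the WorkPort
# role), home0 faces the family devices (the HomePort role).
# 192.168.20.10 is a constructed address for a shared printer,
# 192.168.20.20 a constructed address for a home file server.
table inet teleworker {
    set home_printers {
        type ipv4_addr
        elements = { 192.168.20.10 }
    }

    chain forward {
        # Default deny: anything not matched below is not forwarded.
        # Rules for the WAN/VPN uplink are omitted from this sketch.
        type filter hook forward priority 0; policy drop;

        # Replies to sessions the work PC opened are allowed back.
        # This is what lets the printer answer without any rule that
        # permits new connections from home0 toward work0.
        ct state invalid drop
        ct state established,related accept

        # Work PC may open connections to the named home devices only.
        iifname "work0" oifname "home0" ip daddr @home_printers tcp dport { 631, 9100 } accept
        iifname "work0" oifname "home0" ip daddr 192.168.20.20 tcp dport 445 accept

        # New connections from the home side toward the work PC are
        # counted and logged before being dropped, so attempts are visible.
        iifname "home0" oifname "work0" counter log prefix "home-to-work denied: " drop
    }
}
```

The counter and log prefix on the last rule give an administrator a record of home-side devices probing the work machine, which the default drop policy alone would discard silently.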
Peter Silvo, corporate services manager at storage network company Network Appliance, in Sunnyvale, Calif., relies on Axcelerant's managed VPN service to connect 900 employees' home offices, and recently launched a small pilot program of the Tele3 TZ.
"A lot of people share the connection with a spouse or a roommate, who sometimes works for a competitor. But with the TZ, the work machine is protected. If somebody's kid downloads a virus, only the systems on the HomePort get infected."
Silvo's strategy is to educate and trust his users, and he shores things up so if something happens he can catch it right away.
Double-edged sword
The network director of a large software company in Silicon Valley (who requested anonymity) credits much of his company's success to its ability to hire talent from all over the world. While he, too, contracted with Axcelerant to manage his company's VPN, he still found managing remote workers troublesome.
Although out of sight, remote users were always on his mind. "If an employee and his spouse are hooking their computers together, we could be hooking ourselves up with a competitor and we don't have a lot of control over that. Even though we wrote policies and tried to educate people, we just don't have a lot of control over that kind of behavior."
This network director detected a lot of deviant behavior by watching network traffic, spam and e-mail from unknown sources, but the job was difficult and time-consuming. So when Axcelerant finished the beta-test cycle of its new remote security policy-monitoring program, Scout, his company began a large pilot program.
The Scout agent sits on the remote user's PC and sends an alert to the network if that machine deviates from its security policy. Scout can send the administrator an e-mail or Axcelerant can disable the VPN tunnel.
"My security team's given it the thumbs up," the network director says. "Anyone logging in remotely will have SecurID and the Scout agent running on the system."
Oil and water
For many companies, the combination of Axcelerant's managed VPN service, SonicWall Tele3 TZ and Scout Agent might seem sufficient, even overkill for some. But Schlumberger Network & Infrastructure Solutions, a 75-year-old multinational information services firm, has taken a different approach. Because much of the company's work is in oil field services, 5,000 employees are nomads, working for long stretches on oil rigs in remote places.
"By 1982, we'd mapped 80% of the world's well sites, proprietary data we've kept secure for our customers. We've done it with our road warriors, whom we've had to keep linked to our [research and development] groups in metropolitan areas," says Kosta Gioukaris, business development manager for Schlumberger.
The challenge for Schlumberger was how to grant road warriors access to e-mail, applications and time sheets while on oil rigs or traveling. The company developed its own connectivity products, the DeXa Suite of Services. Today, Schlumberger nomads use a variety of remote access technologies, including the company's DeXa.Net VPN services, DeXa.Badge smart card certificate authentication product, and Check Point Software's VPN-1 SecureClient. Some remote workers access server-based applications using products from Neoteris, Tarantella or i-Planet.
Schlumberger's security is based on three policies: All applications are kept on the corporate servers; mandatory use of smart cards to access all PCs, buildings and floors; and certificate authentication challenges at 15-minute intervals.
Gioukaris has little concern for home office security. "The moment you pull the smart card from the reader, the PC no longer has any access to company services. Then employees can use the broadband connection for anything they want," he says.
While workers are generally accepting of the policies, Gioukaris says they've asked to store their password on a PC so they wouldn't have to type in their username and password so frequently. "But we've enforced it rather stringently," he says.
A Schlumberger employee adds, "It can be distracting at first, but one gets used to it."
Tools of the trade: Particulars on the products and services these firms rely on to secure corporate home offices.
