Like it or not, your corporate network will soon be everywhere - maybe even in some employees' kitchens or guest bedrooms. It might also reach into airports, hotels and McDonald's. Some users might even access the network from their local commuter trains.
Accompanying all this extended access, though, are heightened security risks. How do you mitigate them?
First, IT and executive decision-makers must define who should have access to what and set rules that govern user network-connection attempts. Then, IT can implement technology to enforce those rules in an automated fashion.
For example, Knowles Electronics, a maker of microphones and receivers for the hearing health industry in Illinois, has a policy to restrict remote user access to servers hosting applications they actually need.
"We got hit with the Blaster worm when a home user tapped into a machine he didn't really require access to," explains Rich Dase, technology director.
For its international mobile workforce of about 200, Knowles uses services provided by Fiberlink Communications, which installs virtual private network (VPN) encryption software, personal firewalls and antivirus software on user devices and centrally enforces security policies for the company. Knowles sets its own rules dictating the conditions under which users can connect.
"The policy might be that devices on dial-up connections must have a personal firewall configured a certain way and updated within the past three days," says Dase. "If Fiberlink doesn't discover those conditions when a user tries to connect, it rejects the access."
Protect Data in Transit
It's essential to use VPN encryption to protect data on a public network, says Dave Passmore, research director at Burton Group in Utah. IPsec and browser-based Secure Sockets Layer (SSL) are the primary encryption technologies for avoiding data theft by eavesdropping or sniffing.
"SSL is clientless, so it is coming on strong. It also works great through NAT [Network Address Translation] routers, which employees are increasingly using at home," notes Passmore. NAT translates private IP addresses into a single, globally unique IP address for routing across the public Internet. Passmore recommends NAT-enabled routers for telecommuters to mask their home computers' IP addresses from viruses and address-spoofers lurking on the Internet.
LandAmerica Financial Group in Virginia uses both SSL and IPsec for its remote workforce. "Using SSL, a home user only needs access to the Internet and a Web browser," explains Matt Matin, a security and systems engineer at LandAmerica. "IPsec requires special client software, but its strength is that it also works with non-Web-based applications."
Avoid Internet Infections
An oft-cited security challenge is the risk that remote devices will pick up viruses and worms from the Internet and then infect the corporate network.
Dase says his company is "trying to be more aggressive" about patching host software with vulnerability fixes as they become available.
Keeping up with patches is a must, but it can be a challenge. So host-based intrusion-prevention software and network intrusion-detection systems can work at corporate sites in the interim to ferret out unusual protocol behaviours and known malicious bit patterns.
In addition, "Truly paranoid people do not allow split tunnels for home users," says Passmore. Split tunnelling involves a single home-user connection supporting both an encrypted tunnel for corporate network access and an unencrypted direct link to the public Internet. A more secure alternative is to route all remote-user Internet links through the corporate network.
But it can be costly to backhaul all traffic through the enterprise site. And the corporate firewall will need greater processing capabilities.
Passmore warns companies that allow split tunnelling to make sure that the home computer has antivirus software and that it's up to date.
"Remote polling for this purpose is now a major part of the network manager's job," he says.
Get Back to Basics
Enterprise use of effective password protection is crucial - but woefully scarce, "even though it's been 20 years since the movie War Games," says Lance Hayden, a manager in the Advanced Services for Network Security Practice at Cisco Systems. His group conducts network vulnerability assessments for organisations to help them find and plug security holes.
Hayden is referring to the 1983 film about a computer hacker who nearly starts a global nuclear war because of a lack of password protection in a military computer system.
Even though people seem to understand the need for password protection, "we continue to see remote access servers with no passwords or poor passwords that are easily guessed," says Hayden.
And user education about the importance of security and the basics of how to use it goes a long way.
Consider the notorious former Morgan Stanley executive who sold his BlackBerry device containing confidential information for $15.50 on eBay last summer. Cluing him in that removing the battery from the device wouldn't erase the data might have prevented the blunder.
In addition, it's a good idea to implement power-on passwords and encrypt any stored confidential data so that it isn't comprehensible to anyone who inherits, steals, finds, or in this case buys, the device.