
Protecting the homefront

How to make the home office as secure as the main office.



He waves to the office complex security guard at 6:13 a.m., rides the elevator to the second floor, and says hello to the secretary by name before popping into a nearby cubicle. After logging on with information gained earlier by posing as a help desk technician, he runs a program from his CD that scours your branch office network for various data files. He says goodbye to the security guard at 6:27, and you say goodbye to your corporate secrets at 6:30.

Several months later, you're deep in the middle of a well-planned hostile takeover.

The moral of the story: don't think you're immune just because you're running a corporate firewall. Nor are your teleworkers immune just because they appear to be small targets - they may very well become the target of choice in the near future. If you don't want your teleworkers to be the weak link in your corporate security plan, you must take several key steps.

Audits aren't just for accountants...
The best and least expensive approach to prevent your teleworkers, mobile warriors and branch offices from becoming the weak link in your corporate security plan is to conduct a thorough security audit.

First, list all the physical and logical points of entry and interception used by hackers and viruses. Second, map out how well a variety of security products and operating system tweaks address each of the points. Third, evaluate your options based on their initial cost, installation cost, cost of upgrades, and maintenance cost over the typical PC life cycle, arriving at a total life-cycle cost. Finally, choose the mix of products that secures all points of entry while minimizing total cost.
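The four audit steps above can be worked through as a small coverage-and-cost calculation. The following is an added example, not part of the original article; the entry points, control names and dollar figures are constructed for illustration.

```python
from itertools import combinations

# Step 1 (constructed sample): points of entry and interception to cover.
ENTRY_POINTS = {"inbound_internet_scan", "eavesdropping_on_broadband",
                "family_member_on_work_pc", "unauthorized_software",
                "email_interception"}

# Steps 2-3 (constructed sample): what each control addresses, and its
# life-cycle cost as (initial, installation, upgrades, maintenance) in dollars.
CONTROLS = {
    "cable_dsl_firewall_router": ({"inbound_internet_scan"}, (150, 25, 0, 30)),
    "distributed_firewall": ({"inbound_internet_scan",
                              "family_member_on_work_pc"}, (60, 20, 30, 40)),
    "vpn_client": ({"eavesdropping_on_broadband",
                    "email_interception"}, (80, 30, 20, 40)),
    "email_encryption": ({"email_interception"}, (40, 10, 10, 20)),
    "locked_down_os_image": ({"family_member_on_work_pc",
                              "unauthorized_software"}, (0, 50, 0, 60)),
}

def life_cycle_cost(name, controls=CONTROLS):
    """Total cost of one control over the PC life cycle."""
    return sum(controls[name][1])

def uncovered(selection, entry_points=ENTRY_POINTS, controls=CONTROLS):
    """Entry points that no control in the selection addresses."""
    covered = set().union(*(controls[c][0] for c in selection))
    return set(entry_points) - covered

def cheapest_full_coverage(entry_points=ENTRY_POINTS, controls=CONTROLS):
    """Step 4: the cheapest mix that leaves no entry point uncovered."""
    names = sorted(controls)
    gap = uncovered(names, entry_points, controls)
    if gap:
        # The audit found a hole that no candidate product closes.
        raise ValueError(f"no mix covers: {sorted(gap)}")
    best, best_cost = None, None
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            if uncovered(combo, entry_points, controls):
                continue
            cost = sum(life_cycle_cost(c, controls) for c in combo)
            if best_cost is None or cost < best_cost:
                best, best_cost = combo, cost
    return best, best_cost

if __name__ == "__main__":
    print(cheapest_full_coverage())
```

The exhaustive search is fine for the handful of candidate products a small audit compares; an entry point that nothing covers is reported as an error rather than silently dropped.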

Back to basics
But before you spend a fortune on the latest technology, spend some effort enforcing the basic rules of security. Your expensive security system will quickly succumb if your teleworkers are letting family members log onto the corporate VPN or running unauthorized software. While it's easy to control the activities of your corporate users through scripts and policies, doing the same for your teleworkers is significantly more challenging.

Review the corporate security policy. Teleworkers have specific needs and concerns, which should be addressed separately. Due to their vulnerable position, they may not be able to have access to the same assets as those working inside the corporate firewall.

It's a good idea to outline the corporation's right to secure its assets - some teleworkers can become rather possessive of the computer you provide them, simply because it's inside their home. Gently remind them that while the computer resides in their home, the corporation retains ownership. Ensure your teleworkers review and sign a copy of the policy.

Finally, educate your teleworkers. Impress upon them the consequences of downtime caused by not following the policy, and how it can affect the corporation as a whole, not to mention the teleworker's ability to do their job.

Separate and isolate
If your teleworker has a dedicated workstation, lock it down before it leaves the IT shop. Cloning a well-tweaked Windows 2000 Professional reference machine for installs will ensure uniformity. Avoid naming the computer "CorporationX-101" - choose something a little less revealing, such as "WS-11435." If the teleworker has a high-speed connection and a VPN, consider having them log on to the corporate network so you can maintain their systems as if they were local.

Naturally, you can expect some of your teleworkers to resist your security policies. If the company provided them with a computer, however, remind them that it still owns the computer, as well as every information system accessed by that computer. The company has a right to protect its electronic assets. Fortunately, there are ways to soften this harsh reality.

One approach is to sweeten the pot with free 24-7 high-speed Internet access for the family. Because cable modem service averages only $10 more than midlevel cable service, adding free cable TV will go a long way in the area of employee relations. It may seem contrary to teleworker efficiency to provide them with TV service. But if you don't provide it, nearly all employees will get cable on their own, anyway. The savvy company will foot the bill.

While you're securing a teleworker's workstation, place appropriate restrictions on their access to corporate files. Few teleworkers should ever have access to all corporate databases. Limiting their access will also limit access to anyone who breaches the teleworker's security system.

Firewalls - building the barrier
Firewalls are a must, regardless of the type of Internet access. If you're running a distributed firewall, ensure its policies are similar to those used by your corporate users, and that it can receive policy updates through the VPN. The only differences in policies should be those required for remote access. Limit VPN to the teleworker's profile. Ensure the accounts created by your teleworker for friends and family do not have VPN access.

Distributed firewalls are one of the more intriguing offerings. These software firewalls reside on every workstation and laptop, and synchronize with the policies dictated by the corporation's main firewall when connected directly to the LAN or via the Internet through a VPN.

Check Point Software's offerings are beginning to mature, and the company offers one of the most comprehensive sets of security solutions for corporate environments. When integrated, its Firewall-1, VPN-1, and VPN-1 Secure Remote provide a comprehensive, centrally-managed security solution. The VPN works with the firewall. If it detects evidence of tampering in the firewall's rule set, it refuses the VPN session.

Another outstanding offering is Sygate's Enterprise Network, which won a Blue Ribbon Award in our review of personal firewalls last year. While it doesn't have quite the feature set of Check Point's product line, it's a secure, low-cost, centrally-managed system ideally suited for smaller firms with mobile workers and teleworkers.

If your teleworkers connect via cable modem or DSL, spend the extra $150 for a good cable modem/DSL firewall such as LinkSys's BEFSR41. Its latest firmware allows IP Security passthrough, and the unit's four ports also let other family members use it. NetGear's FR314 ups the ante by providing stateful packet inspection in addition to network address translation, along with Internet access filtering that eases parental worry by blocking content unsuitable for kids, as does SOHOware's BroadGuard.

If they're one of the few connecting via ISDN, satellite or wireless, you may be able to use this type of device, depending on the connection setup. If you choose to offer this benefit to your teleworker, protect their machine from family members with a distributed firewall or a good stand-alone software firewall such as ZoneAlarm or Symantec's Desktop Firewall.

VPNs - securing the data stream
Securing remote workers isn't easy - dedicated lines such as T-1 and frame relay are too expensive, and dial-up is too slow. Broadband is fast, but it's not secure.

While some cable modem companies still use hubs for their customers, others, such as Cox Communications, use router-based connections to eliminate IP broadcasts and stop network browsing. Still, any Web site you surf knows your IP address, and that's all a hacker needs.

On the Internet, you never know who's listening. Anyone with the right equipment and physical access somewhere along the datastream can eavesdrop. You should take the same care to protect your teleworker's datastream that you take to secure your Web site's electronic transactions.

Unless you encrypt your teleworker's data using a VPN, that data, including e-mail, is open to eavesdroppers. If all your teleworker does is write "how-to" articles, a VPN may be overkill. If they e-mail confidential information, consider using an e-mail encryption system, such as Pretty Good Privacy. But if they regularly access a corporate database, a VPN is mandatory.

The question is "which VPN?" There are too many vendors and variables to list here. However, Network World's articles on VPN hardware and VPN software are two great places to start. You may even have VPN capabilities built into your current corporate router.

Unless you're running the latest distributed firewall technology, encrypting everything on your LAN, and using VPNs for all external connections, you're a target for hackers - especially if your corporation has branch offices, mobile warriors and teleworkers. Taking the appropriate steps to secure your network beyond the edge requires some careful planning, but is well worth the effort.

Besides, you'll sleep better at night - and so will your boss.

Next article: Teleworker support - Who to call when things go wrong, and how to prevent most problems from happening in the first place.



Online resources
Vendors:
Check Point
Sygate
SOHOware
LinkSys
ZoneAlarm
Symantec
Pretty Good Privacy
Articles:
Network World VPN hardware
Network World VPN software


Janss is the president of Jansys Information Systems, a consulting firm specializing in IS technologies for small businesses. He can be reached at bizcom@jansys.com.
