Telework security made easy

New NIST report guides you through the complex world of remote security.

Every so often, a terrific research report crosses my desk. NIST, the National Institute of Standards and Technology, recently released a white paper examining the security risks of telework. The 113-page report, "Security for Telecommuting and Broadband Applications,"  by D. Richard Kuhn, Miles C. Tracey and Sheila E. Frankel, is written in plain English, rife with useful charts and diagrams on how things work, and provides step-by-step instructions where needed.

The report covers everything from how to configure Web browsers, VPNs and firewalls, to controlling system access and the secure use of cordless phones and wireless LANs. The authors take a "cookbook approach," providing definitions of technical terms, handy summaries that drive home key points, checklists for helping network executives manage all the details, and sample telework policies for getting started. Small businesses exploring telework that lack a full-time IT person will find the report most useful, as will middle managers looking to better understand IT's concerns and challenges.

Here are a few NIST recommendations I found particularly keen, especially if you need high security:

  • Use both a software and hardware firewall. The hardware firewall permits other networked PCs to share an Internet connection using Network Address Translation, and a firewall software on each PC will identify any rogue code that attempts to transmit messages from your PC to an external system.
  • Use strong passwords. Create passwords of at least eight digits and characters in length, using a mix of upper and lower case. Think your existing password is original? Common names and words are always used first, and there are dictionaries of 500,000 passwords available to hackers that help them crack your system.
  • Beware plug ins and cookies. Limit browser plug-ins to only the ones you need to do your job. Turn off potentially dangerous options on plug-ins that are not in use. Make sure you're using the most up-to-date browser version, and make sure all cookies, JavaScript code, Java applets and ActiveX controls are disabled. Consider using a proxy server to cloak your identity while online.
  • Software imperatives. Use the most current browser and operating system. Install all the latest patches, disable the operating system's file and print sharing, deploy anti-virus software that checks for viruses, malicious code and spyware, and keep it updated.
  • Don't use public wireless LANs. Connecting to wireless LANs in airports and hotels typically requires you to disable encryption and access control. Any data transmitted will be unencrypted, and your system will be vulnerable to scanning from other clients connected to the LAN. If you must, connect using a VPN, set your firewall levels to the highest setting, restore encryption settings immediately upon logging off the network, and subsequently scan your system for viruses and spyware.
  • Deploy "least privilege" user access.Give teleworkers the minimum network access privileges they need to do their jobs. Even if trusted, giving users unnecessary access could lead them to misuse them accidentally, causing further network problems.
  • Create a DMZ. If possible put teleworkers' resources in a demilitarized zone on the network. The DMZ sits within the company's firewall, but is not part of the main network. Also consider using gateways to restrict access to highest-risk systems.
  • Provide frequent teleworkers with preconfigured PCs. Office-supplied laptops loaded with security and office applications minimize the chance of error in configuring complex applications like VPNs. Also, for added data security, provide a removable hard disk and secure it separately. Who gets a preconfigured system? Workers who need to access the network beyond e-mail, travel often and process sensitive data like personnel records.

Learn more about this topic

National Institute of Standards and Technology

Security research center

The latest news, reviews, how-tos and more.

This story, "Telework security made easy" was originally published by Net.Worker.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Now read: Getting grounded in IoT