Security decisions for home-worker setups

Last time, we discussed some options for getting your arms around the mammoth task of remote-access security management. Client devices can pick up infections on the Internet when offline, then infect the corporate network. Or they can fall prey to other malicious activity.

There are a few considerations for securing users who work from home, either full time or part time. Full-time teleworkers, theoretically, should be easier to manage and control by requiring a standard software image on their client laptops. On the other hand, this is becoming an increasingly gray area, as work and home lives blend and others in employees’ families share a home network and, possibly, a PC. There are many complexities here; we’ll look at just one this time.

Consider, for example, the issue of whether or not to allow “split tunneling” for home workers. Split tunneling refers to supporting, across a single physical access link, both an encrypted VPN tunnel for connecting to the corporate network and a direct, unencrypted connection to the public Internet. This is a policy decision you need to make for teleworkers.

It is more secure to route all teleworker public Internet connections through the corporate network. This way, centralized devices like firewalls and intrusion detection systems can make sure everything about the connection is A-OK.

The tradeoff is that it costs extra to backhaul all remote users’ traffic through the enterprise site to get back out to the public Internet. For example, you might need to beef up the processing capabilities on the data center firewall.  And end user performance might take a hit with the extra “stop” along the way.

What you decide about split tunneling boils down to the proper balance of usability for end users, cost, and degree of security that’s right for your organization. As is typical in networking, there is no cookie-cutter approach for all enterprises.