How to Secure your Teleworkers with a VPN
Today’s enterprise is increasingly becoming a distributed workplace made up of branch offices, telecommuters, after-hour workers, contractors, business partners and mobile employees. Demand for remote access to enterprise network resources is being driven by a number of business trends. Employees are demanding flexible work arrangements. Companies are being driven to improve productivity and reduce costs. Business partners want real-time access to critical information.
The rise in teleworking is well documented. A Gartner Group study predicts more than 137 million workers worldwide will be involved in some sort of remote work by 2003. Also accelerating the distributed organization is the rapid adoption of affordable, widely available broadband Internet access. Internet users with broadband access will triple from 7% to 21% to 25 million users by 2003 and VPN expenditures will increase 529% by 2004 (Infonetics Research). Last year a government Labour Force Survey* showed that as much as 6% of the UK working population, equivalent to 1.5 million people, work for their employer or client via a remote link.
Yet security remains an issue. A joint report from the DTI and PricewaterhouseCoopers released earlier this year shows 44% of UK businesses suffered at least one malicious security breach in the past year. Many in the industry fear that the move towards teleworking and the corresponding change of the enterprise network from a closed, protected architecture to an open, Internet-based system leaves a lot of questions unanswered.
For example, how can companies prevent non-secure home networks from compromising their corporate networks? What can be done to protect remote workers against the constant threat of new viruses and worms? What is the best way to expand the telecommuting network without opening new security holes? How can they successfully manage a diversified, constantly changing telecommuting workforce? Finally, and perhaps most important of all, How do companies retain control over a network of widely distributed remote access points?
The common practice against unwanted Internet access has been to fortify the enterprise network’s main entrances against hackers. High-end security solutions are now in place at the main entrances to the enterprise network. But that is not enough. Although the front door may be fortified and monitored, the distributed enterprise faces a growing number of other network entrances from remote offices and workers. These remote sites often lack the enterprise class security and remote access protections found at larger sites. Not only do they place their own data and applications availability at risk, they also provide an unguarded “back door” into the headquarters network. Protecting remote offices and workers connected to the enterprise network requires the same security measures used protect the main entrance. But the high cost and complexity of these security solutions makes it inappropriate to deploy them at these locations.
With the arrival of affordable broadband Internet connections and standards based Virtual Private Networks (VPNs), communications links can be done quickly, cheaply, and safely across the world. VPNs can be used to connect mobile users using dial-up Internet connections, link two LANs together via the Internet, allow remote offices and users to securely access internal TCP/IP applications running on the corporate intranet and enable secure access to the corporate extranet for vendors, partners, and customers.
VPNs are generally perceived to be 100% impervious. However, the vast majority of existing VPN solutions on the market today do not make allowances for the fact that remote workers may themselves be on a small family network. This means the network activities of other family members could inadvertently leave the VPN tunnel open to unwelcome visitors.
To stay safe, SonicWALL recommends businesses should make sure their VPN solutions meet the following criteria:
- Isolate the telecommuter connection – where the teleworker unit is on a shared network at home it should not be possible for the VPN tunnel to be accessible to anyone else on the home network
- Enforce network protection at the telecommuter site – companies should consider giving teleworkers security levels at home that comply with the basic minimum corporate standards thereby enforcing a multi-layered defense mechanism that incorporates firewall, anti-virus, content filtering and authentication
- Scale the telecommuting network infrastructure – the majority of enterprises will require VPN connections with many different users so it is important that the solution should be scalable to allow security measures to be deployed rapidly via a web browser
- Manage telecommuting security policies – any solution must be capable of being managed remotely by the company’s service professionals so that the VPN links remain in full control of the organisation at all times
- Perform stateful inspection – where malicious attacks are detected at the application layer rather than at operating system level
- Comply with standards – IPSec, ICSA certification and PKI