Security and home PC access

Status
Not open for further replies.

discgolfer

Technical User
Jul 18, 2001
I am attempting to find out what others are doing for employees who have home PCs and access the corporate work environment. Currently, we have VPN access and supply virus checking software for free. But this doesn't stop a compromised computer from bypassing our firewall. We are considering buying firewall appliances for employees (who have a business need to access the network). Many already use a software firewall to help protect themselves. What I would like to know is what others are doing and what a best "business practice" would be for this common situation that most of us face? The goal is to protect the home PC before it accesses the corporate environment and its security measures.
 
Please read my reply in thread83-185710.

Depending on the number of remote workers you have, it might be more cost effective to buy one firewall and set up a DMZ, rather than buying 200 personal firewall devices.

Chip H.
 
Thanks for your input.

We do use DMZs and the thinking behind this is the 'defense in depth' concept. I think if a home PC has been compromised and passwords etc. have been gathered, a DMZ would not be effective against a person with root authority. Any comments, corrections to my thinking, or additional thoughts are appreciated.
 
An extremely security-minded company might look into RSA SecurID tokens. It's a token that the user keeps with them, it fits on a keyring, and has an authentication number on an LCD screen that changes every 60 seconds. A user must have a valid Username/password, as well as this number in order to gain access to the system. It's compatible with many different network infrastructure types. You can get more information at


It's the best I've seen/used.

Marc Creviere
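The two-factor check described in the post above, as an added example that is not part of the original thread and is not RSA's code: SecurID's algorithm is proprietary, so the open HOTP/TOTP construction (RFC 4226/6238) with a 60-second step stands in for it. The account record, password and seed are constructed sample values; a password captured from a compromised home PC fails without the current code, and a captured code stops working once it ages out of the drift window.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds a displayed code stays valid, as in the post above


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def token_code(secret: bytes, now: float) -> str:
    """Code the token would display at Unix time `now`."""
    return hotp(secret, int(now) // STEP)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash so the server never stores the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def authenticate(user: dict, password: str, code: str, now: float,
                 drift: int = 1) -> bool:
    """Require BOTH factors; tolerate `drift` steps of clock skew either way."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]),
                                user["pw_hash"])
    counter = int(now) // STEP
    code_ok = any(
        hmac.compare_digest(hotp(user["seed"], c), code)
        for c in range(max(counter - drift, 0), counter + drift + 1)
    )
    # Evaluate both factors before answering so a failure does not reveal
    # which of the two was wrong.
    return pw_ok and code_ok


# Constructed sample account (hypothetical values, RFC 4226 test seed).
SALT = b"constructed-salt"
USER = {
    "salt": SALT,
    "pw_hash": hash_password("correct horse", SALT),
    "seed": b"12345678901234567890",
}
```

A production deployment would also reject a code that has already been accepted once, so a code observed in transit cannot be replayed inside its validity window.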
 
I have a cable/DSL router running NAT. On my workstation(s) I run either ZoneAlarm (for ease of setup/use) or Norton's Personal Firewall (for the ability to set rules). I can also set rules on my router, but for end users this is too much. I would suggest at least a hardware firewall, like NetGear, and a software firewall. I have noticed by going to GRC.com and others there is little to no difference with/without the software firewall running for incoming traffic. I am hidden all the same. I use software firewalls to alert me of outgoing traffic. All of this just keeps me safe while on the internet; I use a VPN extranet client to connect to my work's network.

Hope this helps and remember...if your company plans to be up on technology...then why be stuck connecting at 56k?
 
Checkpoint VPN-1 comes with some nifty centralized management that will allow you to push rules onto clients and only allow connections from systems with up-to-date a/v and with specific firewall rules (it also can come with firewall-1 as part of the client software).

Didn't look to be too expensive (relatively speaking, of course... it's too expensive for me right now).
 