VPN to a corporate network from a personal laptop

Status
Not open for further replies.

mavenmania

Programmer
Apr 2, 2011
1
US
Working with computers since the 90's, it's a shock that this issue is not getting as much heat as it should be, or if it is, I am not hearing about it.

Corporations have policies that state inappropriate materials are banned and will lead to termination. Now, some companies have weak firewalls which allow this trash to enter the system; do a Google search for "Network Security" and click the first link without reading it, there is a chance it takes you to a pornographic site, and you click a link on the pornographic site because you don't realize it's such a site because a genius put his blog on network security on the top of the page and you never scrolled to the bottom of the page where the pictures are. But the page is loaded and cached regardless of whether you scrolled to the bottom or not, so technically, bye bye to your job for an accidental click.

Now, corporations should allow employees to connect to their VPNs using personal laptops so that employees who actually care about losing their jobs due to these accidents can install personal firewalls on their personal laptops when they connect to the VPN. Employees are not allowed to touch the firewall configs on their corporate laptops because it's company property, fine, but they should be allowed to connect to the VPN from any computer where they can control the firewall. Also, what if a person is offended by pictures of lingerie but the company firewall allows it? The person should have the right to configure his personal firewall to block all sites about lingerie; otherwise the company becomes guilty of forcing the employee to work under unfair conditions.

So... what kinds of experiences have people had here regarding connecting to their company VPN using a home laptop? Do people agree that this is the only solution to prevent these things from happening? Otherwise, they create a policy which they themselves break by allowing this content through in the first place and fire left and right. And there is no way they would go about modifying firewall rules for different people; people have the right to be offended by some things and not others, and only by allowing them to configure their own firewall on a personal laptop will connecting to the company VPN make this possible.

What do people think?
 
This seems to be a blog about bad HR and IT policies, rather than a problem I can help with.

I tried to remain child-like, all I achieved was childish.
 
There is no way in hell I'd willingly let a user connect his personal laptop to my corporate network.

I don't see the sense in that at all. I'm interested in protecting my company's network and I can only do that if all devices on it are under company control.
 
There is no way in hell I'd willingly let a user connect his personal laptop to my corporate network.

Interesting POV. I almost feel the same way about letting corporate networks touch my private network, which is also used for business operations. It has been my unfortunate experience that most corporate networks are full of blatant security holes, largely consist of out-of-date Windows boxes that have long been PWN'd, infested with viruses and other forms of parasite-ware, and managed by overpaid inept idiots that think they are techno-gods and whose only response to problems is to claim it is an unauthorized feature and promptly try to disable it. I say almost, because I actually have a bit of confidence in the security measures that I have in place that are real security, not the usual corporate security theater, but security that actually works without being worse than the stuff that it supposedly protects against.

Granted, way too many individuals who don't know a USB port from a gopher hole have computers and these are a problem. The idea which your post conveys, that your "corporate network" is somehow inherently superior or more secure, is just plain ignorant.
 
No network is inherently superior or more secure; however, it is the IT person's job to maintain firewalls and patch levels to protect his/her network. How can they accomplish this if they are allowing computers to connect to their network that they do not control?

Furthermore, why would you let a corporate network touch your private network? Toss the corporate laptop into a DMZ if you are worried about it, segment it from the rest of your private network. I have no problems with that; my problem is with the assumption that the solution is to allow non-IT controlled assets to connect to the corporate network.
 
First, let me apologize for the intensity of my previous response. I was reacting mostly to the "no way in hell I'd willingly let a user" part.

In terms of asset protection, I don't entirely agree with the idea that it must be "under the control of IT" in order to be secure enough to be connected to your system. I think you are confusing, and possibly equating, control with security. I agree that it is the job of the IT department to maintain the security, but I don't agree that maintaining control provides the security, nor do I believe that it needs to be under your control in order to be secure or even to verify or guarantee security.

A skilled, but malicious, person could wreak all sorts of havoc on your system even using assets that your IT dept controls. Similarly, an unskilled person could unintentionally wreak the same level of havoc through inadvertent means. Nature also has a way of introducing variables into a system that cause problems that are typically far worse than even a malicious person can devise.

Instead of focusing on ownership and control, which I would argue provide a false sense of security, you would be better off to focus on building sufficient understanding of expectations and security requirements along with practices to verify that those that connect to your network have taken proper security precautions.


 
No worries about the previous response, I guess it's more of a difference in opinion when it comes to security.

I know there are differing schools of thought out there and I know for certain that no solution is complete or unbreakable or unexploitable. I've just always been of a mind to place as much as possible under control of IT/Security and disallow assets not explicitly patched and managed via IT from accessing the network. I know that's not universal, just the way I prefer them.
 