I think a properly secured (i.e. no access to local drives) Terminal
Server is the way to go with this if they are wanting this ability.

Adam

-----Original Message-----
From: ***@securityfocus.com [mailto:***@securityfocus.com]
On Behalf Of Christopher Kelley
Sent: Wednesday, May 09, 2007 8:58 AM
To: ***@tmo.blackberry.net; ***@fcglv.com;
***@securityfocus.com; security-***@securityfocus.com
Subject: Re: Home laptops on a corporate network

Keep in mind the original question.... We are talking about PERSONAL
laptops here. Doing all of these things to non-company assets is
unfeasable. Not to mention, you would be liable if a patch rendered the
system (or any part of
it) unuseable, or if the employee was no longer able to install things
to the system, or whatever. This could be reduced by an agressive
AUP/EULA, but in the end the risk is most definately NOT worth the
reward.

You need to think about all the things that this laptop would encounter,
and how you would safeguard the EPHI that is on the system. It is just
not possible with a non-company asset.

Heck, it is hard enough with a _company_ owned asset.

Trust me on this, your client and your client's IT people will be very
thankful in the long run if you squash this right now.


From: ***@tmo.blackberry.net
Reply-To: ***@tmo.blackberry.net
To: "Petter Bruland" <***@fcglv.com>, ***@securityfocus.com,

***@hotmail.com, security-***@securityfocus.com
Subject: Re: Home laptops on a corporate network
Date: Tue, 8 May 2007 23:42:17 +0000
MIME-Version: 1.0
Received: from smtp05.bis.na.blackberry.com ([216.9.248.52]) by
bay0-mc5-f2.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Tue,
8
May 2007 16:42:24 -0700
X-Message-Info:
oG9qAjD2BNG0yVlB517PPNHCtMVimjpzoMreuYyIO2oP8zkmi6D3iEQ4Sb8YSCTqzgGU4Vnn
Nk4=
References: <***@securityfocus.com>
<***@fpgm01.fpglv.ads>
Sensitivity: Normal
Return-Path: ***@tmo.blackberry.net
X-OriginalArrivalTime: 08 May 2007 23:42:24.0079 (UTC)
FILETIME=[872F3DF0:01C791CA]

One of the advantages of using SMS for patch management is you can force
a
patch scan and push as soon as they connect to the network (vpn, dial
up, or
regular). SMS is a pain to configure for patch management, but it's
worth
it.

Geoff
Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: "Petter Bruland" <***@fcglv.com>
Date: Tue, 8 May 2007 10:51:40
To:<***@hotmail.com>, <security-***@securityfocus.com>
Subject: RE: Home laptops on a corporate network

Totally agree, not recommended.

Earlier we had some posts about patch management, and from what I
gathered, you could get some control by using PatchLink. Although, that
does not protect you 100%, you could place the VPN users on their own
VLAN where you can restrict the amount of access to internal
servers/services.

I've seen a different "solution" (not sure how much of a solution that
is) where the firewall is a high end Sonicwall, like the 4060 etc, and
the VPN clients were terminated to their own LAN segment. Then the
Sonicwall would use it's Security Services (Content filter, gateway AV,
Client AV enforcement, anti-spy ware, intrusion prevention) to filter
traffic between the VPN users and the rest of the network.

Also I'm not too familiar with the restrictions of HIPAA and SOX, so the
above might not event be "allowed" according to HIPAA/SOX.

I think this is a very common scenario, so any feedback (NOT FLAMING) is
appreciated.

-Petter

-----Original Message-----
From: ***@securityfocus.com [mailto:***@securityfocus.com]
On Behalf Of ***@hotmail.com
Sent: Tuesday, May 08, 2007 10:12 AM
To: security-***@securityfocus.com
Subject: Re: Home laptops on a corporate network

I'd recommend NOT doing this. Especially if you are trying comply with
HIPAA. Keep in mind that you will have little to no management
capability over these personal laptops, which means you have no ability
to verify patch level and AV update on these machines that may have EPHI
on them. Not to mention the fact that these employees are probably
taking them home and plugging them into their home networks, where they
(or their kids) are running bearshare, gnutella, grokster, bitorrent,
and surfing to unfiltered web sites. Not only does this mean that they
are potentially exposing critical data in this manner, it also means
they are bringing potentially infested computers into the soft chewy
center of your network.


Whenever you have an employee with a laptop, you create a liability to
your network, allowing them to use personal laptops presents an even
bigger liability. IMHO, this level of risk is unacceptable, especially
from a HIPAA compliance standpoint.

_________________________________________________________________
Like the way Microsoft Office Outlook works? You'll love Windows Live
Hotmail.
http://imagine-windowslive.com/hotmail/?locale=en-us&ocid=TXT_TAGHM_migr
ation_HM_mini_outlook_0507

Can't your boss afford a bunch of old p2's? Its not like he needs to run out and grab all new p4's for temps. Get a bunch of p2 throw w2k on them (I'm sure the licenses are cheap now). Problem solved.

Geoff

Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: "Adam Rosen" <***@buffdata.com>
Date: Wed, 9 May 2007 12:55:44
To:<security-***@securityfocus.com>
Subject: RE: Home laptops on a corporate network

The reason is that the office has a lot of fee-for-service employees,
and they don't want to pay for a lab big enough for these people to come
in and do paperwork, so they want them to be able to use their own
laptops to get their work done.

Adam

-----Original Message-----
From: ***@securityfocus.com [mailto:***@securityfocus.com]
On Behalf Of Yousef Syed
Sent: Tuesday, May 08, 2007 7:35 PM
To: security-***@securityfocus.com
Subject: Re: Home laptops on a corporate network

Just wondering...
But is it possible to setup a locked-down VMWare image for external
laptop users to use if they really-really need access your corporate
network. (a small subsection of the network inside its own DMZ
specifically designed to share data)


Personally, I can't think of a reason why an external laptop (or USB
drive for that matter) would need access to the internal corporate
network anyway. They can be provided with separate access to get onto
the internet from a segmented system that has no access to the Internal
system.

ys


On 08/05/07, Ansgar -59cobalt- Wiechers <***@planetcobalt.net>
wrote:
> On 2007-05-08 ***@hotmail.com wrote:
> > I'd recommend NOT doing this. Especially if you are trying comply
> > with HIPAA. Keep in mind that you will have little to no management
> > capability over these personal laptops, which means you have no
> > ability to verify patch level and AV update on these machines that
> > may have EPHI on them. Not to mention the fact that these employees
> > are probably taking them home and plugging them into their home
> > networks, where they (or their kids) are running bearshare,
> > gnutella, grokster, bitorrent, and surfing to unfiltered web sites.
> > Not only does this mean that they are potentially exposing critical
> > data in this manner, it also means they are bringing potentially
> > infested computers into the soft chewy center of your network.
> >
> > Whenever you have an employee with a laptop, you create a liability
> > to your network, allowing them to use personal laptops presents an
> > even bigger liability. IMHO, this level of risk is unacceptable,
> > especially from a HIPAA compliance standpoint.
>
> I wholeheartedly second that recommendation. Allowing corporate data
> on private computers (or private computers on a corporate network) is
> a bad, BAD practice. Never EVER do that. You really want to do the
> exact
> opposite: establish a policy that *prohibit* employees from
> transferring corporate data to private computers, and have it signed
> by each employee.
>
> Regards
> Ansgar Wiechers
> --
> "All vulnerabilities deserve a public fear period prior to patches
> becoming available."
> --Jason Coombs on Bugtraq
>



--
Yousef Syed
"To ask a question is to show ignorance; not to ask a ques

Personally I think you're better off going with a solution such
as Citrix with Secure Gateway. That way the person will only have a
http/ssl connection to the secure gateway server, don't allow mapping of
local drives, force everything to be off the server. The people who
bring their laptops in can be put on a separate VLAN with the only
communication allowed to the corporate network via the Secure Gateway
box.

I've been pushing hard for something like this for people who
want to work from home in my current company. Currently it's just the
Cisco VPN client giving them full access to our global network which
imho is shocking. I think I'm finally making some leeway in to
convincing people to allow me to set this up at least for our office and
I'm expecting to get the go-ahead in the not too distant future.


-----Original Message-----
From: ***@securityfocus.com [mailto:***@securityfocus.com]
On Behalf Of Petter Bruland
Sent: Thursday, 10 May 2007 6:07 AM
To: Yousef Syed; security-***@securityfocus.com
Subject: RE: Home laptops on a corporate network


Sounds like a good idea, but there are security vulnerabilities with
VMWare. Not sure if any current malware/spy ware/virus takes advantage
of these flaws though.
Also how the OS within the VMWare image is configured has a great deal
to do with how secure it is.

Sounds like it would be hard to maintain these VMs and make sure that
they are *clean*.

One way that sounds easier to configure and maintain, is setting up a
VLAN X where the VPN clients connect, then only allow RDC via port XXXX
to VLAN Y where they can access either a Terminal Server or their office
PC.
And have some nice filtering setup between the VLANs, such as a
Sonicwall, Cisco, Barracuda etc.


A lot of good ideas and questions has been posted here, but nobody has
mentioned anything about two factor authentication or password
management in combination with remote access.

Assuming you have a pretty good setup, where the clients are checked
before entering the network as well as filters to prevents all sorts of
*bad* things from happening. With weak passwords or a poor password
policy, you could have users accessing the network who should not be
there.

Seems that if you're HIPAA/SOC, you should not have remote access :-(


-Petter





-----Original Message-----
From: ***@securityfocus.com [mailto:***@securityfocus.com]
On Behalf Of Yousef Syed
Sent: Tuesday, May 08, 2007 4:35 PM
To: security-***@securityfocus.com
Subject: Re: Home laptops on a corporate network

Just wondering...
But is it possible to setup a locked-down VMWare image for external
laptop users to use if they really-really need access your corporate
network. (a small subsection of the network inside its own DMZ
specifically designed to share data)


Personally, I can't think of a reason why an external laptop (or USB
drive for that matter) would need access to the internal corporate
network anyway. They can be provided with separate access to get onto
the internet from a segmented system that has no access to the Internal
system.

ys


On 08/05/07, Ansgar -59cobalt- Wiechers <***@planetcobalt.net>
wrote:
> On 2007-05-08 ***@hotmail.com wrote:
> > I'd recommend NOT doing this. Especially if you are trying comply
> > with HIPAA. Keep in mind that you will have little to no management
> > capability over these personal laptops, which means you have no
> > ability to verify patch level and AV update on these machines that
> > may have EPHI on them. Not to mention the fact that these employees
> > are probably taking them home and plugging them into their home
> > networks, where they (or their kids) are running bearshare,
> > gnutella, grokster, bitorrent, and surfing to unfiltered web sites.
> > Not only does this mean that they are potentially exposing critical
> > data in this manner, it also means they are bringing potentially
> > infested computers into the soft chewy center of your network.
> >
> > Whenever you have an employee with a laptop, you create a liability
> > to your network, allowing them to use personal laptops presents an
> > even bigger liability. IMHO, this level of risk is unacceptable,
> > especially from a HIPAA compliance standpoint.
>
> I wholeheartedly second that recommendation. Allowing corporate data
> on private computers (or private computers on a corporate network) is
> a bad, BAD practice. Never EVER do that. You really want to do the
> exact
> opposite: establish a policy that *prohibit* employees from
> transferring corporate data to private computers, and have it signed
> by each employee.
>
> Regards
> Ansgar Wiechers
> --
> "All vulnerabilities deserve a public fear period prior to patches
> becoming available."
> --Jason Coombs on Bugtraq
>



--
Yousef Syed
"To ask a question is to show ignorance; not to ask a question, means
you remain ignorant" - Japanese Proverb

This would potentially become a problem as the list of required applications grows...for small corporate environements microsoft office may be the only requirement. For R&D operations you need compliers, source control tools, remote management products, test harnesses ....the list goes on..

Thanks
mathew

-----Original Message-----
From: owner-***@y9mail.aus.agilent.com [mailto:owner-***@y9mail.aus.agilent.com] On Behalf Of Johnny Wong
Sent: Thursday, 10 May 2007 1:18 PM
To: security-***@securityfocus.com
Subject: [bugtraq] Re: Home laptops on a corporate network

I have an idea and would like to throw it to the list. Maybe we could
create LiveCDs for these users. And the only way they can access to
the corporate network is through this CD. The CD will be customised
with the VPN client, office apps etc. That way, it is not possible
for information to leak from a more secure state to one which is unknown.

JW

At 07:34 AM 9/05/2007, Yousef Syed wrote:
>Just wondering...
>But is it possible to setup a locked-down VMWare image for external
>laptop users to use if they really-really need access your corporate
>network. (a small subsection of the network inside its own DMZ
>specifically designed to share data)
>
>
>Personally, I can't think of a reason why an external laptop (or USB
>drive for that matter) would need access to the internal corporate
>network anyway. They can be provided with separate access to get onto
>the internet from a segmented system that has no access to the
>Internal system.
>
>ys
>
>
>On 08/05/07, Ansgar -59cobalt- Wiechers <***@planetcobalt.net> wrote:
>>On 2007-05-08 ***@hotmail.com wrote:
>> > I'd recommend NOT doing this. Especially if you are trying comply with
>> > HIPAA. Keep in mind that you will have little to no management
>> > capability over these personal laptops, which means you have no ability
>> > to verify patch level and AV update on these machines that may have EPHI
>> > on them. Not to mention the fact that these employees are probably
>> > taking them home and plugging them into their home networks, where they
>> > (or their kids) are running bearshare, gnutella, grokster, bitorrent,
>> > and surfing to unfiltered web sites. Not only does this mean that they
>> > are potentially exposing critical data in this manner, it also means
>> > they are bringing potentially infested computers into the soft chewy
>> > center of your network.
>> >
>> > Whenever you have an employee with a laptop, you create a liability to
>> > your network, allowing them to use personal laptops presents an even
>> > bigger liability. IMHO, this level of risk is unacceptable, especially
>> > from a HIPAA compliance standpoint.
>>
>>I wholeheartedly second that recommendation. Allowing corporate data on
>>private computers (or private computers on a corporate network) is a
>>bad, BAD practice. Never EVER do that. You really want to do the exact
>>opposite: establish a policy that *prohibit* employees from transferring
>>corporate data to private computers, and have it signed by each
>>employee.
>>
>>Regards
>>Ansgar Wiechers
>>--
>>"All vulnerabilities deserve a public fear period prior to patches
>>becoming available."
>>--Jason Coombs on Bugtraq
>
>
>
>--
>Yousef Syed
>"To ask a question is to show ignorance; not to ask a question, means
>you remain ignorant" - Japanese Proverb

The places I come as a systems consultant don't use the measures you are
talking about here. I of cause tell them that they should but they just
look at me as if I was from the moon or what not. To make matters worse
my boss seems to think that's it a good idea to give all users local
admin rights on their pc's and tells me to do the same. I did try do
tell him that it is more then normal stupid but he wont listen to me. He
is the senior consultant and I'm the junior consultant and as such not
taken to serious even though it seems I to know more about real life
security then he does. The best solution I can offer our clients must be
the G/ON usb key. But it's also very expensive so not to many of our
costumers want it.

-----Original Message-----
From: ***@securityfocus.com [mailto:***@securityfocus.com]
On Behalf Of Shawn
Sent: 11. maj 2007 20:50
To: marc
Cc: ***@gmail.com; security-***@securityfocus.com;
security-basics-return-***@securityfocus.com
Subject: RE: Home laptops on a corporate network

>> Wouldn't a regular vpn just open for all kinds of badware they have
on
> their home computer? And if you issue a work computer for them it will
> be used as their normal computer and properly be as infected as their
> home computer anyways.

No.


At least not if your company properly manages it's laptops...our user's
privileges are extremely, extremely restricted through group
policy/local
security settings. They can't web browse. They can't install any
software/apps.
They can't modify any system settings. They are not at all used in
the same manner that the user's "normal" computers are. They do not pose

nearly the same risk that the user's "normal" computers do.

Furthermore, users are required to bring their laptops into the office
on
a regular basis for virus scanning/WSUS patching.

Obviously, you can tailor your own company's group policy to suite your
own specific needs.

Again, I don't think comparing company managed equipment to home
equipment
is a fair comparison at all if the company exercises any decent means of

control.


On Fri, 11 May 2007, marc wrote:

> Sorry in advance for anything stupid. I'm still just a wannabe newbie
in
> security :)
>
> Wouldn't a regular vpn just open for all kinds of badware they have on
> their home computer? And if you issue a work computer for them it will
> be used as their normal computer and properly be as infected as their
> home computer anyways. Why not use a product that can be used with
their
> home computer but one that don't have to be installed. I have this usb
> key I have been issued at work from this company.
>
> http://www.giritech.com/
>
> It's mighty fancy. It will allow me to connect to our citrix server
and
> do my work without any risk of our citrix server being infected by any
> thing on my work issued laptop.
>
> Disclaimer: I do have any relations with giritech I'm just a happy
user
> of their product.
>
> And sorry for spelling mistakes, none native English speaker here. :)
>
> -----Original Message-----
> From: ***@securityfocus.com
[mailto:***@securityfocus.com]
> On Behalf Of Shawn
> Sent: 11. maj 2007 19:06
> To: ***@gmail.com
> Cc: security-***@securityfocus.com;
> security-basics-return-***@securityfocus.com
> Subject: RE: Home laptops on a corporate network
>
> I take it assigning the users who need to work from home company
> owned/managed laptops, and then providing VPN access to these laptops,
> is just not an option?
>
> Setting up -somewhat- secure access to the corporate network from a
> staffers home computer just seems like too much trouble and too much
> risk
> for what you gain...it'd just be easier to buy/image/issue laptops.
>
> On Fri, 11 May 2007, ***@gmail.com wrote:
>
>> If this scenario is an absolute must, even in the face of HIPAA (and
> if this were my data, I'd be highly concerned about this company...),
> then I do like having users VPN into an isolated network segment and
> then connect to a Terminal Server to do their work.
>>
>> However, not to throw monkeywrenches in, but this solution still does
> nothing about keyloggers, screenscrapers, or even a full-blown screen
> capture program running to record all this data. Even just one frame
of
> a doc open can be enough to spoil your HIPAA party depending on the
data
> these users have access to. Really, there's nothing you can do about
> this other than disallowing their home systems.
>>
>> You do have to pretend two things:
>> 1) Assume you have the filthiest, most infected, worm-ridden home PC
> ever connecting to your network.
>> 2) Assume one of these workers will be wanting to sell this data or
> maliciously gather and use it.
>>
>> You can take action against 1, but you're not going to be able to
> audit 2 unless you own the devices they are allowed to use.
>>
>
>

Additionally, a corporate asset taken home would likely have a VPN client installed. The gateway can then check (through the client) that the laptop is still running anti-malware tools, that the tools are at the proper revision levels, and can require the client be used for all Internet communication. Failing any of those checks, the gateway would not allow the connection. The gateway will also check periodically that the conditions are still true, and if not, disconnect.

But, yes, to your first point, you would not open up a VPN connection for their personal home computer. In that case, you would want to use terminal services or Citrix.

Kind Regards,
 
Scott Ramsdell
CISSP, CCNA, MCSE
Security Network Engineer


-----Original Message-----
From: ***@securityfocus.com [mailto:***@securityfocus.com] On Behalf Of Shawn
Sent: Friday, May 11, 2007 1:50 PM
To: marc
Cc: ***@gmail.com; security-***@securityfocus.com; security-basics-return-***@securityfocus.com
Subject: RE: Home laptops on a corporate network

>> Wouldn't a regular vpn just open for all kinds of badware they have on
> their home computer? And if you issue a work computer for them it will
> be used as their normal computer and properly be as infected as their
> home computer anyways.

No.

At least not if your company properly manages it's laptops...our user's
privileges are extremely, extremely restricted through group policy/local
security settings. They can't web browse. They can't install any software/apps.
They can't modify any system settings. They are not at all used in
the same manner that the user's "normal" computers are. They do not pose
nearly the same risk that the user's "normal" computers do.

Furthermore, users are required to bring their laptops into the office on
a regular basis for virus scanning/WSUS patching.

Obviously, you can tailor your own company's group policy to suite your
own specific needs.

Again, I don't think comparing company managed equipment to home equipment
is a fair comparison at all if the company exercises any decent means of
control.


On Fri, 11 May 2007, marc wrote:

> Sorry in advance for anything stupid. I'm still just a wannabe newbie in
> security :)
>
> Wouldn't a regular vpn just open for all kinds of badware they have on
> their home computer? And if you issue a work computer for them it will
> be used as their normal computer and properly be as infected as their
> home computer anyways. Why not use a product that can be used with their
> home computer but one that don't have to be installed. I have this usb
> key I have been issued at work from this company.
>
> http://www.giritech.com/
>
> It's mighty fancy. It will allow me to connect to our citrix server and
> do my work without any risk of our citrix server being infected by any
> thing on my work issued laptop.
>
> Disclaimer: I do have any relations with giritech I'm just a happy user
> of their product.
>
> And sorry for spelling mistakes, none native English speaker here. :)
>
> -----Original Message-----
> From: ***@securityfocus.com [mailto:***@securityfocus.com]
> On Behalf Of Shawn
> Sent: 11. maj 2007 19:06
> To: ***@gmail.com
> Cc: security-***@securityfocus.com;
> security-basics-return-***@securityfocus.com
> Subject: RE: Home laptops on a corporate network
>
> I take it assigning the users who need to work from home company
> owned/managed laptops, and then providing VPN access to these laptops,
> is just not an option?
>
> Setting up -somewhat- secure access to the corporate network from a
> staffers home computer just seems like too much trouble and too much
> risk
> for what you gain...it'd just be easier to buy/image/issue laptops.
>
> On Fri, 11 May 2007, ***@gmail.com wrote:
>
>> If this scenario is an absolute must, even in the face of HIPAA (and
> if this were my data, I'd be highly concerned about this company...),
> then I do like having users VPN into an isolated network segment and
> then connect to a Terminal Server to do their work.
>>
>> However, not to throw monkeywrenches in, but this solution still does
> nothing about keyloggers, screenscrapers, or even a full-blown screen
> capture program running to record all this data. Even just one frame of
> a doc open can be enough to spoil your HIPAA party depending on the data
> these users have access to. Really, there's nothing you can do about
> this other than disallowing their home systems.
>>
>> You do have to pretend two things:
>> 1) Assume you have the filthiest, most infected, worm-ridden home PC
> ever connecting to your network.
>> 2) Assume one of these workers will be wanting to sell this data or
> maliciously gather and use it.
>>
>> You can take action against 1, but you're not going to be able to
> audit 2 unless you own the devices they are allowed to use.
>>
>
>