Firewall Wizards: Re: VPN between PC and VPN server

[Chad Schieken <Chad.Schieken () ins com>]

Bill,

Does your organization allow individual users to control connections to the 
Internet? Your note seems to suggest that or at least that they implement 
generally good security practices on their own.

I do agree that running firewall software on the home machines and insisting 
they follow some security guidelines is a good idea, however you have very 
little authority to do so.

If the hardware is owned by the employee this is much like dictating which 
safety devices they use in their car on the drive to work. Also the computer 
sitting at home will, hopefully, be accesable to any children (it's not a 
firearm or munition no matter what the Commerce dept says). Those children 
will also probably cause some havoc on this machine in an attempt to run the 
new quake server or other such purpose.

That havoc is no doubt likely to weaken the security stance of the machine.

While expensive, the option of providing the computer at home (normally done 
via laptop) is a decision many companies have already made. If the company 
owns the hardware they can dictate exactly what the configuration, and level 
of access (user/admin) the users will have. Also they will be to "lock" a 
secure configuration onto the machine.







> The other alternative to filtering at the office end is to insist on apersonal
> firewall like ConSeal (http://www.signal9.com) or Sygate on the home machine.
> These filter out connections to the home machine so they are less likely to be
> hacked. As well, home machines used as VPN ends should be treated as internal
> machines and subject to the same security constraints as office machines (Good
> passwords, virus scans, up to date OS versions etc.)