On Fri, 24 Oct 1997 Dick_Wall @ stratus . com wrote:
> An economical alternative seems to be to allow these telecommuters to
> access the corporate network via their local ISPs or cable providers.
> Assuming we use a secure mechanism to authenticate the user, and encrypt
> the data, what other risks do I face?
>
> The thought that worries me .. is that although I might have a secure
> path between the telecommuter's computer and the corporate LAN, I have
> no way to ensure the security between the telecommuter's computer, and
> the rest of the ISP community. There seems to be the very real
> possibility for a third party, to access the telecommuter's system, and
> from there, pass through the secure connection into the corporation.

With both dial-up and cable or wireless modems in-house, you're really
leaving the burden of security up to the user. It would be fairly
trivial for me to open a clear path into a corporate network with VPN
access. VPNs only really work for securing data. If the home user has
any program running in-the-clear data streams at the same time, there's a
fairly serious attack vector into the network lying there. More so if
the worker's progeny is sitting on a home network with clear access and a
penchant for mischief. Masquerading from the home machine routed to and
from the misconfigured or malicious machine upstairs in and out of your
network over an encrypted channel? It would concern me for sure.

Also, there are ownership issues which may turn into legal liabilities
if the company doesn't own the hardware, software, and services to run
the machine. Our lawgeeks weren't too concerned with that issue for
direct dial, but I think when we get there, it'll come down to the AUP
from hell.

> Are people "really" allowing corporate access via VPN connections
> across an ISP's network? If so, do they generally allow all corporate
> access or do they typically restrict it to email access?
>
> What is the real world, safely doing?

Fighting the issues bit-by-bit (pun intended). Personally, I'm against
non-direct dial access, and I like *that* restricted. Especially from
Internet access back out.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts @ clark . net  which may have no basis whatsoever in fact."
PSB#9280