Firewalls: First Line of Defense
A telecommuting setup presents several challenges: secure communications, physical security and environmental concerns. All employees working from home need a secure connection to the corporate network. Workers who link back to that network, whether by e-mail or by uploading work, become an extension of the LAN, so the danger of their machines spreading Trojans, viruses or other malicious code rises.
Unfortunately, many telecommuters, especially those working from home, don't take security threats seriously. Some users even take it upon themselves to disable desktop firewalls. That's why it's essential to educate your home-based telecommuters about proper security measures. Let them know that disabling a virus scanner or firewall is grounds for termination, if your company has such a policy (and it should). This sounds extreme, but it's also likely to drive the point home. Fortunately, products are available to help you verify that a managed firewall, virus scanner or VPN policy file is in place each time the user connects back to the corporate network.
A personal firewall will help limit open ports and Internet programs, and it can alert administrators when a machine is being probed or attacked. A firewall can be centrally managed or unmanaged. Unmanaged firewalls have a drawback: You won't be able to verify that the user is running it. Assume that, given the opportunity, the user will turn off the firewall or set its safety parameters too low. Go with a managed firewall solution if you can afford it.
A managed firewall will let you dictate the policy file. And most managed firewalls prevent users from disabling them--or at least make it harder. Internet Security Systems' BlackICE Agent, for example, includes an install option for which there is no user interface. If you purchase a firewall that supports application control, don't let users decide which applications should get network access. A user may accidentally give access to a well-disguised Trojan or use telnet instead of SSH (Secure Shell).
With a centrally managed firewall, you can push out new policy files and firewall software without user intervention. Furthermore, you can see the logs and reports to spot trends and potential problems. (For more on firewalls, see "Defending Your Turf From Within", August 21, 2000.)
Keep in Touch
Communication with your home users is vital, and e-mail may not be fast enough. One of the biggest advantages of telecommuting is flexibility. But that flexibility means trade-offs. Telecommuters may not always be available when someone at the corporate headquarters needs them. Particularly in the case of remote IT workers, any slowdown or problem will need fixing quickly.
For example, if your multimillion-dollar Web server is sucking mud, the remote administrator has to be notified of the problem immediately--it can't wait until he or she happens to read e-mail. Pagers and instant-messaging tools can help. But again, security must be maintained. Pagers should be treated like clear-text e-mail: Never send passwords or confidential information to a pager.
All paged messages in a provider's coverage zone are broadcast, unencrypted, to every pager unit in that zone; each unit simply ignores messages not addressed to its own capcode. For about $100, anyone can set up a radio scanner and capture those broadcasts, just as someone might put a network analyzer on a hub.
Take care when deciding on an instant-messaging product for LAN users and home users. Remember the golden rule of dealing with telecommuting: All traffic between the home and LAN should be encrypted. Therefore, all instant messages should be tunneled through a VPN connection. The instant-message server (the machine responsible for routing messages and tracking who is online) must be on your LAN as well.
For example, with AOL Instant Messenger (AIM), some information (such as logon events and password authentication) is sent to the AIM servers in Virginia. Your user has a VPN connection, but that traffic still crosses the Internet outside the tunnel, to a system you don't control. Products such as Jabber let you set up a server internally so you don't have to rely on a third-party system.
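The two policy points above, that telnet must give way to SSH and that corporate and IM traffic must stay inside the VPN tunnel, are easy to state and hard to confirm without looking at what actually leaves the home PC. The following is an added example, not code from the original article or from any product it names: it audits constructed flow records from a telecommuter's PC and flags flows that leave the tunnel or use a cleartext protocol. The addresses (a VPN gateway at 203.0.113.10, a 10.0.0.0/8 corporate LAN, a tun0 tunnel interface) and the comma-separated record format are assumptions chosen for the example; substitute your own concentrator, LAN ranges and firewall-log format.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical addresses for this example: the corporate VPN concentrator sits
# in the RFC 5737 documentation range; the LAN and tunnel pool use RFC 1918 space.
VPN_GATEWAY = ipaddress.ip_address("203.0.113.10")
CORP_NETS = (ipaddress.ip_network("10.0.0.0/8"),)
TUNNEL_IFACE = "tun0"   # the VPN client's virtual interface on the home PC

# Ports the telecommuting policy forbids outside an encrypted, LAN-hosted path.
TELNET = 23
AIM_OSCAR = 5190        # AIM's OSCAR logon/messaging port


@dataclass(frozen=True)
class Flow:
    iface: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one 'iface,src,dst,dport,proto' record (a constructed export format)."""
    iface, src, dst, dport, proto = (f.strip() for f in line.split(","))
    return Flow(iface, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto.lower())


def is_corporate(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in CORP_NETS)


def classify(flow: Flow) -> tuple[str, str]:
    """Return ('ok' | 'violation', reason) for one flow seen on the home PC."""
    if flow.proto == "tcp" and flow.dport == TELNET:
        # Cleartext even inside the tunnel: it is decrypted again on the LAN leg.
        return "violation", "telnet is cleartext; require SSH"
    if flow.iface == TUNNEL_IFACE:
        if flow.dport == AIM_OSCAR and not is_corporate(flow.dst):
            return "violation", "IM logon leaves the LAN for a third-party server"
        return "ok", "encrypted inside the VPN tunnel"
    # Physical interface: only the tunnel carrier itself should reach the gateway.
    if flow.dst == VPN_GATEWAY:
        return "ok", "VPN tunnel carrier"
    if is_corporate(flow.dst):
        return "violation", "corporate destination reached outside the tunnel"
    if flow.dport == AIM_OSCAR:
        return "violation", "IM traffic to a third-party server outside the tunnel"
    return "ok", "non-corporate Internet traffic"


def audit(records: str) -> list[tuple[Flow, str, str]]:
    results = []
    for line in records.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        verdict, reason = classify(flow)
        results.append((flow, verdict, reason))
    return results


def violations(records: str) -> list[str]:
    """Human-readable list of policy violations, one per offending flow."""
    return [f"{f.iface} {f.src}->{f.dst}:{f.dport}/{f.proto}: {reason}"
            for f, verdict, reason in audit(records) if verdict == "violation"]


# Constructed sample: six flows from one home PC (192.168.1.20, tunnel IP 10.200.4.7).
SAMPLE_FLOWS = """\
tun0,10.200.4.7,10.1.2.3,22,tcp
tun0,10.200.4.7,10.1.2.9,23,tcp
eth0,192.168.1.20,203.0.113.10,4500,udp
eth0,192.168.1.20,198.51.100.25,5190,tcp
eth0,192.168.1.20,10.1.5.5,445,tcp
eth0,192.168.1.20,192.0.2.80,443,tcp
"""

if __name__ == "__main__":
    for line in violations(SAMPLE_FLOWS):
        print(line)
```

Run against the sample, the audit reports three violations: telnet inside the tunnel, an AIM logon on the physical interface, and a file-sharing connection to a corporate address that never entered the tunnel (the signature of a split-tunnel misconfiguration). Traffic to the gateway itself and ordinary HTTPS browsing pass. Feed it the host firewall's connection log at each VPN connect and you have the check the text asks for.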
Telephone lines and conversations also are insecure. Sensitive topics should not be discussed over the phone. Implement an acceptable telephone policy. Corded phones are generally more secure than cordless but aren't as convenient. Cordless-phone technology has advanced over the past few years, however. You could eavesdrop on the original cordless phones (operating around 43 MHz) using just a cheap radio scanner. Spread-spectrum phones, which hop among frequencies in the 900-MHz or 2.4-GHz bands, are much harder to intercept with that kind of equipment, though not impossible for a determined attacker. Some reports indicate that 2.4-GHz phones and 802.11b wireless networks don't play nicely: Both transmit in the 2.4-GHz range and sometimes interfere with each other.
Requiring home-based telecommuters to maintain a second phone line for business purposes is a sensible policy. The second line separates business and personal calls, and it keeps family members from answering business calls. Of course, landlines can be tapped if someone is dedicated enough to sit outside a user's house with a lineman's handset. Regular telephone lines should be treated like clear-text transmissions.
For businesses that work with sensitive data, encryption telephones are an option. These phones will encrypt fax, data and voice communications. Another alternative is VoIP (voice over IP) through a VPN tunnel.