Not for Personal Use
In a traditional office setting, a cubicle can sit behind eight inches of concrete, with cameras and smartly dressed security guards taking careful note of anyone entering the building. If a stranger sits down in a cubicle and starts using a PC, someone is likely to notice pretty quickly. At home, this isn't the case. Unfortunately, that stranger may be the offspring of your telecommuting employee. That kid may be using IRC, Gnutella or some other file-sharing program to download virus-infected files. Or perhaps the telecommuter unwinds at night by installing beta copies of the latest 3-D shooter game. Once something goes wrong on that machine, it can get ugly fast. Here's a simple rule for IT to enforce with home-based telecommuters: Keep the business computer and the personal computer separate.
No personal programs, e-mail, Web browsing or game playing should be done on the home-office computer. In addition, the computer should be password-protected, and not merely by the weak Windows screensaver password. One solution is to require a password at start-up through the BIOS (this is possible on many x86, Sun Microsystems and some Apple Macintosh systems). A BIOS password guards only a cold boot, though, so also require an idle time-out that locks the session: the user shouldn't be able to walk away and leave the machine logged on for hours.
Telecommuters will eventually send data back to the corporate LAN, and that data must be clean and virus-free, so a virus scanner is an absolute must. If you run a virus scanner on the desktops at work, there's no reason not to extend it to home users. Suppose a home user's personal machine is infected. The virus can migrate onto a floppy disk, and the user can then put that floppy in the work machine's drive. The old-fashioned method of spreading viruses via floppy disk works just as well today as it ever did.
Disinfecting a home computer is difficult if it has no virus detection or protection. You have to go on-site, or the home user must bring the computer in, and that translates into a lot of downtime. This is especially problematic with viruses that leave the computer unable to boot. Set the virus scanner to auto-update its signatures as often as possible. These downloads are small, less than a megabyte, and should take almost no time even over a dial-up connection.
A VPN connection is required for remote access. The desktop machine should be loaded with VPN client software, with all policy files centrally managed from the corporate LAN. You can hide multiple business machines behind one IP address by buying a SOHO (small office/home office) router, like those made by Linksys or Nexland. You don't need a SOHO router if you have only one computer, though some would argue it still provides an additional layer of protection: a NAT router drops unsolicited inbound connections because it has no mapping to deliver them to.
Not all SOHO routers support IPsec traffic. NAPT (Network Address Port Translation) works by rewriting the port numbers of TCP and UDP flows, and IPsec ESP packets carry no port numbers for it to rewrite, while AH authenticates the IP header itself and fails once the source address is changed. If your VPN solution can encapsulate IPsec in UDP (User Datagram Protocol), use that option; the UDP header gives the router something to translate and saves some headaches in dealing with IPsec and NAPT. (See "Why Can't IPsec and NAT Just Get Along?", November 27, 2000.)
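To make the mechanism concrete, here is a small Python model, added as an example and not part of the original article, of a home NAPT router sitting between two inside business PCs and a corporate VPN gateway. Every address, the shared AH key and the packet bodies are constructed, and the NAPT and Gateway classes are simplified stand-ins for real devices (a real router that advertises "IPsec passthrough" tracks SPIs rather than remembering one host, as this one does). It shows raw ESP being dropped by a plain NAPT box, AH failing its integrity check after the source address is rewritten, passthrough delivering both hosts' replies to whichever host sent last, and UDP-encapsulated ESP (port 4500, as in RFC 3948) being translated cleanly because it carries ports.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import List, Optional

UDP, ESP, AH = 17, 50, 51                 # IP protocol numbers
NAT_T_PORT = 4500                         # UDP port for ESP-in-UDP (RFC 3948)
GATEWAY_IP = "198.51.100.5"               # constructed: corporate VPN gateway
PUBLIC_IP = "203.0.113.7"                 # constructed: home router's public side
HOSTS = ("192.168.1.10", "192.168.1.11")  # constructed: two business PCs at home
AH_KEY = b"constructed-shared-key"        # constructed: AH authentication key

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # port fields exist only when proto == UDP
    dport: Optional[int] = None
    payload: bytes = b""
    icv: bytes = b""              # AH integrity check value

def ah_icv(src: str, dst: str, payload: bytes) -> bytes:
    """AH's ICV covers the IP addresses, so rewriting either one invalidates it."""
    return hmac.new(AH_KEY, f"{src}>{dst}".encode() + payload, hashlib.sha256).digest()[:12]

class NAPT:
    """Home router: inside hosts share PUBLIC_IP and are told apart by the UDP
    source port the router assigns, so a packet without ports is a problem."""

    def __init__(self, ipsec_passthrough: bool = False):
        self.passthrough = ipsec_passthrough
        self.next_port = 40000
        self.out = {}            # (inside_ip, inside_port) -> public_port
        self.back = {}           # public_port -> (inside_ip, inside_port)
        self.ipsec_host = None   # passthrough: the single host inbound IPsec goes to

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto == UDP:
            key = (pkt.src, pkt.sport)
            if key not in self.out:
                self.out[key] = self.next_port
                self.back[self.next_port] = key
                self.next_port += 1
            return replace(pkt, src=PUBLIC_IP, sport=self.out[key])
        if self.passthrough:
            # "IPsec passthrough" rewrites the address and remembers the sender;
            # with no port to map it can track only one inside host at a time.
            self.ipsec_host = pkt.src
            return replace(pkt, src=PUBLIC_IP)
        return None              # plain NAPT: nothing to translate, packet dropped

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto == UDP and pkt.dport in self.back:
            ip, port = self.back[pkt.dport]
            return replace(pkt, dst=ip, dport=port)
        if pkt.proto in (ESP, AH) and self.ipsec_host:
            return replace(pkt, dst=self.ipsec_host)
        return None

class Gateway:
    """Corporate VPN gateway: verifies AH, answers ESP and ESP-in-UDP."""

    def receive(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto == AH:
            if not hmac.compare_digest(pkt.icv, ah_icv(pkt.src, pkt.dst, pkt.payload)):
                return None  # source address rewritten in transit: ICV mismatch
            return Packet(pkt.dst, pkt.src, AH, payload=b"reply")
        if pkt.proto == ESP:
            return Packet(pkt.dst, pkt.src, ESP, payload=b"reply")
        if pkt.proto == UDP and pkt.dport == NAT_T_PORT:   # ESP-in-UDP
            return replace(pkt, src=pkt.dst, dst=pkt.src, sport=pkt.dport,
                           dport=pkt.sport, payload=b"reply")
        return None

def packets(kind: str, hosts=HOSTS) -> List[Packet]:
    """Build one outbound packet per inside host: 'esp', 'ah' or 'esp_in_udp'."""
    if kind == "esp":
        return [Packet(h, GATEWAY_IP, ESP, payload=b"esp") for h in hosts]
    if kind == "ah":
        return [Packet(h, GATEWAY_IP, AH, payload=b"ah",
                       icv=ah_icv(h, GATEWAY_IP, b"ah")) for h in hosts]
    # same ESP bytes wrapped in a UDP header, so the router has ports to rewrite
    return [Packet(h, GATEWAY_IP, UDP, NAT_T_PORT, NAT_T_PORT, b"esp") for h in hosts]

def run(pkts: List[Packet], nat: Optional[NAPT]) -> List[Optional[str]]:
    """All hosts send first, then the replies arrive. Returns, per packet, the
    inside host that finally received the gateway's reply (None if lost)."""
    gw = Gateway()
    sent = [nat.outbound(p) if nat else p for p in pkts]
    replies = [gw.receive(p) if p else None for p in sent]
    back = [(nat.inbound(r) if nat else r) if r else None for r in replies]
    return [b.dst if b else None for b in back]

if __name__ == "__main__":
    print("raw ESP through plain NAPT:", run(packets("esp"), NAPT()))
    print("ESP in UDP through NAPT:   ", run(packets("esp_in_udp"), NAPT()))
```

Running the scenarios side by side is the point: raw ESP through a plain NAPT box never gets a reply, the passthrough router hands both replies to the second host, AH behind any address rewrite fails the gateway's integrity check, and only the UDP-encapsulated variant delivers each reply to the host that sent the request.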
A user may want his or her personal machine to serve Web pages or to play online multiplayer games. These actions require port forwarding, which opens ports to the Internet. Because a personal machine is unlikely to have the latest patches, as soon as a user's home machine running Microsoft Internet Information Server (IIS) gets hit with Code Red (or whatever worm is making the rounds that month), every machine on the home LAN is at risk, including the business machines if they share the same Internet connection.
You could require the user to purchase a separate broadband connection for personal use, with the business connection reserved for business only. If that option isn't available (the phone company allows only one DSL line per house, for example), there is still hope. Have the user obtain two IP addresses, one for business and one for personal use. Put the business machines behind a NAT box on the business address. Treat the personal machines as part of the Internet: tell users never to share data between the two sides or let the two LANs meet. This won't make you popular among telecommuting employees, but that's all right. That's the price you pay for network security.
These days just about every employee telecommutes at one time or another. Even employees checking their e-mail from home can be considered telecommuters. The biggest obstacle is user education. You can't audit people's homes, so you have to make them aware of the dangers. But there's no question that the increased hassle of secure telecommuting is worth the effort and money put into supporting home users. Today's labor market demands it.
Mike DeMaria is an associate technology editor based at Network Computing's Syracuse University Real-World Labs®. Send your comments on this article to him at mdemaria@nwc.com.