The fundamentals of secure remote computing include making sure your users aren't being attacked or spreading viruses and that they have secure connections to the corporate LAN. First, all your laptop users need personal firewalls, which will repel some common attacks. Personal firewalls also can "hide" a PC by not letting it respond to connections or pings, by blocking ports and protocols, by performing host-based intrusion detection, and by designating which applications may access the Internet. Keep in mind that you want a centrally managed firewall; end users should not make any decisions on security--you dictate the policy, they follow it (for more on personal firewalls, see our Buyer's Guide).
We have found that firewalls with application control are better at blocking Trojans than are firewalls that block only ports. That's because Trojans can operate by making outbound connections on common ports. Firewalls alone, however, won't protect against viruses. For this, you need antivirus software, preferably a package that checks often for new signature definitions.
SECTOR SLACK: Say a volume uses a cluster size of 64K, and a user stores several files, each 40K. When Windows 2000 allocates space it gives each file its own cluster, with the space left over being--you guessed it--sector slack.
The next step in securing software is to verify that the laptop user is legit. There are a few options here. One is to force the user to enter a login password upon start-up or after an idle period, either at the OS login screen or at BIOS boot. If passwords don't give you a secure feeling, biometric authentication, such as retinal scans, fingerprint or voice analysis, is a possibility. Keep in mind, however, that many biometric devices plug into serial or USB ports and are one more thing for a laptop user to lug around, lose or break. Acer, MicronPC and other vendors offer laptops with fingerprint scanners built in (see InformationWeek's "Fingerprints and Notebooks: Hand in Hand").
Voice analysis seems like a nice option, as many laptops have a microphone port, but it can be problematic. In noisy environments, for example, the computer might not pick up the sound, and laryngitis or a bad cold might lead to a frantic helpdesk call.
As for connecting to the corporate network, two words: Use encryption. First, determine what needs to be encrypted. If all your users will do is access Web-based programs, you can get away with HTTPS. You can also encrypt e-mail by running IMAP or POP3 over SSL, which makes sending and receiving e-mail over the Internet more secure by encrypting the entire session, from host to e-mail server (for a secure appliance e-mail solution, see "In the M2000, Mirapoint Makes a Mighty Message Server"). There are two major forms of e-mail encryption, S/MIME and IMAP/POP3 over SSL, and they serve two different needs. S/MIME encrypts or signs the message, but not the session. IMAP/POP3 over SSL secures the login and session, but on the next hop the data can be transmitted in plain text. IMAP over SSL is very simple and requires no user intervention, but not all client software supports it. If you want all your traffic to be encrypted, or if some of your programs do not support encryption, a VPN is the way to go. Virtual private networks let remote users access internal resources without making these resources publicly accessible. (For more on VPNs, see "Add Some FiberLink to Your VPN Diet.")
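The session-versus-message distinction above can be checked on a delivered message. This added example (not from the original article) reads the Received headers for per-hop TLS and the Content-Type for S/MIME; the sample message, host names and function names are constructed, and it assumes relays record TLS with the RFC 3848 keywords.

```python
import email
import re

# Constructed sample (not real traffic): the laptop's submission hop used TLS,
# the relay's onward hop did not, and the body carries no S/MIME protection.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id B2; Tue, 1 Jan 2002 10:00:05 +0000
Received: from laptop.example.com (laptop.example.com [198.51.100.7])
\tby relay.example.net with ESMTPSA id A1; Tue, 1 Jan 2002 10:00:01 +0000
From: user@example.com
To: peer@example.org
Subject: quarterly numbers
Content-Type: text/plain

draft attached
"""

# Received "with" keywords that record a TLS-protected hop (RFC 3848).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

def hop_protection(msg):
    """Return [(receiving_host, used_tls)], oldest hop first."""
    hops = []
    # Each server prepends its own Received header, so reverse for delivery order.
    for header in reversed(msg.get_all("Received", [])):
        by = re.search(r"\bby\s+(\S+)", header)
        proto = re.search(r"\bwith\s+(\S+)", header)
        used_tls = bool(proto) and proto.group(1).upper() in TLS_PROTOCOLS
        hops.append((by.group(1) if by else "?", used_tls))
    return hops

def message_protection(msg):
    """Classify message-level S/MIME protection from the Content-Type header."""
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return str(msg.get_param("smime-type", "pkcs7-mime")).lower()
    if ctype == "multipart/signed" and "pkcs7" in str(msg.get_param("protocol", "")):
        return "signed"
    return "none"

def assess(raw):
    msg = email.message_from_string(raw)
    hops = hop_protection(msg)
    smime = message_protection(msg)
    # Only an enveloped (encrypted) body stays unreadable on a non-TLS hop;
    # a signed-only message is still plain text to anyone on the wire.
    readable_on = [] if smime == "enveloped-data" else [h for h, tls in hops if not tls]
    return {"hops": hops, "smime": smime, "readable_on": readable_on}
```

Received headers do not cover the final IMAP/POP3 retrieval by the client, and each one is only as trustworthy as the server that wrote it.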