A five-point strategy for secure remote access

Managing secure remote access is a tough job. Because remote systems may directly connect to the Internet rather than through the corporate firewall, they pose an increased risk to your network environment. Virus and spyware protection, and a general VPN network policy isn't enough to keep these systems – and the network they connect to -- safe. Here are five best practices for providing secure remote access.

1. Software controls policy

Create a policy that defines the exact security software controls that must exist on systems with remote access. For example, you may need to spell out that antivirus, anti-spyware and desktop firewalls must be installed and configured in a specific manner with the latest signatures, along with which vendors are acceptable. The best practice is to distribute the policy along with the connection setup or similar instructions for end users. Often a zero-tolerance policy is best for endpoint security. End users should meet a set of guidelines before connecting to the network. No AV, antispyware and desktop firewall? No remote access allowed. The policy should also spell out what ports and services may be exposed on the system.

2. Endpoint security management

Choose a vendor that offers comprehensive endpoint security management and policy enforcement as part of their VPN or remote access solution. It is best to mandate that all remote users use the enterprise sponsored VPN client. That's the only way you are going to get true policy compliance and assurance of endpoint security posture. Your chosen remote access solution should be able to refuse connections for endpoint systems that do not meet the policy compliance checks. Ideally, the solution should tell end users which items are out of compliance so they can remediate the situation prior to attempting to reconnect. This cuts down on help desk calls.

3. Enforce corporate policy compliance

Inform end users that corporate security policy extends to their remote desktop when connected to the enterprise network. For example, no file sharing and other disallowed use while connected to the corporate network.

For more information Unmanaged remote access can serve as an attack vector. Get more tips and advice in our endpoint security resource center.

4. Reporting features

Reporting on end user compliance is critical. Most of the solutions mentioned above offer reporting capabilities to keep admins updated on the status of the connecting endpoints. Depending on the number of users you have to manage, it may be wise to set up alarms that e-mail admins when a machine that is significantly out of compliance tries to connect. In some cases administrative intervention may be warranted -- especially when other access methods to the network may exist.

5. Periodically review policy and reports

Every couple of months, review policies and reports to identify trends and patterns in access violations. This is important to ensure that the policy and technical controls are addressing your remote access security needs. If you find trends in access violations, add or modify policies accordingly.

About the author
George Wrenn, CISSP, ISSEP, is a technical editor for our sister publication Information Security magazine and a security director at a financial services firm. He's also a graduate fellow at the Massachusetts Institute of Technology.

This tip originally appeared on SearchSecurity.com.

Please let others know how useful it is via the rating scale below. Do you have a useful Notes/Domino tip or code to share? Submit it to our monthly tip contest and you could win a prize and a spot in our Hall of Fame.

Rate this Tip To rate tips, you must be a member of SearchDomino.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT QuickTips Top 10 Lotus Notes/Domino administration tips of 2008 Workaround formats bulleted/numbered lists in Lotus Notes documents Resource reservations don't work after R7 upgrade Notes/Domino 6 version of 'Discover Folder' Create print preview button, save paper when printing in iNotes Five popular administrator tips Resource reservations cleanup Pre-recertify ID's Controlling user recertification requests Increase Fault Recovery Notification capabilities Mobile Devices Lotus makes mobile partnerships and Notes Traveler top priorities Lotus Notes/Domino and mobile device management An introduction to iNotes for Lotus Notes/Domino 8.5 Approve Lotus Notes documents using a BlackBerry mobile device SaaS and collaboration set the stage at Lotusphere Collaboration on the run with Lotus Notes and Domino Solving your Lotus Notes Domino and BlackBerry problems Install Lotus Traveler for Windows Mobile device synchronization Exploring Lotus Notes Domino 8.0.1 and beyond Configuring Lotus Sametime on a Blackberry mobile device Lotus Notes Domino Administration Top 10 Lotus Notes/Domino administration tips of 2008 How to convert Lotus Notes documents to .PDF files A Domino Domain Monitoring primer Getting up to speed on Notes/Domino administration Daylight Saving Time 2007 -- seven helpful tips for Lotus Notes administrators Our experts' favorite freeware tools for Lotus Notes and Domino Separating a Lotus Notes network into two Notes Named Networks IBM will add social networking tools for business Lotusphere 2007 refocuses on users Top 10 Notes/Domino administration tips of 2006 RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.