Intelligent Enterprise

Phil Alexander

The era of the mobile employee has enabled those who travel extensively for work to be much more productive. Salespeople, executives and other professionals who have to hit the road can now stay connected to company networks. Between hotel-based broadband access, wifi hot spots and mobile broadband cards, it's not uncommon to see people working on the go. While very convenient, this kind of flexibility does carry numerous security concerns. Issues to consider when remotely connecting to your company's network include the protection of data in transit as well as ensuring the safety of laptops and other devices.

Protecting Data in Transit

There are three ways for the mobile employee to remotely connect to their company's network. They include modems, a company-managed virtual private network (VPN) or third-party VPNs. Everyone knows that modems are not only insecure, they are also very slow. Due to these weaknesses, and with the advent of the VPN, modems are rarely used today by security-minded companies. VPNs not only encrypt data while in transit, they can be configured with strong, two-factor authentication. A common authentication method with many VPN solutions is to require the mobile worker to enter a password as well as a PIN from a physical token known as an ID Fob. Breaking the security would require the would-be hacker to not only uncover the user's account name and password but steal the ID Fob as well — protection that's not likely to be broken.

The most secure architecture for a VPN solution keeps the VPN server within your company's DMZ. This enables the server to accept encrypted VPN transmissions. The VPN tunnel terminates at the server, allowing decrypted traffic to proceed into the internal network. The benefit of this approach is that the company's intrusion detection system (IDS) can inspect the transmission. A common misconception with encryption is that it always adds to security, but like any tool, it can actually introduce vulnerabilities if misused (See "Encryption: Not the End-All Fix for Data Privacy"). For instance, IDS systems can't inspect data that is encrypted because they'll only see cipher-text, so make certain your architecture doesn't diminish the value of intrusion detection by encrypting in the wrong spot.

If maintaining an internal VPN solution is not in your company's business model, another option is third-party VPN services. If you are considering this alternative, you'll have to consider a few security issues. Will the data that your employees transmit reside on your VPN provider's network? If so, how will they secure it? Will your data potentially be exposed to employees of the VPN provider? How secure is their network? Would a compromise of their network put your company at risk?