If you are a network or IT administrator of a company and you provide remote access to your internal infrastructure, you must treat this as one of your biggest security threats and give extreme consideration to how you protect your network. Remote access is sometimes mandatory and can be needed for a variety of reasons. Maybe you are outsourcing some of your business to an external partner, maybe you require external technical support, or you may have employees on the road or teleworkers who require access to internal data and resources in your company. In any case, you must take measures to protect your data and network while keeping the remote access service as functional as possible. Some of the most important guidelines to follow in order to protect your remote access service are the following:
Communicate to everyone that the remote access service shall be treated with the same consideration as the on-site connection.
Use an IPsec VPN as your remote access method where possible, configured with the strongest available encryption (AES).
Install an authentication server (RADIUS server) in order to better manage the password credentials of the remote access users.
Enforce a strong password policy for remote access: at least 10 characters, including alphanumeric and special characters.
Use one-time passwords (OTP) where possible.
Terminate all remote access on a centralized infrastructure (firewall, VPN concentrator, router with IPsec, etc.) so that you have a single point of control and monitoring.
Limit the access of remote users to only what is required. For example, allow access only to the internal mail server and prohibit access to other internal resources.
For employees who take their laptop home to work, the employee is responsible for preventing other family members from using the remote access connection, or the business laptop itself, for any reason.
Disable 'split tunnelling' on the VPN access. Split tunnelling is when the remote user can browse the internet freely while connected to the corporate office. The threat is that a virus picked up while browsing can spread to the corporate network through the remote access tunnel.
The laptop used for remote access must have antivirus and antispyware software installed with the latest updates.
Limit the remote access hours to only what is necessary. Do not have remote access enabled 24 hours a day.
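Because all sessions terminate on one central device, its accounting log can be checked against the "limit access" and "limit hours" guidelines. The following Python script is an added example, not code from the original article; the log line format, the mail server address 10.0.0.25, the permitted ports and the 07:00 to 19:00 access window are all assumptions, and the log lines are constructed.

```python
import re
from datetime import datetime, time

# Constructed sample accounting lines from a central VPN concentrator (hypothetical format).
SAMPLE_LOG = """\
2024-03-04T09:15:02 user=alice src=203.0.113.5 dst=10.0.0.25 dport=993 action=allow
2024-03-04T02:40:11 user=bob src=198.51.100.7 dst=10.0.0.25 dport=993 action=allow
2024-03-04T11:05:47 user=carol src=203.0.113.9 dst=10.0.0.40 dport=445 action=allow
2024-03-04T14:22:30 user=dave src=192.0.2.33 dst=10.0.0.25 dport=25 action=allow
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)
# Assumed policy: remote users reach only the mail server (IMAPS, SMTP) inside the access window.
ALLOWED_DESTS = {("10.0.0.25", 993), ("10.0.0.25", 25)}
ACCESS_WINDOW = (time(7, 0), time(19, 0))


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.fromisoformat(entry["ts"])
    entry["dport"] = int(entry["dport"])
    return entry


def violations(entry):
    """List the policy rules one connection breaks (empty list if compliant)."""
    found = []
    start, end = ACCESS_WINDOW
    if not (start <= entry["ts"].time() < end):
        found.append("outside-hours")
    if (entry["dst"], entry["dport"]) not in ALLOWED_DESTS:
        found.append("unauthorized-destination")
    return found


def audit(log_text):
    """Map each user to the violations found across all of their connections."""
    report = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines in an unexpected format rather than crash the audit
        report.setdefault(entry["user"], []).extend(violations(entry))
    return report
```

Running `audit(SAMPLE_LOG)` flags bob for an off-hours session and carol for reaching a file share instead of the mail server, while alice and dave are compliant.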