The ideal remote access policy will keep data secure without interfering with employees' ability to do work. Without knowing much about this particular situation, I'll assume that an SSL VPN will fit your needs, though an IPsec VPN will also work.
Practically speaking, there are a few considerations to keep in mind: Authentication methods, access control, deciding which systems or applications the employees need to access remotely and what types of devices they are permitted to use.
Some sort of strong authentication should be used, such as tokens, smart cards or out-of-band SMS messages. Of the above, SMS messages will probably be the easiest piece to figure out.
When it comes to access control, be prepared for scope creep if the project doesn't already include full network access for all employees; once word gets out that this system is available, everyone will want to use it and everyone will want to be able to access all the internal systems. To handle this, be sure to scope the physical gateway devices to handle a larger load then initially projected.
The toughest question will concern which devices can remotely access the network. Users will want to use their personal computers, cell phones, even Internet kiosks. This is something to discuss with company management in order to come up with a policy they approve of and are willing to enforce. While there is technology to limit users to specific devices, it is important to communicate the company's policies to users and what the consequences are for breaking the rules.
- What are the dangers of Web-based remote access systems? Read this expert response.
- Learn more about the potential risks of giving remote access to a third-party service provider.
This was first published in November 2008