
Can home PCs provide a way for viruses and spyware to enter a corporate LAN?

When considering allowing remote access to a corporate LAN, security concerns are paramount, especially when corporate security pros have no control over the home PCs. Learn how to protect the corporate LAN from viruses and spyware.

Our enterprise is considering the use of remote access control software to allow employees to access their corporate PCs from their home PCs. Because home PCs are untrusted and we have no control over them, does this give a route into the corporate LAN for any viruses or spyware that may be on that home computer?
Yes. Any unprotected home PC with access to a network represents a potential threat to your security.

Why? Well, unlike desktops inside the company, there is no control over an employee's home PC. There is probably -- or should be -- protection for desktops and workstations in the office: antivirus software, host-based firewalls, antispyware protection and more, depending on the organization's risk profile. A home PC might not have the same controls that meet the company's internal IT security standards.

To make matters worse, if employees use VPN software on their home PCs to access the network, they are, ironically, creating a secure connection through which malware can reach the network. The malware's traffic is just as protected in transit as the legitimate data being sent over the wire.

Protecting the network from insecure home PCs is a whole field in itself, called network access control (NAC) and endpoint security, which is beyond the scope of this brief discussion. Suffice it to say that NAC involves software controls on endpoints, monitoring systems on networks and blocking insecure devices, like home PCs, from networks. NAC involves both software and hardware controls and is more of a process than a single product that does it all.

Ideally, a NAC system should not only scan for any devices trying to connect to the network, but also check them to make sure they have adequate security controls to meet IT security standards. For example, if the device doesn't have updated antivirus software or the latest operating system patches, an endpoint security solution would either block the device from the network or download the patches and updates before allowing access.

Home PCs are only one endpoint security headache for security administrators. Many employees nowadays work remotely with laptops, BlackBerrys and other PDAs, all of which need to be secured and given proper access controls before being allowed to connect to the network. Just add home PCs to the list of devices that would need to be secured in an endpoint security program.

The best idea, if practical for your company, is only to allow access to the network with company-provided equipment. Such equipment should have a standard build, uniform throughout the enterprise, and should have company-mandated controls meeting specific IT security standards. Again, if practical and within budget, it's better to avoid use of home computers for business use and instead issue remote employees laptops. Anything less may mean gambling with the security of the entire organization.
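
The admission check described above (verify antivirus and patch status, then block the device or update it before allowing access), sketched as an added example that is not part of the original answer or of any NAC product. The report fields, the age thresholds and the rule that only company-issued machines are remediated are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed policy thresholds for this illustration; set them from your own standard.
MAX_AV_SIGNATURE_AGE = timedelta(days=7)
MAX_OS_PATCH_AGE = timedelta(days=30)

@dataclass
class Posture:
    """Health report an endpoint submits before admission (constructed schema)."""
    device_id: str
    company_issued: bool
    av_installed: bool
    av_signatures: Optional[date]   # date of last signature update, None if unknown
    last_os_patch: Optional[date]   # date of last OS patch, None if unknown
    host_firewall_on: bool

def evaluate(p: Posture, today: date) -> Tuple[str, List[str]]:
    """Return (decision, findings); decision is 'allow', 'remediate' or 'block'."""
    findings = []
    if not p.av_installed:
        findings.append("no antivirus installed")
    elif p.av_signatures is None or today - p.av_signatures > MAX_AV_SIGNATURE_AGE:
        findings.append("antivirus signatures out of date")
    # Unknown values fail closed: a missing date counts as out of date.
    if p.last_os_patch is None or today - p.last_os_patch > MAX_OS_PATCH_AGE:
        findings.append("operating system patches out of date")
    if not p.host_firewall_on:
        findings.append("host firewall disabled")

    if not findings:
        return "allow", findings
    # Assumed policy: only company-issued builds can be updated by IT, so they
    # are quarantined and patched; an unmanaged home PC that fails is blocked.
    return ("remediate" if p.company_issued else "block"), findings

if __name__ == "__main__":
    today = date(2008, 9, 15)  # constructed sample data
    reports = [
        Posture("corp-laptop-01", True, True, date(2008, 9, 14), date(2008, 9, 1), True),
        Posture("corp-laptop-02", True, True, date(2008, 7, 1), date(2008, 9, 1), True),
        Posture("home-pc-17", False, True, None, date(2008, 3, 2), False),
    ]
    for r in reports:
        decision, why = evaluate(r, today)
        print(f"{r.device_id}: {decision} {why}")
```

The check runs on what the endpoint reports about itself, so it only has value when the reporting agent is one the organization controls and trusts.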


This was last published in September 2008
