Problem solve Get help with specific problems with your technologies, process and projects.

How to set up a remote access security policy

Interested in setting up a remote access security policy for users? Learn to use IPsec vs. SSL VPN and appropriate systems, applications and authentication methods.

Management is considering hiring employees that will work remotely. What's your advice for devising a remote access security policy for a small company?

The ideal remote access policy will keep data secure without interfering with employees' ability to do work. Without...

knowing much about this particular situation, I'll assume that an SSL VPN will fit your needs, though an IPsec VPN will also work.

Practically speaking, there are a few considerations to keep in mind: Authentication methods, access control, deciding which systems or applications the employees need to access remotely and what types of devices they are permitted to use.

Some sort of strong authentication should be used, such as tokens, smart cards or out-of-band SMS messages. Of the above, SMS messages will probably be the easiest piece to figure out.

When it comes to access control, be prepared for scope creep if the project doesn't already include full network access for all employees; once word gets out that this system is available, everyone will want to use it and everyone will want to be able to access all the internal systems. To handle this, be sure to scope the physical gateway devices to handle a larger load then initially projected.

The toughest question will concern which devices can remotely access the network. Users will want to use their personal computers, cell phones, even Internet kiosks. This is something to discuss with company management in order to come up with a policy they approve of and are willing to enforce. While there is technology to limit users to specific devices, it is important to communicate the company's policies to users and what the consequences are for breaking the rules.

More information:

This was last published in November 2008

Dig Deeper on Information security policies, procedures and guidelines