WiFi access from Company laptops


A-AvantGarde

I'm trying to drag my company into the 21st Century and allow some of our users to connect to their home wireless connections and possibly use wireless hotspots etc. This could be up to 750 laptop users.

Does anyone work for a reasonably large company that allows them to do this? What restrictions (if any) do they place on you?

My thoughts: we don't supply home broadband connections nor do we intend to. We intend to offer this as a service 'as is', i.e. our IT Service desk wouldn't technically support home wireless setups. We would offer a user guide and some security advice and guidance on recommended broadband providers / routers and security to use etc. I know there was some publicity in the press & watchdog about spoofing HotSpots etc.; just want to understand whether people handle this via education (e.g. in the way you would educate people to watch out for Social Engineering type attacks) or if they handle it with additional security measures or indeed do what we currently do and don't allow it at all!

I've also come across some software which makes managing connections simpler, such as iPass and Vodafone Secure Remote Access.

If it makes any difference, we use a Cisco VPN with two factor authentication, although not all laptop users have this (although they can't VPN without this).

Keen to hear how others deal with this...
 
I use Check Point with SecureRemote for mobile users. Seems to work well and is obviously secure... We also use TrueCrypt to encrypt mobile users' data to prevent data theft if a laptop is lost/stolen....


I would also make sure all laptops are covered with good a/v software that is managed centrally to ensure it's updated regularly
 
We use iPass and Cisco Systems VPN but have just switched to T Online corporate access due to the problems with iPass Sp!ke mentioned. We are also going to switch to Nortel Contivity client for VPN as it offers better security than Cisco. But have to say in all the time I have been using Cisco and iPass I never had a problem; it's worked great.
 
I am a one man band, but do have a laptop supplied by a Building Society for when I do their work. It's a pain in the neck.

As for wireless - they do not allow it. I have had to use an Ethernet over Power solution to get connectivity. They also use a VPN with a one time code thingy!
 
I would go VPN only, but if not, make sure that if you have a centrally managed anti-virus solution you allow workstations to get updates from the web, otherwise when it comes back in to work anything could be on it (McAfee used to have it disabled by default).

We don't allow it but that's to do with DWP and code of connection restrictions.
 
> If it makes any difference, we use a Cisco VPN with two factor authentication, although not all laptop users have this (although they can't VPN without this).

Are you thinking that people will VPN in through a wireless hotspot or a home wireless router?

In my last biggish corporate job we had *loads* of problems with users who couldn't get in through their home router. We only supported the BT ADSL modem connection with an ethernet connection to the laptop. That was maybe 7 years ago now, though.
 
> Are you thinking that people will VPN in through a wireless hotspot or a home wireless router?
>
> In my last biggish corporate job we had *loads* of problems with users who couldn't get in through their home router. We only supported the BT ADSL modem connection with an ethernet connection to the laptop. That was maybe 7 years ago now, though.

Ideally yes, however I know what you refer to. Many home broadband solutions prevented Corporate VPN connections from working. Don't believe it's so bad now in that many Broadband providers now support / allow it.
 
> Ideally yes, however I know what you refer to. Many home broadband solutions prevented Corporate VPN connections from working. Don't believe it's so bad now in that many Broadband providers now support / allow it.

We moved from corporate-supplied broadband (BT) to self-supplied this year and there is still some issue with VPN support from some providers. I went with TalkTalk and found I couldn't connect with the router they provided but was fine with the one I was running previously.

I've just had a third one arrive (Huawei) that they reckon will work, but I'll wait to the hols to try it.
 
The problem was in the routers. I forget what now, but something to do with the way they handled (or didn't) NAT.

Even now I have a Cisco VPN client on my laptop to connect to a supplier's intranet and that works fine when hard wired to my router but won't work over wireless. May be some simple reason - I haven't looked.
 
We have VPN access on company-supplied laptops, globally. The fallback is a Citrix remote desktop (with user-linked fob for authentication) that can be run from any PC with web access. I personally use the latter on my own PC at home, rather than lugging the laptop around.
 
> The fallback is a Citrix remote desktop (with user-linked fob for authentication) that can be run from any PC with web access. I personally use the latter on my own PC at home, rather than lugging the laptop around.

We, or rather I, use this a lot too. Had it at a previous company and where I am now (about 4 of us in IT) are using Citrix Access Gateway. I love Citrix, and most of the time I connect this way too. Have had some interesting discussions with a number of people regarding the correct way to licence this - depending upon which applications (especially if they're from a software house in Redmond) you run in your Citrix environment is an 'interesting' area with 'many shades of grey'.
 
Remote access isn't the massive risk many people see it as. Two factor authentication is a good help here, and also passwords should be issued not chosen. My preference is for a remote "walled garden" terminal desktop, so users get access to essential remote applications rather than the entire network (most data loss is from user error rather than malicious attack) accessed via an SSL VPN (so reducing the problems with users' routers blocking traditional VPN tunnels and setting up VPN clients). This also stops users copying files to and from their PCs.

For laptops - you can't beat a private APN and built-in 3G...
 
We allow company laptops to connect over either iPass hotspots or any WiFi the user can access. The key here is to treat all networks as public, untrusted networks and then VPN tunnel into the company network. Things like NAC can help ensure the laptops are fully up to date with antivirus before they are allowed onto the internal network. Remote access using any browser on PC, Mac or Linux is allowed via a remote control solution that can either give you a set of basic apps over terminal services or remote desktop back to your own desk PC using one-time code devices.

Good luck!
Matt
 
