How to Rethink Remote Access Management

By H. Peter Felgentreff  |  Posted 2010-04-06

How to Rethink Remote Access Management

Companies define their current IT policies on the existing infrastructure, which is disjointed from the company's IT goals. Recently, companies have been implementing Bring Your Own PC (BYOPC) policies, which grant employees complete freedom to use whatever PC or mobile device they wish to use for work-in or out of the office, notebook or netbook, etc. However, technology is restricting practices and not allowing the fullest potential to be met.

A universal system that is independent from specific types of devices, operating systems and VPN gateways can empower companies to explore options such as BYOPC. Such a system will enable employees to use all standard operating systems such as Windows 7, Windows Vista (32/64 bit), Linux, Macintosh, Symbian and Windows Mobile, while having full and secure access to the network. Employees are more productive and less frustrated because they know how to use their own device.

Educating employees

Most employees-except those who work in IT-are usually not the most technical people in the world. When they think of connecting to the network via a VPN, they cringe because traditional VPNs usually take several steps to establish a connection. Employees need to access the network quickly and efficiently. What is needed is a one-click solution-without the hassle of having to log on, connect, etc.

A one-click solution will shorten the amount of time it takes to train an employee. Companies can cut down their IT training because the network security portion is easy. A trouble-free solution will also increase productivity in the office and make employees satisfied because they are eliminating an annoyance.

Not only is connecting to the network easier with a one-click solution, but a one-click solution also makes the user interface simple to understand. This is important because employees need to understand their connection and real-time information, and not waste time trying to grasp it. Implementing a VPN client with an easy UI will reduce IT questions and help desk requests.

Central Administration

Central administration

Managing a network is a complicated task for administrators; networks are comprehensive and require a lot of attention and maintenance. As the workforce becomes more dependent on mobile devices such as PDAs, laptops and netbooks, the need for remote access becomes even greater.

However, managing all of the devices and users can be overwhelming. One way to ease this job is to run the administration and configuration through a centralized framework.

Under a central management system, one administrator can easily manage the network and the users who access it. Data is seamlessly imported from existing directory services such as Microsoft Active Directory or LDAP and applied to an individual's network address. This cuts time and cost down for companies, and eases mass rollouts, certificate administration and software distribution.

It also relieves the setup and maintenance of new employees. Changes with personnel and staff are resolved in real time and the work load on the network administration is lessened. It also provides the company with cost-saving opportunities.

Hybrid Secure Sockets Layer/IP Security

Hybrid Secure Sockets Layer/IP Security

Arguments for both VPN clients, Secure Sockets Layer (SSL) and IP Security, have been an ongoing debate for quite some time now. There is a clear argument for both uses under different situations; however, one is not more advantageous than the other. Regardless of a user's access, an enterprise solution should support both SSL and IPSec-each is used for particular reasons. It is necessary to consider a user's network access around mobility, productivity and policy needs rather than limit these with a biased technology choice.

Under certain scenarios, IPSec is better suited, especially for those who are permanent employees and would like the option to work one-to-one while away from the office. SSL is better suited to external users such as customers and suppliers who need only sporadic network access. Traditional IPSec can be difficult because of established policies such as firewall settings and they are "thick clients." However, while "clientless," SSL only allows for simple tasks such as e-mail.

Companies need to rethink their networks with this hybrid model in mind and support both IPSec and SSL-not one or the other. A hybrid of SSL and IPSec VPN tunneling provides employees with secure external communication in each remote access environment-with and without VPN client software. Employees can either be fully integrated in a centrally-managed IPSec VPN or through a "clientless" company Internet connection.

Network Access Control

Using conventional technologies such as firewalls or intrusion detection is no longer enough to control threats. This is especially true as employees continue to adopt mobility trends. Network Access Control (NAC) features monitor and regulate every single remote access to the company network by identifying each device and checking conformity with the company's security policy.

Security guidelines and parameters are established according to the company's remote access policy. Unknown or suspicious devices (such as devices with expired antivirus software or an unrecognized PDA) are quarantined if they are deemed non-complaint and excluded from the network.

This is an important buffer for organizations-especially for those who have regulatory and compliance rules to which they have to adhere. Without NAC, employees whose devices are non-compliant will access the network and infect it. As the number of remote access users increase, this issue may spiral and cause a bigger problem. NAC features make certain that remote access clients comply with the company's security policy.

For example, they make sure that operating systems are acceptable, required patches are installed, most recent antivirus engines are installed, and the most recent signature is available. Without NAC, a device could damage an entire network, costing the company additional money and time. Consider this feature when you reconsider your remote access policies.

H. Peter Felgentreff is President and CEO of NCP engineering, Inc. Peter has more than 20 years of experience in the enterprise security and software industries. Prior to joining NCP, Peter drove worldwide sales as vice president for Kerio Technologies. He has held similar leadership positions with many prominent security companies including ShieldIP, Zone Labs and Aladdin Knowledge Systems, Inc. He can be reached at

Rocket Fuel