security question - how to secure laptops for when they are out of the office?

Mizugori

while on the network in my office, a sonicwall acts as their firewall. also they have antivirus installed and it is updated daily. however, when the users occasionally bring their laptop home or travel, they are of course not behind the sonicwall anymore and not connected to the server. the antivirus basically is fine IMHO, it just won't be getting updates pushed from the server, but how can i deal with the lack of a firewall? I am hesitant to install a software firewall because won't it cause a million headaches while they are on the network (and thus behind 2 firewalls)? how can i secure them?

thanks!
 
We use Trend Micro AV on all of our computers desktop and mobile. When the users are here in the office we rely on our proxy server for the firewall and when they are on the road the Trend AV takes over for viruses, spyware, malware. Our Trend clients are also configured to check in with our central update server and if it cannot get to the server to go directly to the internet for updates.
 
For my managed antivirus.....I create a special configuration for the laptop users..."road warriors".

Knowing that they can have their laptops away from the central office for periods of time....I build a configuration file for their antivirus, which sets it to pull the updates from the antivirus brand's main public servers. This way...for hours or days or weeks or a year or whatever..if the laptop doesn't come into the office...it is still up to date.

I often open/forward the management ports...and in that config file for the road warriors..the antivirus client looks at the WAN IP address/dns name:custom port...to report into the central AV management server. This way if they're away for a long time..I can still check on the status of their antivirus in the management console.

The same approach above is also viable for them getting their updates..instead of the public update servers, I set the clients to update from WAN IP address/dns name:custom port.
 
i appreciate all of the input but my greater concern is about the lack of a firewall... any thoughts on that part?
 
If you're enforcing the sonicwall client (which uses McAfee), you can turn on and install the firewall portion of McAfee total business protection. In the configuration you can set it so that only the sonicwall admin can change the firewall settings.
 
I guess what I was getting at was that our Trend Client/Server Edition is a firewall. When they are in the office they, I guess you could say, have 2 firewalls and it works just great. When they are on the road the Trend acts not only as an AV but a firewall as well...

Trend Micro
 
i appreciate all of the input but my greater concern is about the lack of a firewall... any thoughts on that part?

For users that take them home to do work...I make sure they're behind a NAT router. No plugging company laptops directly into broadband modems and allowing them to obtain public IP addresses.

For other uses like being a guest on cafes or other offices or hotel networks, etc...not a concern, as they VPN into the office, or connect via RWW/RDP, so their actual traffic into the company network is secured.

There are no shares from the laptops, the local admin password is not blank, naturally nor are domain passwords, standard Windows firewall settings, Microsoft updates are maintained...and that's comfy enough for me.

I will often do a bit more maintenance on other malware tools..such as updating and reimmunizing Spybot.
 
sigh...

If you are licensed to use the sonicwall antivirus enforced client, which it sounds like you are, you can also make use of the desktop firewall that is included. All you need to do is to go into the sonicwall security center. From there you can create a policy that should automatically install the firewall. It also has options on how to configure it. With the enforced client installed the system DOES NOT NEED TO BE CONNECTED TO THE SONICWALL for it to be active.
 
Originally Posted by k1pp3r
soooooo you have a sonic wall. . . . . . .

Quote:
Originally Posted by mizugori
however, when the users occasionally bring their laptop home or travel, they are of course not behind the sonicwall anymore

...

Yeah, but you're still using sonicwall
 
Yeah, but you're still using sonicwall

I don't get your point... if I have a laptop, and while in my office I am accessing the internet via a switch which gets the internet from the sonicwall, I'm protected. If I take that laptop home and use the internet, I'm no longer behind the sonicwall... I never said the users were using a VPN or anything to go back into the office.

sigh...

If you are licensed to use the sonicwall antivirus enforced client, which it sounds like you are, you can also make use of the desktop firewall that is included. All you need to do is to go into the sonicwall security center. From there you can create a policy that should automatically install the firewall. It also has options on how to configure it. With the enforced client installed the system DOES NOT NEED TO BE CONNECTED TO THE SONICWALL for it to be active.

that is interesting, I was not aware of the feature. I'll look into it
 
Personally I think it's a good idea to have a software firewall running on all PCs on a network including those behind a firewall. You never know when a rogue laptop will get plugged into your network.
I have windows firewall enabled on all machines. It ain't the greatest but it prevents incoming crap from hitting the pc. I suggest enabling it on one or 2 laptops at a time and dealing with any port issues that you may come across. Soon enough you'll know what you need to do on all machines. On our network simply enabling the file and printer sharing exception works for most.
 
I don't get your point... if I have a laptop, and while in my office I am accessing the internet via a switch which gets the internet from the sonicwall, I'm protected. If I take that laptop home and use the internet, I'm no longer behind the sonicwall... I never said the users were using a VPN or anything to go back into the office.

I get the point, i'm just being an arse cause you're using a sonicwall
 
Could run Vista if it's an option, which recognizes the Domain network and enforces whatever firewall policy is on the domain (i.e. firewall off) and recognizes public networks and re-enables it.
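
The two posts above (Windows Firewall on every machine with a file and printer sharing exception, and per-network firewall profiles) can be combined into one baseline. The script below is an added example, not something posted in the thread; it assumes the NetSecurity cmdlets of Windows 8 / Server 2012 or later, an elevated prompt, and the English rule-group name, and the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: location-aware Windows Firewall baseline for roaming laptops.
# Assumption: NetSecurity module present (Windows 8 / Server 2012 or later).

$ShareGroup = 'File and Printer Sharing'   # English display name (assumption)

function Set-RoamingFirewallBaseline {
    # Firewall stays on in every profile, so the laptop is also covered
    # against other machines on the office LAN, not only away from it.
    Set-NetFirewallProfile -Profile Domain,Private,Public `
        -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

    # The sharing exception applies only while the domain is reachable.
    # On home, hotel or cafe networks the same rules are simply not in effect.
    Set-NetFirewallRule -DisplayGroup $ShareGroup -Profile Domain -Enabled True

    # Record dropped inbound packets on untrusted networks for later review.
    Set-NetFirewallProfile -Profile Private,Public -LogBlocked True
}

function Get-RoamingFirewallReport {
    # Which profile Windows has chosen for each connected network right now.
    $networks = Get-NetConnectionProfile |
        Select-Object InterfaceAlias, Name, NetworkCategory

    # Profile state: a disabled profile or an Allow default is a finding.
    $profiles = Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, LogBlocked

    # Sharing rules still enabled outside the Domain profile.
    $exposed = Get-NetFirewallRule -DisplayGroup $ShareGroup |
        Where-Object {
            $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and
            ($_.Profile -eq 'Any' -or "$($_.Profile)" -match 'Private|Public')
        } | Select-Object DisplayName, Profile

    [pscustomobject]@{
        ActiveNetworks    = $networks
        Profiles          = $profiles
        SharingOffDomain  = $exposed
        Compliant         = -not ($profiles | Where-Object {
                                $_.Enabled -ne 'True' -or
                                $_.DefaultInboundAction -ne 'Block' }) -and
                            -not $exposed
    }
}

Set-RoamingFirewallBaseline
Get-RoamingFirewallReport | Format-List
```

Running it on one or two laptops first, as suggested above, shows which other exceptions the Domain profile needs before the baseline goes to the whole fleet.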
 
Really, I think you aren't addressing one of the key issues here. Laptop theft. It's not as uncommon as you may think. You really need to look into some proper precautions rather than worrying about av definitions that might be a day old. Check out TrueCrypt and other software like it and consider deploying it if you deal with any remotely sensitive information.
 
Really, I think you aren't addressing one of the key issues here. Laptop theft. It's not as uncommon as you may think. You really need to look into some proper precautions rather than worrying about av definitions that might be a day old. Check out TrueCrypt and other software like it and consider deploying it if you deal with any remotely sensitive information.

If you deal with that, it should NOT be on the laptop, but on a file server with a secure VPN connection to it.
 
Yeah but you can't stop users from storing things locally. Everything at my work that is not in the data center, is encrypted with Safeboot. However, I am in no way recommending Safeboot - we hate it.
 
If you deal with that, it should NOT be on the laptop, but on a file server with a secure VPN connection to it.

Sure, it should be, assuming that the proper infrastructure is available. However, since he's dealing with Sonicwall and worrying about av updates when not connected to the lan, it isn't a huge leap to think that there is no vpn or central file repository in place. Disk Encryption is the best low-user impact, low-cost solution in this case.
 
Sure, it should be, assuming that the proper infrastructure is available. However, since he's dealing with Sonicwall and worrying about av updates when not connected to the lan, it isn't a huge leap to think that there is no vpn or central file repository in place. Disk Encryption is the best low-user impact, low-cost solution in this case.

yeah, sonicwall's vpn client is really bad, but just thought i would put that out there as HOW it should be done
 