Teleworking. It's a word that tends to evoke strong reactions. Devotees reel off statistics showing that employees working at home or on the road are more productive, while skeptics point to the management difficulties, HR issues and security problems which teleworking inevitably entails.
And stuck in a rather unenviable place in the middle is the network administrator, whose job it is to keep everyone happy by ensuring that teleworkers can be productive by connecting to corporate systems quickly and easily from anywhere in the world, while maintaining security that is as least as tight as that which exists within the perimeter of the organization.
So here's a piece of advice for you if your job includes catering for teleworkers:
Keep It Simple.
In practice, "keep it simple" means creating a template solution, and ensuring that anyone in your company that needs to work remotely conforms to this template. Don't be flexible. No exceptions. If you want to be able to manage and support teleworkers, and to maintain current security levels, then everyone has to conform to the template.
Of course, being inflexible is not an excuse for failing to meet teleworkers needs. It means ensuring that you understand exactly what those needs are, and planning how best to meet them. And once you have defined a solution, it means supplying it to everyone.
So let's look at what a "keep it simple" teleworking solution might actually look like. First of all, it's necessary to understand that there are basically two types of teleworker: home workers, who connect to the corporate network from a single, fixed place, and mobile teleworkers, who need to connect on the road, from an airport Wi-Fi hotspot, or perhaps from a client's office or a hotel broadband connection.Homeworkers Need Standardization
For the home worker, standardize on one type of broadband connection. DSL is the most sensible choice, as it's available almost anywhere, it's cheap, and there's a wide range of equipment that supports it. Connection to the corporate network should be via an Internet VPN, or over a private MPLS network (a MPLS VPN).
Then select a specific firewall router to be the standard piece of equipment issued to teleworkers and make it a condition that teleworkers can only connect to the corporate network if they use this router - supplied by the IT department. Using a single piece of equipment simplifies support and can reduce costs (though bulk buying).
What should the router be like? Again, keep it simple. Avoid wireless routers – they are harder to manage, and thus less secure. And make sure the firewall can be configured and provisioned centrally – i.e. by you or your colleagues. If you can create a suitable configuration file to meet the requirements of your organization and send it down the wire to new teleworkers routers - or to update existing ones - you'll save yourself hours of frustration and wasted time and avoid needless security breaches. All the teleworker has to do is plug the router in and switch it on: you can make sure the firewall and other security features are turned on and correctly applied.
A dose of realism is helpful too. Most teleworkers have a partner, family, or friends who will want to access the Internet, and most teleworkers will also want to surf in their own time. Since you can't stop private use of the DSL connection (prohibition never works), make it easy to separate VPN access from Internet access, and provide Internet users with firewall protection – preferably with stateful inspection (dynamic packet filtering) and content filtering. After all, what's the point in allowing teleworkers to download confidential corporate documents from the office network onto their home computer over an encrypted VPN, if that and other PCs are connected to the Internet permanently over a DSL link and wide open to hackers without adequate firewall protection?
Routers are now available which can manage two separate network connections concurrently on the same DSL line through different user names and passwords, so the teleworker can access the corporate network over the VPN at the same time as other people in the home access the Internet from another computer plugged in to the router. It's recommended that you use them.
Mobile Workers Need Some Flexibility
What about mobile workers? With mobile workers it's not possible to define the connection hardware so rigidly: Connections have to be made using whatever resources are available. But whatever method is employed, teleworkers need to connect securely using a VPN – either SSL or IPSec. Deciding which is the best choice is beyond the scope of this article, but for many handheld devices it is not possible to install an IPSec client, so SSL will be the only effective option.
The key here is to have security policies, and stick to them. It's now possible to have automated user policy enforcement, which can make life simpler. These policies can allow or disallow connectivity to corporate resources based on where the teleworker is connecting from and the connection method, the time of day, what the teleworker is trying to do and the type of resources the teleworker is attempting to access. Make connection via the VPN to the corporate network impossible unless the anti-virus software is running and up to date, the personal firewall is switched on and correctly configured, and data is suitably encrypted, or corral users who fail these tests to a secure area where they can update their virus software of carry out a limited set of tasks which pose no security risk.
It's not possible to make specific recommendations about equipment and software. Since every organization's needs differ, the scale of their teleworking programs, and the types of teleworkers they employ will be different. But do bear these two things in mind: Many factors, including the risk that employees will unable to go to corporate offices for extended periods due to events like terrorist attacks, are driving the need for teleworking facilities to be available to more and more staff Teleworking projects rapidly become unmanageable and pose security risks if they are rolled out on an ad-hoc basis.
Or put another way, teleworking isn't going to disappear. So work out exactly what teleworkers in your organization need, standardize the equipment you supply them with, apply security policies automatically, and you'll save your organization a lot of time, money and hassle.