Remote Access Policy

1.0 Overview
This remote access policy defines standards for connecting to the organizational network and security standards for computers that are allowed to connect to the organizational network.

This remote access policy specifies how remote users can connect to the main organizational network and the requirements for each of their systems before they are allowed to connect. This will specify:

  1. The anti-virus program remote users must use and how often it must be updated.
  2. What personal firewalls they are required to run.
  3. Other protection against spyware or other malware.

The remote access policy defines the methods users can use to connect remotely such as dial up or VPN. It will specify how the dial up will work such as whether the system will call the remote user back, and the authentication method. If using VPN, the VPN protocols used will be defined. Methods to deal with attacks should be considered in the design of the VPN system.

2.0 Purpose
This remote access policy is designed to prevent damage to the organizational network or computer systems and to prevent compromise or loss of data.

3.0 Approval
Any remote access using either dial-in, VPN, or any other remote access to the organizational network must be reviewed and approved by the appropriate supervisor. All employees by default will have account settings set to deny remote access. Only upon approval will the account settings be changed to allow remote access.

4.0 Remote Computer Requirements

  1. The anti-virus product called ______________ is required to be operating on the computer at all times in real time protection mode.
    1. The anti-virus product shall be operated in real time on the computer. The product shall be configured for real time protection.
    2. The anti-virus library definitions shall be updated at least once per day.
    3. Anti-virus scans shall be done a minimum of once per week.
    No one should be able to stop anti-virus definition updates and anti-virus scans except for domain administrators.
  2. The computer must be protected by a firewall at all times when it is connected to the internet. Acceptable products include ________________. Several popular choices include Zone Alarm, the Windows XP firewall, and Norton Personal firewall.

5.0 Remote Connection Requirements
The remote user shall use either dial-In or virtual private networking (VPN). Dial-In is typically used when the user in in a local calling area. VPN is typically used when the user would need to dial a long distance number to connect with a dial-in connection. VPN uses a local connection to an internet service provider (ISP) and creates a tunnel through the local ISP connection to the organizational network. This section specifies the requirements for Dial-In and VPN connections.

5.1 Dial-In Requirements

  1. Number check - The dial in settings shall be set to perform one or the other of:
    1. Verify Caller ID to a specific number - Use this option if caller ID is available
    2. Always Call back to a specific number - If the user must connect from a location other than their designated location such as their home, they should use VPN.
  2. Client Check - A requirement that must be set for Dial-In clients is that a firewall must be installed and operational. If the Dial-In client does not meet the criteria, either the connection is not allowed or the client can only access a limited area where they can get the software needed to meet the requirement.
  3. Authentication - For authentication of the user, the dial in connection shall use one of:
    1. MS-CHAP version 2
    2. EAP-RADIUS
    3. EAP-TLS
    4. EAP-MD5-Challenge
  4. Connection Encryption - This requirement will depend on the data you expect the remote user to be transmitting over the dial-in connection. Typically this should be encrypted especially if the user works for the Finance or Personnel department. The connection shall use one of the following encryption mechanisms:
    1. Microsoft Point to Point Encryption (MPPE)
    2. IPSec

5.2 VPN Requirements

  1. Client Check - A requirement that must be set for VPN clients is that a firewall must be installed and operational. Also Anti-virus software must be installed and operational. If the VPN client does not meet the criteria, either the connection is not allowed or the client can only access a limited area where they can get the software needed to meet the requirement.
  2. The connection choices are PPTP, L2TP, IPSec, and SSL. The connection shall use IPSec which encrypts the data sent through the connection.
  3. Authentication - For authentication of the user, the dial in connection shall use Internet Key Exchange (IKE) with digital certificates. The other choice is Internet Key Exchange (IKE) with a preshared key.