Remote Access Domain Policies

The Remote Access domain refers to the technology that controls how end users connect to an organization’s LAN remotely. An example is someone needing to connect to the office network from his or her home or on the road.

Security standards in this domain focus on remote user authentication and secure connections. Creating a remote computing environment that is secure is a challenge. Beyond authentication and connectivity, you need to secure the remote device. Some standards require all remote users to use employer-owned laptops. This allows the organization to control the remote device itself. These types of business choices drive what standards you see in this domain.

Control Standards

The Remote Access domain standards include standards related to VPN connections and multifactor authentication. For example, a virtual private network standard describes the security requirements for establishing an encrypted session. The following are examples of control statements you might find in this standard. They are adapted from the SANS Institute’s “Virtual Private Network Policy” document:

  • Employees with VPN privileges must not share their VPN credentials, which grant access to the organization’s internal networks, with unauthorized users.
  • VPN use must be controlled using one-time password authentication. This may include a token device or a public/private key system with a strong passphrase.
  • VPN users will be automatically disconnected from the organization’s network after 30 minutes of inactivity.

Other Remote Access domain policies include physical and technical standards. Physical standards might outline the policies for working from home. These policies might require users to lock up company documents at home and ban family members from access to company assets. Other technical security standards might include the need for two-factor authentication.

Baseline Standards

The control standards establish the broad requirements. Often in this domain, there are multiple technologies involved in establishing a secure connection with a remote user. Here are a few examples of standards that focus on configuration:

  • VPN Gateway Options and Requirements Standard—Outlines the security configuration features for the specific VPN concentrators used by the organization
  • VPN Client Software Options and Requirements Standard—Outlines the security configuration features for the specific VPN remote client software
  • RADIUS Server Security Requirements Standard—Describes the security configuration of the Remote Authentication Dial In User Service (RADIUS)
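As an added example that is not part of the textbook, the following script shows how the VPN control statements above (one-time-password authentication, 30-minute inactivity disconnect) can be turned into an automated baseline check of a gateway configuration. The `vpn <key> <value>` line syntax, the sample configurations and the accepted authentication method names are assumptions, not any vendor's real format.

```python
# Added example: check a VPN gateway configuration against the control standard.
# The "vpn <key> <value>" syntax and method names below are assumed, not a real
# vendor format; both sample configurations are constructed for illustration.
MAX_IDLE_MINUTES = 30                                       # from the control standard
ACCEPTED_AUTH = {"otp-token", "pubkey-passphrase", "mfa"}   # one-time or key-based

# Constructed samples: a weak configuration and its corrected counterpart.
WEAK_CONFIG = """\
vpn idle-timeout 0
vpn auth password
"""
HARDENED_CONFIG = """\
vpn idle-timeout 30
vpn auth otp-token
"""


def parse_config(text: str) -> dict:
    """Parse 'vpn <key> <value...>' lines into a dict, ignoring blanks and comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "vpn":
            settings[parts[1]] = " ".join(parts[2:])
    return settings


def check_config(settings: dict) -> list:
    """Return one finding per control statement the configuration violates."""
    findings = []
    idle = settings.get("idle-timeout")
    # A missing, non-numeric or zero timeout means idle sessions are never dropped.
    if idle is None or not idle.isdigit() or int(idle) == 0:
        findings.append("idle-timeout: no inactivity disconnect configured")
    elif int(idle) > MAX_IDLE_MINUTES:
        findings.append(f"idle-timeout: {idle} min exceeds {MAX_IDLE_MINUTES} min")
    auth = settings.get("auth", "none")
    if auth not in ACCEPTED_AUTH:
        findings.append(f"auth: '{auth}' is not one-time-password or key-based")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_config(parse_config(cfg)) or ["compliant"])
```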

NOTE

RADIUS is a networking protocol for centralized authentication, authorization, and accounting (AAA) for computers to connect to and use a network service. RADIUS is often used by Internet service providers (ISPs) and organizations to manage access to networks. There are newer protocols like Terminal Access Controller Access Control System Plus (TACACS+) that might be better choices than RADIUS.

Procedures

Procedures in this domain are useful to remote users and those responsible for supporting that environment. Because you have a diverse set of users remotely accessing your network from anywhere in the world, support procedures need to be clear and concise. One example is a VPN Configuration and Support Guide, which lists the configuration settings and steps to debug a VPN connection.

Guidelines

Guidelines for implementing control standards are useful to network administrators and access administrators who have responsibilities for remote access. These guidelines may outline various remote computing environments, such as working from home and methods of security. Remote Access domain guidelines often reinforce security awareness training.
