6

Our network admin has requested that a single remote employee purchase a separate modem in their house for "work" traffic. I question if this is a legitimate security practice of any kind especially because other employees access company resources from home all the time using their shared home ISP.

The one difference between this user and others is that they have a Cisco IP phone. However, with encryption enabled, I don't see how having a separate modem enhances security, except the network won't have other devices on it assuming the user is compliant. However the Cisco phone uses VPN which I think takes care of isolating the traffic.

Is asking a user to have two separate modems, one for leisure and one for work, a legitimate security request that enhances security, or does this not really improve security at all?

J K

4 Answers

3

I think there are many factors that could make it a legitimate request:

  • other people in the home who might need network segregation
  • load balancing
  • old equipment (getting a newer modem)
  • VPN configurations

I, myself, have made the same request to a certain remote employee to ensure separation of use within that employee's home. Sometimes it's simply to ensure that the work traffic is not competing with heavy home traffic.

Edit

Public networks are public networks, whether they are the Internet or a home network. If your company has controls in place to securely traverse the Internet, then they should have the same controls on a home network, all things being equal. But, at home, not all things are equal. Home users have physical access to endpoints. That can change the risk model, depending on the situation.

schroeder
  • That sounds like a quality of service issue, not a security issue. But possibly I need to clarify: he is asking the end user to have an entirely different internet connection for "security" reasons. As someone who has some basic understanding of VPN security and encryption, I don't see how this is any more secure, but perhaps I'm missing something? – J K Sep 17 '14 at 00:12
  • "I, myself, have made the same request to a certain remote employee *to ensure separation* of use within that employee's home." How does this ensure separation? What prevents another user in the home from using this same separate connection? What prevents the user from connecting other devices to this same separate connection? Unless you're also deploying a corporate owned and controlled router at the end point, you haven't really ensured anything except that the employee now has a higher monthly internet bill. – k1DBLITZ Sep 18 '14 at 13:38
1

Just to clarify, when you say modem - do you mean just that? Or do you mean router or modem/router?

Without a deeper understanding of the infrastructure on the employers end, I honestly don't see how having a separate modem will increase security. It's more important that split tunneling is disabled on the VPN client.

Most modern home class routers allow one to create separate network segments or DMZs.

Asking a home user to have an entirely separate internet connection for "security reasons" is asinine. What prevents anyone besides the employee from plugging into this internet connection? What prevents the employee from using this separate internet connection for leisure activities?

Unless the employer is also deploying a corporate owned and controlled router in the employee's home on this separate internet connection, they haven't really separated anything. All they've done is put an unnecessary financial burden on the employee.

k1DBLITZ
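The answer above makes the point that whether split tunneling is disabled on the VPN client matters more than whether the modem is shared. One way to check that from the client side is to read the routing table and confirm that the effective default route leaves through the tunnel interface. The script below is an added example, not code from the question or any of the answers; it parses constructed `ip route show` snapshots (the interface names `tun0`/`wlan0`, the addresses, and the VPN concentrator address 203.0.113.10 are all made up for illustration) and reports whether traffic is fully tunnelled. It also handles the common OpenVPN `redirect-gateway def1` layout, where the original default route stays in place but is overridden by two more-specific `/1` routes via the tunnel.

```python
import re

# Constructed `ip route show` snapshots (not real captures) from a laptop whose
# VPN interface is tun0 and whose home Wi-Fi interface is wlan0.

# Full tunnel: lowest-metric default route goes via tun0; only the VPN server
# itself (203.0.113.10, placeholder) is reached directly over wlan0.
FULL_TUNNEL = """\
default via 10.8.0.1 dev tun0 metric 50
default via 192.168.1.1 dev wlan0 metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.12
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Split tunnel: only the corporate range goes via tun0, everything else
# (including a pushed extra prefix) leaves through the home router.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.12
172.16.0.0/12 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
198.51.100.0/24 via 192.168.1.1 dev wlan0
"""

# OpenVPN "redirect-gateway def1": the wlan0 default remains, but 0.0.0.0/1 and
# 128.0.0.0/1 via tun0 are more specific and together cover the whole space.
OPENVPN_DEF1 = """\
default via 192.168.1.1 dev wlan0 metric 600
0.0.0.0/1 via 10.8.0.5 dev tun0
128.0.0.0/1 via 10.8.0.5 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)(?P<rest>.*)$")


def parse_routes(text):
    """Turn `ip route show` lines into dicts with dst, gw, dev, metric, kernel."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        metric = re.search(r"\bmetric (\d+)", m.group("rest"))
        routes.append({
            "dst": m.group("dst"),
            "gw": m.group("gw"),
            "dev": m.group("dev"),
            "metric": int(metric.group(1)) if metric else 0,
            # link routes added by the kernel for a directly attached subnet
            "kernel": "proto kernel" in m.group("rest"),
        })
    return routes


def effective_default(routes):
    """The default route the kernel would actually use: lowest metric wins."""
    defaults = [r for r in routes if r["dst"] == "default"]
    return min(defaults, key=lambda r: r["metric"]) if defaults else None


def split_tunnel_report(text, tunnel_iface="tun0"):
    """Report whether all non-local traffic is forced through tunnel_iface."""
    routes = parse_routes(text)
    default = effective_default(routes)
    # def1-style override: both halves of the address space via the tunnel
    halves = {r["dst"] for r in routes
              if r["dev"] == tunnel_iface and r["dst"] in ("0.0.0.0/1", "128.0.0.0/1")}
    full_tunnel = (default is not None and default["dev"] == tunnel_iface) or len(halves) == 2
    # Prefixes deliberately routed around the tunnel. Kernel link routes (the
    # home LAN itself) and /32 host routes (the VPN server) are expected.
    bypass = sorted(r["dst"] for r in routes
                    if r["dev"] != tunnel_iface and r["dst"] != "default"
                    and not r["kernel"] and "/" in r["dst"])
    return {
        "full_tunnel": full_tunnel,
        "default_dev": default["dev"] if default else None,
        "bypass_prefixes": bypass,
    }


if __name__ == "__main__":
    for name, snapshot in [("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL), ("def1", OPENVPN_DEF1)]:
        print(name, split_tunnel_report(snapshot))
```

A client-side check like this only confirms the routing state at the moment it runs; it says nothing about what the VPN server enforces, so it complements rather than replaces a server-side policy that refuses split-tunnel configurations.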
0

There is legitimate security value in this configuration, if implemented properly. Whether that value exceeds the cost and complexity would have to be determined on a case-by-case basis.

The security value is this: If work devices (work PC, phone) are on a physically separate network, the devices themselves cannot be attacked by other devices in the home that may be infected and behaving maliciously. It's not necessarily the traffic that is being protected (that's taken care of by a VPN, as you mentioned) but the devices that are generating the traffic. If you can own the computer or phone, then you have the data before it's encrypted, and potentially even the ability to pivot into the corporate network.

This is similar to not allowing people to bring personally owned devices into work and attach them to the network, but at home for a remote employee it has a bit more value in that you generally won't have visibility into their home network. There's likely no IDS running there, and there are certainly no alerts coming into the NOC if their laptop is being attacked by their download-happy teenager's gaming box. The easiest way to ensure this can't happen is to put the work devices on a physically separate network stack.

Xander
  • Regarding attacks by other devices on the network, the laptop's firewall protects against that. And in case of a compromised router, many VPNs force all traffic to go through the VPN, so the router cannot tamper with it. – paj28 Sep 18 '14 at 07:49
  • @paj28 Endpoint firewalls aren't perfect, and devices like phones won't have that protection at all. – Xander Sep 18 '14 at 11:57
0

In concept it is a worthy proposal, but it takes some thought and effort to become effective. If the IT staff demands this, the company must also pay for it; otherwise the user will get the cheapest line and modem/router available, and cheap often means insecure in some way. It is inviting a weakest-link situation.

Just a separate connection without controlling, monitoring and securing the CPE (the (DSL?) modem) and user device(s) makes little sense. The CPE should also support pre-boot and link-layer authentication of some sort. By illustration, I've scanned an off-the-shelf SOHO Wi-Fi router and found it permits not so advanced DNS attacks. Great for hijacking connections.

Encryption is by no means a guarantee for security. It offers privacy and uniqueness (non-repudiation), that's it. If at one end of the connection a device is compromised, encryption can even be a threat, since it can prevent in-flight detection of the threat.

Good endpoint protection goes a long way and is essential to someone working from home, more than having them use a dedicated connection. That's my take on this, of course.