Remote Access Management Policy for Information Systems
This policy defines standards for connecting to YOUR COMPANY's network from any host. These standards are designed to minimize the potential exposure of YOUR COMPANY to damages that may result from unauthorized use of YOUR COMPANY resources. Damages include the loss of sensitive or company-confidential data and intellectual property, damage to public image, damage to critical YOUR COMPANY internal systems, etc.
2. Scope
This policy applies to YOUR COMPANY and to its employees, contractors, vendors and agents who connect to the YOUR COMPANY network, whether from computers located on your network or from their own computers. This policy covers remote access connections to YOUR COMPANY resources, including reading and sending e-mail and viewing intranet resources.
Remote access implementations covered by this policy include, but are not limited to, dial-up modems, Frame Relay, ISDN, DSL, VPN, SSH, wireless access points, cable modems, etc.
3. Rogue Modems and Wireless Access Points
The best firewall on the market won't protect you if you maintain scores of unprotected modems and wireless access points open to the outside world within the confines of your office. With what they believe to be the best of intentions, workers will sometimes hook up unauthorized modems to their workstations to avoid your officially sanctioned dial-in mechanism and make it easier for them to access their desktop data. IT employees who should be familiar with the dangers of such configurations will often plant a modem (with a publicly accessible incoming phone line attached) on a server to allow for access by an outside vendor. Whatever the cause of these unauthorized access mechanisms, it is imperative that organizations carefully control the extent to which modems are used to allow for remote access to your systems. All external access to networks, systems and data should be done through a centrally administered, tested and sanctioned remote access solution. Policy should exist that prohibits the establishment of any unauthorized inroads to your systems and any discovered mechanisms of this sort should be removed immediately.
1. It is the responsibility of YOUR COMPANY employees, contractors, vendors, and agents with remote access privileges to YOUR COMPANY’s corporate network to ensure that their remote access connection is given the same consideration as their on-site connection to YOUR COMPANY.
2. General access to the Internet for recreational use by immediate household members through the YOUR COMPANY network on personal computers is permitted for employees who have flat-rate services. You are responsible for ensuring that family members do not violate any YOUR COMPANY policies, perform illegal activities, or use the access for outside business interests. You bear responsibility for the consequences should the access be misused.
3. Please review the following policies for details of protecting information when accessing the corporate network remotely, and for acceptable use of YOUR COMPANY’s network:
a. Encryption Policy
b. Virtual Private Network (VPN) Policy
c. Wireless Communications Policy
d. Acceptable Use Policy
4. For additional information regarding YOUR COMPANY’s remote access connection options, including how to order or disconnect service, cost comparisons, troubleshooting, etc., refer to the Remote Access Services Website.
1. YOUR COMPANY strictly controls secure remote access to YOUR COMPANY networks. YOUR COMPANY enforces control via one-time password authentication or public/private keys with strong passphrases. For information on creating a strong passphrase see the Password Policy.
2. Never provide a login or email password to anyone, not even family members.
3. You must ensure that your YOUR COMPANY-owned or personal computer or workstation, which is remotely connected to YOUR COMPANY’s corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under your complete control.
4. Do not use non-YOUR COMPANY email accounts (e.g., Hotmail, Yahoo, AOL), or other external resources to conduct YOUR COMPANY business. This will help ensure that official business is never confused with personal business.
5. Routers for dedicated ISDN lines configured for access to the YOUR COMPANY network must meet minimum authentication requirements of CHAP.
6. Reconfiguring your home equipment for the purpose of split-tunneling or dual homing is not permitted at any time.
7. Frame Relay links must meet minimum authentication requirements of DLCI standards.
8. Non-standard hardware configurations must be approved by Remote Access Services, and YOUR COMPANY must approve security configurations for access to hardware.
9. All hosts remotely connected to YOUR COMPANY internal networks, including PCs, must use the most up-to-date anti-virus software (place URL to corporate software site here). Third-party connections must comply with requirements stated in the Third Party Agreement.
10. Any personal equipment that you use to connect to YOUR COMPANY’s networks must meet the requirements of YOUR COMPANY-owned remote access equipment.
11. Organizations or individuals who wish to implement non-standard remote access solutions to the YOUR COMPANY production network must obtain prior approval from Remote Access Services and YOUR COMPANY.
Any employee violating this policy may be subject to disciplinary action, up to and including termination of employment.
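Requirement 5 above calls for CHAP on ISDN routers, and the definitions below describe CHAP only as "an authentication method that uses a one-way hashing function". The following is an added example, not part of this policy and not any vendor's router code, that walks through one CHAP round as specified in RFC 1994: the authenticator (the access router) issues a random Challenge with a one-octet Identifier, the peer answers with MD5(Identifier || secret || Challenge), and the router recomputes the hash to decide Success or Failure. The shared secret and all packet contents are constructed for illustration; the `Authenticator`, `Peer` and `run_handshake` names are this example's own.

```python
# Added example for this page: a minimal CHAP (RFC 1994) exchange between an
# access router (authenticator) and a remote peer. Illustrative code only,
# not the policy's own or any vendor's implementation; the shared secret and
# packet contents are constructed.
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed shared secret, provisioned out of band on both ends.
# CHAP never transmits it; only a hash over it crosses the link.
SHARED_SECRET = b"constructed-shared-secret-for-illustration"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994, section 4.1: Response = MD5(Identifier || secret || Challenge).

    The Identifier is a single octet that ties a Response to its Challenge.
    """
    if not 0 <= identifier <= 0xFF:
        raise ValueError("CHAP Identifier must fit in one octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


@dataclass
class Authenticator:
    """The side that owns the link and issues challenges (e.g. the access router)."""
    secret: bytes
    next_identifier: int = 0
    # Challenges still waiting for a response, keyed by Identifier.
    outstanding: Dict[int, bytes] = field(default_factory=dict)

    def new_challenge(self, length: int = 16) -> Tuple[int, bytes]:
        """Issue a fresh, unpredictable Challenge; a new value every time."""
        self.next_identifier = (self.next_identifier + 1) & 0xFF
        challenge = secrets.token_bytes(length)
        self.outstanding[self.next_identifier] = challenge
        return self.next_identifier, challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        """Check a Response. Each challenge is consumed on first use, so a
        captured Response cannot be presented twice for the same challenge."""
        challenge = self.outstanding.pop(identifier, None)
        if challenge is None:
            return False  # unknown Identifier, or challenge already used
        expected = chap_response(identifier, self.secret, challenge)
        return secrets.compare_digest(expected, response)


@dataclass
class Peer:
    """The remote side (e.g. a home ISDN router) holding the same secret."""
    secret: bytes

    def answer(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self.secret, challenge)


def run_handshake(authenticator_secret: bytes, peer_secret: bytes) -> bool:
    """One full Challenge -> Response -> Success/Failure round."""
    router = Authenticator(authenticator_secret)
    peer = Peer(peer_secret)
    identifier, challenge = router.new_challenge()   # router -> peer: Challenge
    response = peer.answer(identifier, challenge)     # peer -> router: Response
    return router.verify(identifier, response)        # router decides Success/Failure


if __name__ == "__main__":
    print("matching secrets  :", run_handshake(SHARED_SECRET, SHARED_SECRET))
    print("mismatched secrets:", run_handshake(SHARED_SECRET, b"wrong"))
```

The point the one-way hash buys is that the secret itself never crosses the ISDN or Frame Relay link and each Challenge is used once. It does not make the secret unguessable: anyone who records a Challenge/Response pair can test candidate secrets offline against the MD5 value, which is why the Password Policy's strong-passphrase requirement referenced in item 1 applies to CHAP secrets as well.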
Cable Modem - Cable companies provide Internet access in their service areas over cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 1.5 Mbps.
CHAP - Challenge Handshake Authentication Protocol is an authentication method that uses a one-way hashing function.
DLCI - Data Link Connection Identifier is a unique number assigned to a Permanent Virtual Circuit (PVC) endpoint in a Frame Relay network.
Dialup Modem - A peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates digital data into analog signals for transmission, and then demodulates the signals back into digital format to be read by the receiving computer.
Dual Homing - Having concurrent connectivity to more than one network from a computer or network device. Examples include:
- Being logged into the corporate network via a local Ethernet connection, and dialing into AOL or another Internet service provider (ISP).
- Being on a YOUR COMPANY-provided remote access home network, and connecting to another network, such as a spouse’s remote access.
- Configuring an ISDN router to dial into YOUR COMPANY and an ISP, depending on packet destination.
Frame Relay - A method of communication offered by telephone companies that features a flat-rate billing structure and a variety of transmission speeds.
ISDN - Integrated Services Digital Network service comes in two types. Basic Rate Interface (BRI) is used for home office/remote access. Primary Rate Interface (PRI) is more often used for corporate Internet connectivity.
Remote Access - Any access to a private network through a non-private network, device, or medium.
Split-tunneling - Simultaneous direct access to another network (such as the Internet, or a home network) from a remote device (PC, PDA, WAP phone, etc.) while remotely connected to a corporate network via a VPN tunnel.
VPN - Virtual private networking enables a secure private network connection over a public network such as the Internet using “tunneling” technology.
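Requirement 6 prohibits split-tunneling and dual homing, and the definitions above describe both only in words. As an added example (not part of this policy and not any remote access product's own check), the script below shows how a host posture check could read a Linux routing table and flag the two conditions: a split tunnel is inferred when a VPN interface (`tun*`, `tap*`, `wg*`) is up but the preferred default route still leaves through a non-VPN interface; dual homing is inferred when more than one non-VPN interface carries routes. The routing-table text is constructed to resemble `ip route show` output, the interface-name prefixes and the route-metric heuristic are this example's assumptions, and real deployments would run the check against live output rather than the embedded samples.

```python
# Added example for this page: a heuristic posture check that reads Linux
# `ip route show` output and reports split-tunneling or dual homing as the
# policy's definitions describe them. The sample tables are constructed;
# interface prefixes and the lowest-metric-default rule are assumptions.
import re
from dataclasses import dataclass
from typing import List, Optional

# Interface name prefixes assumed to be VPN tunnels on this host.
VPN_PREFIXES = ("tun", "tap", "wg")

# Matches e.g. "default via 192.0.2.1 dev eth0 proto dhcp metric 100"
# and "10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2".
ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)(?:.* metric (?P<metric>\d+))?"
)


@dataclass
class Route:
    dst: str
    dev: str
    via: Optional[str]
    metric: int


def parse_routes(text: str) -> List[Route]:
    """Turn `ip route show` text into Route records; unknown lines are skipped."""
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if m is None:
            continue  # e.g. 'unreachable'/'blackhole' entries we do not model
        routes.append(Route(m["dst"], m["dev"], m["via"], int(m["metric"] or 0)))
    return routes


def is_vpn(dev: str) -> bool:
    return dev.startswith(VPN_PREFIXES)


def assess(text: str) -> List[str]:
    """Return a list of findings; an empty list means neither condition was seen."""
    routes = parse_routes(text)
    # The kernel prefers the default route with the lowest metric.
    defaults = sorted((r for r in routes if r.dst == "default"), key=lambda r: r.metric)
    vpn_ifaces = {r.dev for r in routes if is_vpn(r.dev)}
    other_ifaces = {r.dev for r in routes if not is_vpn(r.dev) and r.dev != "lo"}

    findings = []
    if vpn_ifaces and defaults and not is_vpn(defaults[0].dev):
        findings.append(
            f"split-tunnel: default route via {defaults[0].dev} "
            f"while VPN interface(s) {sorted(vpn_ifaces)} are up"
        )
    if len(other_ifaces) > 1:
        findings.append(f"dual-homed: routes on {sorted(other_ifaces)}")
    return findings


# Constructed sample tables (documentation address ranges, not real hosts).
FULL_TUNNEL = """
default via 10.8.0.1 dev tun0 metric 50
default via 192.0.2.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
198.51.100.7 via 192.0.2.1 dev eth0
"""

SPLIT_TUNNEL = """
default via 192.0.2.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
172.16.0.0/12 via 10.8.0.1 dev tun0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
"""

DUAL_HOMED = """
default via 192.0.2.1 dev eth0 proto dhcp metric 100
default via 198.51.100.1 dev wlan0 proto dhcp metric 600
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
198.51.100.0/24 dev wlan0 proto kernel scope link src 198.51.100.20
"""

if __name__ == "__main__":
    for name, table in [("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL), ("dual homed", DUAL_HOMED)]:
        print(f"{name:13}: {assess(table) or ['compliant']}")
```

In the full-tunnel sample the only route that bypasses `tun0` is the host route to the VPN server itself, which every tunnel needs, so the check stays quiet; the other two tables trigger one finding each. A production check would also have to account for the `0.0.0.0/1` plus `128.0.0.0/1` pair some VPN clients install instead of replacing the default route.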