[SASAG] Creating Laptop Policies for an organization

Kurt Buff kurt.buff at gmail.com
Fri Mar 21 13:16:35 PDT 2008

Currently, we have AV (McAfee, bletch!) on all laptops, and ZoneAlarm
(I'm getting to the bletch! stage with this as well, more on that
momentarily), and for those few who reside in other states and only
come into the office a couple of times a year we do a tuneup before
they connect to the corporate network. I'm working towards getting rid
of McAfee in favor of either NOD32 or Kaspersky, and will be looking
at alternatives to ZoneAlarm as well. The reason I don't like
ZoneAlarm is that it will frequently pop up a windows asking the user
to update to a new version - and while I like the idea, it wipew out
the carefully crafted settings we put together for the machines, and
then the users have to be hand-held while re-importing those settings.
What's worse is that those settings are not easy to import, really.
It's a hack.

For both local staff with laptops and remote users, we have set up
mobile IPSec clients that works with our (soon-to-be-replaced)
firewall, but that gives them real presence on our network, and isn't
very controllable, so I feel pretty naked, especially since the local
users' laptops don't get any more inspection than local desktops do.

This is, of course, not ideal.

I have a cunning plan...

I'm implementing SSL-Explorer (community edition - may go to
enterprise edition if necessary), and put all wireless access outside
the firewall, in a DMZ. That's where they will live - and if necessary
I'll put the network jacks there, too.

What SSL-Explorer will give us is the ability to publish applications
via a web page and Java, tunneling over SSL. It only requires a
reasonably current web browser and a JRE on the client, so I can
support home users, as well road warriors, by exposing web sites,
TS/RDP sessions and Windows file shares, and perhaps other apps, in a
secure manner.

What makes this doable for *us* is that we have Exchange 2003 - and
RPC/HTTPS. This allows folks with Outlook 2003 or later to synchronize
with the Exchange server to a local OST file (much different in
function, though similar in structure, to a PST file). For other mail
backends, securing POP3/IMAP4 access is of course a well-known
procedure, but until recently we'd been on Exchange 5.5, with nothing
like the RPC/HTTPS, and the web interface was really
old/creaky/crappy. And, while the Exchange 2003 web client is much
better, it's not the same as a real Outlook session.



On Fri, Mar 21, 2008 at 11:34 AM, Eric Kahklen <eric at kahklen.com> wrote:
> I am wondering what type of solutions people have used for their road
>  warriors who use laptops (Windows XP).  How do you keep them secure?
>  Make sure their "clean" before allowed to be connected to the network?
>  Deal with data synchronization?  I am sure there are many more
>  questions, but I just need a place to start.  Currently all my users use
>  standard workstations and no personal laptops or computers are allowed
>  on the production network.  We are a non-profit so keeping the costs low
>  are important.
>  Thanks!
>  --
>  Eric Kahklen
>  Lynnwood, WA
>  206-595-2934
>  _______________________________________________
>  Members mailing list
>  Members at lists.sasag.org
>  http://lists.sasag.org/mailman/listinfo/members

More information about the Members mailing list