Posted Sep 12, 2004 05:16 pm CDT
“We wanted to allow remote access to internal documents from home machines, laptops, kiosks and machines all over the world,” says Richard Hurlburt, director of technology with the McLane Law Firm in Manchester, N.H. “But we were concerned that we didn’t know what shape those machines would be in.”
The problem is that when workers log on to a firm’s network from a remote location like home, a coffee shop or hotel, spyware and viruses that have invaded those remote computers can sneak into a firm’s systems. Hurlburt’s fear was split tunneling, which allows remote users to use the Net at the same time they access their company’s network and which hackers have exploited.
The solution may be an SSL-based virtual private network, which allows remote access while hopefully keeping out hackers. SSL is the standard type of security that banks use to protect online transactions. A virtual private network is the software used to make sure that only authorized people can log on to a network.
Until recently, virtual private networks typically used a technology called IP Sec, but that is slowly losing ground to SSL-based systems. IP Sec, however, is still preferred for connecting large offices to one another.
“IP Sec is hard to install and maintain,” says Carl Mirsky, senior security network engineer with Microtek, a Milwaukee-based technology-consulting firm. “It’s just too complex for the average user, and even many IT staffs, to maintain.”
One feature of SSL virtual private networks is the capability to check out a computer trying to log into the network. If it finds a computer is insecure or has been infected with a virus, that computer can be automatically shut out or given only limited access to the network.
The system can define who has access depending on who they are, where they are and what type of computers or devices they are logging in from. Those logging in from an insecure location might be given access to a limited number of applications, such as only their e-mail account. However, though such features can protect a network, they can add to the complexity of a system.
According to the 2003 ABA Legal Technology Survey, 68 percent of respondents already have some sort of remote-access software. Yet, only 53 percent reported using security software to block hackers.
“More and more hackers are going to figure out that instead of going after individuals or corporations, they can target law firms’ client information,” says Ben Sherwood, a personal security adviser in Milwaukee. Sherwood recommends law firms take three precautions when setting up remote access:
• Have a virtual private network with strong authentication policies and complex passwords.
• Have minimal security measures like firewall software, anti-virus software and automatic system updates for all remote systems.
• Set limits or authorization policies based on the integrity and security of the access points being used.
“The airport Internet café might be fine for checking e-mail but should never be used to access sensitive client information,” he says.
Remote access can be a great benefit from a practical as well as a morale standpoint. Hurlburt, who eventually chose an SSL-based system made by Netilla, says about 100 employees now use the remote-access system. “The important thing is that our lawyers can work after hours and still have a life.”