My company uses a Cisco Systems' Cisco VPN 3000 Series Concentrator. I've found out that employees who know the Cisco group password are installing the VPN client at home and logging on to our network from their home machines. I use Windows NT authentication, and disabling remote access in the employees' user accounts doesn't prevent this type of access. My primary concern is security; I wouldn't consider this behavior a problem if I could enforce firewall usage on these employees' home systems. How can I safeguard our network in this situation?
You can use the Cisco VPN 3000 Series Concentrator to enforce firewall usage on the users' home machines. The Cisco Authentication Group Configuration menu's Client FW section contains several options for doing so. The easiest option to enable is a push policy for the Cisco VPN client's integrated firewall (you can use this option with the Cisco VPN Client 3.5 or later). Other options let you use canned client-firewall policies from Zone Labs or Internet Security Systems (ISS) or let you create a custom enforcement policy.
You might also consider using the concentrator's internal authentication, rather than Windows' native authentication. Internal authentication gives you more granular control of user-connection properties in the Cisco concentrator than Windows' authentication does. However, when an employee leaves the company, you must remember to delete that user account from the concentrator.
You also might want to implement a product such as RSA Security's RSA SecurID. Doing so won't help you enforce firewall usage, but it will create strong security for VPN authentication. RSA SecurID uses a string of numbers on a digital key; the string changes every 60 seconds. User authentication depends on this series of numbers plus additional alphabetical or alphanumeric values that are unique to each user. This method of authentication is very difficult to spoof.
You can further enhance security on the Cisco VPN 3000 Series Concentrator by disabling split tunneling for security groups and by creating custom filter rules. Trade-offs usually exist between ease of use, performance, and security. You need to create a remote-access policy that takes all these factors into consideration.