Firewalls are broken

Firewalls are predicated on the notion that trustworthy people are inside your network and untrustworthy people are outside your network. Despite the obvious untruth of this — the CEO goes home with her laptop and is treated as untrustworthy; an employee opens a trojan and has his box r00ted by a script-kiddie in Belarus, and is still treated as trustworthy — we persist in using them, and then get surprised when they fail.

Take this example: employees who work remotely can penetrate the firewall through VPN tunnels. But these employees are on home networks that might be connected to cable modems (and hence to all the other users in the neighborhood), or have other security failures at home that can act as a back door into the network.

And since the firewall means that everyone inside the network is trustworthy, the inward-facing servers and machines often have crap passwords and out-of-date security and use unencrypted protocols, sending passwords and data in the clear. As soon as the intruder gets inside the network, it's fox in the henhouse time. Rather than securing each machine with its own perimeter and fall-back defense, the best practice is often to build a high, tight fence around the network and point all your security outside it.

Is it any wonder, then, that teleworkers are now being identified as security risks?

"It doesn't matter how much money businesses invest in securing their corporate network if employees are accessing the network from home with insecure systems.

"It's like securing the front of your house with the latest alarm but leaving your back door open."

(Actually, I'd say it's more like putting bars on the window of the bank but not buying a safe to keep your money in)
