We have concerns about our staff using wireless hotspots to connect to our LAN. We use a VPN to connect to our network and they can then transfer data using a proprietary application. What little web browsing they do is directed to our proxy server and hence requires the VPN to be established first.
So my question is this: How do we best secure the laptop from the time they start it to the time they make the VPN connection?
They could be connected to an open, unsecured network for many minutes before starting the VPN.
Our concern is not so much sniffing of data (as data will only be sent over the VPN), but that someone could connect to the laptop and compromise it prior to the VPN connection.
Personal firewalls are an option, but they need to be effective without input from the user (and preferably centrally managed).
I'd be interested to know how others have approached this problem and what solutions they have found.
Update:
An implied part of this question that I didn't really ask is: Do you consider Windows firewall to be robust enough, with suitable policies, to block inbound access, or do you turn to third party solutions?
Securing a laptop for staff members who connect via hotspots is a very difficult task involving security at various levels, and it can be very costly in terms of the solutions.
If the data in your network is of that importance, which it obviously is, you can try these things or implementations.
You just have to configure a firewall on each laptop in order to block all network traffic (outbound as well as inbound), except the packets needed to bring up and run the VPN connection.
On Windows, the firewall settings can be easily managed by setting GPO in Active Directory.
I think, to be more specific, you would only allow the primary wireless interface to accept packets from "home" (your VPN server address pool) and deny all other incoming traffic. Then you would configure the firewall to allow all traffic over the VPN device. It sounds like you already have the proper filtering covered at the VPN level.
As said before, Windows Firewall managed by AD will do. Also, you would like to have the local admin account password set to something strong. In my company we implemented a domain-wide utility that centrally manages local administrator passwords. And you also want to have all the security updates on them as well.
If you are only concerned about incoming compromises until the VPN is connected, force the Windows Firewall to be enabled, blocking all incoming traffic without exception. This will not prevent outbound traffic that initiates an inbound reply, but it will lock down any outside-initiated traffic until the VPN is connected, which seems to be your stated concern. Some of the other answers here take it one or more steps further if you need it.
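As an added example that is not part of the original thread, the policy described in the two firewall answers above (block everything on the laptop except what the VPN client needs, manage it centrally through a GPO, and block all inbound traffic until the tunnel is up) can be expressed with the NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later. The VPN server addresses, the IKEv2/IPsec ports and the rule group name are assumptions for illustration; swap in your own concentrators and protocol.

```powershell
# Added example, not code from the thread: lock a laptop down so that, before
# the VPN is up, the physical adapter may only carry DHCP, DNS and the VPN
# handshake, and nothing inbound is accepted. Once the tunnel is up, traffic
# over the VPN adapter is allowed.
#
# ASSUMPTIONS (hypothetical values, change for your environment):
#   $VpnServers  - your VPN concentrators (203.0.113.x is a documentation range)
#   IKEv2/IPsec  - UDP 500/4500 plus ESP (protocol 50); adjust for your VPN
#   $PolicyStore - 'PersistentStore' edits the local machine for testing;
#                  'contoso.com\Laptop Firewall' would write the same rules
#                  straight into that GPO, which is how you centralise it.
$PolicyStore = 'PersistentStore'
$VpnServers  = @('203.0.113.10', '203.0.113.11')
$RuleGroup   = 'Pre-VPN Lockdown'

function Set-PreVpnLockdown {
    # 1. Firewall on for every profile, default drop in both directions.
    #    Public/Private (what a hotspot is classified as) also get
    #    AllowInboundRules=False, i.e. "block all inbound, ignore allow rules".
    Set-NetFirewallProfile -PolicyStore $PolicyStore -Profile Public,Private `
        -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block `
        -AllowInboundRules False -NotifyOnListen False
    #    The Domain profile (where the VPN adapter lands once it can see a DC)
    #    still drops inbound by default but honours explicit allow rules.
    Set-NetFirewallProfile -PolicyStore $PolicyStore -Profile Domain `
        -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block `
        -AllowInboundRules True -NotifyOnListen False

    # Remove any earlier copy of our rules so the function can be re-run.
    Get-NetFirewallRule -PolicyStore $PolicyStore -Group $RuleGroup -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    $common = @{ PolicyStore = $PolicyStore; Group = $RuleGroup; Enabled = 'True' }

    # 2. Bootstrap traffic: get an address from the hotspot and resolve the
    #    VPN hostname. Outbound only; no listening port is opened.
    New-NetFirewallRule @common -DisplayName 'Out: DHCP client' -Direction Outbound -Action Allow `
        -Protocol UDP -LocalPort 68 -RemotePort 67 | Out-Null
    New-NetFirewallRule @common -DisplayName 'Out: DNS' -Direction Outbound -Action Allow `
        -Protocol UDP -RemotePort 53 | Out-Null

    # 3. The tunnel itself, and only towards our concentrators.
    New-NetFirewallRule @common -DisplayName 'Out: IKE/NAT-T to VPN' -Direction Outbound -Action Allow `
        -Protocol UDP -RemotePort 500,4500 -RemoteAddress $VpnServers | Out-Null
    New-NetFirewallRule @common -DisplayName 'Out: ESP to VPN' -Direction Outbound -Action Allow `
        -Protocol 50 -RemoteAddress $VpnServers | Out-Null

    # 4. Everything else rides the VPN adapter. RemoteAccess matches the
    #    built-in Windows VPN adapter; for a third-party client use
    #    -InterfaceAlias '<its adapter name>' instead.
    New-NetFirewallRule @common -DisplayName 'Out: anything over VPN' -Direction Outbound -Action Allow `
        -InterfaceType RemoteAccess | Out-Null
    New-NetFirewallRule @common -DisplayName 'In: from home over VPN' -Direction Inbound -Action Allow `
        -InterfaceType RemoteAccess -Profile Domain -RemoteAddress $VpnServers | Out-Null
}

function Test-PreVpnLockdown {
    # Quick check on a laptop: every profile blocking inbound by default, and
    # no inbound allow rules enabled other than our own group.
    Get-NetFirewallProfile -PolicyStore $PolicyStore |
        Select-Object Name, Enabled, DefaultInboundAction, AllowInboundRules
    Get-NetFirewallRule -PolicyStore $PolicyStore -Enabled True -Direction Inbound -Action Allow |
        Where-Object Group -ne $RuleGroup |
        Select-Object DisplayName, Profile, Group
}

Set-PreVpnLockdown
Test-PreVpnLockdown
```

Two caveats a practitioner will hit. First, many hotspots sit behind a captive portal that needs an outbound HTTP/HTTPS request before the link carries anything, so a policy this tight will stop the VPN from ever coming up on those networks unless you add a narrow outbound 80/443 rule (or let the VPN client handle the portal). Second, when writing into a GPO, wrap the calls in `Open-NetGPO`/`Save-NetGPO` and pass the resulting `-GPOSession` instead of `-PolicyStore`, otherwise each cmdlet opens and saves the GPO separately.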
It's the usual compromise between convenience and security - you can never have both unfortunately.
I know this is not the answer you're after, but I think the most important thing here is to educate the users, and perhaps limit/restrict who gets to use a laptop and who doesn't.
I assume you already are locking down the laptop OS/software as much as possible, but obviously that doesn't mean it's secure (just that it's a little more secure).
Take a look at a feature in Windows 2008 called Network Access Protection (NAP). It lets you set policies about the state of machines you will allow onto your VPN before they're given full access to your network. For example, you can make sure the client computers' AV is up to date or that they're patched correctly. There is a whole bunch of policies you can set up for this. It also has the ability to quarantine the client so you can get these things fixed automatically before allowing them onto the network.
This doesn't exactly answer your question, as the computers are already on the VPN, but I think this is probably the best approach, i.e. connect them to an isolated network, ensure they pass the checks, then give them full access.
Some VPN clients are capable of enforcing such a policy. The Check Point VPN client added this feature around 2000/2001.