We already have a couple of people working from home, accessing some internal servers via VPN. They're all using company provided laptops or PCs which we have complete control over. Now we're faced with more people wanting to do home office but using their own machines. They need access to at least our internal IM and fileserver.
Giving them VPN access to our internal network from their own machines seems to pose a potential security risk. I'm mostly concerned about giving them access to our samba fileserver. What has been suggested is to simply rely on an on-access virus scanner protecting the fileserver, but I'm not completely convinced this is sufficient.
Is there some kind of access-proxy or something like that which we could put into a DMZ and only allow outside access to that server, do some kind of scanning/filtering and have them access our internal servers from there? Preferably opensource/linux based as we're mostly using CentOS/RHEL for our servers and would like to keep it that way (opensource shouldn't imply we're not willing to pay for it, just need some ideas or products which we could look at).
I'd be loath to give VPN clients in such a scenario unfettered layer 3 (and up) access to my network. Aside from whatever application-layer tools you're going to use I'd be very draconian, at layer 3, about what the remote VPN clients can "talk to".
If you're worried about protocol-level attacks against your file server you might think about exposing the file server via a WebDAV over SSL gateway. WebDAV is arguably a more "auditable" protocol than SMB and most versions of Windows and many Linux distros handle accessing files via WebDAV very well.
In terms of the classic "confidentiality, availability, integrity" attacks against your file server by these VPN clients I think you're going to have trouble finding a "magic bullet" solution. Assuming these machines are "owned" by third parties (malware, etc), you have to assume that keyloggers could be present (thus implying the need for one-time-password functionality in a trusted device). Anything the user will have rights to access (modify, etc) will be available to the malware on these machines as well.
Given how little I'd trust personally-owned computers I'd lobby hard for giving the VPN users access to compute resources hosted on trusted computers via a "thin client" protocol-- X Windows, RDP, PCoIP, etc, and require them to use a hardware token for one-time-password sign-on. It's still not perfect (since data could be injected into or pulled out of the thin client protocol stream by a malicious third party) but it keeps direct access to the data away from the remote client computers.
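The layer 3 restriction suggested in the answer above, sketched as an added example that is not part of the original thread: a default-deny forwarding policy on a Linux VPN gateway that lets the VPN pool reach only the IM server and a WebDAV-over-SSL gateway. The address pool, host addresses, the IM port (5222, assuming an XMPP-style service) and the chain name are constructed assumptions.

```shell
#!/bin/sh
# Default-deny forwarding policy for personally-owned VPN clients.
# All addresses, ports and names below are constructed placeholders.
VPN_NET="${VPN_NET:-10.8.0.0/24}"   # pool assigned to the VPN clients
# host:port pairs the clients may reach: IM server, WebDAV-over-SSL gateway
ALLOWED="${ALLOWED:-192.0.2.10:5222 192.0.2.20:443}"
IPT="${IPT:-echo iptables}"         # dry run; set IPT=iptables as root to apply

vpn_client_policy() {
    # Dedicated chain so the whole VPN policy can be audited in one place.
    $IPT -N VPN_CLIENTS
    # Return traffic for connections that were already permitted.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Everything sourced from the VPN pool is judged by VPN_CLIENTS only.
    $IPT -A FORWARD -s "$VPN_NET" -j VPN_CLIENTS
    for entry in $ALLOWED; do
        host=${entry%:*}    # text before the last colon
        port=${entry##*:}   # text after the last colon
        $IPT -A VPN_CLIENTS -p tcp -d "$host" --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # Log (rate-limited) and drop the rest, including direct SMB to the file server.
    $IPT -A VPN_CLIENTS -m limit --limit 10/min -j LOG --log-prefix vpn-deny:
    $IPT -A VPN_CLIENTS -j DROP
}

vpn_client_policy
```

Run as-is it only prints the commands; the logged `vpn-deny:` entries show which blocked destinations the remote machines keep trying to reach.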
Something like a Juniper SSL VPN comes with a Windows component called Windows Secure Access Manager that isn't quite a proxy or firewall, but it lets you specify applications (and MD5 hashes to ensure it really is the app) and source destinations and ports.
That may be an option for the IM stuff.
File shares are a tricky one as even using that sort of component you still have drive or UNC access in Windows, at least I don't know of a way to restrict it to read-only at the VPN level.
Depending on how much access they need, one option would be to use the web file access component of the VPN, that way they have access to the files but using a web interface, no SMB access.
Also with a commercial VPN you get host checkers so you can mandate that machines must have AV and it must be up to date, and if it isn't, come back and try again when you meet the rules.
We have numerous folks connecting remotely from their own PCs. We use Winfrasoft enterprise edition (http://www.winfrasoft.com/vpnq.htm) which checks the client for requisite security patches, anti-virus software current, connection sharing disabled, etc.