Remote users are those who originate connections to site system from elsewhere on the Internet. These connections could come from any location on the Internet, from dial-in lines, or from authorized users on travel or working from home. Regardless, all such connections should use the advanced authentication service of the firewall to access systems at the site. Policy should reflect that remote users may not access systems through unauthorized modems placed behind the firewall. There must be no exceptions to this policy, as it may take only one captured password or one uncontrolled modem line to enable a backdoor around the firewall.
Such a policy has its drawbacks: increased user training for using advanced authentication measures, increased expense if remote users must be supplied with authentication tokens or smartcards, and increased overhead in administering remote access. But, it does not make sense to install a firewall and at the same time not control remote access.