In many cases, laptop users need remote access to information stored in the company data center. (We'll discuss safe methods of access in a future section.) Even though laptops are expected to run the same client-based protective software as desktops, their operation outside a general network perimeter makes them more vulnerable to attack.
There are several security considerations when designing remote access. However, we'll focus on only two here: preventing network infection by a compromised laptop and preventing a compromised laptop from leaking sensitive information.
I've helped with or directed several enterprise malware attack recovery efforts. In about one half of these instances, laptops were the source of a worm or other malware that spread across the network. Anti-malware, host-based IPS, and other client defenses are not enough to protect against the barrage of nasties encountered when accessing the Web from a coffee shop, hotel, or even a home network. The best way to protect laptops in these situations is to use a personal firewall.
Personal firewalls usually come with anti-malware and Internet defense suites, like Symantec's Norton Internet Security 2008 or McAfee's Total Protection Service (SaaS). When properly configured, they not only prevent unwanted connections and other behavior coming from the outside but also stop malware already on a laptop from spreading to the network the next time the user connects. Finally, a personal firewall can stop a laptop from connecting to a remote server controlled by cybercriminals for the purpose of controlling the laptop or retrieving data.
Personal firewalls can be optional for systems that never leave the safety of the company's network control framework. But they are a requirement for traveling laptops.