The Secret Passage: Securing Remote Network Access


Network and security administrators sometimes evoke images of the Little Dutch Boy from Hans Brinker who stuck his finger in the dike to plug a leak, except that for network and security administrators every time they plug one leak a new one springs up. They implement file attachment filters and antivirus scanning on the corporate email servers, only to have users access web-based email like Hotmail and sidestep the security entirely. Every time administrators think they have the network locked down, some other method of entry pops up: instant messaging, wireless devices, USB hard drives, and so on.

Some of these things can be eliminated through firewall or content filtering rules to deny users access to sites that pose a potential security risk. Other things are harder to control except through strict policies and procedures specifically prohibiting certain actions or technologies from the company network and then monitoring and policing to enforce compliance.

Many companies have already addressed the issue of wireless device security. Initially many companies and individuals jumped onto the wireless networking bandwagon for the convenience of being able to wander untethered by network cables, or of deploying more workstations without having to run network wiring through the walls and ceiling. However, many of those wireless networks used no security whatsoever, and the ones that did used WEP encryption, which was broken within a few years of its release and proved to be barely better than having no security at all. This is still a serious problem for many wireless networks, but wireless security has improved drastically since then with the arrival of WPA and WPA2.

Douglas Schweitzer, author of Incident Response and columnist for Processor.com, says “There’s no denying that wireless networks can help to increase worker productivity and often produce a considerable ROI for organizations with large, mobile workforces. However, it is important to note that there are significant risks involved from any unprotected wireless network. To mitigate these risks, organizations interested in deploying wireless networks should consider a defense-in-depth (layered approach) to security that involves both procedural and physical components such as policies and intrusion detection/prevention. Used in conjunction with firewall and anti-virus, network security administrators can successfully lock down their wireless networks.”

So now we come to the administrator with all 10 fingers already occupied plugging different holes in the dike (malware, spam, denial-of-service attacks, USB devices, web-based email, and the rest), thinking that the network is relatively secure. And then along comes remote access.

Whether it is a business partner that needs remote access to the company network in order to do its work, or company employees and executives who need to reach the company network from their home computers in order to remain productive during “off” hours, remote access creates a number of security risks for your otherwise secure network.

“The problem we’re discussing here is really transitive trust. The idea is that if you trust A and A trusts B, you implicitly are trusting B whether you should or not. So if you trust the executive but the executive’s home network is insecure, you’re trusting an insecure network,” according to Marcus Ranum, Senior Scientist at risk management company Trusecure Corporation and author of The Myth of Homeland Security.

Ranum goes on to say “In the commercial world, transitive trust is largely ignored because worrying about it removes all the commercial value of a network. After all, you can’t DO E-commerce unless you’re willing to do it with semi-trusted or un-trusted (or “of unknown trust”) systems and networks. That’s one reason you have things like a worm getting loose in one company’s network and spreading to another company through their business-to-business connection. Or employees coming in with a laptop and infecting everyone with a worm.”

If you trust another entity, be it a remote site of your own company, a business partner or supplier network, or an employee’s home computer, you are potentially creating a secret passage or back door into your network: one that you have little or no control over and whose security you cannot guarantee.

On the topic of employees using insecure systems to access the corporate network Dan Appleman, author of Always Use Protection and co-founder of APress Publishing, states “the corporate offices are usually secured physically – most companies don’t let strangers walk in the door and sit down on network machines. With remote access, it’s not uncommon for users to configure their computer to remember the logon information for the corporate network, meaning that anyone with access to the machine can get in. If the machine is stolen, the thief has full access – and theft is generally easier out of the home than a corporate office. And when you start discussing laptops… well, that’s where theft vulnerability really takes off. And if your kid is using your machine and is just a bit curious…”

Appleman added “Even if the executive’s machine is kept secure, it may be vulnerable to attacks by way of other systems on the home network – the teen who downloaded a Trojan hidden in a game hack, for example.”

It is hard enough to keep your own network protected from external threats and from your own users, who know just enough to be dangerous and are constantly finding new ways to circumvent the security that has been implemented. It is beyond the resources of virtually any network security administrator to also protect, or even just keep tabs on, the home users’ networks and business partner networks that connect to the company network remotely.

One solution is to implement a virtual private network (VPN). Whether you choose an IPsec or SSL based VPN solution, a VPN authenticates the remote user and encrypts the traffic in transit, which ensures a degree of security for your remote users who are accessing the network. It does not protect you in situations where the remote computer is already compromised with a Trojan or worm, because the tunnel faithfully carries whatever that machine sends, but it is far more secure than simply allowing external computers to connect to your network remotely.

There are emerging tools and applications that can be used to determine whether devices trying to connect to the network have an acceptable level of protection. Products like the Cisco Security Agent or Trend Micro’s Network VirusWall device can check that end-user devices have updated antivirus software and the appropriate patches installed, and either redirect or block access from devices that fall short. However, implementing solutions such as this can be costly and adds another technology to the administrator’s task list.
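The following is an added example, not code from the article or from any of the products it names, showing the kind of decision such an admission check makes: a device that reports no antivirus is refused, one with stale antivirus signatures or missing required patches is redirected to a remediation segment, and only a device that passes both checks gets normal access. It also covers the due-diligence questions raised later in the article (is antivirus installed and updated, are the patches installed), encoded as a policy rather than a questionnaire. The device reports, the patch names (“patch-A”, “patch-B”), the seven-day signature limit and the reference time are all constructed for this example. Note that the posture is self-reported by the endpoint, so a machine already running a Trojan can lie; this is a check, not a guarantee.

```python
"""Posture-gated remote access decision (added example, not the page's own code).

Device reports, patch names, thresholds and the reference time are constructed
for this example. The check is only as honest as the endpoint reporting it.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"            # grant normal network access
    QUARANTINE = "quarantine"  # redirect to a remediation segment (AV update, patching)
    BLOCK = "block"            # refuse the connection outright


@dataclass(frozen=True)
class Posture:
    """What the connecting device reports about itself (constructed data)."""
    device_id: str
    av_installed: bool
    av_signature_date: Optional[datetime]   # None when no antivirus is present
    installed_patches: frozenset


@dataclass(frozen=True)
class Policy:
    """What the network requires before it will let a device in."""
    required_patches: frozenset
    max_signature_age: timedelta = timedelta(days=7)


def evaluate(posture: Posture, policy: Policy, now: datetime) -> Tuple[Decision, List[str]]:
    """Return (decision, reasons). Missing AV blocks; stale AV or missing patches quarantine."""
    if not posture.av_installed or posture.av_signature_date is None:
        # No protection at all: do not even put it on the remediation segment.
        return Decision.BLOCK, ["no antivirus or no signature data reported"]

    reasons = []
    signature_age = now - posture.av_signature_date
    if signature_age > policy.max_signature_age:
        reasons.append(
            f"antivirus signatures are {signature_age.days} days old "
            f"(limit {policy.max_signature_age.days})"
        )
    missing = sorted(policy.required_patches - posture.installed_patches)
    if missing:
        reasons.append("missing required patches: " + ", ".join(missing))

    if reasons:
        return Decision.QUARANTINE, reasons
    return Decision.ALLOW, []


# Constructed reference time, policy and device reports.
NOW = datetime(2009, 8, 7, 12, 0, tzinfo=timezone.utc)
POLICY = Policy(required_patches=frozenset({"patch-A", "patch-B"}))

SAMPLE_REPORTS = [
    # Executive's home PC: AV updated yesterday, fully patched.
    Posture("exec-home-pc", True, NOW - timedelta(days=1), frozenset({"patch-A", "patch-B"})),
    # Partner laptop: AV present but signatures a month old.
    Posture("partner-laptop", True, NOW - timedelta(days=30), frozenset({"patch-A", "patch-B"})),
    # Shared family machine: no antivirus at all.
    Posture("family-pc", False, None, frozenset()),
    # Contractor VM: AV current, one required patch missing.
    Posture("contractor-vm", True, NOW - timedelta(hours=6), frozenset({"patch-A"})),
]


def sample_decisions():
    """Evaluate every constructed report against POLICY; returns {device_id: Decision}."""
    return {p.device_id: evaluate(p, POLICY, NOW)[0] for p in SAMPLE_REPORTS}


if __name__ == "__main__":
    for report in SAMPLE_REPORTS:
        decision, reasons = evaluate(report, POLICY, NOW)
        print(f"{report.device_id:16} {decision.value:10} {'; '.join(reasons)}")
```

In a real deployment the quarantine branch would hand the device an address on a segment that can reach only the patch and antivirus update servers, and the block branch would drop the session and log the device identifier; the policy object is where the thresholds from your remote access policy live, so changing the signature age limit or the required patch list does not require touching the decision logic.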

Remote access and interacting with networks of questionable security is a business necessity in many cases that can’t be avoided. Marcus Ranum concluded with “it’s something to be worrying about. But it may be the case that the cost of worrying about it is literally too high to be worth it.”

The bottom line when it comes to remote access seems to be due diligence combined with education and policy. Before allowing another network or a user to connect to your network, do enough investigation and ask the right questions to satisfy yourself that security software such as antivirus is installed and kept updated, and that the network or computer system has the necessary patches and updates installed.

Dan Appleman agrees that education and policy are key for secure remote access. “The problem of remote access to the corporate network, like most security problems, is one of awareness and overall security practice.”

Allowing other networks and individuals to connect to your network is virtually unavoidable. Just make sure you exercise the appropriate level of caution and pay close attention to that back door. If all of your fingers are already in use, it’s time to stick a toe in the remote access “leak in the dike.”

One Comment to “The Secret Passage: Securing Remote Network Access”

  1. The Secret Passage: Securing Remote Network Access | Essential … | Hack In The Box
    August 7th, 2009 at 11:09 pm

    [...] here: The Secret Passage: Securing Remote Network Access | Essential … Share and [...]