You think you've got secure remote access... take another look
Secure access to corporate data is not as simple as it looks. Spyware is one of many threats, and ensuring remote devices are protected is a major issue.
According to AOL and the National Cyber Security Alliance, in October 2004 80% of home PCs were affected. Ask yourself: how many of these are used to access corporate networks? Even 5% is a worry.
This article aims to give you an insight into how these threats affect access to your corporate network from the ever-growing population of home and mobile users, along with the technologies available from a number of key vendors in this space.
But we use a secure VPN so we are OK - aren't we?
People will be familiar with the small padlock on their browser when they connect. Although the closed-padlock icon in a browser window depicts a secure connection, it does not imply a totally risk-free connection. Whenever the padlock is shown broken or a security-related message pops up, you should be alerted and scrutinize the security of that connection. During the handshake of a secure connection, the server sends a public-key certificate to identify itself. You assume you have a secure connection to the entity identified in the certificate, but that entity may not be who you think it is.
How great is the risk from Spyware?
Did you know that when a PC is infected with Spyware, every keystroke, web site and conversation could be recorded by the people who maliciously installed the code on your machine? One form of Spyware, the key logger, records every keystroke, and therefore passwords, bank details and so on, and passes them to someone who is trying to cause you harm. Another form is the Dialler, which can take advantage of the local modem to dial premium-rate numbers at your cost!
A closed/open padlock indicates whether the just-completed transfer was secured or not; it doesn't give any security information about the next connection, which might involve password transfer by clicking on the "sign-in" button. Therefore, whether you enter your password in a secured or an unsecured Web page, that password may go unencrypted. In either case, you should examine the source code of the current Web page to see if the next connection is secured or not.
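The check described above can be automated rather than done by eye. The following is an added example, not code from the original article: it parses a page's forms and reports any form that carries a password field but would submit it to a non-https URL (the page URL and HTML below are constructed sample input).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every <form> on a page together with whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of (action attribute, has_password_field)
        self._current = None   # form being parsed, or None outside a form

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [a.get("action", ""), False]
        elif tag == "input" and self._current is not None:
            if a.get("type", "text").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def insecure_login_forms(page_url, html):
    """Return absolute action URLs of forms that contain a password field
    but would submit it over a scheme other than https.
    An empty or missing action posts back to the page's own URL."""
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    flagged = []
    for action, has_pw in scanner.forms:
        target = urljoin(page_url, action or page_url)
        if has_pw and urlsplit(target).scheme != "https":
            flagged.append(target)
    return flagged


# Constructed sample: an https page whose sign-in form posts to a plain-http URL,
# plus a harmless search form and a login form with a relative (https) action.
SAMPLE_URL = "https://portal.example.test/login"
SAMPLE_HTML = """<html><body>
<form action="http://portal.example.test/auth" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<form action="/search"><input type="text" name="q"></form>
<form action="/auth2" method="post"><input type="password" name="p"></form>
</body></html>"""

if __name__ == "__main__":
    for url in insecure_login_forms(SAMPLE_URL, SAMPLE_HTML):
        print("password form would submit over plaintext:", url)
```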
So how much greater is the risk if I allow users to connect to my corporate network?
There are a number of options for providing access to corporate networks, usually involving remote access (RAS), IPsec or SSL VPNs. The variety whose popularity is growing daily is SSL, thanks to its flexibility and clientless features. However, the weaknesses of SSL implementations have been kept hidden.
The fact that it can be spoofed and is open to man-in-the-middle attacks is played down. And the fact that your personal data is exposed the moment it enters the web server (where all the real hacks and thefts take place) is ignored. If you look at all the published cases of stolen information it is always at the server regardless of whether SSL has been used or not.
SSL transactions enter your network through Port 443, a port in the firewall that is required to be open to process HTTPS traffic. However, your firewalls and traditional security software don't monitor Port 443 at all. Firewalls recognize SSL traffic as "safe" but they can't see inside the encrypted traffic. Hackers could use SSL transactions to embed malicious mobile code or invalid certificates in order to implant worms or Trojan horses onto a computer.
The diagram below could depict your network especially if your strategy is to allow users to work from a variety of locations and use a variety of devices.
Up to now organisations have had one of two choices: allow SSL and hope for the best, or block it, disallowing most e-commerce transactions and limiting their employees' productivity.
SSL gives a false sense of security: it doesn't provide the protection you think it does, and provides none where you really expected it to.
So why is it time for a change?
Secure Web browsing requires a careful and questioning user. Checking certificate details and controlling the root certificate store definitely helps. Root certificate installations should be avoided. Also, pay particular attention to the address bar. Don't bury your head in the sand by merely trusting a closed-padlock icon.
Reality has intervened. Legislators have become uncomfortably aware that industry simply hasn't lived up to its responsibilities. The USA in particular has found it necessary to legislate, not just once but many times. Now in the UK you have to comply with the FSA, Freedom of Information, Sarbanes-Oxley (if you are related to US companies) and so on. And the stakes have been raised: failure can result in a criminal prosecution at board level, not just a slap on the wrist for a minor employee.
Users too are becoming more aware that today's Internet services aren't trustworthy. The tide of scams, spam, phishing, email identity theft, machine theft and porn-site attacks gives just a few examples of why they are increasingly avoiding Internet trade and becoming seriously defensive.
What can you do?
Clearly, stopping users connecting to your network from outside its normal boundaries is one way, but realistically people do need to access data from a variety of locations, so a solution is needed. The buzzword at the moment is the adoption of end-to-end integrity management for secure access to corporate networks.
Such a management approach must strive to validate the end device as a secure environment before allowing communication between the device/user and the corporate network. It should be able to perform a number of the following vital integrity checks:
- The correct service pack or the latest security patches installed.
- The correct antivirus software and signature files installed.
- Routing disabled on the client computer. A remote access client with routing enabled might pose a security risk, providing an opportunity for a malicious user to access corporate network resources through the client computer, which has an authenticated connection to the private network.
- Firewall software installed and active on the Internet interface.
- Presence of Spyware and other malicious code detected, and appropriate access allowed or denied.
For example, it would be appropriate to deny any access if the device a user was connecting from contained significant evidence of Spyware and thus presents a clear danger to any transaction made on to the corporate network.
The diagram below depicts a different environment where end devices are validated for presence of malicious code prior to authentication and where checks are made for presence of anti-virus signatures for example.
For this article we focused on three organisations, each with a different strategy but with a broadly similar approach to this problem.
1. How Microsoft tackles the problem
Network Access Quarantine Control delays normal remote access to a private network until the configuration of the remote access computer has been examined and validated by an administrator-provided script. When a remote access computer initiates a connection to a remote access server, the user is authenticated and the remote access computer is assigned an IP address. However, the connection is placed in quarantine mode, with which network access is limited. The administrator-provided script is run on the remote access computer. When the script notifies the remote access server that it has successfully run and the remote access computer complies with current network policies, quarantine mode is removed and the remote access computer is granted normal remote access.
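To make the integrity checks listed earlier and the grant/quarantine decision concrete, here is an added example (not code from the article or from any of the vendors named). It models a device's posture as a small record, evaluates it against an assumed corporate baseline, and returns one of three outcomes: full access, quarantine (limited access until the checks pass), or denial when malicious code is found. The thresholds and sample devices are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class DevicePosture:
    """Facts an integrity check gathers from the remote client (constructed input)."""
    service_pack: int
    av_installed: bool
    av_signature_date: date
    firewall_active: bool
    routing_enabled: bool
    spyware_detected: bool


@dataclass
class AccessPolicy:
    """Assumed corporate baseline; the values are illustrative, not a vendor default."""
    min_service_pack: int = 2
    max_signature_age_days: int = 7


def evaluate(posture, policy, today):
    """Return (decision, findings).
    deny       -> clear evidence of malicious code: no access at all
    quarantine -> policy drift (patches, AV, firewall, routing): limited access
                  only, enough to reach remediation, until the checks pass
    grant      -> every check passes: quarantine lifted, normal access"""
    if posture.spyware_detected:
        return "deny", ["spyware or other malicious code detected"]
    findings = []
    if posture.service_pack < policy.min_service_pack:
        findings.append(f"service pack {posture.service_pack} below required {policy.min_service_pack}")
    if not posture.av_installed:
        findings.append("antivirus not installed")
    elif today - posture.av_signature_date > timedelta(days=policy.max_signature_age_days):
        findings.append("antivirus signatures out of date")
    if not posture.firewall_active:
        findings.append("firewall not active on the Internet interface")
    if posture.routing_enabled:
        findings.append("IP routing enabled: client could bridge into the private network")
    return ("quarantine" if findings else "grant"), findings


# Constructed sample clients checked against the same policy on the same day.
TODAY = date(2004, 10, 15)
CLEAN = DevicePosture(2, True, date(2004, 10, 14), True, False, False)
STALE = DevicePosture(1, True, date(2004, 9, 1), True, True, False)
INFECTED = DevicePosture(2, True, date(2004, 10, 14), True, False, True)

if __name__ == "__main__":
    for name, dev in (("clean", CLEAN), ("stale", STALE), ("infected", INFECTED)):
        decision, why = evaluate(dev, AccessPolicy(), TODAY)
        print(f"{name}: {decision} {why}")
```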
2. How Citrix tackles the problem
I've included Citrix as they are seen as a major player in the world of providing secure access from mobile and home based users. Indeed, many organisations provide access to corporate assets via the Citrix Web Interface/SSL Gateway for people using their home PCs. The theory is that as Citrix is a virtual session then there is no threat from any local malicious code. Well this may have been true but if you are close to the strategies of this company you will have noticed that Citrix are raising the bar in terms of access management through new initiatives to deliver appropriate content to users against a policy for end user devices. For example, accessing a full desktop from home where there is appropriate security protection will be allowed, but the same user accessing their network from an airport terminal may be restricted to read-only access for certain applications. All this will be determined by the organisation's access strategy.
3. How Checkpoint tackles the problem
As a firewall/VPN vendor, Checkpoint have been driving the concept of end-to-end integrity management through their Clientless Security strategy which protects enterprises from threats on PCs entering via Web-based applications and gateways, such as Microsoft Outlook Web Access, SSL VPNs or extranets, without requiring client software installation.
It is the only product that provides the three essential components of clientless security:
1) disabling spyware,
2) ensuring session confidentiality, and
3) enforcing security policy compliance before remote access is granted.
By doing so, Integrity Clientless Security stops ID and password theft, prevents sensitive and proprietary data loss, restores network bandwidth, and improves IT and user productivity. It disables keystroke loggers, searches for spyware, trojan horses, diallers and other unauthorised code aimed at doing harm to the organisation as a whole or the individual PC.
Ok - so what should my organisation do next?
The easiest way to start addressing this is to take a step back and review your security process. It may be that you do not allow anyone to access the network unless from a corporate device which you ensure is free from Spyware because you control the sweeping of these machines through scripts and updates.
For those of you who don't, take this advice:
- Review your security usage policy and consider end-to-end integrity. Review the place for Microsoft, Citrix or Checkpoint in your arsenal of security protection.
- Inform users of the threats of Spyware; education is a vital tool in this fight.
- Implement scanning tools for remote devices.
- Don't assume this doesn't apply to you. It will!
If you would like to speak to someone in more detail about how this affects your organisation, please contact your account manager, who will arrange a site visit to discuss the options moving forward, or contact me at paul.russell@servo.co.uk