IPkey.com

information security monitoring & management

Information Security Bulletin

April 2003 

Feature Story:
Virtual Private Networks (VPNs) - What you need to know...

I mistakenly thought that this would be a short, easy article to write, but when I thought out all the issues that we consider during VPN design, it went on and on...  So here goes.

Many of you already know that VPNs offer secure remote access to private networks connected to the Internet. Cost effective links from local Internet Service Providers (ISPs) make this possible. In the past, remote access consisted of modems on dial-up phone lines for individuals, or dedicated leased connections for linking offices. These methods were often slow and expensive.

Today, most offices have high speed persistent (always connected) Internet connections, and many of us have inexpensive DSL and Cable access at home. So it's quite simple to set up a connection between two computers (or networks) that have Internet access. However, the big question is how to stop the hundreds of millions of other Internet users from also connecting to your private data. The answer is the Virtual Private Network. A VPN, once authenticated and established, creates a highly secure 'tunnel' between you and your destination through the Internet. This is essentially invisible to the rest of the Internet. You (and your staff) can access the remote network, and they can (probably) access your network.

The way this works is that your VPN software or appliance looks at your network traffic and checks if any of it is destined for the remote network.  If so, it encrypts (scrambles) it so that no one can read the contents and sends it across the Internet through the secure 'tunnel'.  All other traffic is typically passed straight out to the Internet.

This works so well that everyone is implementing VPNs to connect branch offices, telecommuters, remote notebook and PDA users, business partners and support organizations such as IPkey.com.  In fact, the very popularity of VPNs has caused some major security headaches.  Let me explain.

When a remote user connects to your secure, trusted network using a VPN, it's as if they were physically using your office network. While this is good for ease of access, it also means that any vulnerability of their PC or network is now a vulnerability of your network. For example, if an employee works from home using VPN software on her computer, there is nothing to stop her computer from being compromised over the cable modem. Also, every IT professional knows that most home computers are a mess, and loaded with parasites (adware and spyware) which pose a significant security risk. A hacker can easily use the home PC to attack your secure, trusted network. ->

Welcome to the Information Security Bulletin. This is your source for the latest practical information you can use to protect your organization's critical information and network services.


Marcus Clarke
ISB Editor
email me your opinions!

ISB Hot Tip:
Why is my VPN so slow?
Remote Windows users often have trouble reaching servers and browsing the network through a VPN connection. The VPN tunnel is commonly configured NOT to pass network browsing traffic (NetBIOS) by default because it degrades performance. Windows 2000 and XP clients can use DNS (which is passed). Win98 and NT can use WINS servers. I like to use the LMHOSTS file to manually identify servers because it always works. If you have a fast connection, you can enable NetBIOS broadcasts, but you may still have problems and slowdowns.
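The LMHOSTS approach from the tip above, shown as an added example (these entries and addresses are constructed here and are not from the newsletter). On Windows 2000/XP the file lives at %SystemRoot%\System32\drivers\etc\lmhosts (no extension; the shipped lmhosts.sam is only a sample). Each line maps a server's address to its NetBIOS name; the #PRE keyword preloads the entry into the name cache and #DOM: marks a domain controller. The keywords must be uppercase.

```text
# Constructed LMHOSTS entries for a telecommuter reaching office servers
# through the VPN. Server names and addresses are placeholders.
10.219.63.10    FILESRV01    #PRE
10.219.63.11    MAILSRV01    #PRE
10.219.63.5     DC01         #PRE    #DOM:CORP
```

After saving the file, run `nbtstat -R` to purge and reload the NetBIOS name cache, and `nbtstat -c` to confirm the preloaded entries are present. Because the names resolve from the local file, the client no longer depends on browser broadcasts crossing the tunnel.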

->  Finally, avoid using commonly used default private IP address ranges such as 192.168.0.x and 10.0.0.x. Support organizations (and possibly business partners) VPN to your system based on your IP addresses, and two networks that use the same range cannot be told apart. Network addresses like 10.219.63.x are unlikely to cause a conflict.

ISB Takeaway:  Marcus' 4 Rules of VPNs

VPN Rule #1
No computer can be connected by VPN that is not protected with both an Internet firewall and Anti-Virus software with current definitions. The simplest and most secure way to ensure this is to use a combined firewall and VPN device such as the Sonicwall security appliances. A dial-up modem user can use software firewalls such as Black Ice and Zone Alarm, which work fine with occasional (non-persistent) Internet connections. Also, any PC connected to your internal network by VPN can have the same access as a local PC, and should be protected by current AV software and a parasite scanner such as Ad-Aware.

VPN Rule #2
Implement VPNs using individual Security Associations (SA) for each remote access location.  While inter-office VPNs are unlikely to be compromised, it's common for notebooks with VPN software to be lost or stolen. Also, when a telecommuter leaves your organization, Security Associations as well as passwords must be immediately disabled.  If a VPN SA is shared among multiple users, this can be a real headache.

VPN Rule #3
When non-authorized PCs share a home network, isolate them from the VPN. If a telecommuter has other computers at home, make sure that they connect outside the VPN device or firewall, or create a rule that excludes them. The teenage son should not be browsing the company net. Sonicwall has a product that makes this easy with two separate networks (work and home), with no VPN access on the latter. Be especially cautious if there is a Wireless LAN.

VPN Rule #4
No remote access will be deployed until an individual written usage policy agreement is signed. This Addendum to your existing Computer and Internet Use Policy should cover Authorized Use, Responsible Use, Privacy and Appropriate Action for non-compliance.


A Final Thought:
VPNs are becoming the foundation of a new era of computer support. VPN allows a support organization such as IPkey.com to continually monitor, diagnose and support your network over the Internet. New capabilities in Windows 2000 Server (Terminal Services) and XP (Remote Desktop) greatly facilitate server and desktop support. This will considerably reduce downtime and the expense of on-site visits by costly support personnel, helping your bottom line.

->  This is a very common occurrence when VPNs have been deployed by someone who doesn't understand the effect of 'perimeter' security issues. At IPkey, we suggest several strategies to address this.

1. You can give each remote user a securely configured company PC or notebook. Use Windows 2000 or XP with a limited user account, which will not allow parasites or other unauthorized software to be loaded.

2. If this is not feasible, you can provide a managed security device such as the Sonicwall, which can enforce virus protection and block hostile code. This means that the home user cannot access the VPN unless their PC is 'sanitized'.

3. At the main office, use a firewall/VPN device that allows VPN tunnels to follow 'rules' that restrict access to specific resources and protocols.

I normally recommend a combination of strategy 1 and 3, 2 and 3, or both. I also like using PKI Certificates for VPN Authentication & Encryption for remote users. PKI offers management and security benefits in larger, complex VPN environments. ->
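The three decisions the article describes, as one added example that is not part of the newsletter and not any vendor's code: the split-tunnel choice (traffic for the remote private network goes into the tunnel, everything else goes straight out, as in the "way this works" paragraph), the per-tunnel 'rules' of strategy 3 that restrict a tunnel to specific resources and protocols, and the address-range conflict the article warns about when peers use default private ranges. Every address, peer name and rule below is constructed for the example; the peer and rule classes are assumptions made here, not a real product's configuration format.

```python
"""Added example: a small model of a gateway's VPN decisions.
Addresses, peers and rules are constructed for illustration only."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class TunnelRule:
    """One rule attached to a peer's security association (SA)."""
    dest: IPv4Network        # office resource the peer may reach
    protocol: str            # "tcp", "udp" or "any"
    ports: frozenset         # allowed destination ports; empty = any port


@dataclass
class VpnPeer:
    name: str
    remote_lan: IPv4Network                 # the private range behind the peer
    rules: list = field(default_factory=list)


def choose_path(dst, peers):
    """Split-tunnel decision made at the office gateway: return the name of
    the peer whose private range contains dst (send it down that tunnel),
    or None when the packet goes straight out to the Internet."""
    addr = IPv4Address(dst)
    for peer in peers:
        if addr in peer.remote_lan:
            return peer.name
    return None


def tunnel_allows(peer, dst, protocol, port):
    """Strategy 3: default deny. A packet arriving from the peer's tunnel is
    permitted only if some rule names its destination, protocol and port."""
    addr = IPv4Address(dst)
    for rule in peer.rules:
        if addr not in rule.dest:
            continue
        if rule.protocol not in ("any", protocol):
            continue
        if rule.ports and port not in rule.ports:
            continue
        return True
    return False


def address_conflicts(local_lan, peers):
    """Return (name, name) pairs whose private ranges overlap. Overlapping
    ranges make routing ambiguous: choose_path() can only pick one of them."""
    nets = [("office", local_lan)] + [(p.name, p.remote_lan) for p in peers]
    conflicts = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                conflicts.append((name_a, name_b))
    return conflicts


# Constructed topology. The office uses an uncommon range, as the article
# suggests; the telecommuter and the partner both kept the 192.168.0.x default.
OFFICE_LAN = IPv4Network("10.219.63.0/24")
FILESRV = IPv4Network("10.219.63.10/32")
MAILSRV = IPv4Network("10.219.63.11/32")

BRANCH = VpnPeer("branch", IPv4Network("10.37.104.0/24"),
                 [TunnelRule(OFFICE_LAN, "any", frozenset())])
TELECOMMUTER = VpnPeer("telecommuter", IPv4Network("192.168.0.0/24"),
                       [TunnelRule(FILESRV, "tcp", frozenset({445})),
                        TunnelRule(MAILSRV, "tcp", frozenset({993}))])
PARTNER = VpnPeer("partner", IPv4Network("192.168.0.0/24"),
                  [TunnelRule(MAILSRV, "tcp", frozenset({25}))])
PEERS = [BRANCH, TELECOMMUTER, PARTNER]


if __name__ == "__main__":
    print("10.37.104.9 ->", choose_path("10.37.104.9", PEERS))
    print("198.51.100.7 ->", choose_path("198.51.100.7", PEERS))
    print("telecommuter SMB to file server:",
          tunnel_allows(TELECOMMUTER, "10.219.63.10", "tcp", 445))
    print("telecommuter RDP to file server:",
          tunnel_allows(TELECOMMUTER, "10.219.63.10", "tcp", 3389))
    print("conflicts:", address_conflicts(OFFICE_LAN, PEERS))
```

Run as a script it prints the classification of two destinations, the allow/deny outcome for two flows from the telecommuter, and the overlap between the telecommuter's and the partner's ranges. That last result is the practical point of the article's closing advice: a packet for 192.168.0.20 is sent to whichever of the two peers is listed first, so one of them is unreachable no matter how the rules are written.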

The ISB is a monthly email newsletter published by IPkey.com, your source for affordable information security monitoring and management. IPkey.com is part of Meridian Group, a New Mexico based corporation serving the IT needs of its clients for 14 years. We encourage you to forward ISB to your co-workers, colleagues and friends. To subscribe or unsubscribe to the ISB newsletter, email us at isb@ipkey.com
Past issues of this newsletter are available at IPkey.com ISB Archive

Call or email me with your questions and comments.  As always we are here to assist you with your Information Security needs.

Next Month:
The Myth of Wireless Security

All contents copyright (C) 2003 Meridian Group Inc.