[iwar] [fc:Corporate.networks,.security,.and.VPNs]

From: Fred Cohen (fc@all.net)
Date: 2001-10-18 22:07:46

Corporate networks, security, and VPNs

By Jim S. Tiller, Elisabeth Nelson, TechRepublic, Inc., 10/18/2001
http://www.techrepublic.com/printerfriendly.jhtml;jsessionid=IQLTJZCWSGKPQCTEAAKSFFI?id=r00620011002ern01.htm

Virtual private network (VPN) technology is the final catalyst for
allowing remote users to gain access to corporate resources by utilizing
the Internet.  This was a natural progression; the Internet is
everywhere.  Like the phone system, the higher bandwidth connections are
becoming the norm, and VPN technology is securing the transmission with
encryption techniques and authentication. 

Much of VPN's success has been attributed to the advent and availability
of broadband technologies, because high-speed access was great for
browsing and getting bigger things off the Internet faster, but that was
about all.  Almost overnight, the bandwidth typically associated with
personal access (such as 32K or even 56K modems) to the Internet was
increased 100 times.  The greater access speeds attained by moving away
from the public phone system and modems to dedicated broadband
connectivity were quickly followed by a rash of excitement; however, at
the same time, many wanted the service to access corporate resources. 
As the excitement wore off from the huge leap in access speeds, many
turned their eyes on ways to use this for remote access.  It is at this
point that VPN technology took off and absorbed the technical community. 

Remote client software

Remote client software was the first on the
scene.  A product package included a device that was connected to the
Internet at the corporate site and the client software that was loaded
on the roaming system, resulting in remote access to corporate resources
over the Internet.  A great deal of time and money was invested in
remote access solutions, and that continues today.  In concert with
remote client-based access, the rush to VPNs was joined by DSL and cable
modem replacements that provided the VPN termination, once again
relieving the client system from the responsibility of the
communication.  VPNs are now a wildfire being pushed across the
technical landscape by a gale-force wind of broadband access. 

Once unbridled access to the corporate network was available, it was not
uncommon for remote sites or users to copy or open data normally
maintained under the protection of elaborate firewalls and other
protection suites provided at the corporate site.  For many
implementations, VPNs are used to run applications that would normally
not be available on remote systems or require expensive resources and
support to provide to employees at remote offices.  In short, VPNs are
being used for nearly everything that is typically available to a system
residing on the internal network.  This is to be expected, considering
that vendors are selling the technology to do just that: operate as if on
the internal network.  Some solutions even incorporate Microsoft's
Windows Internet Naming Service (WINS) and NetBIOS capabilities into
their products to allow domain browsing for systems and resources as if
at the corporate site. 

In essence, VPNs are being implemented as the panacea to integrate
remote activities into internal operations as seamlessly as possible. 
The end product is data and applications being run from systems well
outside the confines of a controlled environment. 

Encapsulation

Fundamentally, the service afforded by a VPN is quite
simple: Protect the information in transit, period.  In doing so,
various communications perks can be realized.  A good example is
tunneling.  To accommodate protected communications as seamlessly as
possible, the original data stream is encapsulated and then transmitted. 
The encapsulation procedure simplifies the protection process and
transmittal of the datagram.  The advantage that arises is that the
systems in the VPN communicate as if there were no intermediary.  An
example is a remote system that creates a datagram that would operate
normally on the internal network; instead, it is encapsulated and
forwarded over the Internet to a system at the corporate office that
de-encapsulates (and decrypts if necessary) the original datagram and
releases it onto the internal network.  The applications and end systems
involved are typically never the wiser. 

The goal for some VPN implementations is to provide communications for
remote users over the Internet that emulate intranet services as closely
as possible.  Many VPN solutions are critiqued based on the capabilities
to allow services to the client systems that are usually only available
internally.  With the adoption of broadband Internet access, there is
less stress on pure utilitarian aspects normally seen with dial-up
solutions where various limitations are assumed because of the limited
bandwidth.  To allow for the expanded communication requirements, many
VPN solutions integrate into the environment in a manner that remains
transparent not only to the user but to the applications that utilized
the connection.  Therefore, the protection realized by the VPN is
extended only to the actual transport of data, exactly its purpose. 

For the most part, prior to encapsulation or encryption, anything goes,
and the VPN simply protects the transmission.  The connection is
protected, but that does not equate to the communication being
protected.  To detail further, systems on internal networks are
considered a community with common goals that are protected from the
Internet by firewalls and other protection measures.  Within the trusted
community, data flows openly between systems, applications, and users; a
VPN simply augments the process and protects it during transmission over
the Internet.  The process is seamless and transparent, and it
accommodates the traffic and application needs.  The result is that data
is being shared and utilized by shadowy internal representations of the
remote systems. 
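The two points above (the datagram is encapsulated and protected in transit, then released unchanged onto the internal network, so the tunnel protects the connection, not the communication) as an added, constructed illustration that is not from the article. The tunnel format, the toy HMAC-based keystream, the key, and the "destination port + payload" inner datagram layout are all assumptions made for the example; a real VPN would use an AEAD such as those in IPsec or TLS.

```python
"""Toy VPN encapsulation (constructed example, not the article's code).
Transit protection covers confidentiality, integrity and replay; once the
gateway de-encapsulates, the inner datagram is whatever the remote client
built, so any content policy has to be applied separately at the gateway."""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-not-for-real-use"  # constructed sample key
TAG_LEN = 32  # HMAC-SHA256 trailer

def _keystream(key, seq, n):
    # Keystream from HMAC in counter mode (toy; use a real AEAD in practice)
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!QI", seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encapsulate(key, seq, inner):
    """Outer header: 8-byte sequence number; body: inner XOR keystream; trailer: MAC."""
    hdr = struct.pack("!Q", seq)
    body = bytes(a ^ b for a, b in zip(inner, _keystream(key, seq, len(inner))))
    tag = hmac.new(key, hdr + body, hashlib.sha256).digest()
    return hdr + body + tag

def decapsulate(key, outer, seen):
    """Verify MAC, reject replays, decrypt. Returns inner bytes or None."""
    if len(outer) < 8 + TAG_LEN:
        return None
    hdr, body, tag = outer[:8], outer[8:-TAG_LEN], outer[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, hdr + body, hashlib.sha256).digest()):
        return None  # altered or forged in transit
    seq = struct.unpack("!Q", hdr)[0]
    if seq in seen:
        return None  # replayed outer packet
    seen.add(seq)
    return bytes(a ^ b for a, b in zip(body, _keystream(key, seq, len(body))))

def gateway_policy(inner, allowed_ports):
    """The content check the tunnel itself never performs. Assumed inner layout:
    2-byte big-endian destination port followed by the payload."""
    if len(inner) < 2:
        return False
    (port,) = struct.unpack("!H", inner[:2])
    return port in allowed_ports
```

The decapsulated bytes compare equal to the client's original datagram, which is exactly why a policy such as `gateway_policy` is needed in addition to the tunnel.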

Access points

Having internal services wholly available to systems
residing on internal networks is expected.  The internal network is
typically a controlled, protected, and monitored environment with
security policies and procedures in place.  As services and data are
accessed internally, the exposure, or threat to that communication, is
somewhat known and accepted at some level.  Most organizations are aware
of security threats on internal networks but have assumed a level of
risk directly proportionate to the value or impact of loss if they were
to be attacked.  Much of this is attributed to simple population
control; they assume greater risk to internal resources because there
are fewer people internally than on the Internet, interaction is usually
required (hence a network), and each system can be monitored if desired. 
Basically, while some statistics tell us that internal networks are a
growing source of attacks to corporate data, organizations feel
confident that they can control what lies within their walls. 

Even organizations that do not have security policies and may consider
themselves vulnerable will always assume that there is room to grow and
implement security measures as they see fit.  Nevertheless, the Internet
represents a much greater threat in the eyes of many organizations, and
this may be a reality for some organizations; each is different.  The
fundamental point is that the Internet is an unknown and will always be
a threat, whereas certain measures can be taken, or the risk can be
accepted, more readily on an internal network.  In any case, internal
networks are used to share information and collaborate to support or
grow a business, and it is that open interaction people want from home
over the Internet. 

VPN technology is a total contradiction of the assumed posture and reach
of control.  The internal network, where applications, services, and
data reside, is considered safe by virtue of firewalls, procedures, and
processes overseen by administrators focused on maintaining security in
some form or another.  However, the nature of VPN negates the basic
postulation of corporate security and the understood security attitude. 
Attackers that may have been thwarted by hardened corporate firewalls
may find remote VPN clients much easier targets that may provide the
same results. 

On the whole, administrators are constantly applying security patches,
updating processes, and performing general security maintenance on
critical systems to protect them from vulnerabilities.  Meanwhile, these
vulnerabilities remain on end-user systems, whose users are much less
likely to maintain their system with the same integrity.  In the event
that an advanced user were to introduce a comprehensive protection plan,
many remote systems do not run enterprise-class operating systems and
are inherently insecure.  Microsoft's Windows 95 and 98 platforms are
currently installed on the majority of personal or end-user class
systems and are well known for limited security capabilities and overall
robustness.  Therefore, fundamental flaws weaken any applied security in
the system. 

The collision of the attributes that contribute to a common VPN
implementation results in the cancellation of applied security
infrastructure at the corporate site.  Nearly every aspect of the
Internet facing protection is invalidated the minute a user connects to
corporate with a VPN.  A single point of protection applies only if the
protected network does not interact with the volatile environment being
evaded. 

TechRepublic and Auerbach Publications

This article first appeared in
the August 2001 issue of the Auerbach Information Management Service
journal Data Security Management.  It appears here under agreement with
Auerbach Publications.  This excerpt is from the Auerbach report
"Security Of Virtual Private Networks." For information on subscribing
to this journal or to see a list of previously published topics, click
here.  To find out about other Auerbach publications, click here. 

James S. Tiller, CISSP, CCNA, CCDA, MCSE+1, is the managing principal
of security products at Lucent Technologies in Tampa, FL. 

Copyright © 1999-2001 TechRepublic, Inc. 


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:56 PST