From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Thu, 18 Oct 2001 22:07:46 -0700 (PDT)
Subject: [iwar] [fc:Corporate.networks,.security,.and.VPNs]
Message-Id: <200110190507.f9J57k802809@red.all.net>
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL3]
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Reply-To: iwar@yahoogroups.com

Corporate networks, security, and VPNs
By Jim S. Tiller, Elisabeth Nelson, TechRepublic, Inc., 10/18/2001
http://www.techrepublic.com/printerfriendly.jhtml;jsessionid=IQLTJZCWSGKPQCTEAAKSFFI?id=r00620011002ern01.htm

Virtual private network (VPN) technology is the final catalyst for allowing remote users to gain access to corporate resources by utilizing the Internet. This was a natural progression; the Internet is everywhere. Like the phone system, higher bandwidth connections are becoming the norm, and VPN technology is securing the transmission with encryption and authentication. Much of VPN's success has been attributed to the advent and availability of broadband technologies: high-speed access was great for browsing and for pulling bigger things off the Internet faster, but that was about all. Almost overnight, the bandwidth typically associated with personal Internet access (such as 32K or even 56K modems) was increased 100 times. The greater access speeds attained by moving away from the public phone system and modems to dedicated broadband connectivity were quickly followed by a rash of excitement; at the same time, many wanted to use the service to access corporate resources. As the excitement over the huge leap in access speeds wore off, many turned their eyes to ways of using it for remote access. It is at this point that VPN technology took off and absorbed the technical community.

Remote client software

Remote client software was the first on the scene. A product package included a device connected to the Internet at the corporate site and client software loaded on the roaming system, resulting in remote access to corporate resources over the Internet. A great deal of time and money was invested in remote access solutions, and that continues today.

In concert with remote client-based access, the rush to VPNs was joined by DSL and cable modem replacements that provided the VPN termination, once again relieving the client system of responsibility for the communication. VPNs are now a wildfire being pushed across the technical landscape by a gale-force wind of broadband access.

Once unbridled access to the corporate network was available, it was not uncommon for remote sites or users to copy or open data normally maintained under the protection of elaborate firewalls and other protection suites at the corporate site. In many implementations, VPNs are used to run applications that would normally not be available on remote systems, or that would require expensive resources and support to provide to employees at remote offices. In short, VPNs are being used for nearly everything that is typically available to a system residing on the internal network. This is to be expected, considering that vendors are selling the technology to do just that: operate as if on the internal network. Some solutions even incorporate Microsoft's Windows Internet Naming Service (WINS) and NetBIOS capabilities into their products to allow domain browsing for systems and resources as if at the corporate site. In essence, VPNs are being implemented as the panacea to integrate remote activities into internal operations as seamlessly as possible. The end product is data and applications being run from systems well outside the confines of a controlled environment.

Encapsulation

Fundamentally, the service afforded by a VPN is quite simple: protect the information in transit, period. In doing so, various communications perks can be realized. A good example is tunneling. To accommodate protected communications as seamlessly as possible, the original data stream is encapsulated and then transmitted. The encapsulation procedure simplifies both the protection process and the transmittal of the datagram.
The advantage that arises is that the systems in the VPN communicate as if there were no intermediary. An example is a remote system that creates a datagram that would operate normally on the internal network; instead, it is encapsulated and forwarded over the Internet to a system at the corporate office that de-encapsulates (and decrypts if necessary) the original datagram and releases it onto the internal network. The applications and end systems involved are typically never the wiser.

The goal for some VPN implementations is to provide communications for remote users over the Internet that emulate intranet services as closely as possible. Many VPN solutions are critiqued on their ability to offer client systems services that are usually only available internally. With the adoption of broadband Internet access, there is less stress on the purely utilitarian aspects normally seen with dial-up solutions, where various limitations are assumed because of the limited bandwidth. To allow for the expanded communication requirements, many VPN solutions integrate into the environment in a manner that remains transparent not only to the user but to the applications that utilize the connection.

Therefore, the protection realized by the VPN extends only to the actual transport of data, which is exactly its purpose. For the most part, prior to encapsulation or encryption, anything goes, and the VPN simply protects the transmission. The connection is protected, but that does not equate to the communication being protected. To detail further, systems on internal networks are considered a community with common goals, protected from the Internet by firewalls and other protection measures. Within the trusted community, data flows openly between systems, applications, and users; a VPN simply augments the process and protects it during transmission over the Internet. The process is seamless and transparent, and it accommodates the traffic and application needs. The result is that data is being shared and utilized by shadowy internal representations of the remote systems.

Access points

Having internal services wholly available to systems residing on internal networks is expected. The internal network is typically a controlled, protected, and monitored environment with security policies and procedures in place. As services and data are accessed internally, the exposure, or threat to that communication, is somewhat known and accepted at some level. Most organizations are aware of security threats on internal networks but have assumed a level of risk directly proportionate to the value or impact of loss if they were to be attacked. Much of this is attributed to simple population control: they assume greater risk to internal resources because there are fewer people internally than on the Internet, interaction is usually required (hence a network), and each system can be monitored if desired. Basically, while some statistics tell us that internal networks are a growing source of attacks on corporate data, organizations feel confident that they can control what lies within their walls. Even organizations that do not have security policies and may consider themselves vulnerable will always assume that there is room to grow and implement security measures as they see fit.

Nevertheless, the Internet represents a much greater threat in the eyes of many organizations, and this may be a reality for some of them; each is different. The fundamental point is that the Internet is an unknown and will always be a threat, whereas on an internal network certain measures can be taken, or the risk accepted, more readily. In any case, internal networks are used to share information and collaborate to support or grow a business, and it is that open interaction people want from home over the Internet. VPN technology is a total contradiction of the assumed posture and reach of control.
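The tunnel mechanics described under Encapsulation, and this section's point that the gateway de-encapsulates whatever arrives and releases it onto the trusted internal network, as an added Python example that is not part of the original article. Everything in it is constructed: the inner datagram format is a toy (4-byte source, 4-byte destination, 2-byte length, payload) rather than a real IP header, the cipher is a keystream derived from HMAC-SHA256 standing in for the real cipher a VPN would negotiate, the keys are fixed demo values, and the corporate prefix 10.0.0.0/8 is assumed.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed demo keys; a real VPN negotiates these per session.
ENC_KEY = b"\x01" * 32
MAC_KEY = b"\x02" * 32
# Assumed corporate address space the gateway may release traffic into.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key, nonce, length):
    """Toy counter-mode keystream from HMAC-SHA256; stands in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def build_inner_datagram(src, dst, payload):
    """Toy 'internal' datagram: 4-byte src, 4-byte dst, 2-byte length, payload."""
    return (ipaddress.ip_address(src).packed
            + ipaddress.ip_address(dst).packed
            + struct.pack(">H", len(payload))
            + payload)


def parse_inner_datagram(data):
    src = str(ipaddress.ip_address(data[0:4]))
    dst = str(ipaddress.ip_address(data[4:8]))
    (length,) = struct.unpack(">H", data[8:10])
    return src, dst, data[10:10 + length]


def encapsulate(inner, nonce=None):
    """Remote client side: encrypt the inner datagram, then authenticate it
    (encrypt-then-MAC). The result is the outer packet carried across the Internet."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ks = _keystream(ENC_KEY, nonce, len(inner))
    ciphertext = bytes(a ^ b for a, b in zip(inner, ks))
    tag = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decapsulate(outer):
    """Gateway side: verify the tag before decrypting. Returns None on any tampering."""
    if len(outer) < NONCE_LEN + TAG_LEN:
        return None
    nonce = outer[:NONCE_LEN]
    ciphertext = outer[NONCE_LEN:-TAG_LEN]
    tag = outer[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(ENC_KEY, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


def gateway_release(outer):
    """Corporate gateway: de-encapsulate and decide whether to release the inner
    datagram onto the internal network. Returns (decision, inner tuple or None)."""
    inner = decapsulate(outer)
    if inner is None:
        return "dropped: integrity check failed", None
    src, dst, payload = parse_inner_datagram(inner)
    if ipaddress.ip_address(dst) not in INTERNAL_NET:
        return "dropped: destination outside internal network", None
    # The tunnel vouched for transit only: nothing here inspects what the payload
    # is, or whether the remote client that built it is itself trustworthy.
    return "released to internal network", (src, dst, payload)


if __name__ == "__main__":
    request = build_inner_datagram("192.0.2.10", "10.1.2.3", b"file share request")
    wire = encapsulate(request)
    print(gateway_release(wire))
    damaged = bytearray(wire)
    damaged[NONCE_LEN] ^= 0x01  # flip one ciphertext bit in transit
    print(gateway_release(bytes(damaged)))
```

The gateway makes exactly two decisions: whether the outer packet authenticates, and whether the inner destination is internal. A packet altered on the path fails the tag check and is dropped, which is the transit protection the article describes; a packet built by the remote client, whatever its contents and whatever state that client is in, is released as if it had originated inside. That second property is the "shadowy internal representation" of the remote system, and it is the point at which the perimeter's controls stop applying.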
The internal network, where applications, services, and data reside, is considered safe by virtue of firewalls, procedures, and processes overseen by administrators focused on maintaining security in some form or another. However, the nature of VPN negates the basic postulation of corporate security and the understood security attitude. Attackers that may have been thwarted by hardened corporate firewalls may find remote VPN clients much easier targets that may provide the same results. On the whole, administrators are constantly applying security patches, updating processes, and performing general security maintenance on critical systems to protect them from vulnerabilities. Meanwhile, these vulnerabilities remain on end-user systems, whose users are much less likely to maintain their systems with the same rigor. Even where an advanced user introduces a comprehensive protection plan, many remote systems do not run enterprise-class operating systems and are inherently insecure. Microsoft's Windows 95 and 98 platforms are currently installed on the majority of personal or end-user class systems and are well known for limited security capabilities and overall robustness. Therefore, fundamental flaws weaken any security applied to the system.

The collision of the attributes that contribute to a common VPN implementation results in the cancellation of the applied security infrastructure at the corporate site. Nearly every aspect of the Internet-facing protection is invalidated the minute a user connects to the corporate network with a VPN. A single point of protection applies only if the protected network does not interact with the volatile environment being evaded.

TechRepublic and Auerbach Publications

This article first appeared in the August 2001 issue of the Auerbach Information Management Service journal Data Security Management. It appears here under agreement with Auerbach Publications. This excerpt is from the Auerbach report "Security Of Virtual Private Networks."

James S. Tiller, CISSP, CCNA, CCDA, MCSE+I, is the managing principal of security products at Lucent Technologies in Tampa, FL.

Copyright © 1999-2001 TechRepublic, Inc.

------------------
http://all.net/
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:56 PST