Security Begins at Home (With Telecommuters)

Joanie Wexler   Today’s Top Stories    or  Other Networking and Internet Stories  

Leveraging Capabilities in your Existing Cisco Network for Optimized Performance and Troubleshooting What is NetFlow and How Does NetFlow Tracker Help? See Your Traffic Performance Using Capabilities Already Inside Your Cisco Network A New Name on the Enterprise Networks Short List: Juniper The Results are In! Integration Solutions and Interoperability at Organizations Today True Zero Day Protection: The Only Defense Against Evolving Security Threats Computerworld Executive Briefing: Automating Network Management Sign up to receive Security Resource Alerts

January 19, 2004 (Computerworld) -- Like it or not, your corporate network will soon be everywhere -- maybe even in some employees' kitchens or guest bedrooms. It might also reach into airports, hotels and McDonald's. Some users might even access the network from their local commuter trains.
Accompanying all this extended access, though, are heightened security risks. How do you mitigate them?
First, IT and executive decision-makers must define who should have access to what and set rules that govern user network-connection attempts. Then, IT can implement technology to enforce those rules in an automated fashion.
For example, Knowles Electronics LLC, a maker of microphones and receivers for the hearing health industry in Itasca, Ill., has a policy to restrict remote user access to servers hosting applications they actually need.
"We got hit with the Blaster worm when a home user tapped into a machine he didn't really require access to," explains Rich Dase, technology director.
For its international mobile workforce of about 200, Knowles uses services provided by Fiberlink Communications Corp., which installs virtual private network (VPN) encryption software, personal firewalls and antivirus software on user devices and centrally enforces security policies for the company. Knowles sets its own rules dictating the conditions under which users can connect.
"The policy might be that devices on dial-up connections must have a personal firewall configured a certain way and updated within the past three days," says Dase. "If Fiberlink doesn't discover those conditions when a user tries to connect, it rejects the access."
Protect Data in Transit
It's essential to use VPN encryption to protect data on a public network, says Dave Passmore, research director at Burton Group in Midvale, Utah. IPsec and browser-based Secure Sockets Layer (SSL) are the primary encryption technologies for avoiding data theft by eavesdropping, or "sniffing."
"SSL is clientless, so it is coming on strong. It also works great through NAT [Network Address Translation] routers, which, increasingly, employees are using at home," notes Passmore. NAT translates private IP addresses into a single, globally unique IP address for routing across the public Internet. Passmore recommends NAT-enabled routers for telecommuters to mask their home computers' IP addresses from viruses and address-spoofers lurking on the Internet.
LandAmerica Financial Group Inc. in Richmond, Va., uses both SSL and IPsec for its remote workforce. "Using SSL, a home user only needs access to the Internet and a Web browser," explains Matt Matin, a security and systems engineer at LandAmerica. "IPsec requires special client software, but its strength is that it also works with non-Web-based applications."
Avoid Internet Infections
An oft-cited security challenge is the risk that remote devices will pick up viruses and worms from the Internet and then infect the corporate network.
Dase says his company is "trying to be more aggressive" about patching host software with vulnerability fixes as they become available.
Keeping up with patches is a must, but it can be a challenge. So host-based intrusion-prevention software and network intrusion-detection systems can work at corporate sites in the interim to ferret out unusual protocol behaviors and known malicious bit patterns.
In addition, "Truly paranoid people do not allow split tunnels for home users," says Passmore. Split tunneling involves a single home-user connection supporting both an encrypted tunnel for corporate network access and an unencrypted direct link to the public Internet. A more secure alternative is to route all remote-user Internet links through the corporate network.
But it can be costly to backhaul all traffic through the enterprise site. And the corporate firewall will need greater processing capabilities.
Passmore warns companies that allow split tunneling to make sure that the home computer has antivirus software and that it's up to date.
"Remote polling for this purpose is now a major part of the network manager's job," he says.
Get Back to Basics
Enterprise use of effective password protection is crucial -- but woefully scarce, "even though it's been 20 years since the movie War Games," says Lance Hayden, a manager in the Advanced Services for Network Security Practice at Cisco Systems Inc. His group conducts network vulnerability assessments for organizations to help them find and plug security holes.
Hayden is referring to the 1983 movie about a computer hacker who nearly starts a global nuclear war because of a lack of password protection in a military computer system.
Even though people seem to understand the need for password protection, "we continue to see remote access servers with no passwords or poor passwords that are easily guessed," says Hayden.
And user education about the importance of security and the basics of how to use it goes a long way.
Consider the notorious former Morgan Stanley executive who sold his BlackBerry device containing confidential information for $15.50 on eBay last summer. Cluing him in that removing the battery from the device wouldn't erase the data might have prevented the blunder.
In addition, implementing power-on passwords and encrypting any executive's stored confidential data so that it isn't comprehensible to anyone who inherits, steals, finds or -- in this case -- buys the device are good ideas.
Wexler is a freelance writer in California's Silicon Valley. Contact her at joanie@jwexler.com.