Computerworld - My company is moving ahead with an acquisition I mentioned back in August, and last week I completed my initial assessment of the security issues that will arise in integrating the two networks. Brace yourself — it’s not pretty.
I visited our acquisition target’s main offices in Connecticut and New Mexico. I brought along a contractor to conduct much of the assessment work while I met with the management team to learn about the company’s business processes, intellectual property issues, policies and so on.
We could just install Multiprotocol Label Switching (MPLS) to connect these offices and their 600 employees to my company’s network, but that would essentially grant them access to a majority of our internal infrastructure. As the security manager, I can’t allow that until I can vouch for the integrity of the acquired company’s network and the efficacy of its policies. Most likely, we will want to bring the new company’s policies in line with ours, since this year we suffered only one major virus outbreak, the result of an employee connecting a personal laptop to our domain.
In assessing the issues we faced, I focused on several key areas. The first was malicious code. I need to ensure that we don’t introduce anything like viruses, spyware or Trojan horses into our network. To determine if this company has any malicious code running free, I had the consultant conduct some scans. Right off, he found indications of spyware — network traffic symptomatic of desktops “calling home” to transmit keystroke capture files or other collected data. Nessus, a freely available port scanner, detected indications of malicious code listening in on nonstandard ports.
Next, we focused on questionable external connections. We had to make sure that this company didn’t allow third-party access to its network and that the firewall, routers, VPN and wireless access points wouldn’t allow unauthorized access. This time, we ran into a couple of problems. One was the configuration of wireless APs. The company was using WEP with a shared key, but it hadn’t changed the key in years, and the AP terminated on the internal network.
My company’s standard is to use WPA with the Temporal Key Integrity Protocol, and we terminate the access points on a virtual LAN so that the only device that can be reached is a VPN gateway. This forces all employees to use a VPN to get into our network from the access point. I’m not touting this as the most secure means of providing wireless access, but it’s a lot more secure than a shared WEP key that hasn’t been changed in years.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
