Introduction
A problem facing the network owner is how to securely provide access for mobile and remote workers to rich data over the Internet. In this sense, "Rich Data" means a high level of network connectivity or functionality similar to that experienced by a PC on the corporate network. The remote worker may need to use a number of internal resources and a variety of protocols, such as the ability to map a network drive, establish a terminal emulation session with a mainframe, print documents on networked printers, and upload a file to an FTP (file transfer protocol) server. These are functions easily accomplished, even simultaneously, by a PC on the office network, but they can be challenging to provide to remote Internet users in a secure manner.
Traditional identification and authentication methods have focused on "clearing" the user account that is attempting to log in by means of a user ID and a password. In high-security environments, a simple doctrine known as "something you have + something you know" is implemented through Digital Certificates, Smartcards, or biometric devices, including fingerprint and eye-scanners, in conjunction with a password or PIN.
These measures compare the presumed identity of the user against a list of users authorized for access, and the successful outcome of that comparison is authentication of the user. A broad selection of advanced, proven technologies is available in the IT industry for building user authentication solutions, even for the most challenging deployment and operational scenarios.
New Computer-Based Threats
Dramatic and recent changes in the nature of the threat to business computing posed by Internet hacking and criminal activity—and by electronic pathogens, such as viruses, worms, Trojans, and "mal-ware"—have created an immediate requirement to also "clear," or authenticate, the computer that is connecting to the network for access to rich data.
At one time, a remote access infrastructure that provided the highest possible security at the user authentication level, as well as the strongest possible encryption of the data stream, might have been considered satisfactory. Today, this solution does nothing to shield the office network from the threats posed by remote PCs that may not comply with corporate policies regarding updating of PC operating systems, as well as the presence and up-to-date status of antivirus and/or anti-mal-ware scanners.
These mobile or remote PCs may well host an electronic pathogen or hostile application of which the PC user is completely unaware. The remote user's logon attempt is validated, and the remote PC, along with all the authorized and unauthorized software installed on it, is admitted onto the private corporate network alongside the authenticated user.
As a result, uninvited stowaways, including electronic pathogens and hostile applications, can seriously impact the conduct of business on the network for all corporate users. The same threat is present when workers with mobile computers return to the office and connect to the corporate network, following a connection to a home network or other business network that allowed the hostile application to be installed without the PC user's knowledge.
VPN: Dangerous Access
A Virtual Private Network (VPN) provides the simplest, most common method of enabling remote access to rich data. The VPN easily connects the remote user directly to the office network, providing all the features of working in the office, and is only limited by the bandwidth of the remote connection. For some information workers, any functionality less than that of the office PC means they can't do their complete job in the most efficient way for the organization.
Despite the efforts made within organizations to ensure that computers used internally comply with network policies regarding updating and antivirus, those used from employees' homes or on the road for remote access can still present significant risk to the network. This risk was most recently expressed by the Nachi (or Welchia) worm, which used a known vulnerability in some Windows operating systems to propagate. Due to the nature of how this worm flooded the network with ICMP (ping) traffic, even perfectly updated and protected networks could still be rendered partially or completely useless due to the presence of even one infected computer in the enterprise.
Another recent example was a case of "mal-ware" that involved the popular downloadable utility, "Pop Up Killer." Normally a fairly benign and even useful utility, one download site for the utility was hijacked. A malicious version of "Pop Up Killer" was uploaded by a hacker containing code that exploited the user's PC by sending a large amount of traffic out to the Internet. If this malicious traffic were tracked back to the corporate user's network, it could make the user's employer liable for damages or even criminal penalties, and could cause that organization's Internet TCP/IP address(es) to be "blacklisted," delaying e-mail delivery and causing business interruption.
Solutions: Quarantine or Isolate
It is obvious that allowing uncontrolled and/or unrestricted access to the office network via a VPN carries significant risks. For some information workers, however, a VPN represents the only way to get business done efficiently. For the small business, risk reduction depends on user education, and awareness of the threats and risks. The small network owner must manually administer some method of scanning and updating computers before they are attached to the network either in the office or remotely via a VPN.
For the larger network that requires an automated, scalable solution, two avenues for mitigating the risks are:
1. temporary quarantine of computers while they are checked for conformance with company policy; and/or
2. permanent isolation of computers from the office network, permitting access only on limited protocols and/or to limited destinations.
The quarantine solution examines remote users' computers to make sure they are patched, running current antivirus, and, in other key ways, conform to the same standards of updating applied to business computers on the office network. For example, the Network Access Quarantine Control feature of Microsoft Windows Server 2003 delays normal remote access to a private network until the configuration of the remote access computer has been examined and validated by an administrator-provided script. This can include validating that the Personal Firewall Service of Microsoft Windows XP is enabled on the network adapter connected to the Internet.
Another method to protect the office network from mobile and remote computers that are presumed to be non-compliant with company policies is isolation via Virtual LANs (VLANs). VLANs are a feature of managed network switches. By assigning specific switch ports to specific Ethernet wall jacks and/or wireless access points, "islands" of network ports in one VLAN are isolated from ports that are not members of the same VLAN. Advanced "Layer 3" switches can route only specific traffic between VLANs, for example allowing only Web browsing (HTTP traffic) to isolated Web gateways and blocking all other traffic. This technique permits network communication at only the minimum necessary level, and reduces or contains the damage hostile applications can do to the corporate network.
Isolation is a vendor-neutral solution that leverages the hardware features of high-end managed switches. Careful planning is required as improper implementation of VLANs can be very disruptive to the business.
A combination of the isolation and quarantine techniques can be used efficiently in the following scenario. Mobile, remote, and even wireless users attach to an "isolation" VLAN, where they can perform only the minimum necessary functions. Those users who also require access to rich data can optionally activate their Microsoft VPN client, which works with the Internet Authentication Service on a Windows Server 2003 server to deliver the Network Access Quarantine Control feature. As part of the quarantine control process, the computer can be examined for compliance with company policies, and even be brought into compliance by installing missing updates and checking and enforcing security-related settings. Once the PC is compliant with company policy, it clears quarantine, is assigned a new IP address, and is permitted a rich data connection to the corporate network.
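The administrator-provided quarantine script mentioned above, written out as an added example (it is not from the article or from Microsoft's sample scripts): a Connection Manager post-connect action that checks the remote PC against policy and, only if every check passes, calls rqc.exe to ask the remote access server to lift the quarantine filters. The parameter order, the listener port, the script version string, the registry paths, the required update number and the antivirus service name are all assumptions and must be matched to the actual deployment.

```batch
@echo off
REM Added example, not from the article: client-side NAQC quarantine script.
REM Run by the Connection Manager profile after the VPN connects; it receives
REM these parameters (assumed order, set in the CM profile):
REM   %1 connection name  %2 tunnel connection name  %3 domain  %4 user name
REM Port, version string, registry paths, hotfix id and service name are
REM assumptions; adjust them to match the RRAS server and client build.
setlocal
set RQS_PORT=7250
set SCRIPT_VERSION=Version1-0
set REQUIRED_KB=KBnnnnnn

REM Check 1: Windows XP firewall must be enabled for the Internet-facing profile.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall 2>nul | find "0x1" >nul
if errorlevel 1 (
    echo Quarantine: Windows Firewall is disabled on the Internet adapter.
    goto :stay_quarantined
)

REM Check 2: the required security update must be installed (placeholder id).
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\%REQUIRED_KB%" >nul 2>&1
if errorlevel 1 (
    echo Quarantine: required update %REQUIRED_KB% is missing.
    goto :stay_quarantined
)

REM Check 3: the antivirus real-time service must be running (name assumed).
sc query "AVService" | find "RUNNING" >nul
if errorlevel 1 (
    echo Quarantine: antivirus service is not running.
    goto :stay_quarantined
)

REM All checks passed: notify the rqs.exe listener on the remote access server.
REM Assumed syntax: rqc ConnName TunnelConnName TCPPort Domain UserName ScriptVersion
rqc.exe %1 %2 %RQS_PORT% %3 %4 %SCRIPT_VERSION%
if errorlevel 1 (
    echo Quarantine: server did not accept the release request.
    goto :stay_quarantined
)
echo Compliance verified; quarantine lifted for %3\%4.
endlocal
exit /b 0

:stay_quarantined
REM The client keeps the quarantine IP filters; the session is dropped when the
REM server's MS-Quarantine-Session-Timeout expires, so the user sees the message.
endlocal
exit /b 1
```

Each failing check leaves the client restricted rather than attempting remediation; a remediation step (for example, launching the update installer before re-running the checks) would be inserted in front of the corresponding goto.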
Rich Data Access Alternatives
Organizations can reduce the vulnerabilities inherent in conventional VPN connectivity by providing users with rich data access via other technologies. If an organization can centralize all its human-machine interfaces into a small number of Web-based applications, those applications can be securely published via SSL (HTTPS). In this case, only TCP port 443 needs to be opened to the Internet, and hardening and managing the security of the Web services may be sufficient to protect the corporate network. Another distinct and valid alternative to providing VPN access is to enable a Remote Desktop solution using the Terminal Services features of the Microsoft Windows Server family.
Examples of technologies that can reduce or eliminate the need for VPN connections, while providing the rich data experience of the office network, include Microsoft Outlook Web Access in Exchange Server 2003. This provides a nearly identical experience to the full Outlook 2003 desktop application, even over the Internet in a Web browser. Also available is Windows SharePoint Services, a collection of services for Windows Server 2003 for creating team-oriented Web sites to share information and collaborate with other users on documents. You can also use Windows SharePoint Services as a development platform for creating collaboration and information-sharing applications that use only port 80 for unsecured HTTP and/or port 443 for secure (SSL) operation.
Copyright © 2004 by the American Institute of Certified Public Accountants, Inc., New York, New York.