Securing Remote Users
Don't Let VPN Users Give Hackers a Path Into Your Network
Mishawaka, IN. Today, more companies than ever are finding
it desirable to let employees access the corporate network from
outside the office. Sales staff in remote locations, traveling
executives, part-time home workers, etc., all need to access
company information. Virtual Private Networks (VPNs) allow these
users to access the company network using public infrastructure
(i.e., the Internet). VPNs eliminate the need for costly and
inflexible dedicated lines, and provide a high level of security
for the connection. As more homes are able to obtain broadband
Internet service via cable or DSL, VPNs have become a powerful
and low-cost tool to spread access to corporate data.
Despite the apparent security of VPN connections, there's a
significant potential risk factor: the user's own computer.
If a user's machine is compromised by a hacker, the VPN itself does
nothing to protect the corporate network: it encrypts the link and
authenticates the user, but it cannot tell whether the machine at the
far end is still under that user's control. Instead, the VPN link
serves as a trusted, encrypted pipeline for the hacker to reach
company servers and data.
How could a hacker gain access to the user's computer? Viruses
and Trojan horse programs that leave open doors to the user's
machine are a major possibility - these spread easily by e-mail
and file sharing. In addition, the very broadband connections
that make working from home so attractive are themselves risk
factors. For example, cable-connected users usually have a continuous
connection to the Internet with a static or rarely-changing
IP address. This makes them vulnerable to many types of exploits,
including scans for unsecured ports, calls to dormant Trojan
horse programs, etc.
Perhaps the newest risk factor is the growth in home networking.
It is increasingly common to find multiple PCs in a home. These
PCs may share an Internet connection, a printer, user files,
etc. The implication of this development is that now there may
be multiple points of attack in the user environment, and that
the user may have local network and sharing settings that increase
the vulnerability of the PC used to access the VPN.
Fortunately for harried IT managers, the news isn't all bad.
Firewall products are becoming widely available and fairly inexpensive.
One rapidly growing product category is the home router - these
cost well under $200, provide a built-in firewall and the security
of "network address translation" (NAT). With NAT, each PC is given
a private IP address that is not routable on the Internet; the router
presents a single public address and forwards inbound traffic to a PC
only when it is a reply to a connection that PC opened. Unsolicited
connection attempts from outside are simply dropped.
In addition to the security features, these home routers often
provide network hub and/or wireless access point capability
to allow easy connection of multiple computers. The wireless
features usually permit encryption to make it difficult for
potential intruders to access the network from outside the home
(e.g., from a car in the driveway).
Software solutions abound as well. Zone Labs, Network Ice,
and McAfee all offer both personal firewalls and other security
products. These personal firewalls generally don't integrate with
the VPN for central administration, so policy is set on each PC, but
they offer a measure of protection with little maintenance.
Companies interested in the highest level of VPN security can
install integrated VPN clients/firewalls. This approach is a
bit more expensive than using the built-in Windows VPN features,
but allows more manageability. Compared to the costs of an intrusion,
though, the cost of these (typically $100 per client or less)
is fairly trivial.
Check Point Software offers a product called VPN-1 Secure Client,
a VPN client/firewall combination. Cisco also has a relatively
new VPN Client 3.5 that incorporates a firewall. In conjunction
with other Cisco hardware and software, Cisco's "Centralized
Protection Policy" can be imposed on the remote PC before the
connection is established.
There's little doubt that remote users are one of the weakest
links in corporate network security. Fortunately, inexpensive
solutions exist to make these remote links resistant to intrusion.
Useful Resources:
Check Point Software
Cisco VPN Client - Documentation
CompStar Technologies is a leading Indiana-based provider of networking, technology, and communications services. With offices in Mishawaka (serving South Bend, Elkhart, Warsaw, Michigan City, Fort Wayne, Niles, St. Joseph, and Benton Harbor, Michigan) and Indianapolis, CompStar provides network design / support, network security, wireless networking, business telephone systems, VoIP (voice over IP), and cctv / video surveillance systems. CompStar is the Technology Division of Direct Line Communications, headquartered in Mishawaka, Indiana.