February 2007

Perimeter Security

You need a multilayer solution to keep your systems safe

One of the worst mistakes you can make with perimeter security is to issue policies that forbid using certain technologies such as IM or Web conferencing. Users will ignore such policies, and service providers and developers will find a way around simple firewall rules designed to block "unauthorized" communications. Don't risk compromising your role and effectiveness as an IT professional by hindering rather than facilitating technology use. As you address security issues, facilitate adoption of new technology.

VPNs and SSL VPNs
Despite the trend toward providing remote access at the application level, VPN access is still very important to mobile and remote users. VPNs have become confusing with the advent of so-called Secure Sockets Layer (SSL) VPNs. Let's talk about traditional VPNs first; then I'll define SSL VPNs and discuss their pros and cons.

Traditionally, using VPNs for remote access simply meant establishing a connection over the Internet to the company LAN by using a tunneling protocol such as PPTP or L2TP. Once connected, remote users were virtual members of the internal LAN and could access IP-accessible resources on that LAN as if they were in the office (although access was much slower due to the latency of the remote connection).

True PPTP- or IPsec-based VPNs have an undeserved reputation as hard to administer and support (the biggest complaint is that you must install proprietary client software on all remote users' PCs). I don't understand why companies have relied so much on third-party VPN solutions rather than on the native Windows PPTP and L2TP support. Installing an RRAS server is easy, and Windows has had a built-in VPN client since Windows NT. Using PPTP is especially easy. If you want two-factor authentication using client certificates, you'll have to use L2TP and deploy client certificates (but that's true with any type of two-factor authentication). Using the Connection Manager Administration Kit (CMAK), you can create a wizard that automatically sets up the VPN connection in the user's Network Connections folder. You can distribute the wizard as an email attachment, on a CD-ROM, or as a Web download.

The biggest problem I've encountered with VPNs is caused by firewalls between the VPN server and the remote user. Most firewalls must be explicitly configured to allow PPTP or IPsec (L2TP rides inside of IPsec) pass-through for outgoing VPN connections, and not all administrators are willing to do this. These occasional connectivity problems are one of the reasons to use SSL VPNs instead.
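The pass-through requirement above is easy to get wrong because both tunnel types need more than one rule. This added example (not from the article) checks an outbound ruleset against what each Windows tunnel type actually needs; the rule format, names and sample policies are hypothetical, the port and protocol numbers are the standard ones.

```python
# Added example (not from the article): check whether an outbound firewall
# ruleset lets the two Windows tunnel types through. The protocol facts are
# standard: PPTP needs TCP 1723 plus GRE (IP protocol 47); L2TP/IPsec needs
# IKE on UDP 500, NAT-T on UDP 4500 and ESP (IP protocol 50), with L2TP's
# UDP 1701 hidden inside the ESP tunnel. Rule format and names are hypothetical.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", "gre", "esp" or "any"
    port: Optional[int]    # destination port for tcp/udp, None = any / not applicable

Need = Tuple[str, Optional[int]]
REQUIREMENTS: Dict[str, List[Need]] = {
    "PPTP": [("tcp", 1723), ("gre", None)],
    "L2TP/IPsec": [("udp", 500), ("udp", 4500), ("esp", None)],
}

def is_allowed(rules: List[Rule], proto: str, port: Optional[int]) -> bool:
    """First matching rule wins; no match means deny, as most firewalls behave."""
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action == "allow"
    return False

def vpn_passthrough_report(rules: List[Rule]) -> Dict[str, List[Need]]:
    """For each tunnel type, list the (proto, port) pairs the ruleset blocks."""
    return {name: [n for n in needs if not is_allowed(rules, *n)]
            for name, needs in REQUIREMENTS.items()}

# Constructed sample: a "web plus DNS" egress policy where someone opened TCP 1723
# and assumed PPTP would work; GRE is still dropped, and IPsec is not opened at all.
WEB_EGRESS_PLUS_1723 = [
    Rule("allow", "tcp", 80), Rule("allow", "tcp", 443),
    Rule("allow", "tcp", 1723), Rule("allow", "udp", 53),
    Rule("deny", "any", None),
]
# The same policy with the IPsec pieces added explicitly (GRE still missing).
IPSEC_FRIENDLY = [Rule("allow", "udp", 500), Rule("allow", "udp", 4500),
                  Rule("allow", "esp", None)] + WEB_EGRESS_PLUS_1723
```

Run `vpn_passthrough_report` against your own egress policy expressed as `Rule` objects; an empty list for a tunnel type means that type can get out.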

Not all SSL VPNs are true VPNs—many are simply a reverse HTTP Secure (HTTPS) proxy. With a reverse proxy server, you can take browser-based applications originally deployed for access by internal LAN users and make them available to remote users without changing the internal application server. The proxy server poses as a secure Web server on the Internet; after remote users successfully connect and are authenticated using their normal Web browsers, the proxy server acts as middleman between the user and intranet server. ISA Server has been doing this for many years, but the term "SSL VPN" has come into use as new companies have gotten in on the reverse proxy game. The key advantage to using a reverse proxy is that you can easily make internal Web applications available to remote users without doing any client-side setup or installation and without modifying the internal Web application. And you don't run into the connectivity problems I mentioned earlier caused by firewalls blocking outgoing tunneling protocols.
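The middleman role described above, as an added example that is not ISA Server's or any vendor's code: the proxy authenticates the browser session itself, then rewrites and relays only authenticated requests to the unchanged internal application. Every name (the session cookie, `proxy_request`, the internal host) is an assumption.

```python
# Added example (not from the article, ISA Server or any vendor): the core of
# an authenticating reverse HTTPS proxy. Only requests carrying a session the
# proxy issued at login are rewritten and relayed to the internal web app,
# which is never modified or reached directly. All names are hypothetical.
from typing import Any, Callable, Dict, Tuple

Request = Dict[str, Any]       # {"path": str, "headers": {...}, "client_ip": str}
Response = Tuple[int, Dict[str, str], bytes]

# Hop-by-hop headers describe the client<->proxy link and are never forwarded.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "te",
              "trailer", "transfer-encoding", "upgrade"}

def session_user(headers: Dict[str, str], sessions: Dict[str, str]):
    """Resolve the proxy's own login cookie to a username, or None."""
    cookie = next((v for k, v in headers.items() if k.lower() == "cookie"), "")
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "proxy_session" and value in sessions:
            return sessions[value]
    return None

def rewrite_for_upstream(req: Request, user: str, internal_host: str) -> Request:
    """Build what the intranet server sees: internal Host, hop-by-hop and
    cookie headers stripped, identity headers set by the proxy alone."""
    headers = {k.lower(): v for k, v in req["headers"].items()
               if k.lower() not in HOP_BY_HOP and k.lower() != "cookie"}
    headers["host"] = internal_host
    headers["x-forwarded-for"] = req["client_ip"]   # overwrites any client-sent value
    headers["x-remote-user"] = user                 # likewise: never trusted from the client
    return {"path": req["path"], "headers": headers, "client_ip": req["client_ip"]}

def proxy_request(req: Request, sessions: Dict[str, str],
                  upstream: Callable[[Request], Response],
                  internal_host: str = "intranet-app.internal") -> Response:
    """Stop unauthenticated callers at the perimeter; relay everyone else."""
    user = session_user(req["headers"], sessions)
    if user is None:
        return (302, {"location": "/login"}, b"")
    return upstream(rewrite_for_upstream(req, user, internal_host))

# Constructed stand-in for the unchanged internal application server.
def fake_intranet_app(req: Request) -> Response:
    h = req["headers"]
    return (200, {"content-type": "text/plain"},
            f"hello {h['x-remote-user']} via {h['host']}".encode())

SESSIONS = {"s3cr3t-session-id": "alice"}   # constructed: issued by the proxy at login
```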

Use a reverse proxy when you need to provide remote access to an internal Web application. Use SSL VPNs when you need remote network access to the internal network at the transport level (TCP/UDP). True SSL VPNs provide tunneling of IP traffic between the internal LAN and the remote user. OpenVPN is an open-source, true SSL VPN. For more information, read "Putting OpenVPN to Work" (May 2005, InstantDoc ID 45844). Other true SSL VPNs are available from ISVs such as Aventail and Citrix. SSL VPNs make a lot of promises about ease of use and administration and lower cost of ownership, but Windows native VPN options work well if you use the management capabilities of CMAK, Group Policy, and Certificate Services. If you must support non-Windows remote users, SSL VPNs can be a more compelling option. For an informative guide to SSL VPN products, see Buyer's Guide: "SSL VPN Products" (April 2005, InstantDoc ID 45612).

Intrusion Detection
Despite your best efforts to deploy an array of perimeter security defenses, there's still the risk that attackers can penetrate your network, so you'll want to think about intrusion detection and prevention. Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) use one or more of three basic technologies to detect intruders: packet examination, policy configuration, and pattern analysis. Most IDS and IPS solutions examine packets for known attack signatures. The effectiveness of this detection method depends on how many attack signatures the vendor builds into the product and how often it's updated. Most systems also let you configure policies that define expected network traffic patterns, but this method requires a lot of research and work, and you must maintain the policies as new applications are brought online and traffic patterns change. Some systems employ various algorithms and pattern analysis in an attempt to automatically detect anomalous traffic. These systems hold promise for the future, but right now they suffer from the same limitations and false positives as do heuristics- and Bayesian analysis–based antispam solutions.

IDS and IPS solutions don't vary as much in detection features as they do in the ways they respond when they detect suspicious or unauthorized traffic. IDS solutions focus on logging and alerting. IPS solutions attempt to stop the intrusion by reconfiguring the firewall in real time or by issuing TCP resets. When IDS solutions get it wrong (return false positives), your Inbox fills up and your pager melts down from too many alerts. When IPS solutions get it wrong, important business processes are stopped dead in their tracks. Unless you can dedicate staff to an IDS or IPS, your resources might be better spent on direct perimeter security solutions.
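The three detection methods and the IDS-versus-IPS response difference, as an added example (not from the article or any product): signature matching, a per-host policy, and a crude volume anomaly run over constructed flow records, with the third record being a legitimate backup that an IPS would kill. Signatures, policy, threshold and flows are all invented.

```python
# Added example (not from the article or any IDS product): the three detection
# methods the article lists, run over constructed flow records, with the IDS
# response (alert) and IPS response (reset/block) kept apart. All data invented.
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Flow:
    src: str
    dport: int
    proto: str
    payload: bytes
    bytes_out: int

# 1. Packet examination: byte patterns, vendor-supplied and updated in practice.
SIGNATURES = {"SMB null session": (445, b"\\IPC$"),
              "HTTP path traversal": (80, b"../../")}
# 2. Policy: expected traffic per internal host (destination ports it may use).
POLICY = {"10.0.0.5": {80, 443}, "10.0.0.9": {25}}
# 3. Pattern analysis: a crude volume anomaly, the usual false-positive source.
VOLUME_THRESHOLD = 5_000_000

def detect(flow: Flow) -> List[str]:
    hits = []   # every reason the flow looks suspicious; empty means clean
    for name, (port, pattern) in SIGNATURES.items():
        if flow.dport == port and pattern in flow.payload:
            hits.append(f"signature:{name}")
    allowed = POLICY.get(flow.src)
    if allowed is not None and flow.dport not in allowed:
        hits.append(f"policy:{flow.src} not expected on port {flow.dport}")
    if flow.bytes_out > VOLUME_THRESHOLD:
        hits.append("anomaly:unusual outbound volume")
    return hits

def respond(flow: Flow, mode: str) -> str:
    """IDS only logs and alerts; IPS also stops the traffic in real time."""
    if not detect(flow):
        return "pass"
    if mode == "IDS":
        return "alert"
    return "tcp-reset" if flow.proto == "tcp" else "firewall-block"

# Constructed flows: normal web request, signature hit, legitimate nightly backup.
FLOWS = [
    Flow("10.0.0.5", 80, "tcp", b"GET /index.html", 1200),
    Flow("10.0.0.5", 445, "tcp", b"\\IPC$", 800),
    Flow("10.0.0.9", 443, "tcp", b"", 12_000_000),
]
```

The third flow is the article's point in code: in IDS mode it costs one alert to triage, in IPS mode the backup session is reset before anyone looks at it.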

Perimeter security used to be a matter of configuring firewall rules; now, perimeter security is a multifaceted, multilayered, and much more complicated area of security, and it's much more than the boundary between the Internet and your intranet. Today, many applications straddle these two networks through logical connections that essentially circumvent your firewall. The first step in planning perimeter security is to identify all your connections, both physical and logical, to the outside world. It's important to remember that perimeter security changes constantly and additional perimeter connections crop up as new technologies to leverage the Internet are created. For example, remote-control–based services, such as GotoMyPC, are quickly gaining momentum. Users can easily subscribe to and use GotoMyPC for remote access, but when they do, they open up a wormhole directly into your network through their desktops.

As I mentioned earlier, resisting new kinds of connections to the outside world is futile and can be dangerous to your company. If you try to stop technical advances such as IM and Web conferencing, users will find a way around you, leaving your systems—and your job—less secure. Stay vigilant. Plan ahead. Stay safe.
