The most common VPN protocol is IPSec with IKE.

Chapter 7: Securing Remote and Home Users

Overview

Just as a web browser can connect from a home computer to any web server on the planet, so can any network-enabled computer connect to any other type of server over the Internet. This means that home users can technically connect from their home computers directly to servers at work, just as if they were there, except slower. In the security-naïve early days of the Internet, many users did just this. Since the Internet is simply a big network, there are no inherent restrictions on any type of use. Users from home could technically have direct access to files on a file server, could print to a network printer at the office, and could connect a database client directly to a database server.

But the requirement that the company's information technology assets be secured against hackers also secures them against remote home users. The firewalls that drop hackers' connection attempts will also drop remote users' attempts to connect to the network. By establishing a VPN, you can both secure the transmission and enforce strong authentication, thus ensuring that remote home users will have access while hackers will not. But VPNs are just the beginning of the real security problem.

The Remote Security Problem

There are two major problems with allowing legitimate remote users to access your network:

• Hackers can easily exploit home computers and use those computers' VPN connections to penetrate your network.
• Thieves can steal laptops containing VPN software and keys and use them to connect to your network.

The next two sections explain these problems in detail.

Virtual Private Security Holes

Many companies use VPNs to allow authorized users to securely transit firewalls; the practice has become increasingly common in the last two years due to the convenience and efficiency it allows. But this seriously undermines your network security policy. The problem is that hackers can quite easily exploit home computers that have not themselves been secured.
And if that home computer has a VPN connection to your network, hackers can relay through the home computer and through the firewall via the virtual private tunnel. Most businesses do not attempt to enforce any sort of security requirements for remote home users, because they don't own the equipment and they can't really prevent users from circumventing security measures on their own computers. This means that, in effect, every remote VPN connection you allow into your network is a potential vector for hackers to exploit.

Laptops

Laptops are an extraordinary convenience, especially for users who travel extensively. But they suffer from two very serious security problems.

Firstly, laptops are the Typhoid Marys of the computer world. They connect to networks all over the place, within your organization, the organizations of your business partners, Internet cafes, hotels, and home networks. Any viruses in these locations can easily jump to laptops, hibernate there, and then infect your network when the laptop is again attached to it. My company has a client whose network was infected by the Nimda worm because a third-party consultant brought his infected laptop to their company and attached it to the network.

Secondly, an amazing number of laptops are stolen every year. We all know that airports, hotels, taxis, and rental cars are obvious places from which a laptop may be stolen, but according to the FBI, 75% of all computer theft is perpetrated by employees or contractors of the business that experiences the loss. In 2000, nearly 400,000 laptops were stolen in the United States. Generally, 1 out of every 14 laptops will be stolen within 12 months of purchase, and 65% of companies that use laptops have reported that at least one of their laptops has been stolen.
The FBI reports that 57% of corporate crimes of all sorts are eventually traced back to a stolen laptop that contained proprietary secrets or provided both the means and the information necessary to remotely penetrate the corporate network. Between the time that I wrote this chapter and reviewed it, a client of mine had four laptops, a projector, and a flat panel stolen by employees of its cleaning company.

While losing the hardware is an expensive inconvenience, losing the data can often be devastating. Loss of work done is bad enough, but the loss of proprietary secrets can potentially ruin a company. But worse than all of that is losing control of security keys and VPN software when a laptop is stolen that could allow the thief to directly access your network. Many people never consider that one-click convenience to attach to the VPN using stored keys means that their laptop is essentially a portal into the network for anyone.

Keep in mind that passwords in Windows 2000 and NTFS file system permissions are really just user-grade security efforts that any Windows administrator or competent hacker could easily defeat.

Protecting Remote Machines

Protecting remote machines from exploitation is actually pretty easy, but it requires diligence and constant monitoring. Diligence because you must protect every remote computer that you allow to connect to your machine. Just one unprotected machine connecting to your network allows a potential vector in, and with the contemporary threat of automated Internet worms, it's likely that every computer that can be exploited will be exploited; it's just a matter of time.
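One check that supports this diligence for the stored-key risk raised under Laptops, added here as an example and not taken from the book: it walks a directory of VPN client files and reports private keys saved without passphrase protection. It assumes the keys are stored as PEM files (PKCS#8 or legacy OpenSSL format); the function names and the sample data are constructed for illustration.

```python
import os
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
# PKCS#8 (plain and encrypted) and legacy OpenSSL private-key labels.
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
              "RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY"}

def classify_keys(text):
    """Return [(label, state)] for every private key found in text."""
    findings = []
    for label, body in PEM_RE.findall(text):
        if label not in KEY_LABELS:
            continue  # certificates, public keys, ...
        # Encrypted PKCS#8 has its own label; legacy keys carry a header.
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or "Proc-Type: 4,ENCRYPTED" in body)
        findings.append((label, "protected" if encrypted else "UNPROTECTED"))
    return findings

def audit_tree(root):
    """Walk root; return {path: findings} for files that contain private keys."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    found = classify_keys(fh.read(1 << 20))  # key files are small
            except OSError:
                continue  # unreadable file: skip it
            if found:
                report[path] = found
    return report

# Constructed sample (bodies are placeholder base64, not real keys).
SAMPLE = """\
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
"""
```

A key reported as UNPROTECTED is usable by whoever holds the disk, whatever login password or file permissions the operating system applies.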