Use the same or the fewest possible ISP for all VPN endpoints.
Chapter 7: Securing Remote and Home Users
Overview Just as a web browser can connect from a home computer to any web server on the planet, so can any network-enabled computer connect to any other type of server over the Internet. This means that home users can technically connect from their home computers directly to servers at work, just as if they were there except slower. In the security-naïve early days of the Internet, many users did just this. Since the Internet is simply a big network, there are no inherent restrictions on any type of use. Users from home could technically have direct access to files on a file server, could print to a network printer at the office, and could connect a database client directly to a database server. But the requirement that the companys information technology assets be secured against hackers also secures them against remote home users. The firewalls that drop hackers connection attempts will also drop remote users attempts to connect to the network. By establishing a VPN, you can both secure the transmission and enforce strong authentication, thus ensuring that remote home users will have access while hackers will not. But VPNs are just the beginning of the real security problem. The Remote Security Problem There are two major problems with allowing legitimate remote users to access your network: • Hackers can easily exploit home computers and use those computers VPN connections to penetrate your network. • Thieves can steal laptops containing VPN software and keys and use them to connect to your network. The next two sections explain these problems in detail. Virtual Private Security Holes Many companies use VPNs to allow authorized users to securely transit firewalls-the practice has become increasingly common in the last two years due to the convenience and efficiency it allows. But this seriously undermines your network security policy. The problem is that hackers can quite easily exploit home computers that have not themselves been secured. And if that home computer has a VPN connection to your network, hackers can relay through the home computer and through the firewall via the virtual private tunnel. Most businesses do not attempt to enforce any sort of security requirements for remote home users, because they dontParts
» The process of determining the identity of a user is called authentication.
» Using unpredictable sequence numbers secures sessions against hijacking.
» Biometric authentication includes the use of fingerprints, speech patterns, facial features,
» Connecting to executable content like ActiveX or Java controls that can exploit the
» Why doesnt a digital signature mean that an ActiveX control is secure?
» A security policy describes security rules for your computer systems and defends against
» The first step in establishing a security policy is to establish functional requirements,
» Automated security policies avoid the weakness of having to be enforced by humans.
» Users should not be required to change passwords often; rather, they should select
» Why is it important that every firewall on your network have the same security
» The most important border security measure is to control every crossing.
» Your effective border security is the lowest common denominator amongst the policies
» Theres no way to address computers directly since the public address connection has to use
» What common sense measure can you take to ensure the reliability and speed of a
» What encryption algorithm is specified for L2TP?
» The three fundamental methods implemented by VPNs are encapsulation, authentication,
» IKE enables cryptographic key exchange with encryption and authentication protocol
» Use the same or the fewest possible ISP for all VPN endpoints.
» The most common VPN protocol is IPSec with IKE.
» Are VPNs always the most secure way to provide remote access to secure
» VPN connections are potentially dangerous because the VPN endpoint could be exploited,
» Laptops are easy to steal and may contain all the information necessary to connect to the
» Laptops the most likely source of virus infection in a protected network because they are
» Using NAT devices or light firewall devices is the best way to protect home computers
» Encrypting documents stored on the laptop reduce the risk posed by lost information when
» Storing data on removable flash media in encrypted form that is not stored with the laptop
» No. Opening a single secure protocol to direct access is usually more secure than allowing
» Where do viruses come from? 2. Can data contain a virus?
» Do all viruses cause problems? 4. What is a worm?
» If you run NT kernel-based operating systems, do you still need anti-virus
» Where is anti-virus software typically installed?
» Hackers write viruses. Virus Protection
» No. Pure data can be corrupted by a virus, but only executable code can contain a virus.
» No. Only applications that allow you to write macros and which contain a scripting host
» Microsoft Outlook and Outlook Express are susceptible to e-mail viruses.
» Yes. NT kernel-based operating systems are only immune to executable viruses when run
» Why is RAID-0 not appropriate as a form of fault tolerance?
» What are the two common types of clustering?
» The hard disk is the most difficult component to replace in a computer.
» Deployment testing is the easiest way to avoid software bugs and compatibility problems.
» Strong border security, permissions security, and offline backup are the best ways to
» Tape backups are the most common form of fault tolerance.
» An incremental backup contains all the files changed since the last incremental backup,
» RAID-1 and RAID-0 are combined in RAID-10.
» Since you have to leave 1 disk for parity information, the storage available would be 5-1
» Yes. Share security works on FAT file system shares.
» What is the primary security mechanism in Unix? 6. Which component stores permissions?
» Which two commands are typically used to modify ownership and permissions on
» ATT essentially lost control of its development of Unix when they gave it away to
» File system permissions are the primary security mechanism in Unix.
» File inodes store permissions in Unix.
» The GID of the wheel or superuser group is 0.
» Read, Write, and Execute are the basic permissions that can be set in an inode.
» Nothing. Daemons are standard executables that run using SetUID permissions.
» What do IPChains and IPTables provide? 11. What functionality does FWTK provide?
» PAM provides a standardized method for services to authenticate users against a wide
» Yes, Samba passwords are encrypted by default in Windows, and encryption can be
» TCP Wrappers provides protection by replacing the service executable with a service that
» IPChains and IPTables provide TCPIP packet filtering.
» FWTK provides protocol level filtering and a proxy service.
» How do you configure Apache?
» What is taint? Web Server Security
» Microsoft Internet Information Services and Apache serve over 90 percent of the public
» The bugs in the operating system or web server software are the most threatening security
» Closed source and open source operating systems are about equally secure.
» Websites should only be deployed on dedicated web servers, because general purpose
» SSL encrypts web data flowing between the browser and the server.
» You can secure intranet servers by placing them inside a VPN and not making them
» The universal encrypted authentication mechanism is using SSL to secure basic
» Illegal spammers use open relays, relays that will relay mail from any host rather than just
» To close an open relay, require some form of authentication from those who want to send
Show more