Republished with permission from WatchGuard Technologies, Inc.

  WatchGuard LiveSecurity

Extending the Perimeter: Protecting the Telecommuter and the Road Warrior (Part 1)

Fredrick M. Avolio
Avolio Consulting

The term “network security perimeter” is often used to describe the security fortifications of a private network sitting behind a firewall. We draw diagrams of the Internet and private networks, with a firewall in between. In those drawings, we might even show a heavy line encircling our private network. Sometimes   we even make the firewall look like an impassable brick wall. This diagram represents the security perimeter established by our firewall. It is our fortress, our ever shield. It is also a dream.

No one has a true, unbroken, security perimeter, (and a good thing, too). An unbroken security perimeter gives (nearly) perfect security, but provides almost no services. Whereas we do want some services from our Internet connection--E-mail, Web access--perhaps more, or less, but something. If we didn't want these services, we wouldn't have gone to the trouble of connecting to the Internet in the first place. 

Every service allowed through our Firebox represents a hole, albeit a carefully watched and controlled hole, from the Internet in to our internal systems or from our internal systems out to the Internet. There are other “holes” in our perimeter defenses as well. Those holes are the subject of this editorial. They are the holes created to give access to the mobile systems of our telecommuters and travelers.

The Challenge
When we allow people to connect in to our network from their home or hotel room, when we allow them to connect from (Heaven forbid!) a conference, we allow them to take our internal network and extend the perimeter. Home desktop computers and travelers’ laptop computers are part of our network and must be considered to be within our network security perimeter, even when disconnected, or powered off. (None of this is a new discovery – see “A Network Perimeter with Secure External Access,” proceedings of the ISOC NDSS Symposium, 1996.

So, if it is not new now, why is it important now? It has become commonplace for officers of corporations, software developers, and middle managers to travel with a laptop computer and connect from wherever they are in the world to the Internet and to their corporate networks. It is becoming commonplace for people to read their personal as well as corporate e-mail from hotels, home, and kiosks at airports and exhibit halls. As the population of mobile and telecommuter users grows, so does the risk that connection via these methods will result in an attack or network compromise. 

Threats and Risks
Let’s take a few moments to postulate some threats to the inside network from allowing these connections. And then we'll look at suggested solutions.

1.   Computer virus infection (possibly leading to the infection of customers): Anti-virus software on the office system and firewall-based malicious code scanning doesn't protect our users at home or on the road; they are away from the administrative support of the IT staff and are outside the protective boundary of the firewall. 

2.   Loss or destruction of corporate information: Computers at home usually have no system support staff or network-based back-up facility silently saving files in the early morning hours.

3.   Theft of corporate property: When a computer is at home or carried in a briefcase, it does not benefit from the guard at the door or the photo badge system of your corporate physical security perimeter. This can  lead to theft of information or breach of the security perimeter.

4.   Theft of corporate information: Inside an organization, sensitive corporate data usually flows across wires within the confines of the corporate building. Workers connecting from home or hotel using the Internet send data across that “danger zone” making it vulnerable to “packet sniffing".

5.   Password pilfering leading to network break-in: Just as sensitive corporate data can be copied over a network connection, so can usernames and passwords. If a valid username and password combination used to access sensitive corporate network services and data is captured anyone else can use that same pairing. Anyone can then gain authenticated and authorized access to the same information, and can often do it in such a way as to not be recognizable as an intrusion. As my colleague Rik Farrow has said in his recent article on Social Engineering, “The easiest way to break into a computer is to use a valid user ID and password”

There are technology-based “fixes” for all of these concerns, most of which you already know about. Antivirus software can work on home computers and laptops just as well as on corporate desktop computers. Backup and encryption software also can be used on home and laptop computers. In a previous column I mentioned disk and data encryption solutions. As I said then, all of my personal data — anything that did not come off of a vendor install CD or floppy — is stored in an encrypted directory. E-mail and other transmitted data can and should be sent over a virtual private network using products like WatchGuard Mobile User VPN, from home or hotel to corporate gateway. Should users have to connect over an unencrypted connection, one-time password techniques available in both software and hardware versions.  These technologies can be used to insure that the user logging in is really who they say they are.

Finally, “personal firewalls” and vulnerability scanners are available. Personal firewalls such as the WatchGuard Telecommuter (perfect for a permanent connection at home such as DSL or Cable Modem) or its software-based cousins (more portable but less versatile and not as effective) “harden” computers by putting filters on network services and enforcing control of sharing on file systems. Vulnerability scanners check for known problems and insecure system set-ups (or set-ups that are against the corporate security policy). These technologies can provide a considerable degree of assurance in the safety of otherwise vulnerable systems.

Physical security may be more complicated to implement: One can install burglar alarms on homes (and should if the corporate data is sensitive enough). One can even put proximity alarms and anti-theft cables on otherwise portable computers.

Unfortunately, the precautions above can have a negative effect it there aren't security policy-based acceptable use guides dictating what must and must not be done. In the next column I will discuss and recommend some acceptable use guidelines for the telecommuter and road warrior .