Republished with permission from WatchGuard Technologies, Inc.
Extending the Perimeter: Protecting the Telecommuter and the Road Warrior (Part 1)
Fredrick M. Avolio
No one has a true, unbroken security perimeter (and a good thing, too). An unbroken security perimeter gives (nearly) perfect security, but provides almost no services. We do want some services from our Internet connection: e-mail, Web access, perhaps more, perhaps less, but something. If we didn’t want these services, we wouldn’t have gone to the trouble of connecting to the Internet in the first place.
Every service allowed through our Firebox represents a hole, albeit a carefully watched and controlled hole, from the Internet into our internal systems or from our internal systems out to the Internet. There are other “holes” in our perimeter defenses as well. Those holes are the subject of this editorial. They are the holes created to give access to the mobile systems of our telecommuters and travelers.
So, if it is not new now, why is it important now? It has become commonplace for officers of corporations, software developers, and middle managers to travel with a laptop computer and connect from wherever they are in the world to the Internet and to their corporate networks. It is becoming commonplace for people to read their personal as well as corporate e-mail from hotels, home, and kiosks at airports and exhibit halls. As the population of mobile and telecommuter users grows, so does the risk that connection via these methods will result in an attack or network compromise.
Threats and Risks
1. Computer virus infection (possibly leading to the infection of customers): Anti-virus software on the office system and firewall-based malicious code scanning don’t protect our users at home or on the road; they are away from the administrative support of the IT staff and are outside the protective boundary of the firewall.
2. Loss or destruction of corporate information: Computers at home usually have no system support staff or network-based back-up facility silently saving files in the early morning hours.
3. Theft of corporate property: When a computer is at home or carried in a briefcase, it does not benefit from the guard at the door or the photo badge system of your corporate physical security perimeter. This can lead to theft of information or breach of the security perimeter.
4. Theft of corporate information: Inside an organization, sensitive corporate data usually flows across wires within the confines of the corporate building. Workers connecting from home or hotel using the Internet send data across that “danger zone,” making it vulnerable to “packet sniffing.”
5. Password pilfering leading to network break-in: Just as sensitive corporate data can be copied over a network connection, so can usernames and passwords. If a valid username and password combination used to access sensitive corporate network services and data is captured, anyone else can use that same pairing. Anyone can then gain authenticated and authorized access to the same information, and can often do it in such a way as to not be recognizable as an intrusion. As my colleague Rik Farrow has said in his recent article on Social Engineering, “The easiest way to break into a computer is to use a valid user ID and password.”
Finally, “personal firewalls” and vulnerability scanners are available. Personal firewalls such as the WatchGuard Telecommuter (perfect for a permanent connection at home such as DSL or Cable Modem) or its software-based cousins (more portable but less versatile and not as effective) “harden” computers by putting filters on network services and enforcing control of sharing on file systems. Vulnerability scanners check for known problems and insecure system set-ups (or set-ups that are against the corporate security policy). These technologies can provide a considerable degree of assurance in the safety of otherwise vulnerable systems.
Physical security may be more complicated to implement: One can install burglar alarms on homes (and should if the corporate data is sensitive enough). One can even put proximity alarms and anti-theft cables on otherwise portable computers.
Unfortunately, the precautions above can have a negative effect if there aren’t security policy-based acceptable use guides dictating what must and must not be done. In the next column I will discuss and recommend some acceptable use guidelines for the telecommuter and road warrior.