17 Dec 09

What We’re Reading, Week of 12/14

eWeek Security Watch…
Survey Lists Top Enterprise Endpoint Security and Compliance Holes
This post by Brian Prince discusses a survey of about 100,000 endpoints from some 25 organizations, revealing that all of them had between 10 and 30 percent security- or policy-compliance issues. The survey found the key issues are missing third-party agents, unauthorized peer-to-peer applications, missing Microsoft updates and out-of-date or misconfigured antivirus.

The Ashimmy Blog…
The Evolution of NAC
While reading Alan Shimel’s post, An Incite-ful Tuesday: Playing catch up, we came across another post of his, The evolution of NAC, where he discusses Jeff Wilson of Infonetics Research’s strong support for NAC. He says that with companies going out of business and market numbers not growing as projected, a new angle needs to be taken on NAC. This is what Jeff and his team have done with their new whitepaper titled “The Evolution of Network Access Control”, which is available as a free download if you are interested.

Business Week…
Security Evaluation of Remote Users
In this post, Jeff Hughes offers some advice for companies to ensure that they are doing everything possible to secure their network from their own users. Companies should require that all remote users outside the perimeter firewall connect using a virtual private network. All employees should also use an antivirus solution and have their laptops regularly patched and updated and change their passwords frequently. He also recommends companies create a remote-access usage policy and set clear expectations.

Network World…
IT Pros Go Mobile for Holiday Work
According to survey results, fewer IT professionals intend to spend holiday time in the office this season, and the number of high-tech workers planning to log hours at work has halved since 2006. Over 200 small and midsize businesses were surveyed to learn about IT pros’ holiday work plans. With 82 percent of business managers intending to log in remotely, and 75 percent of IT staffers also telecommuting, let’s hope they will be using a secure VPN client.

14 Dec 09

Rethink Remote Access: Mike Meikle’s Advice

For another perspective on our series on how to rethink remote access, we spoke to IT expert Mike Meikle about why remote access policy is hard to adapt. Mike is a Capital One Platform/Program Management Consultant at Sapphire Technologies, providing advice and solutions to senior executives. He shares some thoughts with us on whether the issue is network security’s flexibility.

Internal politics, first off, has doomed many sensible security efforts, from “Why can’t the VP have administrator access remotely to the email server?” to “I don’t want to have to remember/change my password,” which usually leads to a bare-bones approach to security as a whole. A metaphor for this is having a screen door on a bank vault.

Flexibility of network security is not the issue. Even though a hacker can break a password in three days with a mid-level system and a high-end graphics card, we haven’t adapted to this new reality. One-time passwords, tokens and biometrics are still only utilized by a small segment of the population, mostly by government and high-level financial institutions. Security professionals have a hard time making the case to upper management for security “best practices”, let alone more advanced technologies such as intrusion detection and prevention, etc. So most companies go by the axiom that a “locked door keeps an honest man honest”. These companies probably know that a dedicated individual, within or without, could walk off with valuable assets without too much trouble.

It all boils down to the user and his/her acceptance of the policy or solution. This topic was brought up on your blog by Andrew Baker. Without user buy-in to whatever you are selling or implementing, it will fail or be resisted heavily. Folks in IT are usually poor sales/marketing people, which is why IT and the business should work together on designing their solutions to fit the needs of the users within the company. Of course this would be weighed against a cost/benefit analysis and risk. A heavy-handed approach by IT or upper management will almost always guarantee a spectacular waste of money and time with an eventual bare-minimum compliance.

The solution? This goes all the way back to the strategic plan of the organization in question. Security has to start from the top down and be integrated in whatever solution, not tacked on as an afterthought. Also it involves training as Mr. Baker mentioned. Training for both employees and a company’s customers. Managing the expectations of both parties will help smooth the path for future adjustments.

10 Dec 09

What We’re Reading, Week of 12/7

RSA Blog…
VPN Man-in-the-Middle Attacks: Fact or Fiction?
In this post, Mischel Kwon discusses the US-CERT warning issued in November about a vulnerability in clientless SSL VPNs that could be exploited through a man-in-the-middle attack but has not yet been seen exploited. While it was beneficial for people to be made aware of this attack, there are no reports of it being used successfully. He suggests implementing the US-CERT recommended mitigations: limit URL rewriting to trusted domains, limit VPN server network connectivity to trusted domains and disable URL hiding features. He also encourages people to contact their VPN vendors for more strategies.

The Tech Herald…
Protecting the Company as Employees Travel During the Holidays
This article by Steve Ragan discusses how businesses will want to protect their employees and their assets while they take their work home with them during the holidays. As more employees work remotely during their time off, holiday travel can present threats to companies due to unintentional data loss, leakage, and privacy problems. We recommend connecting to your company’s network through a VPN to help prevent potential threats.

Jupdi Blog…
DirectAccess Takes Place of VPN for Windows 7
This post by Gregg Housh discusses Microsoft’s DirectAccess feature for Windows 7, which lets employees connect to their office network remotely. There is a growing need for employees to work from remote locations, and typically VPN solutions are used for that purpose. Gregg suggests that DirectAccess is easier to use than a VPN; however, it is only available if your company has upgraded its servers to Windows Server 2008 R2. You can use NCP’s Secure Entry Client with your current equipment without having to upgrade.

Gartner Blog…
A Sneak Peek at the Top 10 2010 Security Technology Priorities
Every year Gartner surveys hundreds of enterprise security end users for its IT Key Metrics benchmarking database and publishes a high-level view of its findings. In this post, Adam Hills gives us a sneak peek at the “Top 10 Security Priorities, Worldwide” from this year’s survey. Here’s what made the list: Intrusion Detection and Prevention, Patch Management, Data Loss Prevention, Antivirus, User Provisioning or Identity Management, Vulnerability Assessment, Firewalls, Security Information and Event Management, Network Access Control, and Remote-Access or Site-to-Site VPN.

09 Dec 09

Warning: SSL VPN vulnerability

Last Monday, the US-CERT warned the public of an SSL VPN vulnerability that affects a long list of vendors (not NCP, however). The US-CERT states that these clientless SSL VPNs “break fundamental browser security mechanisms, [where] an attacker could use these devices to bypass authentication or conduct other web-based attacks”.

SSL VPNs provide employees with access to company servers, internal fileshares and remote desktop capabilities through a Web browser, and this vulnerability can expose users to man-in-the-middle attacks. This is a serious problem because it gives attackers a way into sensitive company data.

There is no known fix for the vulnerability. The advisory urges administrators to deploy workarounds and check with their specific vendors for product-specific instructions. Administrators can limit URL rewriting to trusted domains, configure the VPN device to access only specific network domains and disable URL hiding features. Is it time to start rethinking remote access choices?
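To make the first of those workarounds concrete, here is an added example (written for this post; it is not code from US-CERT, the advisory or any vendor’s product) of the “limit URL rewriting to trusted domains” check a clientless SSL VPN gateway would run before it proxies a page on its own origin. Because everything the gateway rewrites is served from the gateway’s origin, a loose check lets an untrusted page share that origin with the internal applications, which is the same-origin break the advisory describes. The function names, the `TRUSTED_DOMAINS` allowlist, the `vpn.example.com` gateway address and the sample URLs are all constructed for the example; the check also covers two misparsing cases the advisory text does not spell out, credentials in the URL authority and look-alike suffixes.

```python
"""Default-deny allowlist check for a URL-rewriting SSL VPN gateway.

Added example, not from the US-CERT advisory or any vendor product.
TRUSTED_DOMAINS and the gateway URL are constructed for illustration.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: internal hosts the gateway may rewrite and proxy.
TRUSTED_DOMAINS = ("intranet.example.com", "mail.example.com")
ALLOWED_SCHEMES = ("http", "https")


def rewrite_allowed(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Return True only if the gateway should rewrite and proxy this URL.

    Anything the gateway proxies ends up on the gateway's own origin, so the
    answer for anything unrecognised is "no".
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        # e.g. an unbalanced IPv6 bracket; treat an unparsable URL as untrusted
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        # refuses javascript:, data:, file: and scheme-relative "//host" forms
        return False
    # Refuse userinfo in the authority: "trusted.example.com@evil.net" reads as
    # trusted to a naive string search but the browser connects to evil.net.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # lower-cased, port removed, IPv6 brackets stripped
    if not host:
        return False
    # Exact match or a true subdomain. A bare endswith(domain) would accept
    # "notintranet.example.com"; a prefix check would accept
    # "intranet.example.com.evil.net".
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return True
    return False


def rewrite_url(url: str, gateway: str = "https://vpn.example.com/proxy/") -> Optional[str]:
    """Return the gateway-proxied form of url, or None if it must not be rewritten.

    The "/proxy/<original url>" layout is an assumed gateway convention.
    """
    if not rewrite_allowed(url):
        return None
    return gateway + url


if __name__ == "__main__":
    # Constructed sample links as they might appear in a proxied page.
    for candidate in (
        "https://intranet.example.com/home",
        "HTTPS://Docs.Intranet.Example.COM:443/x",
        "https://intranet.example.com@evil.net/",
        "https://intranet.example.com.evil.net/",
        "https://notintranet.example.com/",
        "javascript:alert(1)",
    ):
        print(f"{candidate!r:50} -> {rewrite_url(candidate)}")
```

The rule is deliberately exact-or-subdomain rather than substring matching, and it refuses anything it cannot parse: for a device whose whole purpose is to serve other sites from its own origin, the cost of a false “deny” is a broken link, while the cost of a false “allow” is the bypass the advisory warns about.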

This issue was discovered by David Warren and Ryan Giobbi with help from Michal Zalewski and Mike Zusman.  For additional details on the SSL VPN vulnerability (vulnerability note VU#261869), visit: http://www.kb.cert.org/vuls/id/261869

07 Dec 09

Forefront a Rethinking of Remote Access?

Haus doesn’t think so – it sounds like more of the same NAC problems that have become so problematic for early adopters. Here’s the scoop on the latest from Redmond, as reported by John Fontana for Computerworld.

What is interesting to us is the extension of DirectAccess to XP and Vista users (though you still need the 2008 R2 server). It seems the rollout slowdown is a result of developing a central management system for the whole suite. This has always been the problem with NAC (well, that plus the complexity of setting it all up).

Will this solve the remote access issues IT has? We’re not sure. Lots of people are talking, though – check out these IT complaints (great blog!), our own series on how to rethink remote access, and the many more out there. We think the only way to solve the remote access problems is for vendors to stop forcing rigid options on the market. Complexity, management burden and integration issues prevent rethinking today. For example:

  • Certificate creation, management
  • Two-factor authentication
  • End-point security software
  • Network AND device firewalls
  • Provisioning
  • Policy enforcement
  • Audit reporting (PCI, HIPAA, etc.)
  • Running IPsec and SSL parallel systems
  • Many vendors, poor integration

NAC is washed up in Haus’ opinion due to the management issues and complex setup requirements. NAC-like functions, however, certainly have their place … as long as it’s easy to manage!