05 Feb 10

What We’re Reading, Week of 2/1

Chenxi Wang’s Blog…
Ok. There Is More (or Maybe Less) to the VPN Story, Google Says
Chenxi Wang recently posted on the Microsoft vulnerability that led to the Google hack. Google contacted her directly to say that they cannot confirm that the attack came through the VPN. They said that a Google employee’s machine (running Internet Explorer v6) was compromised via the IE vulnerability. The attacker used the compromised machine to somehow gain access to Google’s servers. The method of access, at some point, may have involved VPN, but Google does not agree with the characterization that “the compromised client used their corporate VPN to gain access to the servers.” If Google issued an “emergency VPN update” then perhaps other organizations should be rethinking their remote access.

CIO.com…
Windows 7 Tips: Best Security Features
In this article, Shane O’Neill describes the new security features in Windows 7. From encryption to malware fighters, there are key Windows 7 tools that keep enterprise and home PCs safe and secure. The top six Windows 7 security features that both consumers and enterprise users should know how to use are: BitLocker To Go, Internet Explorer 8 for safe browsing, Microsoft Security Essentials, AppLocker, more control of UAC, and backing up data.

Network Security Blog…
PCI Compliance and “Public Cloud” Don’t Mix
In this post, Martin McKeay makes the argument that PCI compliance and public clouds do not mix. Martin says the primary problem with attaining PCI compliance in the cloud is an issue of visibility, meaning there’s no way to truly review and validate system configuration when your systems are temporary. Cloud service providers will need to look at ways to offer services that take advantage of all of the positive aspects of cloud computing, while allowing for all of the 200+ PCI requirements to be met. Providers will need to look at how they manage the creation and deletion of virtual servers, segregation of resources and collection, and monitoring and retention of log information. Martin concludes that you cannot be ‘PCI Compliant in the Cloud’, but you can use cloud services and be compliant.

04 Feb 10

Split Tunneling: Part II

Last month, we wrote about Rene Poot’s thoughts on split tunneling.  Here is the second installment from that conversation:

Split tunneling can also be used in conjunction with the local firewall that comes with the NCP client. Rather than locking the user into the tunnel as described earlier, one can also just use a shorter list of the subnets or hosts that can be reached from home via the VPN tunnel at the corporate side, and all other traffic is simply dropped by the local VPN client’s firewall. The user can then try to access expedia.com (our example from before), but it is simply dropped.

It all depends on how securely one wants to lock down this remote resource. He or she can extend the full restrictive measures imposed on the corporate environment to the machine at home or on the road as if they’re still partaking in the central network, or choose to be less restrictive using a combination of split tunneling and firewall rules on the client.

It should be mentioned that Cisco gateways will most often ‘publish’ these ‘whitelists’ to the client during the negotiations, and so the ‘split tunneling’ list is populated automatically. Other gateways don’t supply this, and so the client MUST either define it manually or automatically be locked in.

A helpful resource Rene recommends is the Security Now podcast, episode 208.

Follow this discussion on Twitter @VPNHaus
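The three behaviours described in this post (locked in to the tunnel, plain split tunneling, and split tunneling with the client firewall dropping everything else) can be compared side by side. This is an added example, not NCP client configuration or code from the post; the function names, subnets and destination addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample policy: subnets and hosts reachable through the tunnel.
# None or an empty list models a gateway that publishes no list and a client
# with nothing defined manually, so the user is locked in to the tunnel.
SPLIT_TUNNEL_LIST = ["10.20.0.0/16", "192.168.50.10/32"]


def route_decision(dst, tunnel_list, drop_unlisted):
    """Return 'tunnel', 'direct' or 'drop' for one destination address."""
    addr = ipaddress.ip_address(dst)
    if not tunnel_list:
        return "tunnel"  # no split tunneling list: everything is tunneled
    nets = [ipaddress.ip_network(n) for n in tunnel_list]
    # An IPv4-only list never matches an IPv6 destination, so IPv6 traffic
    # always follows the unlisted path below.
    if any(addr in net for net in nets):
        return "tunnel"  # listed corporate subnet or host
    # Unlisted traffic: plain split tunneling sends it out the local
    # interface; the client firewall variant drops it instead.
    return "drop" if drop_unlisted else "direct"


def policy_table(destinations, tunnel_list, drop_unlisted):
    """Map each destination to its verdict under one policy."""
    return {d: route_decision(d, tunnel_list, drop_unlisted) for d in destinations}


# Constructed destinations: 203.0.113.80 stands in for a public site such as
# the expedia.com example, 2001:db8::1 for any IPv6 host.
SAMPLE = ["10.20.4.7", "192.168.50.10", "203.0.113.80", "2001:db8::1"]

if __name__ == "__main__":
    policies = [
        ("locked in (no list)", None, False),
        ("split tunneling", SPLIT_TUNNEL_LIST, False),
        ("split tunneling + client firewall", SPLIT_TUNNEL_LIST, True),
    ]
    for label, tunnel_list, drop in policies:
        print(label)
        for dst, verdict in policy_table(SAMPLE, tunnel_list, drop).items():
            print(f"  {dst:<16} {verdict}")
```
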

28 Jan 10

What We’re Reading, Week of 1/25

The Windows Blog…
Remote Access Challenges
In this post, Alexander Kent explains some of the most common remote access challenges and offers advice on how to make your Windows Home Server accessible across the Internet. He addresses these issues: UPnP is not enabled or supported by your router, an Internet Service Provider is blocking Remote Access Ports, and Double NAT. If you have experienced issues with any of those challenges, this breakdown should be helpful.

Insecure about Security…
Will 2010 Be “The Year of IPv6?”
Jon Oltsik believes that the foundation of IPv6 is now firmly in place, that we will see steady and growing momentum in the years to come, and that by 2013 the transition will be nearly completed. He makes this prediction for the following reasons: the argument that we are running out of IP addresses is now taking hold; IPv6 is now supported in all major operating systems including Windows, Linux, MacOS, and z/OS; many governments around the world already run on IPv6 or are in the process of transitioning to IPv6; and IPv6 security will become more and more important moving forward.

Securosis…
Security Strategies for Long-Term, Targeted Threats
This post offers some security strategies for dealing with long-term, targeted threats such as the Advanced Persistent Threat in Firestarter. One suggestion is to segregate networks and information since the more internal barriers an attacker needs to traverse, the greater your chance to detect. However, allowing VPN access across these barriers won’t help segregation nearly as much. The root cause of many breaches has been a weak endpoint connecting over VPN to a secured network. You can use NCP’s Secure Entry Client to make sure this does not happen.

21 Jan 10

What We’re Reading, Week of 1/18

Insecure about Security…
Approximately Half of All Organizations Will Increase Security and Networking Spending in 2010
In this post, Jon Oltsik says that nearly half of all mid-market (100 to 999 employees) and enterprise (1,000 employees or more) companies will increase their spending on network hardware in 2010. Their top priorities will include WLAN, IP telephony, and WAN optimization. 48 percent of mid-market organizations will increase their spending on information security technologies while 61 percent of enterprises will increase their spending on information technologies. Their top priorities are network security, endpoint security, and messaging/web security. Jon says 2010 will be “a good year for vendors to re-engage with customers, build long-term partnerships, and help them move beyond the Status Quo.”

IT Business Edge…
Evaluate Technologies with Remote Access in Mind

This post by Paul Mah discusses the new research from collaboration firm oneDrum, showing that many workers find themselves unable to work from home despite the fact that they are willing to do so. According to the survey, 61 percent of employees never work from home, even though 72 percent of SMBs allow it. One main reason for this was that work documents were not accessible outside of the office. Paul suggests that businesses gradually move toward teleworking, which can be achieved by evaluating new technologies with an eye toward facilitating it. Also, see our series of posts on how to rethink remote access.

The Security Catalyst…
Security from Scratch: Getting the Lay of the Land
Dennis Kurtz says that when building Security from Scratch, the challenge is in understanding the situation from the start. Once the team is identified/assembled, the focus shifts rapidly to getting a handle on the security posture of the organization. These are the areas Dennis covers in his tactical review to understand what challenges lie ahead and to form a plan of action: Information Security Policy, Network/Perimeter Security Posture, SDLC Security Policies/Procedures/Practices and Applicable Compliance Requirements, Security Awareness. When checking for Network/Perimeter Security Posture, Dennis recommends finding out if remote access is allowed and if so, how – VPN, SSH, nothing?

20 Jan 10

Arcane IP Conflict to Watch Out For

Every once in a while, someone flags the NCP Help Desk with an arcane VPN connection question. Earlier this week, we came across a blog post by Merrick Chaffer on EMC Consulting Blogs, offering advice on just such an issue, and we thought we’d share it. Merrick decided to solve the problem on his own (Help Desk certainly would have ‘cracked this nut’ in an hour or so!).  

After spending a couple of weeks worrying that I’d have to be plugged directly into my router to connect to my work VPN network, with my Dell D830 Latitude laptop and Windows 7 64-bit, I finally chanced upon the solution. It turned out to be a device manager setting and potentially a setting in the BIOS on my D830 Dell Latitude (BIOS revision A14).

Follow the following steps if you are suffering the same issue yourself…

1. Changed the MTU setting on the VPN device…

2. Changed a setting in the BIOS, which dictated that the Wi-Fi connection should be turned off when another connection is available (i.e. LAN or 3G).

UPDATE: 23:15 15 January 2010: Actually I’ve just discovered the real root of my problems. Turns out that if my router (3Com OfficeConnect ADSL Wireless 11g Firewall Router) assigns an IP address that is in use by one of the virtual server LAN IP addresses, on either wireless connection or LAN connection, then the VPN software fails to connect.

What actually happened was when I plugged another router into my firewall router, I got assigned 192.168.1.3 to my laptop wireless card, which wasn’t one of the entries in the virtual servers table, and that’s when it started working.

So if you have trouble connecting, double-check if you have conflicting IP addresses, or, drop us a line – help@ncp-e.com or @VPNHaus