What We're Reading, Week of 6/22

SearchSecurity… Cloud computing security: Choosing a VPN type to connect to the cloud

Friend of NCP Diana Kelley, analyst at SecurityCurve, is writing a series on cloud computing security. In this first part of the series, Diana drills down into the specifics of devices that connect to the cloud and how VPNs affect cloud security. The article puts point-to-point connections into perspective, rather than asking whether SSL or IPSec is best suited – there are varied uses for each within Kelley’s article. It is well worth a read, and it raises the bigger question: “Is VPN really a factor for applications living in a cloud, or is securing the applications themselves really the issue?” For example, “VPN types include network-to-network, multiple service host-server, to single-service host-server. Each of these implementations can be used in a cloud computing environment, and each has security strengths and weaknesses. The oldest VPN technology is the network-to-network VPN. This architecture has the greatest risk associated with it, due in part to the number of hosts involved. While this architecture would not likely be used in the client-to-cloud connection, it could be used within the cloud, especially with server farms or mashups.” What are your thoughts on cloud computing...

What We're Reading, Week of 6/15

End-Point Security.Info… Employees Couldn’t Care Less about Data Security

Gathering information from the Ponemon Institute, Agent Smith provides shocking statistics about employees and their security practices. So how does this list relate to VPNs? I’m glad you asked! Users will bypass cumbersome VPN policies if they can get away with it. Network admins need to look at their policies and at how the technology they use supports them. Do they hinder the user? Can the user change settings? Will you be able to tell when something has been changed? User education and centrally managed policy enforcement are key for VPNs.

Datamation… Fixes for Wi-Fi Hotspot Annoyances

Are you always on the go? Do you get frustrated with WiFi? Eric Geier provides tips for travelers connecting wirelessly. Going one step further, VPN Haus recommends making sure you’re mindful of man-in-the-middle attacks, which are all too common at hotspots. If you have a run-of-the-mill VPN client, chances are high that data packets are being allowed access to your device while the client authenticates you to the network. A better solution is to find a VPN client that forces the network to authenticate itself to your device. No data transfer and no man-in-the-middle.

WindowsSecurity.com… What’s in the Windows 7 Firewall?

Deb Shinder previews Redmond’s newest firewall and offers configuration tips. We have to ask, “With W7 pushing IPSec VPN on the masses, what good is a built-in firewall without central policy control?” Exhibit A: Agent Smith’s post. The W7 firewall is, in effect, a personal firewall that the user, well, uses! We’re sure it’s a good firewall although we have to question the...

Browser-based Backdoor Attack for SSL?

Read an interesting post last week on ThreatPost, “New attack class exploits intranet weaknesses.” Dennis Fisher reports on a new class of attacks caused by organizations using non-routable IP space on their internal networks, including an attack that compromises VPN users through the use of a persistent JavaScript backdoor. The research was done by Robert Hansen, Amit Klein and HD Moore. It appears to us the attacks are subject to SSL rather than IPSec VPNs because they are browser-based. Moreover, the diagrams look like the attacks originated inside the network. We can’t be sure based solely on the paper. Can anyone clarify, or does anyone have opinions on this research...