The need for a comprehensive remote access security framework cannot be emphasized enough. Those looking for proof of this concept need look no further than the recent Adobe hacking, and the chilling implications it has for network security. Our previous two posts in this series have discussed why the proliferation of mobile devices has made corporate networks more susceptible to malicious attacks, how unknown users and/or devices pose a serious threat to network security, and how establishing endpoint identities and roles can help protect against breaches.
But what if cyber criminals could create superficial identities and roles that pass as legitimate? The unfortunate truth is, this scenario is a very real possibility. The most common method cyber criminals use to gain network access is spoofing endpoints’ Media Access Control (MAC) addresses.
A MAC address is a device’s unique hardware number. When employees connect to their networks, a correspondence table relates their IP address to their computer’s physical MAC address. As previously explained, devices can be linked in a relationship registry to user identities based on a particular user/device combination. Once that’s done, a policy can be implemented that will grant or deny network access based on those combinations. Ideally, this process will screen out users that attempt to access the network with invalid credentials. But when a MAC address has been spoofed, another layer of defense is needed.
Though there are several ways to detect a false MAC address, one of the best bets is to simply build a protocol right into an IPsec VPN client. This would allow the client to establish a secure, encrypted connection with the target network and submit device health information. For example, the client would indicate whether a MAC address is legitimate, or whether there are signs that it has been tampered with and may be spoofed. Only when credentials for the user and device match the pre-set criteria will network access be granted.
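As an added example (not code from the original post or from VPN Haus), here is a policy decision that combines the user/device relationship registry from the previous paragraph with the client-reported device health signals described here. The registry contents, the `HealthReport` fields and the `decide` function are constructed for illustration; the point it shows is that the registry alone would pass a spoofed address, and only the health evidence catches it.

```python
"""Constructed illustration: user/device registry plus MAC health evidence."""
from dataclasses import dataclass
from typing import Tuple

# Constructed relationship registry: which user may connect from which
# device, keyed by (user, MAC). Values are device labels for the policy.
REGISTRY = {
    ("alice", "00:1a:2b:3c:4d:5e"): "finance-laptop",
    ("bob", "00:1a:2b:3c:4d:5f"): "sales-laptop",
}


@dataclass
class HealthReport:
    """Hypothetical fields a VPN client could report about the endpoint NIC."""
    current_mac: str           # address the OS is presenting right now
    permanent_mac: str         # burned-in address read from the adapter
    mac_changed_since_boot: bool  # client saw the address altered after boot


def normalize(mac: str) -> str:
    """Canonical lower-case, colon-separated form so comparisons are exact."""
    return mac.strip().lower().replace("-", ":")


def decide(user: str, report: HealthReport) -> Tuple[bool, str]:
    """Return (granted, reason). Access is granted only when the user/device
    combination is registered AND the health evidence shows no tampering.
    The evidence is only as trustworthy as the client that submits it, which
    is why the post has the client send it over the authenticated tunnel."""
    cur = normalize(report.current_mac)
    perm = normalize(report.permanent_mac)
    if (user, cur) not in REGISTRY:
        return False, "user/device combination not registered"
    # A cloned MAC matches the registry, but not the adapter it sits on.
    if cur != perm:
        return False, "current MAC differs from adapter's permanent MAC"
    if report.mac_changed_since_boot:
        return False, "client observed MAC change since boot"
    return True, f"registered as {REGISTRY[(user, cur)]}"


if __name__ == "__main__":
    ok = HealthReport("00:1A:2B:3C:4D:5E", "00:1a:2b:3c:4d:5e", False)
    cloned = HealthReport("00:1a:2b:3c:4d:5e", "aa:bb:cc:dd:ee:01", False)
    print("alice, own laptop:", decide("alice", ok))
    print("alice's MAC cloned onto another NIC:", decide("alice", cloned))
```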
It’s worth noting that a suitable security framework for policy-based network access control is under development in the form of Trusted Network Connect (TNC) by the Trusted Computing Group (TCG). The TNC has specified a protocol, Interface for Metadata Access Points (IF-MAP), that allows devices to publish security-relevant metadata to, or consume it from, a Metadata Access Point (MAP) Server. This approach truly incorporates one of the main aspects of a comprehensive remote access security framework: trust-level establishment. Trust-level establishment is, at its simplest, conducted by evaluating access elements such as those previously discussed.
From conducting an initial screening process to determine legitimate devices and users, to enforcing the policies that are established, to cross-referencing against user/device combinations, a comprehensive remote access framework can go a long way toward securing corporate networks from malicious attacks. Is it a foolproof system? Certainly not, and cyber criminals will continue to try to discover ways to penetrate whatever defenses IT security professionals establish. But by being proactive, and taking precautionary steps such as those we’ve outlined on VPN Haus, enterprises can at least take steps in the right direction.