Countering Advanced Persistent Threats with Comprehensive Network Security

The technological savvy and tenacity of cyber criminals have never been greater, and IT administrators trying to prepare for impending attacks are often left backpedaling. With all of the different ways a corporate network may be attacked, IT administrators must strive to implement a comprehensive remote access security framework within their enterprises. Especially with the proliferation of mobile devices, running a wide variety of operating systems, being used to access the network, companies need to make sure they have all of their bases (or, in this case, endpoints) covered. While traditional attacks, such as viruses, spyware or bot infections, are far from extinct, advanced persistent threats (APTs) have recently been garnering a lot of attention. APTs give IT teams headaches, because they are extremely stealthy in nature and are almost always aimed at a very specific target. Traditional attacks are generally created to quickly harm the machine and network they’re infiltrating, leaving before they can be detected by the network’s intrusion detection system (IDS). APTs, on the other hand, are designed to remain in the network undetected for extended periods of time, all the while stealing sensitive company data. The wide range of methods and vulnerabilities that these attacks use to gain access is what makes them so tricky to discover. Unfortunately, once an attack has commenced, it usually requires an IT administrator to notice anomalies in outbound data before anyone realizes there is a problem at all. Sophisticated APTs can be very difficult to spot, especially without the right framework in place. One recent example of an APT struck the New York Times. It appears that the cyberespionage...

PKI for Authenticating Remote Access VPNs: How Government Agencies Ensure Secure Communications

With many documents critical to matters of national security being accessed on a daily basis, government agencies must ensure that all users trying to establish connections of any type to their networks are who they say they are, that they are authorized to access locations that they are connecting to and that all communications are encrypted. Public Key Infrastructure (PKI) compliance is the system that the public sector uses to verify a user’s information when attempting to establish a secure connection. PKI compliance in the United States, for example, is administered and monitored by The Federal PKI Policy Authority, an interagency body that was set up under the CIO Council to enforce digital certificate standards for trusted identity authentication across federal agencies and between those agencies, universities, state and local governments, and commercial entities. PKI enables users on non-secured networks to transmit data securely and privately. It does so by using a pair of public and private cryptographic keys obtained and shared through a trusted Certificate Authority (CA). The PKI system ensures that the digital certificates generated to match an identity with their public keys are stored by the CA in a central repository and can be revoked if necessary. The public key cryptography assumed by the PKI system is the most common method on the Internet for authenticating a message sender or encrypting a message. Traditionally, cryptography has involved the creation and sharing of a secret key for the encryption and decryption of messages. The most well-known uses are email and document encryption and authentication, but PKI is actually much broader than that. It can provide authentication for VPNs...

NCP engineering Explores Trends in IPsec and SSL VPNs on insideHPC Slidecast

Initially created as a response to the difficulty of implementing earlier versions of IPsec VPNs, SSL VPNs have become increasingly common over the past few years. Because they were built to be easier to implement, they were thought of as easier to manage than IPsec, which led to their growing popularity. However, IPsec offers many features that SSL doesn’t have, as detailed in the presentation given by Rainer Enders, NCP’s CTO of Americas, in a slidecast for insideHPC. Rainer explored recent trends in remote access technologies and delved into the progression of IPsec and SSL VPNs. In many ways, SSL has been evolving to become more like IPsec because businesses have demanded many of the features that are traditionally in IPsec VPNs, such as access to the entire corporate network rather than just applications. As a result, the formerly “client-less” option has required a bigger footprint to add those features. At the same time, IPsec has become much easier to use. NCP’s IPsec VPN client suite features a firewall and Internet connection that are integrated into a single interface. Users only need to click on a button once to securely connect or disconnect. Everything else is automated, and users never need to worry. So, it’s no longer true that IPsec is more difficult to connect to than SSL. Although SSL and IPsec are becoming more alike in many ways, each has unique features that are useful for different business needs. NCP develops VPN functionality based on both protocols, and we are constantly working to make them easier for IT administrators to manage and for users to enjoy mobility’s benefits....

eWeek Explains How NCP’s VPN Client Supports Android BYOD Security

Enterprises know they’ll have happier employees if they embrace BYOD rather than prohibit it. Welcoming BYOD can be better for business output, too—the trick is to find the tools that keep employees productive when they’re using their own smartphones, tablets or laptops to access the corporate network remotely. In his recent reviews of NCP’s managed IPsec VPN clients compatible with Android (version 4.0 and higher), eWeek journalist Jeff Cogswell set out to determine just how well NCP’s VPN supports BYOD. The result? Not just a pass, but one with flying colors. Cogswell was particularly sold on a few of NCP’s product features that make it suited for welcoming Android-based mobile devices into the enterprise. For one, the installation was a quick and painless process. Right away, Cogswell connected to NCP’s test server and his own VPN server, which is OpenBSD. He also tested it with a Cisco server, and it worked in all cases—the fact that NCP’s Secure Enterprise Android Client is compatible with all common VPN gateways is a huge plus, since IT departments are increasingly compelled to support various platforms. The eWeek reviewer was also relieved that his smartphone didn’t have to be rooted; in fact, he said it’s a significant differentiator between NCP’s offering and other Android apps: “I have spent a lot of time using Android devices in recent years, and what struck me as particularly interesting is that your phone doesn’t need to be rooted. Rather, Android supports the networking tasks that this VPN client requires. That’s a huge plus.” Cogswell highlighted many other benefits, including how the client allows you to choose the...

May Feature of the Month: SSL VPN & PortableLAN Client, Part Three

Over the past couple of weeks, we have explored the Web proxy feature of our SSL VPN technology, which isolates the internal Web server from direct access via the Internet. We have also discussed the thin client SSL, which provides companies with secure remote access to a wide range of corporate applications that aren’t exclusively Web-enabled. This week, we will round out our May Feature of the Month series with NCP’s PortableLAN Client. The Web proxy and thin clients successfully delivered secure remote connections to those customers seeking access to Web- and non-http-enabled applications, yet we were noticing an increasing demand for a client that could deliver a fully transparent connection to the central network. With today’s workforce becoming increasingly mobile, our customers have made it clear that it is imperative for remote employees to have comprehensive network access. With this in mind, we created the NCP PortableLAN Client. To understand how the PortableLAN Client works, a basic knowledge of a local area network (LAN) is required. A LAN is a group of computers and associated devices that share a common communications line or wireless link (i.e. a corporate network). In order to deliver a fully transparent portable LAN, the SSL VPN software must be installed on each end device, similar to the process of installing an IPsec client. Once this is done, the client serves as the virtual connection, transmitting all network traffic via the encrypted SSL connection and allowing workers to connect remotely. Just like that, comprehensive, fully transparent network access is made available! Whether companies require their remote network access to be completely opaque, or specific...

May Feature of the Month: SSL VPN, Part Two: Thin Client

Last week, we took a look at the web proxy feature of our SSL VPN technology as part of our Feature of the Month series. This week, we’ll be focusing on NCP’s thin client SSL, which provides companies with secure remote access to a wide range of corporate applications that aren’t exclusively Web-enabled. Soon after enterprises saw clear productivity gains when mobile workers were able to access their corporate networks with NCP’s web proxy VPN, more customers started demanding greater functionality from their SSL VPNs. Specifically, our users wanted to connect directly to certain applications on specific ports. In response to that demand, we introduced our second-generation SSL in the form of a thin client, which is a small footprint software client installed and linked via the SSL session. Now, if companies wish to access non-http-enabled applications and are using an SSL VPN tunnel to communicate with a specific server within the company network, it is best to use a thin client SSL VPN. The thin client has to be installed at the end device and can be downloaded via Web browser. Specifically, companies use NCP’s port forwarding technology to open ports, configured by the administrator. These local ports allow software to securely communicate with the designated server within the company network. As you can imagine, workforce mobility has forced companies to seek even greater SSL capabilities, like comprehensive secure access to the resources housed on internal corporate networks. Tune in next time, when we round out our May Feature of the Month series by explaining our PortableLAN fat client SSL functionality. ...