Archive Page 2

19 Feb 2010

What We’re Reading, Week of 2/15

Network Security Blog…
Responsible Disclosure Panel at RSA 2010
Martin McKeay will be participating in a panel at this year's RSA Conference, taking place in San Francisco, CA. The panel of industry experts will discuss exactly what responsible disclosure means to them and what responsibilities they owe each other. For a preview of what's in store for the panel, check out this podcast, where the experts lay out the basis for their stances on responsible disclosure. If you are planning to attend RSA this year, make sure to stop by NCP's panel session on today's remote access challenges and network technologies on Wednesday, March 3 at 10:40 a.m. PT in Green Room 130.

Security Uncorked…
Hosting a NAC and Endpoint Security Session at RSA 2010
Also at RSA this year, Jennifer Jabbusch will be hosting a peer-to-peer session on Network Access Control (NAC) and endpoint security. The discussion will focus on real-world case studies, an exploration of technical roadblocks and a dive into vendor-specific solutions.

NY Times Personal Tech…
Safe Travels for You and Your Data
In this article, Riva Richmond offers some tips for keeping your data protected while you are on the road. Before using a computer in a cybercafé or hotel, ask what security measures are in use and whether the computers are reset after each user so that unauthorized programs are removed. She suggests backing up your data, especially personal and business documents, since laptop theft at airports is so common. Public Wi-Fi carries its own risks, so Riva stresses the importance of using a firewall as well as a secure VPN.

eWeek.com…
How to Implement Secure, PCI-Compliant Access Controls
Dave Olander, President and CEO of Xceedium, discusses the six attributes that next-generation access control systems need in order to meet both the letter and the spirit of the PCI DSS. They are: right-size permissions based on a zero trust model, implement fine-grained enforcement, integrate audit capabilities to validate controls, automate all the requirements from access through audit, deploy an identity-aware infrastructure, and provide backward and forward compatibility.

18 Feb 2010

VPN is hot again (thanks, Google!)

A few weeks back, Google pushed an emergency update to its corporate VPN, which led to many questions about whether the network had been compromised. Google says no; the timing, however, suggests otherwise. All of the discussion, questions and disorder got us thinking: if Google had to issue an "emergency VPN update", perhaps the rest of corporate America should be rethinking its remote access to prevent anything similar from happening.

In Google's case, simple passwords could have been used to access the network. Had two-factor authentication and network access control (NAC), or as we like to call it, a "pat-down", been in place, this attack would have been much harder to pull off, even if phishing had grabbed some passwords. Forrester analyst Chenxi Wang made some interesting observations on her blog. Her initial analysis was that the attackers gained access to Google's servers via its corporate VPN after exploiting a Microsoft browser vulnerability: some employees' desktops were compromised, and the attacker used those compromised desktops, over Google's VPN, to reach some of the servers. Google "clarified" this later, stating that the method of access may, at some point, have involved the VPN, but that it does not agree with the characterization that "the compromised client used their corporate VPN to gain access to the servers".

Touching on the fact that the victim's machine was running IE 6, an outdated browser, Chenxi suggests that the machine may not have been a corporate-managed machine. If that is indeed the case, Google should be rethinking its remote access policies and enabling employees to use personal devices that are secured and managed. This idea is similar to former Forrester analyst Natalie Lambert's concept of BYOPC (Bring Your Own PC): employees are going to use whatever device they can to access the network, and will probably break many security policies while doing it. Instead of restricting which machines are able to access the network, and taking a chance on ending up in the situation Google had on its hands, companies can support a variety of devices, whether Windows 7, Windows Vista (32/64-bit), Linux, Mac, Symbian, Windows Mobile, etc., AND secure them. It seems that Google's technology was restricting employees' practices because the system could not accommodate them, which in large part led to an emergency update of the entire corporate VPN infrastructure.

This emergency update caused a connectivity disruption of more than 24 hours, which affected workflow and productivity. A better VPN management system might have made a significant difference for Google.

Follow this discussion on Twitter: @VPNHaus

12 Feb 2010

What We’re Reading, Week of 2/8

Endpoint Security Info…
Endpoint Security: Playing it Smart
This post argues that effective security is about playing it smart, which means seeing what could happen and preventing it. If devices such as iPods, USB sticks, netbooks, smartphones and cameras are helping you work better and making your life easier, then you should be using them. The idea is to know what threats they pose and how to prevent them. One way to increase safety is to use a VPN client.

Washington Business Journal Blog…
Technology Delivers New Challenges for Snow Days
In this post, Jennifer Nycz-Conner notes that in the past a snow day meant a day off, but that has changed now that telecommuting is an option. People are expected to work, and to be just as productive as they would be in the office. The ability to work remotely is great during emergencies such as snowstorms, especially when you can plan in advance. For anyone who does take advantage of telecommuting, we recommend connecting to your company's network through a secure VPN.

Insecure about Security…
People May Be the Weakest Link in the Server Virtualization Chain
Jon Oltsik discusses a recent webinar on virtualization in which he participated along with Extreme Networks and Microsoft. The 113 audience members were asked two polling questions. The first: which of the following factors is holding your organization back from using server virtualization more prominently throughout the enterprise? 42% said a lack of virtualization skills and knowledge within IT. The second: as you move forward with virtualization, which of the following IT groups need to become more educated and involved in the project? 72% said the networking group, 52% said the server group, and 45% said the security/compliance group.

11 Feb 2010

Is a 64-bit IPsec client enough?

We've been seeing a lot of discussion in the forums about Cisco's IPsec VPN client (welcome to the party; you're four years late). In 2010, a 64-bit client isn't enough. Perhaps four years ago this would have been sufficient, but not today. In today's mobile world, users are constantly on the go and buying the latest and best devices, and they need more than just a VPN client.

NCP's client was developed with both the user and the administrator in mind. When employees are away on business, they need to connect and remain connected to the network hassle-free. They need to be reassured that their device of choice, whether a laptop, mobile phone or something else, will work with their VPN client and give them access to the files, email, folders and other resources they need.

Overlapping subnets, roaming across networks and dropped connections shouldn't be an issue. Users should be able to use important features, such as two-factor authentication, endpoint security software and personal firewalls, without any IT knowledge or help desk support. It should be a matter of one click to get connected. Will a 64-bit IPsec VPN client be enough to meet customers' remote access needs? No, and we think you'll agree.

Follow this discussion on Twitter @VPNHaus

05 Feb 2010

What We’re Reading, Week of 2/1

Chenxi Wang’s Blog…
Ok. There Is More (or Maybe Less) to the VPN Story, Google Says
Chenxi Wang recently posted on the Microsoft vulnerability that led to the Google hack. Google contacted her directly to say that it cannot confirm that the attack came through the VPN. According to Google, a Google employee's machine (running Internet Explorer 6) was compromised via the IE vulnerability, and the attacker used the compromised machine to somehow gain access to Google's servers. The method of access may, at some point, have involved the VPN, but Google does not agree with the characterization that "the compromised client used their corporate VPN to gain access to the servers." If Google had to issue an "emergency VPN update", then perhaps other organizations should be rethinking their remote access as well.

CIO.com…
Windows 7 Tips: Best Security Features
In this article, Shane O'Neill describes the new security features in Windows 7. From encryption to malware fighters, there are key Windows 7 tools that keep enterprise and home PCs safe and secure. The top six Windows 7 security features that both consumers and enterprise users should know how to use are: BitLocker To Go, Internet Explorer 8 for safe browsing, Microsoft Security Essentials, AppLocker, finer control of UAC, and backing up data.

Network Security Blog…
PCI Compliance and "Public Cloud" Don't Mix
In this post, Martin McKeay makes the argument that PCI compliance and public clouds do not mix. Martin says the primary problem with attaining PCI compliance in the cloud is one of visibility: there is no way to truly review and validate system configuration when your systems are temporary. Cloud service providers will need to look at ways to offer services that take advantage of all the positive aspects of cloud computing while allowing all of the 200+ PCI requirements to be met. Providers will need to look at how they manage the creation and deletion of virtual servers, the segregation of resources, and the collection, monitoring and retention of log information. Martin concludes that you cannot be "PCI compliant in the cloud", but you can use cloud services and be compliant.