Determining who needs remote access to your VPN

an article added by: Maria T. at 11202007



Who Needs Remote Access?

Determining who needs to use your VPNs is not an easy task that can be done in minutes. It is not uncommon for almost every employee to need some form of VPN access at one point or another. This introduces many challenges, from user management to the auditing of your systems and individual access logs. This is an area in which your user groups and centralized user management systems play an important role: they help ensure your access rights are secure and granted only to those individuals or groups that need access. As you implement a remote access VPN solution, keep your access controls simple and easy to audit. Long term, this will help you maintain a strong security posture for your remote access solutions. Many organizations deploy their remote access solutions granting users unrestricted access to all internal network resources. This is probably one of the most critical mistakes you can make as a security professional. Access controls should be specific and tied to the requirements defined by your written security policies. Some additional best practice recommendations for remote VPN users include:

- Grant access to user groups and not individual users.

- Implement access control, granting access only to those resources that are required.

- Require a strong authentication system, based on a user and not a device.

- Enable strong audit capabilities.

- Require password changes twice as often as policy requirements or internal systems demand for remote VPN users.

Creating logical security configurations for firewalls and VPN devices is not a trivial task. It takes time and patience to create a strong security posture for any organization. Since these devices are common targets for attack and exploitation, they are the areas that require the most attention. With practice and over time, the process of converting your written policies into logical security configurations will become easier. As discussed earlier in the article, our primary goal is to create a roadmap that is abstracted from specific vendors’ devices or product feature sets. This very important step helps create an overall more secure environment, and it helps security administrators implement secure configurations that reflect the business goals of the organization. While it is not important to rank each step relative to another, it is easy to see how focusing time and effort on each can help achieve success during implementation and maintain it through the entire management lifecycle.

Solutions Fast Track

Logical Security Configurations

- Logical security configurations are documents that interpret written security policy requirements and define configuration requirements for a specific type of enforcement device, like a firewall or VPN product.

- Unlike a device configuration for a specific vendor’s product or version, logical security configurations are written to the common feature sets found in the target enforcement devices.

- Logical security configurations are developed for a type or group of enforcement devices rather than one for each device in your environment.

- A specific written policy requirement or item is commonly used by many logical security configuration documents across the enterprise.

Planning Logical Security Configurations

- Identification of network assets is a critical requirement in the overall security posture of an organization.

- Networks evolve and constantly change; as a result, a method to capture, organize, edit, and audit this information is recommended.

- Network asset profiling is an exercise to capture and validate information specific to each device. A combination of automated tools and interviews is commonly used by security professionals.

- Security area is a term used to group together network assets based on common attributes of those devices.

- Security area risk rating is a numerical value assigned to each area that helps a security professional understand the relationship between two areas. As traffic passes from one area to another, this rating helps determine the policy that should be enforced for that traffic.

- Users and user groups are a key element in security policy development. Most access is granted to user groups rather than individual users.

Writing Logical Security Configurations

- Logical security configurations are written for each type of device that will be used to enforce an organization’s written security policies.

- VPN remote access to your company’s resources is considered high risk; as a result, additional user authentication and access restrictions are recommended to reduce the chance of a security breach.

- Logical security configurations, once written, should be audited and reviewed against actual configurations on a regular basis.

- It is a best practice to separate the responsibilities for writing security policies, logical configurations, and implementation guides.
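The remote VPN recommendations in the "Who Needs Remote Access?" section (group-based grants, least-privilege access, user-based authentication, audit logging) and the security area risk ratings in the Fast Track above are the kind of checks that a logical security configuration can be audited against before it is ever translated into a vendor configuration. The following Python script is an added example, not code from the article or from any vendor; it audits a small vendor-neutral rule set against those checks. The data model, the area names and their risk ratings, the group and user names, the authentication labels, and the assumed convention that traffic crossing from a higher-risk area into a lower-risk area must use user-based multi-factor authentication are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityArea:
    """A group of network assets sharing common attributes, with a risk rating.
    Assumed convention for this example: a higher rating means a less trusted area."""
    name: str
    risk_rating: int


@dataclass(frozen=True)
class Rule:
    """One vendor-neutral access rule from a logical security configuration (assumed model)."""
    rule_id: str
    src_area: str
    dst_area: str
    principals: tuple   # user groups (preferred) and/or individual user names
    services: tuple     # e.g. ("tcp/443",) or ("any",)
    auth: str           # assumed labels: "user-mfa", "user-password", "device-cert"
    audit_log: bool


# Constructed sample directory: names in this set are groups, anything else is an individual.
GROUPS = {"grp-vpn-sales", "grp-vpn-engineering"}

# Constructed sample security areas with assumed risk ratings.
AREAS = {
    "remote-vpn": SecurityArea("remote-vpn", 8),
    "dmz": SecurityArea("dmz", 5),
    "internal": SecurityArea("internal", 2),
}


def audit_rule(rule: Rule, areas: dict, groups: set) -> list:
    """Return a list of findings for one rule; an empty list means the rule passes."""
    findings = []
    # Grant access to user groups, not individual users.
    individuals = [p for p in rule.principals if p not in groups]
    if individuals:
        findings.append(f"grants access to individual users {individuals}; use groups")
    # Grant access only to the resources that are required.
    if "any" in rule.services or rule.dst_area == "any":
        findings.append("unrestricted access ('any' service or destination)")
    # Require strong authentication based on a user, not a device.
    if not rule.auth.startswith("user-"):
        findings.append(f"authentication '{rule.auth}' is device-based, not user-based")
    # Enable strong audit capabilities.
    if not rule.audit_log:
        findings.append("audit logging disabled")
    # Security area risk ratings: traffic from a higher-risk area into a lower-risk
    # area crosses a trust boundary. Assumed policy: such traffic needs user MFA.
    src = areas.get(rule.src_area)
    dst = areas.get(rule.dst_area)
    if src and dst and src.risk_rating > dst.risk_rating and rule.auth != "user-mfa":
        findings.append(
            f"crosses from {src.name} (risk {src.risk_rating}) to "
            f"{dst.name} (risk {dst.risk_rating}) without user MFA")
    return findings


def audit_policy(rules, areas=AREAS, groups=GROUPS) -> dict:
    """Map each rule_id to its findings so the result is easy to review and audit."""
    return {r.rule_id: audit_rule(r, areas, groups) for r in rules}


# Constructed sample: the common mistake (unrestricted remote access granted to one
# person with device-only authentication and no logging) beside a rule that follows
# the article's recommendations.
BAD_RULE = Rule("vpn-001", "remote-vpn", "any", ("maria.t",), ("any",), "device-cert", False)
GOOD_RULE = Rule("vpn-002", "remote-vpn", "internal", ("grp-vpn-sales",),
                 ("tcp/443", "tcp/445"), "user-mfa", True)

if __name__ == "__main__":
    for rule_id, findings in audit_policy([BAD_RULE, GOOD_RULE]).items():
        print(f"{rule_id}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```

Because the rules are written against a generic model rather than a vendor syntax, the same audit can be run over every logical security configuration in the enterprise, and re-run whenever a written policy item changes; the vendor-specific implementation guide is then derived from a rule set that has already passed.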

Why Have Different Types of Firewalls?

Before we delve into what types of firewalls there are, we must understand the present threats. While there are many types of threats, we only discuss a few of them in this article, paying the most attention to those that can be mitigated by firewalls. Ensuring a physically secure network environment is the first step in controlling access to your network’s data and system files; however, it is only part of a good security plan. This is truer today than in the past, because there are more ways into a network than there used to be. A medium- or large-sized network can have multiple Internet Service Providers (ISPs), virtual private network (VPN) servers, and various remote access avenues for mobile employees, including Remote Desktop, browser-based file sharing and e-mail access, mobile phones, and Personal Digital Assistants (PDAs).

Physical Security

One of the most important and overlooked aspects of a comprehensive network security plan is physical access control. This matter is usually left up to facilities managers and plant security departments, or outsourced to security guard companies. Some network administrators concern themselves with sophisticated software and hardware solutions to prevent intruders from accessing internal computers remotely, while at the same time not protecting the servers, routers, cable, and other physical components from direct access. At many “security-conscious” organizations, computers are locked all day, only to be left open at night for the janitorial staff. It is not uncommon for computer espionage experts to pose as members of cleaning crews to gain physical access to machines that hold sensitive data. This is a favorite ploy for several reasons:

- Cleaning services are often contracted out and their workers are often transient, so your company’s employees might not know who is a legitimate member of the cleaning company staff.

- Cleaning is usually done late at night when all or most company employees are gone, making it easier to surreptitiously steal data.

- The cleaning crew members are paid little attention by company employees, who take their presence for granted and think nothing of them being in areas where the presence of others would normally be questioned.

Physically breaking into a server room and stealing a hard disk where sensitive data resides is a crude method of breaching security; nonetheless, it happens. In some organizations, it may be the easiest way to gain unauthorized access, especially for an intruder who has help “on the inside.” It is beyond the scope of this article to go into detail about how to physically secure your network, but it is important for you to make physical access control the outer perimeter of your security plan, which means:

- Controlling physical access to the servers

- Controlling physical access to networked workstations

- Controlling physical access to network devices

- Controlling physical access to the cable

- Being aware of security considerations with wireless media

- Being aware of security considerations related to portable computers

- Recognizing the security risk of allowing data to be printed

- Recognizing the security risks involving floppy disks, CDs, tapes, and other removable media

There are also different types of external intruders who will physically break into your facility to gain access to your network. Although not a true “insider,” because he or she is not authorized to be there and does not have a valid account on the network, this person still has many of the same advantages (refer to the “Internal Security Breaches” section). Your security policy should take into account the threats posed by these “hybrid” intruders. Remember, someone with physical access to your servers has complete control over your data. Someone with physical access to your authentication servers owns everything.

Network Security

Virtual intruders can access your network from across the street or from halfway around the world. They can do as much damage as a thief who breaks into your company headquarters to steal or destroy data, and they are much harder to catch. The following sections examine specific network security risks and ways to prevent them.

For a number of years, firewalls were used to divide an organization’s internal network from the Internet. There was usually a demilitarized zone (DMZ), which contained less valuable resources that had to be exposed to the Internet (e.g., Web servers, VPN gateways, and so forth), and a private network that contained all of the organization’s resources (e.g., user computers, servers, printers, and so forth). With the growth of the Internet, many organizations focused their security efforts on defending against outside attackers (i.e., those originating from an external network) who are not authorized to access the systems. Firewalls were the primary focus of these efforts. Money was spent building a strong perimeter defense, resulting in what Bill Cheswick from Bell Labs famously described years ago as “a crunchy shell around a soft, chewy center.” Any attacker who succeeded in getting through (or around) the perimeter defenses would have a relatively easy time compromising internal systems. This situation is analogous to the enemy parachuting into the castle keep instead of breaking through the walls. Perimeter defense is still vitally important, given the ever-increasing threat level from outside the network; however, it is simply no longer adequate by itself. Various information security studies and surveys have found that the majority of attacks come from inside an organization.

Given how lucrative the sale of information can be, people inside organizations can be a greater threat than people outside the organization. These internal threats can include authorized users attempting to exceed their permissions, or unauthorized users trying to go where they should not be. Therefore, an insider is more dangerous than an outsider, because he or she has a level of access to facilities and systems that the outsider does not. Many organizations lack the internal preventive controls and other countermeasures to adequately defend against this threat. Wide open networks and servers sitting in unsecured areas provide easy access to the internal hacker. The greatest threat, however, arises when an insider colludes with a structured outside attacker. With few resources exposed to the outside world, it is easier for the bad guys to enlist internal people to do their dirty work. The outsider’s skills combined with the insider’s access could result in substantial damage or loss to the organization.
