Welcome to Volume 2, Issue 18 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community. Many of our columnists teach and speak at The Internet Security Conference.
The editorial calendar at this time includes:
TISC is about sharing clue. So is the newsletter. We promise to provide something useful each issue. If we don't, flame me.
Enjoy, and be safe,
Dave
In this issue, Mandy Andress discusses the growing importance of personal firewalls. This is an especially important issue for companies that are enabling teleworkers and expanding remote access--and as Mandy suggests, a VPN client isn't the only security measure your remote access and teleworker employees need when they connect to your company or your eBusiness environment over the public Internet.
Happy Reading...
People want to be able to work from anywhere, whether it be from home, a hotel room, a client's office, or the beach. Of course, they also want access to resources identical to those they use sitting at the desk in their office. How do you provide this access securely, protecting the highly valuable and confidential information that resides on an internal corporate network?
The most cost-effective solution available today is a remote access Virtual Private Network (VPN), which is why they are gaining popularity in record numbers. A VPN solves the problem of how to protect sensitive information as it travels across a public network, but it opens numerous new security issues. This article discusses these issues and how to mitigate the risk they introduce through the use of personal firewalls.
What issues arise when you enable your employees with remote network access? The all-encompassing issue is that for every employee with remote access, you open one more backdoor into your network. A backdoor is a system outside the physically secured premises of the corporation and not subject to systematic auditing and administrative control. So, if you are a large enterprise with thousands of users connecting through remote access, you have just opened several thousand backdoors. Passing through this backdoor, which is generally wide open, can give an unauthorized user complete access to your internal network.
Remote access users connecting through cable modem/DSL connections should cause the most concern for security personnel. Systems directly connected to these always-on networks are ripe for the picking by would-be hackers and script kiddies who continuously scan network subnets. I have a cable modem, and in the span of one hour I was scanned repeatedly, including probes for SNMP, FTP, WhatsUp, DNS, SubSeven, NetBus, OS fingerprinting, RPC, Telnet, and a Land attack.
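The kind of probe log a personal firewall on an always-on host produces can be summarized per source and service, which is what a defender wants to see before deciding which rules matter. This is an added example, not code from the newsletter or any product it names; the log format, addresses and timestamps are constructed for illustration.

```python
import re
from collections import Counter

# Destination ports for services and trojans named above (WhatsUp and OS
# fingerprinting need more than a port to identify, so they are omitted).
PROBE_SIGNATURES = {
    ("udp", 161): "SNMP",
    ("tcp", 21): "FTP",
    ("udp", 53): "DNS",
    ("tcp", 27374): "SubSeven",
    ("tcp", 12345): "NetBus",
    ("tcp", 111): "RPC",
    ("tcp", 23): "Telnet",
}

# Constructed log format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport> <action>"
LOG_RE = re.compile(
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)"
)

def classify(line):
    """Return (source, label) for an inbound probe, or None if the line does not parse."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto, src, dst = m["proto"], m["src"], m["dst"]
    sport, dport = int(m["sport"]), int(m["dport"])
    # Land attack: a spoofed packet whose source equals its destination, address and port.
    if src == dst and sport == dport:
        return src, "Land attack"
    label = PROBE_SIGNATURES.get((proto, dport))
    return src, (label or f"other/{proto}/{dport}")

def summarize(lines):
    """Count probes per (source, label) over a batch of log lines."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit] += 1
    return counts

SAMPLE_LOG = [  # constructed sample from a broadband host
    "2000-10-05 21:02:11 tcp 203.0.113.9:4021 -> 192.0.2.50:27374 DROP",
    "2000-10-05 21:02:12 tcp 203.0.113.9:4022 -> 192.0.2.50:12345 DROP",
    "2000-10-05 21:03:40 udp 198.51.100.7:1034 -> 192.0.2.50:161 DROP",
    "2000-10-05 21:04:02 tcp 192.0.2.50:139 -> 192.0.2.50:139 DROP",
]
```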
A VPN solution that employs two-factor authentication, such as digital certificates or SecurID, is still vulnerable. VPN authentication is used to create the tunnel, but once everything is connected, any person with access to the system can access the internal resources at the other end of the tunnel, whether it is a single host or the entire network. Application controls and intrusion detection are the only potential layers of security left between a compromised laptop and a compromised network.
All systems connecting to the corporate network through remote access should be considered a component of the internal network and corporate security policies should reflect this. Ideally, a remote access policy is developed that defines who can have remote access (Can all employees? Is it limited to IT personnel? etc.), what means they can use to connect (Can they use cable modem/DSL, dial-up, etc.?), and what additional security measures must be taken on a system used for remote access (firewalls, anti-virus, etc.).
Ideally, since these remote access systems face the Internet directly, they should be appropriately hardened, run a minimum of services, and not enable high-risk activities such as file and print sharing. We do not live in an ideal world, however, so we know the system will not be hardened to the level it should be, users will install rogue applications such as FTP servers, pcAnywhere, and ICQ, and they will enable file and print sharing. We cannot completely control the end user, so the popular approach today is to try the next best thing: install a firewall on the system and block this access from the outside world.
Personal firewalls have really taken off in the last few months. Numerous products are available, and each has its own claims as to why it is the best product on the market. But do these products work and, more importantly, do they work well in an enterprise environment?
First, personal firewalls can help mitigate the risk of remote access, but they do not provide the complete solution. Many of these products do not protect completely against Trojans such as Back Orifice or against malicious Java or ActiveX content. Personal firewalls should be only one component of a remote access security solution, combined, at a minimum, with anti-virus software and appropriate browser security settings.
There are two main groups of personal firewalls: those that are stand-alone applications and those that are "agents" and can be managed from a central server. The main difference between the two groups is control and logging. Does the company want to control the security policy configuration on the remote system and to be able to monitor what attacks and probes are being launched against its machines, or is it content with the application just being there, running in the background? Each group has pros and cons, and the decision needs to be made before looking for a specific solution to implement.
The three most popular personal firewall applications are Zone Alarm, Black Ice Defender, and Norton Personal Firewall. Other available products include Tiny Personal Firewall, McAfee Personal Firewall (formerly Signal9 ConSeal), PGP Desktop Firewall, and Sygate Personal Firewall (formerly Sybergen Secure Desktop).
These stand-alone applications are ideal for a small environment, but they do not scale for use in an enterprise. The application must be installed and individually configured on each machine, a difficult proposition in today's work environment, where employees can work out of the office several weeks at a time. The company then loses control of the policy configuration, since the end user could easily alter the configuration or completely disable the application, leaving a false sense of security for the corporate network. Additionally, administrators cannot receive real-time alerts or log information from these applications.
The second group, firewall agents, communicates with a central server for policy changes, application updates, and event logging. Several also allow policies to be locked so users cannot modify them, and several agents run in the background, completely transparent to the user. The well-known products in this category include Black Ice Agent with ICEcap Manager and CyberArmor by InfoExpress. Other available products include F-Secure Distributed Firewall and Sybergen Management Server.
These products are better suited to the enterprise than the stand-alone applications because they allow ongoing monitoring and policy configuration by administrators with little end user involvement, but they all still have a few issues that need to be ironed out before they can be fully effective in an enterprise environment. All the products listed above, with the exception of CyberArmor, identify the system to the management server by network information such as IP address or DNS name. This is troublesome for users who have dynamic IP addresses on their broadband access or who connect to various networks, such as a corporate LAN and broadband Internet, with different IP addresses. With a dynamic IP address on a remote access system, the management server cannot locate the end user system, disabling centralized management capabilities.
The communication between the agent and the management server is not always secure, allowing network sniffers to pinpoint remote access systems and develop more targeted attacks. F-Secure does not encrypt its communication, suggesting instead that the user implement its VPN+ client. Even if the communications are encrypted, the process implemented in the application may not be ideal. CyberArmor encrypts communications with an administrator-defined pre-shared key that is used for all agents. If that key is compromised, an attacker can modify the security policy of all the remote systems.
Not all products support all protocols. CyberArmor cannot support protocols with dynamic ports such as NetMeeting. F-Secure and Sybergen provide better user-management capabilities than the other products, but Sybergen does not allow locked-policy configuration. BlackICE provides excellent reporting and logging capabilities, but does not support ICMP blocking or application control. CyberArmor is the only product in my firewall agent list that allows you to define different policies depending on where the system is connected and automatically detects which policy should be in place. So, you can define a policy with less restricted access if the system is on the corporate LAN than if the system is connected to the Internet. Sybergen alerts you when an application is trying to contact the network if not defined as a trusted application, but it requires the client to communicate with the management server before it can be added to a user group, creating more work for the Administrator. Of course, all these products support only Windows OS, with the exception of CyberArmor. In my opinion, the best bet for Linux users is still IPChains.
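The location-aware behaviour described for CyberArmor, and the "block file and print sharing from the outside world" goal of the hardening discussion earlier, can be expressed as two policies selected by where the host currently sits. This is an added illustration, not code from CyberArmor or any other product named here; the corporate subnet `10.20.0.0/16` and the rule tables are assumptions.

```python
import ipaddress

CORPORATE_LAN = ipaddress.ip_network("10.20.0.0/16")  # assumed corporate subnet

# Each policy is an ordered list of (protocol, (low_port, high_port), sources, verdict).
# "any" matches every source; a network object restricts the rule to that subnet.
POLICIES = {
    "corporate_lan": [
        ("tcp", (139, 139), CORPORATE_LAN, "allow"),   # NetBIOS session: file/print sharing, LAN only
        ("udp", (137, 138), CORPORATE_LAN, "allow"),   # NetBIOS name/datagram, LAN only
        ("tcp", (0, 65535), "any", "deny"),
        ("udp", (0, 65535), "any", "deny"),
    ],
    "internet": [
        ("udp", (500, 500), "any", "allow"),           # IKE, so the VPN client can negotiate
        ("tcp", (0, 65535), "any", "deny"),            # everything else inbound is dropped
        ("udp", (0, 65535), "any", "deny"),
    ],
}

def select_policy(local_ip):
    """Pick the policy from the address the host currently holds."""
    return "corporate_lan" if ipaddress.ip_address(local_ip) in CORPORATE_LAN else "internet"

def evaluate(policy_name, proto, src_ip, dst_port):
    """First matching rule wins; anything unmatched is denied."""
    src = ipaddress.ip_address(src_ip)
    for rule_proto, (low, high), sources, verdict in POLICIES[policy_name]:
        if rule_proto != proto or not low <= dst_port <= high:
            continue
        if sources != "any" and src not in sources:
            continue
        return verdict
    return "deny"

def check(local_ip, proto, src_ip, dst_port):
    """Verdict for an inbound connection given the host's current address."""
    return evaluate(select_policy(local_ip), proto, src_ip, dst_port)
```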
All in all, each product has features valuable for an enterprise environment and features that could be improved. Personal firewall vendors are currently searching for that magical "sweet spot," the point where the product is simple for the end user, yet includes the flexibility and remote control features required for complex enterprise environments. Viable remote access technology for the enterprise has been available for some time, but securing these solutions is a growing area still in its infancy. How will these security products evolve to better fit the needs of the enterprise? What new technologies will surface to take their place? This is a new and dynamic area that will be interesting to watch in the coming year.