SSL VPNs a good option for remote access
- 09 October, 2007 11:00
The mobility and remote-access boom is undeniable. Rapidly expanding wireless bandwidth coupled with the improving capabilities of laptop computers, mobile phones, personal digital assistants and other mobile devices is making it possible for organisations to adopt new means of satisfying the mobile workforce's demand for anytime, anywhere access to information.
While the move toward mobility is technology powered, it is business driven. Companies of all sizes recognize that remote access has the power to drive productivity, improve customer service and add agility to the corporate business model by allowing users timely and secure access to valuable resources regardless of location.
Although the benefits of remote access are extensive, the trend challenges organizations to maintain an all-inclusive view of who is entering the corporate network and to create a well-controlled but user-friendly environment to access sensitive information. Security is a prime reason that many organizations resist enabling remote access, or confine it to a select group of users.
Opening the infrastructure for remote connection always involves risk. Without proper safeguards, organizations are susceptible to data and identity theft, network abuse, viruses, worms and other security threats.
To reduce the risk many organizations turn to virtual private networks (VPN), which lets users access the company network via the Internet. Before implementing a VPN solution, it is important to consider not only security issues that can occur when users connect remotely, but to evaluate how much and which information your organization is willing to share over a remote connection.
If you are planning to transfer data that is in any way sensitive, be wary of preinstalled VPNs. Though most operating systems have built-in VPN protocols that can be implemented at low cost, you typically get what you pay for, as these protocols often rely on little more than usernames and passwords, usually lack robust authentication and encryption components, and can easily become open doorways that allow hackers to introduce worms and viruses.
Fortunately, vendors specializing in security solutions offer a range of products to secure network resources for remote use while effectively minimizing threats. Though just one option in the remote access arsenal, VPN is mature, proven and, when implemented correctly, a valuable tool in the IT security arsenal. The appeal of VPN technology largely stems from how easily it:
- Restricts access to select applications and files,
- Manages authorizations,
- Protects the corporate network from damage, even if an infected laptop tries to connect, and
- Enforces access policies.
Because of ease of implementation, cross-compatibility and a wealth of options, SSL VPNs are expected be the primary remote-access method for more than two-thirds of teleworkers, more than three-quarters of contractors and more than 90% of casual employee access by 2008.
SSL is simple to install and leverages firewall ports already opened to secure Internet traffic, enabling users to connect into a network securely via a standard Web browser without the need to install special software. This alleviates connectivity problems with firewalls and negates the need to install software on the remote clients (e.g., desktops or laptops). SSL VPNs will support security policies that regulate access depending on the user, device or location. SSL can deny access if a less-than-secure situation is detected (for instance, logging on via an unsecured wireless LAN at a local coffee shop).
Administrators also find SSL especially useful since they are able to make policy changes or edit authorizations without having to update software on employee machines. In addition, SSL offers optional capability to restrict access to select, critical applications and easily incorporates multiple layers of authentication.
CDW's security experts recommend deploying personal firewalls, adware-scanning systems and intrusion-detection software on internal and mobile systems. For increased security, VPN applications can be configured to require all IP traffic to pass through the VPN tunnel, the same firewall as if the user were physically connected to the internal server, while the VPN connection is active. Mission-critical systems containing confidential corporate information should also leverage file-encryption and authentication applications.
Important things to consider before going mobile:
- Before buying, ask vendors how they test their products for security.
- Review software on the basis of security features.
- Have a process for monitoring vulnerability of the network.
- Install the latest patches, but first check newsgroups and other sources for patch anomalies.
- After adding new programs or hardware, install the latest patches.
- Use an automated tool to scan all PCs in the network for compliance and automatically download patches as appropriate.
- Use open standards such as Security Assertion Markup Language (SAML) when developing software architecture. SAML allows businesses to make statements regarding the identity, attributes and entitlements of a user to other entities.
- Do not use one server for multiple purposes (for example, Web server plus DNS server); the more services, the more vulnerabilities.
- Install firewalls inside the network, not just on the perimeter; segregate departmental applications.
- Deploy intruder-detection systems internally and within each network segment system administrators.
- Use one-time passwords -- they can be intercepted but will be invalid for future sessions.
Stan Oien manages information security and computer networking experts at CDW.