James Gretta

Friday, 29 July 2005 11:02

Do you need a VPN?

As internal corporate networks grow and telecommuting/remote offices become more commonplace, companies are turning to virtual private networks (VPNs) to provide access to internal corporate resources.

A VPN is a collection of private data and voice networks utilizing the public communications infrastructure. VPNs operate on the premise of tunnels, which protect the data inside from external threats, utilizing predetermined parameters.

The goal of a VPN is to offer the same services to both internal and authorized external personnel, while at the same time minimizing overhead costs. The need for point-to-point leased lines can be virtually eliminated when a VPN is implemented properly.

There are numerous vendors that offer a variety of VPN capable equipment. Several offer a variety of routers, firewalls, remote access clients and concentrators that support very scalable VPN implementations.

IP Security (IPSec) is the most dominant of all secure VPN technologies and is a standards-based method of providing integrity to data transmitted over IP. IPSec provides layer 3 encryption of data packets and utilizes various checks and balances to ensure data integrity. Key management and security associations, the IPSec parameters between devices, are negotiated utilizing the Internet key exchange.

The Internet offers a wide variety of opportunities and resources, but they do not come without inherent risks. These risks, as well as the need to protect sensitive information, are what drives the need for VPNs. The following three items may have you asking, “Do I need a VPN?”

  • Data privacy — Traffic traversing the Internet is unencrypted and can be viewed by unauthorized parties between the source and destination. This may be acceptable in many instances, but there are times when confidential information may be compromised.

  • Data integrity — While it may not be detrimental if unauthorized persons or entities could read your general e-mail, it could be problematic if they could access and possibly modify more sensitive documents, bank transactions, etc.

  • Identity theft — Hackers are becoming more creative in their techniques, and identity theft is becoming more prevalent. Nonsecure data such as credit card numbers, Social Security numbers and bank account numbers may give people the information they need to take on your identity and, in turn, gain access to your confidential information.

Although the answer to the question, “Do I need a VPN?” may seem relatively easy, the solution needs to be planned and implemented diligently. Defining exactly what types of information need to be secured is the first step. Certain traffic, such as remote file and mail requests, may need to access the corporate Internet, whereas World Wide Web (WWW) requests do not.

VPNs reference a series of permit-and-deny statements to determine which traffic should and should not traverse the VPN. If traffic is marked as interesting, it follows the IPSec encapsulation and encryption process and is forwarded to the other end of the tunnel for validation, de-encapsulation and decryption. Traffic that is not interesting will be routed in clear text, based on current implemented policies.

Another popular implementation is the use of remote access clients. These clients have software installed on PCs, laptops or PDAs and are able to securely access internal resources. Typically the software is very inexpensive and is a more-than-adequate solution for remote salespersons, managers, IT staff and executives.

Network and information security are becoming increasingly more important in corporate environments. VPNs offer another level of defense against unauthorized access to confidential information while still maintaining flexibility and scalability.

There are still instances in which point-to-point links make sense and are necessary, but in many cases, having a virtual point-to-point network is both cost effective and secure.

JAMES GRETTA is a network integration engineer at TriLogic Corp., a solutions integration company focusing on IT infrastructure solutions. He is a Cisco Certified Network Associate. Reach him at jgretta@tri-logic.com or (724) 745-0200.

Monday, 25 April 2005 10:24

Securing your network

As networks and inter-networking become more complex, the need for more advanced and capable security practices is paramount in keeping information and resources secure from malicious activities.

There are many best practices available, including a three-tiered approach that utilizes a firewall, intrusion detection system and virus scanning to prevent, detect and quarantine/remove malicious activities and threats from internal networks.

Firewalls

A firewall is the first line of defense in a comprehensive security solution. Firewalls inspect traffic and match it against a set of preconfigured rules. They can filter by source address, source port, destination address, destination port or any combination therein. Based upon these rule sets, the firewall either passes the traffic through to the internal network or blocks it entirely.

Firewalls come in a variety of flavors and from several manufacturers. Some are hardware or appliance-based; others are software-based and reside on high-end servers or workstations. Regardless of the platform an organization chooses to implement, the basic functionality is the same. Keeping current with technology, as well as maintaining and updating rules as new threats are exposed, will help increase your level of protection.

Intrusion Detection Systems

The Intrusion Detection System (IDS) is responsible for detecting paradoxical behavior based upon predetermined guidelines. There are two forms of IDS -- host-based and network-based. The host-based IDS is software-based and is used to detect malicious activity on a single endpoint, whereas a network-based IDS is used to inspect and detect malicious activity within its network segment.

A host-based IDS may be a personal firewall or a software agent running on a local machine. A network-based IDS operates in promiscuous mode and has sensors that monitors packets moving across the network segment. The packets are compared against various signatures and when suspicious activity is detected, alerts are sent to appropriate resources.

A combination of both systems should be implemented to detect the presence of malicious activity. There is one key point to remember when implementing host-based IDS -- protect every host.

Antivirus software

The final and most important part of this layered approach is the antivirus software. Antivirus software is written specifically to combat harmful viruses and remove them from your computer.

Antivirus software utilizes updates to keep a current listing of known virus definition files. Maintaining a current virus definition file can be accomplished by manual or scheduled updates. The definition files are updated by supporting software vendors as new viruses, worms and other malicious files are discovered, and are typically posted on the vendor's Web site.

Antivirus software is reactive in nature and is only a small part of a comprehensive security solution.

There are emerging technologies such as Network Admission Control (NAC) that proactively protect networks from clients whose integrity is not yet established. The theory behind NAC is that when a network-capable device attempts to access the LAN, it is segregated from known good resources until it adheres to established security guidelines.

NAC-compliant software scans the host to determine if it is properly patched and updated. If a machine requires updates, it can be automatically redirected to the proper resources. Once the updates are installed, the new host will be given predetermined access. In the event that the machine cannot be properly updated, the host may be denied access, given restricted access or placed in a quarantined area. This is another method of taking a proactive approach to defending your network.

Due to the popularity of mobile computing, it is nearly impossible to ensure a network is 100 percent secure. Computers are often used in multiple locations and on multiple networks. This causes an inherent risk within SMB and corporate networks, but with a properly designed and implemented security solution, the effects can be minimized.

Protecting internal resources from external attacks by utilizing a firewall, monitoring network segments and hosts utilizing IDS for known malicious and suspicious activity, and implementing and enforcing antivirus protection policies, as well as keeping current with emerging technologies, are only a few steps you can take to secure your network.

James Gretta is a network integration engineer at TriLogic Corp., a solutions integration company focusing on IT infrastructure solutions. Gretta is a Cisco Certified Network Associate (CCNA). Reach him at (724) 745-0200 or jgretta@tri-logic.com