Secure Remote Access and Control, Anyware Technology Inc.

  Mobile Computing & Communication Archive of Anyware
Real Security in a Virtual World

By Cassimir Medford, April 2000

These are unsettling times for corporate CEOs, network managers and IT professionals. They have to retrofit their networks to accommodate the Internet and a disparate mix of telecommuters, mobile workers, suppliers, partners, distributors and customers. All the while, they must be sure to keep the network safe from intruders. Opening up your network to the vulnerabilities and unpredictability of the Internet adds an overarching, unwelcome and often unquantifiable risk factor to the security equation.

To make things even more difficult, vendors are going to market with hundreds of products based on technology that is either inadequate or incomplete. Moreover, no single vendor, standards body or service provider has all the security answers to your questions. What results is a patchwork quilt that might show a few weak seams. Users large and small must weave together a mix of security protections and hope that it's enough to prevent the next intruder from bringing down the network, stealing crucial information or interrupting the flow of business.

That is what you are getting with virtual private networks (VPNs). This technique leverages the ubiquity of the Internet and can save a large company millions of dollars in equipment and communications fees, while providing better service. Using the Internet for remote access provides companies with a compelling utility, but companies must be as careful in the virtual world as they are in the real world.

VPNs allow corporations and end users to significantly reduce remote-access costs by using the comparatively new technique of tunneling through the Internet to establish secure communications. Companies previously had to pay high costs for leased lines or long-distance dial-up connections for every remote session. Companies also had to keep banks of modems at the ready to provide remote users access to corporate files and applications.

With a VPN, connectivity is provided for the cost of a local call to an Internet service provider (ISP). Although there are many subspecies of VPNs, they fall into three main categories:

First, there is remote-access VPN, which is the most popular form. This technique relies on a simple local dial-up call to an Internet service provider. After authentication with the host server, the call is securely routed through the Internet to a corporate Web site, where a remote user can access files and e-mail. The packets that travel through the ISP tunnel are encrypted for security.

The second kind of VPN is the intranet VPN, in which a corporation, in concert with a service provider, creates dedicated links between remote sites using the shared VPN network or the Internet. This is a more secure and expensive way of connecting remote employees than the first method.

The third is an extranet VPN, where corporations connect with customers and suppliers outside the firewall using permanent VPN connections. The problem is that shared VPNs are by their nature insecure, so companies must find ways of securing their VPN connections from snoopers or computer vandals.

How much security a company installs depends on the cost and amount of protection it needs vs. the costs of lost business and productivity. Security must be applied to cover increased access and heightened network complexity, and companies must be aware of the cost of downtime.

For instance, an hour of downtime for retailer Amazon.com could mean millions of dollars in lost sales and a loss of crucial credibility. But to Shakespeare & Co. Booksellers, an hour of downtime could mean a delay in transferring sales figures from its five locations to its main site in Manhattan, a slowdown in integrating that data into the company's accounting system and possibly even ground lost to competition. The level of networked exposure varies widely by business.

"Each company has to decide how high they want to set the bar," says Steph Marr, a security expert who is corporate vice president of New York-based networking specialist Predictive Systems Inc.'s Information Security practice. "They must set it to the point where it's no longer worth anyone's effort to come after their stuff. If you have a $10,000 asset, it is not worth spending $10,000 to protect it. On the other hand, if it's a $100,000 asset, it may be well worth it to spend $10,000 protecting it," he says.

Marr is no newcomer to the world of network security. Ten years ago, he assisted the FBI in capturing Kevin Mitnick, the infamous computer hacker who made a splash when he broke into the systems of several telecommunications companies. Much of the communications industry's heightened security concerns date to that saga. (See sidebar above "In Pursuit of a Wanted Man.")

Security on a Budget

For Shakespeare & Co., though, the critical Internet security exposure is limited compared to its struggle to occupy a precarious marketplace niche. The New York-based bookseller is surrounded by national superstores like Barnes & Noble and Borders, which bring to bear economies of scale that have driven many small booksellers out of business. Book selling is notorious for its thin margins, and Shakespeare & Co. must keep its high-wire act going in an area where real estate is among the most expensive in the world and where there's no safety net to catch an overextended company.

"The network is critical to us," says co-owner Bill Spath. "If a hacker should bring the system down, we would have to go to our back-up dial-up systems. We run all our sales reports off a single computer at our main site." Shakespeare is typical of many small- and medium-size businesses looking to gain competitive advantages from VPN technology. The company realized enormous savings after switching from ISDN service to Digital Subscriber Line VPN connections, which rely on local phone calls to ISPs, to link standalone computers at Shakespeare's six sites.

"The network assists us in making critical business decisions. Our stores are primarily near schools, so we've emphasized that aspect of our business," Spath says. "We also compete against the schools' in-house bookstores." Shakespeare & Co. can alter the inventory in any of its stores to fight off any incursion into its niche by a larger competitor — or meet a change in a local market. For example, its store near the Brooklyn Academy of Music can stock up on books that match the changing programs at BAM.

To put it all together, Shakespeare worked with Panix, a full-service ISP and network-services company. Panix built Shakespeare's DSL VPN network with Netopia Inc.'s R7100 SDSL routers and assists with the ongoing management and maintenance of the network. This is a form of remote-access outsourcing that is becoming more commonplace. A third-party like Panix takes some responsibility for the network, freeing the client from managing and monitoring uptime and communications.

"Secure VPN is a complicated technology that is relatively inexpensive, so it moved down the food chain pretty quickly," says Alexis Rosen, president of New York-based Panix. "Most companies, outside of the very largest companies, need assistance, particularly with the security of the network."

Outsourced network services are not new. Today there are dozens of outfits offering managed services for wholesale outsourcing to small companies. Companies like AT&T of Basking Ridge, NJ, and MCI WorldCom Inc. of Clinton, MS, have long targeted large companies with outsourced network services, offering everything from the management of the client's routers to full responsibility for the entire network. But the emergence of popular and inexpensive technologies like Frame Relay and DSL has placed VPNs within the financial reach of smaller companies. According to the experts, you don't have to be a Fortune 500 company to have a secure network.

Know Your Outsourcer

Another approach is to contract with iPass Inc., a Mountain View, CA, company that specializes in deploying VPN technology. The critical difference with iPass' products is that the company has established a network of hundreds of international ISPs to deliver dial-up numbers in thousands of locations. The scheme works like this: The remote worker dials into the iPass server, which authenticates the user and routes data to and from the company's server. All this is done with minimal investment.

But companies must do their homework before picking a small outsourcer. Many outsourcers are just starting out, with little or no track record in the business, so clients have little to go on when making their selection. It's a new market with few established rules, which can cloud the decision-making process.

"The thing that makes security difficult is that it is not really about computers, it's about trust, so it can be difficult for a client to find the right outsourcer," notes Rosen. "All too often the outsourcers down the food chain are just food. We have seen hundreds of consultants in this area who are artists masquerading as computer professionals. They got caught up in the Web movement, and they are branching off into the network-security business."

At this early stage of the remote-access outsourcing business, clients are seeking contractual arrangements with outsourcers, but many are unwilling to take broad responsibility for downtime or security breaches. "It can get messy," Rosen believes. "Generally, responsibilities are not clearly spelled out, and all too often there are no contracts. Contracts are a very good idea for both the client and the outsourcer. The large consulting firms all have contracts, but at the lower end of the spectrum, things are still being sorted out."

Do It Yourself

Outsourcing the responsibility of a VPN is a sensible option for businesses of all sizes that don't have the necessary expertise in-house. But for some brave souls, doing it yourself is a viable option.

For companies with limited critical exposure, a homegrown attitude or restricted budget, VPN tunneling can be secured via the very inexpensive Point-to-Point Tunneling Protocol. PPTP exists in all Windows clients, so it is much easier and cheaper to deploy than any other security system.

At present, there are at least a dozen vendors targeting companies willing to venture down the do-it-yourself route. One of the emerging leaders is VPN-equipment company Netopia Inc. of Alameda, CA. The company's routers include support for VPNs and all of the popular encryption schemes.

"Companies can get away without helping the mobile user to set up PPTP," says Paul Tuong, product manager at Netopia. "All they have to do is configure the PPTP server at the corporate office and ask the mobile users to turn on PPTP on their computers. That's the easy way to go, and there is not a lot of cost involved."

Setting up a computer for PPTP is no more difficult than creating a modem connection. If the company really wants to cut costs, it can set up a PPTP VPN server and leave the rest to the remote user, including finding the ISP.

Then there is IPSEC, which is the emerging standard for security on IP networks. The standard is here, for the most part, but getting early standards-based systems to talk to each other is a lot like putting shoes on a centipede. With hundreds of variables and parameters, the interoperability process goes well beyond the publication of a standard.

Setting up client computers for an IPSEC VPN connection will be much more elaborate and expensive. A system administrator would be required to install the client piece of the IPSEC VPN on each computer. The key must be set so that it works properly with the server, so fairly complex deployment and testing issues are involved.

"IPSEC is still in the bake-off and testing stage, where developers use the Internet to test their systems' interoperability," offers Avi Rembaum, marketing manager for Radguard Ltd., a vendor of secure remote-access systems based in Tel Aviv, Israel. "In testing interoperability, there are always bizarre situations that come up. There are also tests to prove that IPSEC works with other technologies."

The Integrated Approach

Trying to build a secure network is like trying to hit a moving target. Most networks are distributed, making them weak in many different areas. Clients, servers, cabling and routers all are vulnerable. As a result, network security has evolved as a tactical patchwork of related disciplines — authentication, access control, encryption, data integrity and attack detection. That means many organizations use special-purpose point products to secure wide-area network segments, authenticate some remote users or provide access control at the boundaries of the corporate network.

It's a small-bore approach to a big job. Consequently, the pieces don't always come together as a strategic whole. Dial-in must be managed separately from the firewall, which has no relation to user privileges on the enterprise. This can pose its own set of problems. Mobile users and telecommuters often find themselves jumping through multiple hoops of password authentication. In other instances, users must log in to their ISP accounts, then authenticate themselves to the remote-access server and go through a series of obstacles to use each networked application, particularly e-mail.

Is it possible to establish one coherent security policy where a user goes through a single sign-on rather than a series of security interruptions? At least two vendors — Cisco Systems Inc., based in San Jose, CA, and Check Point Software Technologies Ltd. of Redwood City, CA — think they have the strategy to make possible a single security policy that will apply to the whole enterprise. Such a product would dynamically enforce the security policy over the length and breadth of the network, which probably has several technologies working at the same time.

Cisco Systems is using its position as a leading vendor in network hardware to promote its Security Policy Manager. With this framework, Cisco promises customers the ability to integrate multiple installed security technologies — such as RADIUS, TACACS+, Kerberos, digital certificates and Microsoft login — to establish a consistent set of user privileges across the enterprise. As users move around the network, their privileges should follow them automatically. Users will be able to employ a single login to achieve a consistent secure level of access to network services, no matter where they are.

"You can create a security policy, including a firewall security policy, [and have it] automatically distributed to all the routers and firewalls in the system," says Steve Collen, Cisco's marketing director, enterprise WAN group. "Security is the essential component of VPNs, and you have to continually reinvent and add to your security systems."


Check Point offers a similar if less ambitious integrated security program. The company, which was among the pioneers of firewall technology, also markets VPN gateways and VPN clients. Together, the products form a VPN suite. "We've totally integrated the VPN gateway into our firewall because we think you can't afford to separate security from communications," says Steve Schick, marketing manager for Check Point. "That's critical; otherwise, you are going to undermine your overall security."

Schick points to potential interoperability issues as a monkey wrench in the VPN works. "Can one company's VPN connect to another company's VPN? Can you easily define your security policies and send them out all at once to all enforcement points? Can you handle content security? Can you handle QOS (Quality of Service)? Those are big issues." On the other hand, Cisco's Collen points to the payoff: Replacing dial-up with a local point-of-presence will reap a payback in three months on any investment made.

Once network security is built into the infrastructure, how does a corporate end user know that the system is actually working? Flip the question over and ask how you know if someone has truly compromised the network.

Hackers tend to employ sophisticated antidetection schemes, many of which are easily available on the Internet. A live "intelligent" security monitor that can scan the network for security breaches and vulnerabilities seems like a pretty good scheme to counter this kind of activity. That scheme is the value proposition pioneered by Internet Security Systems Inc. The Atlanta company markets SAFEsuite, a set of security auditing and scanning tools designed as both an alarm system and a test system for the installed enterprise security system.

Another notable add-on tool for VPN networks is EverLink, a software system that approaches the problem of security from the application layer. EverLink, from Anyware Technology Inc. of City of Industry, CA, takes a granular approach, allowing corporations to grant authorized access to individual outsiders rather than universal or group access to the entire network. Access is also specific to the application, computer or file inside the firewall. All other applications, computers or files will be securely hidden from the outsider or remote user.

"Our product is complementary with VPN technology because we address areas VPNs don't address. We give systems administrators a whole new level of control," explains Ming Huang, chief technology officer and founder of Anyware. In other words, it pays to know who is talking to whom. "VPNs can only control the packets; they cannot control a telnet session, for instance. We give system administrators additional functionality at the application layer. The VPN may be secure, but the corporation may not know who is sending what to whom," he says.
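The distinction Huang draws above, modelled as an added example (not EverLink's or Anyware's code): the VPN layer decides reachability per packet for any host in the tunnelled subnet, while an application-layer broker grants a named user access to one host and one application, hides everything else, and records who talked to whom. All user names, addresses and grants are constructed for the example.

```python
# Added example, not Anyware's EverLink code: a small model of the two layers
# the article contrasts. The VPN decides reachability per packet (any host in
# the tunnelled subnet); the application-layer broker decides per user, per
# host, per application, and records who talked to whom. All names, addresses
# and grants below are constructed for the example.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Grant:
    user: str
    host: str   # inside address the outsider may reach
    app: str    # service or file on that host, e.g. "telnet" or "file:/reports/q1.csv"


class VpnGateway:
    """Packet-level control: once the tunnel is up, every host in the inside
    network is reachable, whatever application the remote user runs."""
    def __init__(self, inside_network: str) -> None:
        self.inside = ipaddress.ip_network(inside_network)

    def reachable(self, host: str) -> bool:
        return ipaddress.ip_address(host) in self.inside


class AppLayerBroker:
    """Application-layer control: deny by default; a user sees and may use only
    the (host, app) pairs explicitly granted to them, and every decision is logged."""
    def __init__(self, grants: Iterable[Grant]) -> None:
        self.grants = frozenset(grants)
        self.audit: List[Tuple[str, str, str, str]] = []  # (user, host, app, verdict)

    def visible_hosts(self, user: str) -> List[str]:
        return sorted({g.host for g in self.grants if g.user == user})

    def authorize(self, user: str, host: str, app: str) -> bool:
        verdict = Grant(user, host, app) in self.grants
        self.audit.append((user, host, app, "allow" if verdict else "deny"))
        return verdict


def decide(vpn: VpnGateway, broker: AppLayerBroker, user: str, host: str, app: str) -> bool:
    """A request must pass both layers: the packet has to reach the host, and the
    user has to hold a grant for that host and application. A host outside the
    tunnel is refused before the broker is consulted, so it leaves no audit entry."""
    return vpn.reachable(host) and broker.authorize(user, host, app)


# Constructed policy: a supplier may only telnet to one order server; a store
# manager may only read the sales report on the accounting machine.
VPN = VpnGateway("10.0.1.0/24")
BROKER = AppLayerBroker([
    Grant("supplier-acme", "10.0.1.5", "telnet"),
    Grant("store-manager", "10.0.1.9", "file:/reports/sales.csv"),
])

if __name__ == "__main__":
    print(decide(VPN, BROKER, "supplier-acme", "10.0.1.5", "telnet"))  # True
    print(decide(VPN, BROKER, "supplier-acme", "10.0.1.9", "telnet"))  # False: tunnel reaches it, broker refuses
    print(BROKER.visible_hosts("supplier-acme"))                        # ['10.0.1.5']
    for entry in BROKER.audit:
        print("audit:", *entry)
```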

Security Features

To secure a commercial building, a private security company is usually hired to wire the perimeter with an alarm or provide a guard to watch the premises. If someone successfully breaks in, the security company is often at fault. But computers are different from buildings. They are dynamic, and break-ins can occur beyond the purview of the naked eye: Stealthy visitors will not destroy data, only copy it. Many such network events are not even detected until well after the break-in.

When there is a breach of security that results in downtime and real costs, who will be held responsible? The vendor? The service company? The ISP? The telephone company? Initially, the contracts between the various parties will determine responsibility, but that simply might not be enough.

"Ultimately, the courts will decide. There has to be an element of trust, and that trust will be in the judicial system, not in each other," says Marr, of Predictive. "But we as an industry have to improve our chain of control and 'handling' of evidence. The integrity of the process will assist investigation and adjudication. We can't leave it all up to lawyers."

For every advance in security, the hacker figures out a new way to break in. For every new threat to the network, a new solution is found to protect it. Companies can only hope to keep hackers at bay, but the duet between the network intruder and the network cop will endure well into the future. The key will be to stay at least one step ahead of the bad guys.

Cassimir Medford is a freelance writer who specializes in network topics. Based in New York, he can be contacted at cmedford@aol.com.
Copyright © 1996 - 2002 Anyware Technology, Inc. All rights reserved