Practising safe access

Battening down a corporate network against external attacks isn’t as easy as 1, 2, 3, but it’s not exactly rocket science either. Install some firewalls, throw in some intrusion detection software, some anti-virus and a solid corporate security policy, and an enterprise is well on its way to being secure.

This simple formula, however, applies only to outfits that allow no remote access into their networks. Given that networking is all about making employees more efficient and accessing corporate information from remote locations over the Internet is certainly an efficiency-building tactic, few enterprises practise remote access prohibition.

Enabling off-site users to access confidential corporate data raises a host of new security issues beyond the simple firewall, intrusion detection, anti-virus formula. By now everyone has heard the oft-repeated maxim that a network is only as secure as its weakest link. And there’s nothing weaker than an open, off-site window into an enterprise’s mission-critical data.

While additional security tools are certainly a requirement for enabling remote access, user buy-in is even more important. All the security measures in the world won’t make a difference if employees ignore them.

A clear, concise remote access security policy is an absolute must, according to John Girard, vice-president and research director with Gartner Group Inc. in Stamford, Conn.

“A 30-page document doesn’t cut it,” he said. “If you can’t explain the company’s basic security philosophy and needs in a couple of pages, you’ve lost everyone.”

The best way to begin formulating a security policy is to imagine all the potential attacks that could occur on a corporate network by giving remote users access to the network.

“You really have to think deviously for a while about all the ways you could be attacked,” Girard said. “It can be helpful to bring in an independent auditing group to stage some attacks and check your vulnerability.”

Once a firm has tested its network security, it needs to come up with a formal security policy. In addition to technical staff, legal personnel need to be involved in crafting the policy, Girard explained, because only people with legal knowledge know what can be enforced and what can’t.

After the policies are set, a company has to make sure security remains at the forefront of employees’ minds.

“You have to make security a real issue for the company,” Girard said. “It needs to be something that gets discussed in the company newsletter using real-world examples.”

With a security policy in place, companies can begin looking at remote access security tools. The bedrock of any remote access security scheme is authentication. When an off-site user tries to enter the corporate network to begin a session, there must be some mechanism in place to ascertain that the off-site user is a trusted employee and not a malicious hacker.

Any remote access plan that relies on the Internet requires a dynamic password scheme, Girard said.

“We recommend people use some two-factor form of authentication or time-based unique password system, so every time they log in, someone won’t be able to guess the passwords that go with a particular user ID.”

In a two-factor authentication system, users are queried for a password when they log into the system and then they must insert a hardware-based token, or a token on a disk. The token could also reside directly on the user’s workstation.

After the token has been accepted, the authentication tool will issue a one-time, unique password, usable only for that particular session. If an electronic eavesdropper happens to pick up the password on the Internet, the eavesdropper will be unable to initiate any sessions, because the password will have expired.

Time-based generators work in a similar fashion. In a time-based system, the client constantly generates new passwords, for example, one every minute, based on an algorithm. The remote access server runs the same algorithm and therefore knows which password a given user should be entering at any particular moment. So, as with the two-factor system, a password is only really useful one time.

Both time-based and two-factor solutions obey the standard rule of authentication security, which is that each user must have something they “know” — a password — and something they “have” — a token.
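The time-based scheme described above, as an added example that is not code from the article or from any vendor it names: client and server share a secret and derive the same password from the current one-minute time step (in the style of HMAC-based TOTP), so an eavesdropped password is refused both on replay within the minute and after the minute has expired. The user name and secret are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the article's example rate: a new password every minute
DIGITS = 6
SKEW_STEPS = 1      # accept the neighbouring steps so slightly drifted clocks still work

def time_step(now, step=STEP_SECONDS):
    """Shared counter: whole steps elapsed since the Unix epoch."""
    return int(now) // step

def one_time_password(secret, counter, digits=DIGITS):
    """Password for one step: HMAC-SHA1 over the counter, dynamically truncated to digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class RemoteAccessServer:
    """Server side: knows each user's secret, so it knows the expected password per step."""
    def __init__(self, secrets):
        self._secrets = dict(secrets)
        self._last_step = {}          # highest step already used per user (replay guard)

    def verify(self, user_id, candidate, now):
        secret = self._secrets.get(user_id)
        if secret is None:
            return False
        current = time_step(now)
        for counter in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            if counter <= self._last_step.get(user_id, -1):
                continue              # that step's password was spent: a replay is refused
            if hmac.compare_digest(one_time_password(secret, counter), candidate):
                self._last_step[user_id] = counter
                return True
        return False

def demo():
    secret = b"constructed-demo-secret-for-joanne"   # constructed sample, not a real credential
    server = RemoteAccessServer({"joanne": secret})
    t0 = 1_000_000_000
    password = one_time_password(secret, time_step(t0))   # what the client's generator shows now
    genuine = server.verify("joanne", password, t0)        # True
    replayed = server.verify("joanne", password, t0 + 5)   # False: same password reused
    expired = server.verify("joanne", password, t0 + 180)  # False: three minutes later
    return genuine, replayed, expired
```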

The Empire Financial Group, based in Kingston, Ont., has been using an authentication tool from KyberPASS Corp. for approximately three years.

Empire uses remote access to allow the firm’s IS staff to provide on-call support from their homes at night and to give its group insurance representatives access to e-mail and the company’s mainframe when they’re on the road, said Carole Rivington, Empire’s database administrator. In all, the company has approximately 165 remote users.

KyberPASS uses public-key infrastructure (PKI) technology to authenticate remote access. KyberPASS users are each given a unique key, which can be on a floppy disk, a smart card or could be stored directly on the users’ hard drive. When users try to begin remote sessions, they’re prompted for their system password and their “key.” Once the users’ key is authenticated, KyberPASS sends them a public key which gives them access to the corporate network.

While the process might sound convoluted, it’s not really a very involved process from the user’s perspective, said Ron Walker, president and CEO of KyberPASS Corp. All users really need to remember is their system passwords. If the key is stored on the users’ hard drives, the rest of the process is transparent to them, Walker said. If the key is not on the hard drive, then all the users need to do is insert the key.

Walker said the process isn’t difficult on the enterprise side either.

“A lot of the issues I think are not technology issues,” he explained. “They have to do with a change in administration of user accounts.”

For example, Walker said, a Fortune 1000 company without a PKI implementation would likely have access lists handled by LAN administrators, another set managed by mainframe administrators and perhaps even another set handled by departmental administrators. With a PKI implementation, everything can be managed by one administrator with no real technical knowledge.

“You no longer have to be a technical guru to manage access control, whereas in the past you had to get onto an IP firewall and administer IP filters and that kind of thing,” Walker said. “Now you run an app that says, ‘Add Joanne and here are her access rights,’ and it generates her public/private key pair.”

Rivington said Empire had no problems implementing KyberPASS and has been happy with its performance.

Empire’s keys are stored on floppy disks. Rivington said the keys could easily be loaded onto users’ hard drives, but the firm hasn’t told users this can be done. The reason for this is Rivington isn’t 100 per cent certain everyone in the company would agree that having the keys stored on hard drives is a safe security policy.

Rivington herself sees no need for concern.

“If you have a floppy, what are you going to do with it?” she asked. “You’re going to leave it in the drive. The something you ‘have’ is the laptop and the something you ‘know’ is your password. Or something you ‘have’ is your floppy and the something you ‘know’ is your password. It still follows the rule of something you ‘have’ and something you ‘know.’”

St. Joseph’s Hospital in Marshfield, Wis., recently began implementing remote access over the Internet with an authentication tool from Arcot Systems Inc. The Arcot token is an electronic wallet that users download from a central server.

St. Joseph’s needed a remote access system to give referring physicians in outlying areas access to patient medical information. The hospital had previously tried using dial-up connections, but St. Joseph’s CIO Steve Pelton said the cost was prohibitive and the connections were difficult to manage.

Pelton said he likes the Arcot tool, because of its ease of use.

“In our model, the referring physicians are rather casual users,” he said. “They’re not going to be using the system every day, so we needed something that wouldn’t get lost or misplaced.”

While authentication tools are critical components in any remote access solution, they aren’t the only element required. Another mandatory item is a tool, or tools, to ensure remote workstations can refuse access if someone tries to hack into them. With the advent of DSL and cable modem connections, this has become an especially important process, Girard said.

“If you’ve got a permanent IP address, then hackers can begin attacking your workstation directly,” he said. “And if you’ve got file sharing turned on, or if you’re connected to the Web and don’t have filtering and so on, your workstation is potentially hackable.”

In addition to ensuring remote clients have personal firewalls, proxy and filtering tools, Girard said, enterprises must lock down all security settings on remote clients.

“With personal computing, it’s easy to turn features on and off,” he said. “Users can intentionally or unintentionally disable important security features.”

Enterprises can lock workstations down with policy and registration features inherent to an OS, Girard said, but doing so is often a complex process.

“For instance,” he said, “the Microsoft policy system, once it’s set up by an administrator, is hard for a user to change. But if the user has a problem and they can’t get back onto an authorized network, nobody may be able to help them, because policies are all locked. There are third-party tools people need to start looking at to enforce the configuration and roll it back if the machine’s in trouble or it’s been tampered with. So if the user went in and turned off all the security, this kind of utility would put it back.”

If enterprises want additional security beyond authentication and firewalls they can implement VPNs. VPNs create tunnels over the Internet with all information within the tunnels travelling in an encrypted form.

Businesses that believe the Internet is reliable enough to meet their remote access demands, however, may not necessarily require a VPN, Girard said.

“If all people need to do is get to one or two Web-based applications or use a thin client that could be secured on its own, you don’t even need a VPN. Sometimes people go to too much trouble putting in a VPN and then it’s hard to manage.”