Installers urged to insist on VPNs for remote-access needs
With new network installations comes the inevitable question from the service customer or building owner: "What about security?" When it comes to allowing remote access via broadband, the answer is sobering yet not without resolution
A recent study released by GartnerGroup Inc. (Stamford, CT) warns that by 2004, increased remote broadband access to a host network could raise costs of responding to security incidents by 200% compared to users connecting over dial-up Internet access.
The key, says the report, is that nearly nine million U.S. households will subscribe to cable-modem services and nearly seven million will subscribe to xDSL (high-bandwidth digital-subscriber-line) services. And because both services let users remain connected for an indefinite time, the GartnerGroup says always-on "static Internet-protocol [IP] address is a hacker's dream."
John Pescatore, research director for GartnerGroup's network security services, says "broadband technologies should not be used for remote access without employing strong encryption and authentication as implemented in virtual private networks [VPNs]." Remote access via broadband services, Pescatore says, can bypass the corporate firewall, negating inbound protection as well as outbound filtering and auditing. Pescatore further urges corporations and businesses to conduct periodic configuration audits and security scans "to ensure that dangerous services have not been activated, which an attacker can use to invade over the VPN connection."
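The configuration audit Pescatore recommends amounts to a simple check: enumerate what a remote-access host is actually listening on and compare it with what it is supposed to be listening on. The script below is an added example written for this edit, not code from the GartnerGroup report or any vendor; it parses the output of the Linux `ss -lntu` command and flags any non-loopback listener that is not on an allow-list. The allow-list, the list of known-risky ports and the sample `ss` output are all constructed assumptions for the illustration.

```python
"""Audit a remote-access host's listening services against an allow-list.

Parses `ss -lntu` output (Linux) and reports every listener reachable from
a non-loopback address that is not an expected service. Run periodically on
VPN gateways and remote clients to catch services that were switched on
since the last audit.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Tuple

# Expected (protocol, port) pairs for this host. ASSUMPTION for the example:
# SSH for administration plus IKE/IPsec NAT-T for the VPN itself.
ALLOWED = {
    ("tcp", 22),
    ("udp", 500),
    ("udp", 4500),
}

# Services that should never be exposed on a remote-access host (assumed list).
KNOWN_RISKY = {
    21: "ftp (cleartext)",
    23: "telnet (cleartext)",
    139: "netbios-ssn",
    445: "smb",
    5900: "vnc",
}

# ss -lntu columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SS_LINE = re.compile(r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+")


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


def parse_ss(output: str) -> List[Listener]:
    """Turn raw `ss -lntu` text into Listener records; header lines are skipped."""
    listeners = []
    for line in output.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue
        addr, port = m.group("local").rsplit(":", 1)
        addr = addr.strip("[]")  # "[::]:445" -> "::"
        listeners.append(Listener(m.group("proto"), addr, int(port)))
    return listeners


def audit(listeners: List[Listener]) -> List[Tuple[str, str, int, str]]:
    """Return (proto, addr, port, reason) for each listener that needs attention."""
    findings = []
    for l in listeners:
        if l.addr in ("127.0.0.1", "::1"):
            continue  # loopback-only: not reachable over the VPN
        if (l.proto, l.port) in ALLOWED:
            continue
        reason = KNOWN_RISKY.get(l.port, "not on allow-list")
        findings.append((l.proto, l.addr, l.port, reason))
    return findings


# Constructed sample output standing in for a real `ss -lntu` run.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      5          127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128             [::]:445           [::]:*
udp   UNCONN 0      0            0.0.0.0:500        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:4500       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*
"""


def audit_live_host() -> List[Tuple[str, str, int, str]]:
    """Run the audit against the local machine (requires iproute2's `ss`)."""
    out = subprocess.run(["ss", "-lntu"], capture_output=True, text=True, check=True).stdout
    return audit(parse_ss(out))


if __name__ == "__main__":
    for proto, addr, port, reason in audit(parse_ss(SAMPLE_SS)):
        print(f"{proto}/{port} on {addr}: {reason}")
```

On the sample above the audit reports telnet on 23, SMB on 445 and an unexpected mDNS listener on 5353/udp, while ignoring the loopback-only CUPS listener on 631. In practice the allow-list belongs in version control beside the host's build standard, so a diff in the audit output is itself the incident signal.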
A static IP address, however, doesn't necessarily make networks more vulnerable to hackers. David Ranch, a core and edge network specialist at Jupiter Networks (Mountain View, CA), says, "What is stopping me from hacking into people connected via their dial-up lines? Sure, they aren't connected as long, but with a few known security exploits and a port scanner, hackers can have a field day with either type of user."
For both types of users, Ranch concurs with Pescatore's urging to employ encryption and authentication methods. "Any company worth its salt will require the [remote] users to connect via a VPN into the company and then have it authenticated with some form of one-time password like Security Dynamics' SecureID, Axent Defender, etc." In addition, Ranch notes that many corporations that provide remote access for their employees are reducing security problems with "corporate DSL" lines, where "the [remote] connection doesn't go to the Internet but directly to the corporation behind their firewalls."
With cable-modem remote access, the GartnerGroup study points out that while most cable-service providers implement "customer-protection features" to block dangerous services, those features are often insufficient to protect against even simple attacks. Ranch concurs, yet suggests there's no cause for complete panic: "The current cable modems only keep your neighbor from sniffing your traffic because they're 'smart' bridges." But he adds, "Even if you could get the bridge to go into 'promiscuous' mode, all cable-modem-to-headend traffic is typically encrypted with DES encryption. It isn't the strongest thing on the planet, but it's better than nothing."
As for the report's predictions of exponential cost increases for remote broadband access security problems, Ranch believes that installers can quell much of their customers' fears by insisting that VPN and authentication methods be part of the package from the beginning.