Remote Access Challenge
Computers, laptops, and now tablets are everywhere. Everyone has at least one, and wherever they go they want to stay connected and work, be it at Starbucks, at home, or in a hotel during a business trip. As an IT professional, you know that providing remote access to business network resources is relatively easy. The challenge comes when you have to deal with laptops and desktop computers you do not manage.
When you provide remote access, you are extending your business network beyond your company's physical boundaries: to employees' homes, to hotels, even to Starbucks. You are also extending it to computers your company neither owns nor manages. For all you know, these devices could be infected with all kinds of malware, viruses, and worms.
Regardless, for the sake of productivity, mobile employees and employers alike want to squeeze as much as they can out of their time, wherever they happen to be. So what are you to do? How can you offer remote access and still mitigate the risks? There are some things you can do that take security into account.
Remote Access Security Problem with Traditional VPNs
Traditional VPNs (virtual private networks) give remote users access to a company's network resources. For a long time, remote access meant launching a VPN client on the computer, which then prompted for two-factor authentication: a login password plus the 6-digit code displayed by an RSA SecurID hardware token.
After successful authentication, the computer was connected to the company's network through a secure tunneling protocol across the Internet. It was effectively inside the company's network, since it was assigned an internal IP address.
Today, some companies still do this.
Although the authentication side of this sounds very secure, the biggest problem with this VPN design is that it exposes the company's entire network to the remote computer. A user's personal computer can easily be infected with a "bot" that turns it into a "zombie" under the control of a remote attacker, and such threats are built to keep spreading to other vulnerable machines. If the computers on the company network haven't been patched with the security fixes for the corresponding vulnerability, the risk of them becoming infected over the VPN tunnel is very high.
It only takes one machine to start the infection, and the result can be the entire company network becoming unavailable under the load of a DoS (denial of service) attack from the infected machines.
This is one of the most common scenarios and is one of the biggest weaknesses of traditional VPNs.
Remote Access Solutions
Since this article is about setting up remote access, the scope of the discussion will be limited to how we can secure the border. By "the border" I mean the logical network border that is established when a remote access session is created between a user's machine and the company's network.
That said, it is a well-known fact in networking that the most secure network is one that isn't connected to the outside at all.
The good news is that there are many commercial solutions out there. Each of them can provide remote access without extending the company's logical border to outside personal computers: the users' personal computers are kept outside the company's network, where they belong.
Below are some well known solutions:
- Cisco ASA 5500 Series Secure Remote Access
- WatchGuard Remote Access Solutions
- Barracuda SSL VPN
- Juniper SA Series Secure Access SSL VPN
The ones listed above provide so-called "air gap"-like access to a company's network resources by offering a web-only interface to internal resources. The remote computer, i.e. the user's personal computer, is never placed on the company's network. It is just a web client, talking only to the remote access appliance (a middleman between the remote computer and whatever internal resource is published through it) over a secure protocol, TLS (the successor to SSL). Note that the same appliances also offer full-tunnel client modes that put the remote computer back on the network exactly as a traditional VPN does; the isolation described here depends on deploying the web-portal (clientless) mode and publishing only the resources users actually need.
Thus, even if the remote computer is infected, your company's internal network is not routable from it. The only computers a compromised remote computer can infect are those on its own local network and other machines on the Internet vulnerable to the same threats. Keep in mind that this isolation is at the network layer: a worm on the remote PC has nothing internal to scan, but malware that controls the user's browser can still act through the user's authenticated portal session, so the published applications still need their own access controls and audit logging.
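To make the "middleman" model concrete, here is a minimal publishing proxy written for this article; it is not code from any of the products listed above. It plays the role of the appliance: the remote PC only ever talks to this listener, it must present a portal session cookie, and only applications on an explicit allow-list are forwarded to internal hosts. Any URL that is not a published application is refused without the proxy ever opening a connection into the internal network. The hostnames, application names, port and session token are made up for the example; TLS termination is assumed to happen in front of the listener.

```python
"""Clientless-portal style publishing proxy (constructed example)."""
import http.client
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Allow-list of internal resources published through the portal.
# Hostnames and ports are assumptions for the example.
PUBLISHED_APPS = {
    "intranet": ("intranet.corp.internal", 80),
    "timesheet": ("hr-app.corp.internal", 8080),
}

# Session store: token -> username. A real portal fills this at login;
# the constant below stands in for an already authenticated session.
SESSIONS = {"c0ffee": "alice"}

PREFIX = "/apps/"

# Headers that must not be copied between the two legs of the proxy.
STRIP_HEADERS = {"connection", "keep-alive", "transfer-encoding",
                 "host", "cookie", "content-length"}


def route(path):
    """Map a portal URL path to (backend_host, backend_port, backend_path).

    Returns None for anything that is not a published application. This is
    the check that keeps the remote client from reaching arbitrary internal
    hosts: there is no general "connect to X" operation to abuse.
    """
    parts = urlsplit(path)          # also neutralises "//host/..." tricks
    if not parts.path.startswith(PREFIX):
        return None
    app, _, rest = parts.path[len(PREFIX):].partition("/")
    if app not in PUBLISHED_APPS:
        return None
    host, port = PUBLISHED_APPS[app]
    backend_path = "/" + rest
    if parts.query:
        backend_path += "?" + parts.query
    return host, port, backend_path


def session_user(cookie_header):
    """Return the username for a valid portal session cookie, else None."""
    if not cookie_header:
        return None
    for item in cookie_header.split(";"):
        name, _, value = item.strip().partition("=")
        if name != "portal_session":
            continue
        for token, user in SESSIONS.items():
            if secrets.compare_digest(token, value):
                return user
    return None


class PortalHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if session_user(self.headers.get("Cookie")) is None:
            self.send_error(401, "portal login required")
            return
        target = route(self.path)
        if target is None:
            # Unpublished resource: refuse; no internal connection is made.
            self.send_error(404, "not a published application")
            return
        host, port, backend_path = target
        fwd = {k: v for k, v in self.headers.items()
               if k.lower() not in STRIP_HEADERS}
        conn = http.client.HTTPConnection(host, port, timeout=10)
        try:
            conn.request("GET", backend_path, headers=fwd)
            resp = conn.getresponse()
            body = resp.read()
        except OSError as exc:
            self.send_error(502, "backend unavailable: %s" % exc)
            return
        finally:
            conn.close()
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in STRIP_HEADERS:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Listen on the outside interface; TLS is assumed to be terminated in front.
    HTTPServer(("0.0.0.0", 8443), PortalHandler).serve_forever()
```

The point of the design is in `route`: the proxy maps a small, fixed set of portal paths to a small, fixed set of backends, so an infected client cannot use the portal to scan or attack internal hosts the way it could over a routed tunnel. Dropping the `Cookie` header before forwarding keeps the portal session token out of the backends, and `secrets.compare_digest` avoids leaking the token through timing.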
That said, which solution should you choose?
It really depends on many things. The key determining factors are price and product support. For the solutions listed above, the initial non-recurring cost can range anywhere from around $10,000 to $50,000.
Also consider the annual maintenance cost. Once your company becomes highly dependent on a solution, it will want to keep it going. Typical annual maintenance cost is around 15% to 20% of the purchase price.
Technical support is also crucial. Depending on your company's threshold for wait time, you may choose a particular vendor or a particular support contract; but all of this must also be justified from a business standpoint, taking into account ROI (return on investment).
Users now have access to a multitude of personal computing devices. In an effort to increase productivity, companies provide remote access to employees, and a remote access solution almost always means a VPN solution.
Providing remote access through a traditional VPN isn't secure, because it extends the company's network border to the user's personal computer. This exposes the company's network to all sorts of problems, including worms, malware, and viruses. Remote access security must be of paramount consideration.
There are better VPN solutions out there. The solutions enumerated in this article provide an almost "air gap"-like isolation between the users' personal computers and the company's network. Remote access is provided through a secure web portal from which users launch their access to internal resources. With this approach the users' personal computers never become part of the company's network; they remain outside the border, keeping any malware, worm, or virus at bay.
- My professional experience in Information Technology and Network Security