Secure VPN connections

February 7, 2005

A growing number of company employees now need to spend many hours working from outside of the office. However, at the same time, in order to ensure rapid and effective communications with clients or suppliers, it is essential that they are connected to the corporate network.

Such connections can be made from a wide range of devices and links, in particular laptops on wireless networks, DSL or dial-up modem lines.

Regardless of the type of connection, there can be many elements in these computers that are not controlled by the network administrator and therefore infringe corporate security policy. Worse still, in many cases (and the experience of Panda Software’s tech support centers corroborates this) users of these computers frequently disable security measures (antivirus, firewall, etc.) to improve performance. In no time at all, malicious code will have taken over the system.

When an infected computer connects again to the corporate network, either through a remote connection or directly to the office network, there is a high risk that malicious code will spread across the network.

Just as with roaming employees, teleworkers may also be a danger. The increasing number of people working from home covers a wide range of activities and often involves using a computer with a permanent connection between the employee and the company.

This way of working also often means that the computer the employee uses for work doubles as the family's home computer. Teleworking is no doubt one of the best options for making work compatible with family life, but on the downside, it is highly likely that people with little training in security issues (or even the owner of the computer) will unwittingly give malicious code access to the computer.

Another problem that can’t be ignored is the possible interception of communications between the out-of-office worker and their headquarters. Just the thought of a hacker accessing a company’s strategic plan is enough to make managers of any company shudder.

There is no method that guarantees 100 percent that a connection will not be intercepted, just as with any other form of communication (mail, telegram, email, etc.). For this reason, there are systems that make data illegible to anyone other than the intended recipients: encryption systems. Thanks to these, even if the data is accessed, it cannot be read.

One of the systems most frequently used to ensure the confidentiality of communications with remote employees is the virtual private network, or VPN. These systems involve installing encryption software on the remote worker's computer and at the entry point for communications in the company. This means that the Internet, a public network, can be virtually converted into a private network: even if a transmission were intercepted, the data transmitted could not be interpreted.

Now, if the concept of encrypting the data transmitted by teleworkers is combined with that of protection against malicious code, a problem arises with users who do not meet security requirements and whose computers are infected by a virus or infiltrated by a hacker: thanks to the VPN, the virus or attacker can then access corporate resources with the same privileges as the VPN user. The risk is potentially extremely serious.

Users of computers within the corporate network have the support of network administrators or technicians so that security policies can be implemented rapidly due to the physical proximity. However, when it comes to workers in another location, the proximity doesn’t exist and this can lead to disaster.

To avoid these problems, the solution normally lies in the installation of security mechanisms in remote computers to prevent malicious code from entering and which can’t be disabled by users. This is a simple solution to implement, but may not be understood by users, who will feel that their systems are being monitored and sealed off, and may even be rejected by those that own their systems.

Given this possible reaction, the best option is to establish security levels that must be met before the encrypted connection with the office is established. So by checking, for example, if there is a firewall enabled, administrators can rest assured that remote users that connect to the network are not being spied on by hackers.

The checking of security levels should also be as wide-ranging as possible. The company's security policy could, for example, demand that users have antivirus 'X' installed with update 'Y'. But if the remote user is establishing the connection from her own computer, she is within her rights to have her own antivirus, with update settings in accordance with her own criteria. So even if the system is secure from an objective point of view, it won't be fulfilling the company's security policy.

The solution in these cases is a system for checking remote security in a wider sense, accepting that there are other security solutions and these could be used by remote users. By checking security from a wider perspective, without compromising on the levels applied, users will have the flexibility to choose their own solutions without affecting security requirements.
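The posture check described above, written as a small policy evaluator (an added illustration, not code from the original article): the client reports its firewall state and antivirus product, and the policy accepts any product on an allow list as long as real-time protection is on and signatures are fresh. Product names, field names and the three-day freshness limit are constructed assumptions.

```python
"""Endpoint posture check run before a VPN client is admitted.

Added example, not from the original article. A failing client is not
simply rejected: it is placed on a remediation network so it can update
its antivirus or switch on its firewall, then re-check.
"""
from datetime import date, timedelta

# Constructed policy: any of these antivirus products is acceptable
# (the worker may choose her own), but signatures must be recent.
ACCEPTED_AV = {"CorpAV", "HomeGuard", "FreeShield"}
MAX_SIGNATURE_AGE = timedelta(days=3)


def evaluate_posture(report, today):
    """Return (compliant, reasons) for a client's self-reported state.

    `report` is a dict such as {"firewall_enabled": True,
    "av_product": "HomeGuard", "av_realtime": True,
    "av_signature_date": date(2005, 2, 6)}.
    """
    failures = []
    if not report.get("firewall_enabled", False):
        failures.append("firewall disabled")
    product = report.get("av_product")
    if product not in ACCEPTED_AV:
        failures.append("antivirus %r not on the accepted list" % (product,))
    else:
        if not report.get("av_realtime", False):
            failures.append("antivirus real-time protection disabled")
        sig = report.get("av_signature_date")
        if sig is None or today - sig > MAX_SIGNATURE_AGE:
            failures.append("antivirus signatures missing or older than 3 days")
    return (not failures, failures)


def decide_access(report, today):
    """Map the posture result to a network: 'full' for compliant clients,
    'remediation' (update servers only) for everyone else."""
    compliant, _reasons = evaluate_posture(report, today)
    return "full" if compliant else "remediation"


if __name__ == "__main__":
    sample = {"firewall_enabled": True, "av_product": "HomeGuard",
              "av_realtime": True, "av_signature_date": date(2005, 2, 6)}
    print(evaluate_posture(sample, date(2005, 2, 7)), decide_access(sample, date(2005, 2, 7)))
```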

There's no doubt of the need to establish a system for checking the security status of remote computers connected via VPN to the corporate network. This check should be perceived by remote users as a bonus in terms of security and not as a corporate imposition, and it should be sufficiently wide-ranging to include non-corporate products and systems chosen by the remote worker for the home system.

In this way, all those involved will be improving security in a realistic and effective way.
