Auerbach Publications
© 2001 CRC Press LLC
08/01
tion. Next, we stretch the envelope of protection out to the remote dial-in system; understandably, the envelope is weakened, but it certainly exists in nature to keep the information sheltered. The remote dial-in system loses some of the protection supplied by the fortified environment of corporate and is exposed to a finite set of threats, but what is more important is that the envelope of security for the corporate site has not been dramatically affected.
In reality, the added risks of allowing remote systems to dial in directly are typically associated with unauthorized access, usually gained through the phone system. Corporate provides phone numbers to remote users to gain access and those same numbers are accessible from anywhere on the planet. Attackers can easily and quickly determine phone number ranges that have a high probability of including the target remote access numbers. Once the range is known, a phone-sweeping or "war-dialer" program can be employed to test each number with little or no intervention from the attacker. However, there are many factors that still manage to keep these risks in check. Dial-back, advanced and multi-layered authentication, extensive logging, time constraints, and access constraints can combine to make a formidable target for the attacker. With only a single point of access and the remote system in isolation, the security envelope remains intact and tangible. The degree of decay, of course, is directly related to the security of the single point of access at corporate and the level of isolation of the remote system.
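
The sweep described above leaves a recognizable trace in the "extensive logging" the paragraph lists: one source making short calls to many distinct numbers in the block within minutes. The following Python code is an added example, not part of the original text, that flags that pattern in call-detail records; the record layout, the thresholds and every phone number in it are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample call-detail records (fictional numbers).
# Columns: timestamp, caller ID, dialed extension, seconds connected.
SAMPLE_CDR = """\
2001-08-01T02:10:05 5550100 4400 4
2001-08-01T02:10:41 5550100 4401 3
2001-08-01T02:11:17 5550100 4402 5
2001-08-01T02:11:52 5550100 4403 31
2001-08-01T02:12:30 5550100 4404 4
2001-08-01T09:02:11 5550142 4403 1820
2001-08-01T13:45:00 5550142 4403 940
2001-08-01T14:05:09 5550167 4410 12
"""

def parse_cdr(text):
    """Parse whitespace-separated CDR lines into (datetime, caller, dialed, secs)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, caller, dialed, secs = line.split()
        rows.append((datetime.fromisoformat(ts), caller, dialed, int(secs)))
    return sorted(rows)

def find_sweeps(rows, window=timedelta(minutes=10), min_numbers=4, max_probe_secs=60):
    """Return {caller: sorted extensions} for callers whose short calls reached
    min_numbers or more distinct extensions inside one sliding time window."""
    by_caller = defaultdict(list)
    for ts, caller, dialed, secs in rows:
        if secs <= max_probe_secs:  # long sessions look like real use, not probing
            by_caller[caller].append((ts, dialed))
    flagged = defaultdict(set)
    for caller, calls in by_caller.items():
        start = 0
        for end in range(len(calls)):
            # Advance the left edge until the span fits inside the window.
            while calls[end][0] - calls[start][0] > window:
                start += 1
            distinct = {number for _, number in calls[start:end + 1]}
            if len(distinct) >= min_numbers:
                flagged[caller] |= distinct
    return {caller: sorted(numbers) for caller, numbers in flagged.items()}

if __name__ == "__main__":
    print(find_sweeps(parse_cdr(SAMPLE_CDR)))
```

A sweep that withholds caller ID would not group by source this way; counting distinct extensions hit across the whole block per window is the equivalent check in that case.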
In the last scenario, where the employment of a VPN provides corporate connectivity over the Internet, the security is perceived to be very high, if not greater than or equal to dial-up access solutions. Why not? They appear to have the same attributes and arguably the same security. In dial-up solutions, the communication is relatively protected, the system providing termination at corporate can be secured, and authentication measures can be put in place to reduce unauthorized access. VPNs, too, have these attributes and can be exercised to acquire an inclusive security envelope.
Unfortunately, the VPN offers a transparent envelope, a security façade that would not normally exist at such intensity if VPNs were not so accomplished as a protocol. The corporate-provided envelope is stretched to a breaking point with VPNs by the sheer fact that the remote system has gained control of the aspect of security and the employment of protection. It will become very clear that the envelope of security is no longer granted or managed by corporate but rather the remote system is now the overseer of all security locally and into corporate.
A remote system connects to the Internet and obtains an IP address from the ISP to allow communication with the rest of the Internet community. Somewhere on the Internet is a VPN gateway on the corporate network that is providing access to the internal network. As the remote system establishes the VPN to share data, a host of vulnerabilities are in-