Auerbach Publications © 2001 CRC Press LLC 08/01

tion. Next, we stretch the envelope of protection out to the remote dial-in system; understandably, the envelope is weakened, but it certainly exists in nature to keep the information sheltered. The remote dial-in system loses some of the protection supplied by the fortified environment of corporate and is exposed to a finite set of threats, but what is more important is that the envelope of security for the corporate site has not been dramatically affected.

In reality, the added risks of allowing remote systems to dial in directly are typically associated with unauthorized access, usually gained through the phone system. Corporate provides phone numbers to remote users to gain access, and those same numbers are accessible from anywhere on the planet. Attackers can easily and quickly determine phone number ranges that have a high probability of including the target remote access numbers. Once the range is known, a phone-sweeping or "war-dialer" program can be employed to test each number with little or no intervention from the attacker. However, there are many factors that still manage to keep these risks in check. Dial-back, advanced and multi-layered authentication, extensive logging, time constraints, and access constraints can combine to make a formidable target for the attacker. With only a single point of access and the remote system in isolation, the security envelope remains intact and tangible. The degree of decay, of course, is directly related to the security of the single point of access at corporate and the level of isolation of the remote system.

In the last scenario, where the employment of a VPN provides corporate connectivity over the Internet, the security is perceived to be very high, if not greater than or equal to dial-up access solutions. Why not? They appear to have the same attributes and arguably the same security. In dial-up solutions, the communication is relatively protected, the system providing termination at corporate can be secured, and authentication measures can be put in place to reduce unauthorized access. VPNs, too, have these attributes and can be exercised to acquire an inclusive security envelope. Unfortunately, the VPN offers a transparent envelope, a security façade that would not normally exist at such intensity if VPNs were not so accomplished as a protocol.

The corporate-provided envelope is stretched to a breaking point with VPNs by the sheer fact that the remote system has gained control of the aspect of security and the employment of protection. It will become very clear that the envelope of security is no longer granted or managed by corporate but rather the remote system is now the overseer of all security — locally and into corporate.

A remote system connects to the Internet and obtains an IP address from the ISP to allow communication with the rest of the Internet community. Somewhere on the Internet is a VPN gateway on the corporate network that is providing access to the internal network. As the remote system establishes the VPN to share data, a host of vulnerabilities are in-