Auerbach Publications
© 2001 CRC Press LLC
08/01
As with any sound security practice, a security policy is crucial to the protection of information. Specifying data access limitations and operating parameters for information exchange can greatly reduce the exposure of information. In other words, if a certain type of information is not needed for remote work, then the remote access system should not provide access to that information or to the system that holds it. Simply reducing the breadth of access provided by the remote access solution protects data that the remote user can never reach. In practice, limiting what is actually accessible to remote users has often taken the form of a firewall placed behind the VPN device, seemingly protecting the internal network from the VPN community. Unfortunately, this design has serious limitations. The firewall sees only the addresses handed out from the VPN pool, not the identity of the remote user, so any service opened for one remote user is open to all of them, and every exception either widens everyone's access or requires yet another rule set. This limits the scalability of the VPN in terms of flexibility of access. The alternative is filtering built into the VPN access device itself. Filters can be created to control the traffic that is injected into the internal network, and in some cases filters can be associated with the actual authenticated users or groups rather than with addresses alone.
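To make the difference between the two filtering designs concrete, the following example (added here; it is not from the original chapter and models no specific VPN product) compares an address-based firewall behind the VPN device with identity-aware filtering on the access device. The users, groups, addresses, rules and traffic flows are all constructed for illustration.

```python
"""Address-based firewall behind a VPN device vs. identity-aware filtering.

Added example, not from the original chapter. Every user, group, address,
rule and flow below is constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress

# Constructed: address pool handed out to remote users by the VPN device.
VPN_POOL = ipaddress.ip_network("192.168.100.0/24")

# Constructed: authenticated user -> group, as the VPN device learns it at
# logon. Unknown users (e.g. someone holding a pool address) map to no group.
GROUP_OF = {"alice": "engineering", "bob": "sales", "carol": "finance"}

# Constructed: per-group filters applied on the VPN device. Deny by default.
IDENTITY_RULES = {
    "engineering": [("10.1.0.0/24", {22, 443})],
    "sales":       [("10.2.0.10/32", {443})],
    "finance":     [("10.3.0.5/32", {1433})],
}

# A firewall behind the VPN device sees only the pool address, not the user,
# so it has to carry the union of every group's exceptions.
FLAT_RULES = [rule for rules in IDENTITY_RULES.values() for rule in rules]


@dataclass(frozen=True)
class Flow:
    user: str   # identity known to the VPN device after authentication
    src: str    # address assigned from VPN_POOL
    dst: str
    port: int


def _matches(rules, dst, port):
    d = ipaddress.ip_address(dst)
    return any(d in ipaddress.ip_network(net) and port in ports
               for net, ports in rules)


def flat_firewall_allows(flow):
    """Address-based decision: anyone holding a pool address gets the union."""
    if ipaddress.ip_address(flow.src) not in VPN_POOL:
        return False
    return _matches(FLAT_RULES, flow.dst, flow.port)


def identity_filter_allows(flow):
    """Identity-based decision: only the authenticated user's group rules apply."""
    group = GROUP_OF.get(flow.user)
    if group is None:
        return False
    return _matches(IDENTITY_RULES[group], flow.dst, flow.port)


def over_exposed(flows):
    """Flows the flat firewall permits but the identity filter would deny."""
    return [f for f in flows
            if flat_firewall_allows(f) and not identity_filter_allows(f)]


# Constructed traffic from the VPN pool toward internal hosts.
SAMPLE_FLOWS = [
    Flow("alice", "192.168.100.11", "10.1.0.7", 22),      # engineer -> dev host
    Flow("bob", "192.168.100.12", "10.2.0.10", 443),      # sales -> CRM
    Flow("bob", "192.168.100.12", "10.1.0.7", 22),        # sales -> dev host
    Flow("carol", "192.168.100.13", "10.3.0.5", 1433),    # finance -> DB
    Flow("carol", "192.168.100.13", "10.3.0.5", 3389),    # finance -> DB over RDP, no rule
    Flow("mallory", "192.168.100.14", "10.3.0.5", 1433),  # unknown user, pool address
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.user:8} -> {f.dst}:{f.port:<5} "
              f"flat={flat_firewall_allows(f)!s:5} identity={identity_filter_allows(f)}")
    print(f"{len(over_exposed(SAMPLE_FLOWS))} flows allowed by address but denied by identity")
```

The flat firewall has to permit every destination any remote group needs, so a sales user and an unauthenticated holder of a pool address both reach the engineering and finance hosts; the filter that keys on the authenticated user or group denies those same flows while still permitting the legitimate ones, which is the scalability gain the text refers to.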
No matter how access is restricted, at some point a remote user will require sensitive information, and anyone who has implemented services for users has faced that "special case." At that point policy alone is no longer enough, and technology must take over to protect the information once it has left the protected network. Just as we look to firewalls to protect our internal networks from the Internet, we must look to technology again to keep remote systems from relaying proprietary information to unknown parties. Host-based protection software, such as personal firewalls, is not entirely new, but the growing number of attacks on personal systems has raised awareness of its existence. However, these applications are point solutions: they are installed, configured and updated one machine at a time, and they are not scalable, flexible, or centrally controlled or managed in a way that maintains a consistent security posture. In essence, each user is responsible for his or her own realized security posture.
CONCLUSION
VPNs can be enormously valuable; they can save time and money, expand access, and give organizations great flexibility in communications. However, the private link supplied by a VPN can open a virtual backdoor to attackers. Organizations that permit sensitive data to traverse a VPN potentially expose that information to a host of threats that do not exist on the protected internal network.

There are many types of VPN products available, each with its own method of establishing the connection, maintaining connectivity, and providing the services usually found on the internal network. Unfortunately, if the remote system is not dedicated solely to communicating with the central office through the VPN, but is also used for general Internet access, it must be considered extremely vulnerable: whatever compromises that system while it is exposed can later ride the tunnel into the internal network.
The Internet has grown to permeate our lives and daily activities, but
there has always been a line drawn in the sand by which separation