Managing safe and secure remote connections
By Ed Tittel and James Michael Stewart
09 Nov 2001, SearchSecurity
This column starts with the premise that companies have a strong and
vested interest in securing and managing their telecommuting
employees' home office connections to the Internet. In fact, our
guiding assumption is that such organizations want to manage and
control their remote employees' networks and connections in much the
same way that they seek to protect their corporate networks and IS
operations from unauthorized access and use. The remote security
management problem is not unlike its on-premises equivalent, except
that it is far more broadly distributed and must inevitably work with
a variety of different connection types and speeds.
Although one might hope to find a whole set of products that combine
all the necessary security, access control and connection management
features in a single package, a search of offerings available at
present is bound to be somewhat disappointing. A quick sanity check
against our initial search criteria turned up only three products
that met most of those criteria (these are documented in the article
entitled "Hitting the Target" at the conclusion of this column).
In fact, most home office connectivity products available today
appear to focus on creating and sharing LAN broadband connections
such as cable modem or DSL, rather than on protecting or managing
such connections. While these kinds of solutions may be desirable for
individual home-based or small office users, they are not well suited
when it comes to providing centralized control over distributed
remote networks or computers and their Internet connections.
It's interesting to consider a "wish list" of features and functions
that most savvy IT organizations would like to see in such products
before they could take them seriously, and deploy them effectively:
* Secure external management access: Be it to perform an initial
installation, to download updates or configuration changes, or simply
to inspect the state and operating condition of a small home
office/remote network access device, the device must support secure
remote access over SSH, secure telnet (stelnet) or some other
encrypted remote access protocol; cleartext telnet or HTTP management
would expose administrative credentials on the very links the device
is meant to protect. For routers and other manageable network
devices, such links are often provided out of band, through a dial-up
modem attached to the device's console or auxiliary port. The devices
currently available on the marketplace do not support either of these
configurations terribly well.
* Centralized security policy management: By and large, IT
organizations prefer to define a single security policy and then use
some mechanism to distribute (and update) that policy to the various
networked devices across an enterprise, with each device enforcing
its own rendering of the same rules. Remote/small office devices are
not alone in failing to support this directly (at best they require
configuration files to be regenerated for each device, and at worst
the equivalent settings must be re-entered by hand through a GUI or
command-line interface), but none of the remote devices currently
available offers this capability.
* Remote IP agent capabilities: Mobile IP (RFC 2002) permits a
workstation such as a laptop to keep the same static IP address
assignment when it moves to a foreign subnet: a home agent on the
home subnet and a foreign agent on the visited subnet set up a tunnel,
and traffic sent to the host's permanent home address is forwarded to
its current care-of address. This keeps end-to-end services such as
IPsec, voice over IP or streaming media working, since their sessions
are bound to a specific IP address and would otherwise break when
that address changed. Again, as of this writing no small home office
devices support this kind of functionality.
* Basic firewall/bastion host services are as necessary for remote
users as they are for corporate networks, including packet screening
and filtering, proxy services, stateful inspection of application
layer protocols and services, network address translation, DHCP and
so forth. The picture here is less grim; many currently available
remote devices support most or all of these kinds of functions. These
functions aren't as amenable to centralized setup and management as
most enterprises might like, but at least they're available.
* Remote control/operation: For many IT operations it's eminently
desirable that their tech support staff be able to take over and
remotely manage or control remote devices, PCs and so forth. At least
one currently available small home office device supports this kind
of capability, and we expect to see support for this kind of
capability burgeon as more service companies form "management
partnerships" with equipment vendors, or as enterprises outsource
management and technical support of their local and remote networks
to service providers.
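As an added example (not code from the column or from any of the vendors it names), the following Python simulation ties the centralized-policy and firewall/bastion items above together: one central policy is rendered into the rule list a remote site's device enforces, a default-deny stateful filter with NAT applies it, and a later policy push from the center replaces the rules without dropping established connections. The policy format, the site inventory, the NAT port scheme and all addresses are invented for the example (RFC 5737 documentation ranges stand in for corporate, remote-site and Internet addresses).

```python
"""Central policy rendered into a remote site's stateful filter. Added example, not
code from the column or any vendor it names; policy format and addresses are invented."""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress

# Hypothetical central policy, defined once by corporate IS for every site.
CENTRAL_POLICY = {
    "outbound_allow": [("tcp", 443), ("tcp", 22), ("udp", 53)],
    "inbound_allow": [("tcp", 22, "192.0.2.0/24")],  # SSH management only from the corp IS net
    "blocked_dst": ["203.0.113.0/24"],               # constructed "never reach" range
}
SITES = {"home-office-17": {"lan": "192.168.17.0/24", "wan_ip": "198.51.100.17"}}  # hypothetical


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str                                 # "out": LAN -> Internet, "in": Internet -> WAN
    proto: str
    dport: int
    src_net: ipaddress.IPv4Network | None = None   # "in" rules only: who may connect


def render_rules(policy: dict) -> list[Rule]:
    """Turn the single central policy into the concrete rule list a device enforces."""
    return ([Rule("out", p, d) for p, d in policy["outbound_allow"]]
            + [Rule("in", p, d, ipaddress.ip_network(n)) for p, d, n in policy["inbound_allow"]])


class SiteFirewall:
    """Default-deny stateful filter with NAT for one remote site."""
    def __init__(self, site: dict, policy: dict):
        self.lan = ipaddress.ip_network(site["lan"])
        self.wan_ip = site["wan_ip"]
        self.flows: dict[tuple, int] = {}    # LAN 5-tuple -> NAT source port
        self.state: dict[tuple, tuple] = {}  # expected reply 5-tuple -> (lan_src, sport)
        self.next_port = 40000
        self.apply_policy(policy)

    def apply_policy(self, policy: dict) -> None:
        """Push from the center: rules are replaced, live connection state is kept."""
        self.rules = render_rules(policy)
        self.blocked = [ipaddress.ip_network(n) for n in policy["blocked_dst"]]

    def handle(self, pkt: Packet) -> tuple[str, Packet | None]:  # ("ALLOW", forwarded) or ("DENY", None)
        if ipaddress.ip_address(pkt.src) in self.lan:
            return self._outbound(pkt)
        return self._inbound(pkt)

    def _outbound(self, pkt: Packet) -> tuple[str, Packet | None]:
        if any(ipaddress.ip_address(pkt.dst) in net for net in self.blocked):
            return "DENY", None
        if not any(r.direction == "out" and (r.proto, r.dport) == (pkt.proto, pkt.dport)
                   for r in self.rules):
            return "DENY", None                   # default deny
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        nat_port = self.flows.get(flow)
        if nat_port is None:                      # new connection: allocate a NAT port and
            nat_port, self.next_port = self.next_port, self.next_port + 1
            self.flows[flow] = nat_port           # record the one reply tuple we will accept
            self.state[(pkt.proto, pkt.dst, pkt.dport, self.wan_ip, nat_port)] = (pkt.src, pkt.sport)
        return "ALLOW", Packet(pkt.proto, self.wan_ip, nat_port, pkt.dst, pkt.dport)

    def _inbound(self, pkt: Packet) -> tuple[str, Packet | None]:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.state:                     # reply to a tracked outbound flow: untranslate
            lan_src, sport = self.state[key]
            return "ALLOW", Packet(pkt.proto, pkt.src, pkt.sport, lan_src, sport)
        src = ipaddress.ip_address(pkt.src)       # unsolicited: only explicit inbound rules apply
        for r in self.rules:
            if (r.direction == "in" and (r.proto, r.dport) == (pkt.proto, pkt.dport)
                    and pkt.dst == self.wan_ip and (r.src_net is None or src in r.src_net)):
                return "ALLOW", pkt
        return "DENY", None


def demo() -> dict[str, str]:
    """Run one site through the usual cases; returns the verdict for each."""
    fw = SiteFirewall(SITES["home-office-17"], CENTRAL_POLICY)
    ext, pc = "198.51.100.200", "192.168.17.5"   # constructed Internet host and home PC
    verdict, out = fw.handle(Packet("tcp", pc, 51000, ext, 443))
    r = {"https_out": verdict}
    r["https_reply"] = fw.handle(Packet("tcp", ext, 443, fw.wan_ip, out.sport))[0]
    r["unsolicited_rdp"] = fw.handle(Packet("tcp", ext, 12345, fw.wan_ip, 3389))[0]
    r["ssh_mgmt_from_corp"] = fw.handle(Packet("tcp", "192.0.2.10", 5000, fw.wan_ip, 22))[0]
    r["ssh_mgmt_from_internet"] = fw.handle(Packet("tcp", ext, 5000, fw.wan_ip, 22))[0]
    r["blocked_dst"] = fw.handle(Packet("tcp", pc, 51001, "203.0.113.9", 443))[0]
    fw.apply_policy({**CENTRAL_POLICY, "inbound_allow": []})   # center revokes remote SSH mgmt
    r["ssh_mgmt_after_update"] = fw.handle(Packet("tcp", "192.0.2.10", 5001, fw.wan_ip, 22))[0]
    r["https_reply_after_update"] = fw.handle(Packet("tcp", ext, 443, fw.wan_ip, out.sport))[0]
    return r
```

Calling demo() walks one site through the usual cases: an outbound HTTPS session is translated and its reply admitted because the filter remembers the flow, an unsolicited inbound connection is refused, SSH management is admitted only from the corporate IS network, and after the center revokes that inbound rule the established HTTPS session keeps working. Real devices differ in rule syntax and in how NAT ports are chosen, but the division of labour (policy authored once, rendered per device, enforced locally) is the one the column asks for.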
I could continue with this list indefinitely, but whereas the
preceding items represent core "must-have" requirements, other items
tend to fall into the "nice to have" category. Nevertheless, it's
plain that small home office device vendors haven't targeted the
remote enterprise as their primary market. As the potential of this
market makes itself known in the next year or two, we expect this
situation to change and centralized management, control and operation
of such devices to become commonplace and routine. Even cable
companies and DSL providers could benefit from an architecture that
protects users not only from external security threats, but also from
their own blissful ignorance of basic principles of network security
and management!
In the final analysis, it looks like the market for small home
office/remote connectivity solutions is heading toward a centrally
managed security and connectivity environment for remote locations,
but is only taking its first steps in that direction. These baby
steps are promising and represent a trend toward making security
concerns an important part of managing connections between employers
and employees, even when they're off the employers' premises. With
the right solution in place, this helps end-users connect remotely
with confidence that their locations are protected, while also
permitting companies and organizations to rest assured that their
remote data and communications are likewise safe and sound.
Hitting the Target
By Ed Tittel and James Michael Stewart
Of all the small home office devices that turned up, most of them
included the following features or functions:
* Simple firewall capabilities
* Simple traffic screening on domain name, IP address or port number
* Network Address Translation (NAT) services
* DHCP for LAN clients
Those products that came closest to meeting our original search
criteria also included remote management capabilities, some of which
supported centralized management from the vendor, others from a
centralized, authorized IS location inside the purchasing
organization.
The first product in this category is WatchGuard's Firebox SOHO. It
supports DSL, cable or ISDN, but an external modem is required. It can
automatically download software and security updates, and no
installation or client software is required (the box handles
everything from firmware). It can share a single connection with up
to 10 users (and is upgradeable to a maximum of 50 users). The Firebox
SOHO also acts as a hub for connected systems, and VPN services are
available as a recommended add-on feature. This device is managed
remotely by the vendor through a yearly subscription contract, and
some configuration control may be gained if the recommended VPN
software is also installed.
The second product in this category is McAfee's FireWall ASaP
(http://www.mcafeeasap.com/content/vpn_asap/default.asp). FireWall
ASaP combines the functions of a managed firewall with VPN services,
antivirus checks and content filtering capabilities, and it delivers
a general security solution that is pre-configured by McAfee to meet
your security requirements. As with the WatchGuard product, this
product is also managed and monitored by McAfee as needed; thus, if
your needs change, you must contact McAfee to implement such changes
and pay for support service on a yearly contract. This device
requires a statically-assigned IP address and is designed for use
with McAfee's ASaP VPN product. Although we were unable to find exact
details on the connection types supported, we'd guess that they
include cable modem and DSL at a minimum, perhaps along with ISDN
and/or analog telephone support, depending on the precise
configuration selected.
The third and final set of products in this category comes from Cisco
Systems (http://www.cisco.com/warp/public/cc/pd/rt/1700/) and
includes both their 800 and 1700 Series routers. These devices
support ISDN, serial connections (Frame Relay, leased lines, X.25 or
asynchronous dialup), IDSL and ADSL (modem integrated). Cisco also
allows service providers to deploy value-added services, such as
security with integrated stateful firewalls and/or IPsec virtual
private networks, third-party VPNs, integrated toll-quality voice
over IP and differentiated classes of service through Quality of
Service features. Cisco recommends setting up these routers using
Cisco 800 Fast Step, a Microsoft Windows-based configuration tool (or
by making arrangements with a service provider to do this for you).
The Cisco 800 Fast Step software ships with both types of router and
is also available on Cisco Connection Online on the World Wide Web.
Obviously, relationships with third-party service providers for small
home office security and configuration management will involve some
kind of service contract or billing relationship, but we find it
extremely interesting that Cisco built third parties into this set of
product offerings from the get-go. In fact, we expect to see this
entire market segment migrate in that direction in the next year or
two.
About the authors
Ed Tittel and Michael Stewart are both searchNetworking experts.