February 02, 2011, 1:42 PM — In the course of scores of conversations about security, I have regularly elicited a gobsmacked silence with a simple question: "How do you reliably secure access from an untrusted computer?"
We at Nemertes have interviewed hundreds of companies about a broad range of security topics and the security aspects of specific technologies. One topic that comes up again and again: secure remote access from "wild" computers, i.e., not assets owned by the organization but rather someone's personal computer, or a machine in a hotel or Kinko's somewhere.
We have had many discussions with IT folks who were busily deploying (SSL or IPsec) VPN clients, or secured Web access to various applications, or even access to virtual desktops. They were doing their utmost to secure the connections robustly without killing performance or making the system too inconvenient to use. Many of them were aiming the solutions at both trusted and untrusted machines.
However, when I ask about the security of the endpoint itself ("if it is compromised, isn't your session security compromised automatically? How do you reliably secure access from an untrusted computer?"), I get the loooong pause.
Usually the dead air is followed by an answer similar to "Yeah, I suppose so, but we have to assume it isn't compromised, dealing with the compromised scenario is low on our priority list, and right now we can't really extend our scope that far..." and so on. They have spent significant time considering the possibility of pwned workstations within their LANs, and spend time and effort working to prevent, detect, and eradicate such compromises. Unfortunately, as it turns out, they have not worked the alarmingly high possibility that a home computer is compromised into their planning. All their network encryption can come to naught in the face of a keyboard sniffer or rootkit hiding in Windows somewhere.
Very few people describe using network-access control systems to assess the health of VPN hosts as they connect. This is great for VPN hosts but not so good for Web-accessible systems or remote desktops delivered via a browser.