December 19, 2008, 10:17 AM — Road warriors wirelessly connect to the corporate network from hot spots at airports or coffee outlets. Just a few years ago, stories were common of even casual bystanders being able to eavesdrop on corporate communications made in such circumstances. As a result, Virtual Private Networks (VPNs) are now widely accepted as pretty much de rigueur for wireless use on the road.
But just how much security does a VPN provide? The answer, it seems, is "not as much as you might imagine." "People tend to fixate on the word 'private' in 'virtual private network,'" warns Jeremy Cioara, an author of five books for Cisco Press and a security instructor for training provider CBT Nuggets, based in Eugene, Ore. "They're sitting in Starbucks working at their laptop, and they think that because they're using a VPN, it's safe. It isn't."
So how should a CISO or CSO go about selecting a VPN that is safe and secure? How should it be configured and managed in order to maintain that security? And to what extent do security provisions in the layers of technology around the VPN affect the overall security of the connection it provides? As growing numbers of remote users communicate with their corporate networks via VPN-over-wireless, such questions are increasingly taking center stage. The bottom line: the real vulnerability lies not so much in the VPN itself as in the environment in which it sits.
When it comes to choosing a VPN, there is certainly a wide range of choice, and of price tags, available. For a free, open-source VPN, for instance, check out OpenVPN, which claims three million users and 150,000 downloads a month. There is also a free VPN built into Microsoft Windows XP, in the form of its implementation of the Point-to-Point Tunneling Protocol (PPTP).
Fast-growing, New York-based Castle Brands uses a PPTP-based VPN, having first weighed open-source and proprietary VPNs.
"We tried to keep the cost down, without compromising security," says director of IT Andre Preoteasa. "Throw in the up-front cost of some VPNs, the additional hardware, license fees and yearly support costs, and costs soon climb. With PPTP, if you've got Windows XP, you pretty much have it."
Initial access to the network is password-based, explains Preoteasa, with subsequent access control following role-based rules maintained on the server in the form of Microsoft Active Directory. "People can't just go anywhere and open up anything; the accounting guys get accounting access while the sales guys don't," he says.
But PPTP has well-documented shortcomings as a VPN: its MS-CHAPv2 authentication and MPPE encryption have been the subject of published cryptanalysis since the late 1990s, and because the MPPE session keys are derived from the user's password, the confidentiality of the tunnel is only as good as that password. That is one reason there are plenty of commercial standalone VPNs on the market, says information security expert Winn Schwartau, founder of security awareness certification firm SCIPP International. Client-based VPNs, as opposed to operating system-based VPNs, he notes, offer a somewhat greater degree of manageability and flexibility, at a price, of course.
"PPTP isn't ideal, but it's a lot better than nothing," says Schwartau. "And unless you've got state secrets to protect, PPTP is going to keep away a lot of the ankle-biters. The casual guy at the airport looking for low-hanging fruit is going to look at your connection, see that it's encrypted and move on. There are still just too many other low-hanging fruit out there-such as doofuses with connections that aren't encrypted."
Wireless VPNs: Complex Considerations
But when evaluating commercial-grade VPNs, the complexities multiply. Technology considerations play a surprisingly significant role in the selection process. At the Pentecostal Church of God in Joplin, Mo., for instance, IT director Don Allen found himself going with a VPN solution from Nürnberg, Germany-based vendor NCP Engineering after several of the church's senior executives acquired laptops running 64-bit Vista.
But these turned out to be incompatible with the church's existing but obsolete Cisco PIX firewalls, a discovery that led him first to Cisco's customer support, where no solution was forthcoming, and then to Microsoft's, where a fix could be found. Microsoft's recommended solution was a VPN client from a single vendor, NCP, which did turn out to work with 64-bit Vista.
"I downloaded the trial version, talked to NCP and then sent them some 200MB of screenshots," says Allen. "The next day I got an e-mail asking me to change one setting on the router, and copy a file onto each of the laptops. It worked straightaway, and I bought the licenses. We once again had secure communication, and it was much, much cheaper than buying a new router." Today, church executives routinely access the network while traveling, he reports, "and it's actually turned out to be a pretty elegant solution."
There's no suggestion that the NCP product is anything but highly secure, but such stories underline why CISOs and experts recommend that organizations see their wireless VPNs as just one plank of a much broader strategy for securing the remote laptop user. The thinking: sure, the VPN provides encrypted point-to-point connectivity, but encryption of the link is not, by itself, an assurance that the laptop or the session is secure.
A starting point, says Atlanta-based author and security expert James DeLuccia, is to have management control the laptop. "The VPN should be installed on a company-owned laptop, not a home computer, and I would then want to impose on that laptop some security policies and settings to make the VPN connection even more secure," he says.
The logic is part psychology and part pragmatism. With a corporate logo and corporate applications on the desktop, users are less likely to stray into areas of the Internet where security problems are more prevalent. Security policies then mitigate the risk further. Whether antivirus and antimalware programs are up to date can be checked automatically, and VPN connections to the corporate network refused until they are. And stronger authentication can be put in place: not just passwords, but loaded certificates, tokens or other two-factor authentication devices.
At London-based law firm Lawrence Graham, a combination of tokenless, two-factor authentication techniques help ensure secure remote VPN wireless access, says the firm's IT director Jason Petrucci. "When lawyers log on to the system remotely from a laptop, they are presented with three authentication boxes: one for their username, one for their log-on password and the last for their combined personal PIN code and passcode," he says. "SecurEnvoy is used to manage and deliver this passcode by preloading three one-time passcodes within a text message, which is delivered to the user's BlackBerry."
As passcodes are used, replacements are automatically sent to each lawyer's BlackBerry. "Our lawyers carry BlackBerrys with them wherever they go. A physical token inevitably runs the risk of being left behind or lost altogether."
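As an added example, not code from the article or from SecurEnvoy, here is a minimal server-side model of the preloaded, single-use passcode scheme the firm describes: a batch of three codes is issued to a user (standing in for the text message to the BlackBerry), a log-on submits the PIN and one passcode combined in a single field, a matched code is consumed and the batch is topped back up. The batch size of three follows the quote; the six-digit code length, the PIN format, the lockout threshold and the exact replenish-on-use behaviour are assumptions of this example, not SecurEnvoy's documented behaviour.

```python
import hmac
import secrets
from dataclasses import dataclass, field

BATCH_SIZE = 3       # three passcodes per message, as in the article's description
CODE_LENGTH = 6      # assumption: six-digit numeric passcodes
MAX_FAILURES = 5     # assumption: lock the account after this many bad log-ons


@dataclass
class User:
    pin: str                                      # memorised personal PIN (something you know)
    codes: list = field(default_factory=list)     # unused preloaded passcodes, oldest first
    used: set = field(default_factory=set)        # spent codes, never reissued
    sent: list = field(default_factory=list)      # constructed stand-in for SMS deliveries
    failures: int = 0


def new_code() -> str:
    # CSPRNG, not random.choice: the codes are the "something you have" factor
    return "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))


def replenish(user: User) -> list:
    """Top the user's batch back up to BATCH_SIZE and 'send' the new codes."""
    fresh = []
    while len(user.codes) < BATCH_SIZE:
        code = new_code()
        if code in user.codes or code in user.used:
            continue                       # keep every code unique for this user
        user.codes.append(code)
        fresh.append(code)
    if fresh:
        user.sent.append(fresh)            # one "text message" per top-up
    return fresh


def verify(user: User, combined: str) -> bool:
    """Check a log-on field holding PIN + passcode; consume the passcode on success."""
    if user.failures >= MAX_FAILURES:
        return False                       # locked: do not even evaluate the codes
    submitted = combined.encode()
    matched = None
    for code in user.codes:
        # constant-time comparison of the whole field; the loop deliberately runs
        # over every code so timing does not reveal which position matched
        if hmac.compare_digest((user.pin + code).encode(), submitted):
            matched = code
    if matched is None:
        user.failures += 1
        return False
    user.failures = 0
    user.codes.remove(matched)             # single use: a captured code cannot be replayed
    user.used.add(matched)
    replenish(user)                        # the replacement goes out automatically
    return True
```

The point of the preloading is that the user already holds the next code when the log-on happens, so delivery latency never blocks access; the server-side cost is that three valid codes exist at once instead of one, which is why the PIN is combined with the code and why failed attempts are counted.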
Multiple network connections in operation at the same time, conceivably wired as well as wireless, are another source of danger. With two open connections, warns Randy Abrams, the Seattle-based director of technical education at IT security company ESET, the laptop can become a bridge to the corporate network: an attacker reaching the laptop over the second connection can piggyback on the VPN connection and so gain access to the network.
He has also encountered instances of users downloading corporate documents securely over an encrypted VPN, only to forward them to their webmail accounts, unencrypted, over the public Internet. Worse, browser helper objects, add-on code that Internet Explorer loads alongside the browser, can contain malicious keystroke loggers that a previous malware scan would not have detected, yet that become active immediately during the session. The solution: a firm, technically enforced policy of switching off parallel network connections the moment a VPN session starts.
And a VPN session that is up does not by itself close the door. Split tunneling, in which only traffic bound for the corporate network goes through the tunnel and everything else goes straight out to the public Internet, is very common in VPN clients, warns Seth Peter, chief technology officer at Minneapolis-based security consulting organization NetSPI. "The idea is that one tunnel goes to the corporate network, and the other to the public Internet. We recommend switching the second tunnel off, so that the only way to the Internet is via the corporate network," he says. "The trouble is, we don't see enough clients do that."
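The two warnings above, parallel network paths and split tunnels, show up in the same place on the laptop: its routing table. As an added example (not code from the article, NetSPI or any VPN vendor), the following Python script reads the kind of output `ip route` produces on a Linux laptop and reports whether the VPN is carrying all traffic or only the corporate prefixes, and which destinations are still reachable outside the tunnel. The route listings are constructed for this example; the interface name `tun0` and the address 203.0.113.10 for the VPN server are assumptions. It recognises the common full-tunnel pattern in which the client leaves the physical default route in place but installs two /1 routes over the tunnel that win on longest-prefix match.

```python
import ipaddress

# Constructed sample routing tables (not captured from any system in the article).
# Coffee-shop Wi-Fi on wlan0, VPN tunnel on tun0, VPN server at 203.0.113.10 (assumed).

# Split tunnel: only the corporate 10.0.0.0/8 goes through tun0; the default
# route, and therefore the public Internet, stays on the hot spot.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# Full tunnel: the physical default route stays, but two /1 routes over tun0
# are more specific and therefore win for every destination.  Only the VPN
# server's own host route and the local LAN still go out over wlan0.
FULL_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
203.0.113.10 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""


def parse_routes(text):
    """Return (network, interface) pairs from `ip route`-style lines (IPv4 only)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dst, strict=False)
        if net.version != 4:
            continue
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((net, dev))
    return routes


def analyse(text, vpn_ifaces=("tun0",)):
    """Classify the table as 'none', 'split' or 'full' and list what bypasses the VPN.

    'full' means the tunnel routes, merged, cover all of IPv4 space; 'outside'
    lists the non-VPN routes that still win for some destinations (the VPN
    server's host route and the local LAN are expected even in full mode)."""
    routes = parse_routes(text)
    vpn_nets = [net for net, dev in routes if dev in vpn_ifaces]
    if not vpn_nets:
        return {"mode": "none", "outside": [str(net) for net, _ in routes]}
    # merge the VPN prefixes; only a union equal to 0.0.0.0/0 means every address
    # has a VPN route at least as specific as the physical default route
    covered = list(ipaddress.collapse_addresses(vpn_nets))
    full = covered == [ipaddress.ip_network("0.0.0.0/0")]
    outside = []
    for net, dev in routes:
        if dev in vpn_ifaces:
            continue
        if full and net.prefixlen == 0:
            continue       # shadowed by the /1 (or /0) tunnel routes, never used
        outside.append(str(net))
    return {"mode": "full" if full else "split", "outside": outside}


if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(name, analyse(table))
```

Two caveats a practitioner would add: the script compares prefixes only, so two competing /0 routes (tunnel and physical) would need a metric comparison as well, and it ignores IPv6, which on a dual-stack hot spot is the classic way traffic bypasses an IPv4-only tunnel even when the IPv4 table looks like the full-tunnel case.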
Given such considerations, how are wireless VPNs chosen, managed and operated in practice?
At beauty school operator Empire Education Group, headquartered in Pottsville, Pa., staff at the company's 88 schools connect to the corporate network with a Citrix VPN when they're traveling. On the network, Citrix Access Gateway "publishes" to them the applications they're approved to use, such as Word, Outlook and class databases for recording grades and attendance.
Management policies then deny users the ability to save locally during a session, forcing them to save on the network. "Users can only see the drives that are published to them, not those on their local machine," says Joseph Drasdis, Empire's vice president of IT. "From a security perspective, it's not a problem if a laptop is stolen because there's no information on it. Users have to save on the network, period."
Interestingly, he adds, Internet Explorer is also published to users from the network, which allows Empire to control which websites are accessible to employees with company laptops: a list comprising little more than Empire's own site, plus Microsoft's and a support site. The result, says Drasdis, is an ever-lower likelihood of malware encounters.
Meanwhile, at Fortune 50 insurance company MetLife, protecting against data leakage-especially in respect of client information-is of paramount importance when enabling remote wireless access, says Jesus Montano, assistant vice president of enterprise security. "The challenge is balancing people's access requirements with our overall security requirements, and then working with them to find ways of creating an effective solution without compromising security," he says.
For wireless access from airports and coffee outlets, he explains, these days that means access via a VPN from vendor Check Point, solely from MetLife-owned laptops, with log-ons protected by RSA "hard token"-based two-factor authentication. In addition to the encryption built into the VPN, all the data on the laptop is encrypted as well, he adds.
"All wireless traffic is encrypted; the devices are encrypted and wrapped around with a firewall," stresses Montano. "We think we've addressed the most obvious pitfalls in remote access, and think we've got a robust, highly engineered solution."