September 22, 2006
Vol. 28 Issue 38
Page(s) 1 in print issue
Securing Remote PC Access
New Security Services & Crypto Devices
Remote access to private company networks has been routine for telecommuters and road warriors since the bygone days of serial modems and dial-up accounts. Over time, as security threats have become more prevalent and challenging, corporate networks responded with ever-increasing layers of defense—firewalls, IPS, NAC (network access control) policies, etc.
Now, the common remote network access method for large enterprises is the VPN—a means of extending an internal network to external hosts by setting up encrypted tunnels over the public Internet. While VPNs are a secure and reliable solution, they can be expensive and complicated to install and configure, and they don't provide foolproof protection, causing many SMEs to investigate managed services for both remote access and authentication. Some of these solutions simplify deployment or enhance the security of traditional VPNs, while others offer more limited network access at a fraction of the cost.
Remote Access & Security
VPNs allow controlled penetration of internal networks from anywhere on the Internet, but they are not immune from compromise. Conventional network security resembles that of a fortified medieval castle complete with turrets, moat, and drawbridge; however, anything that penetrates the exterior fortress has unfettered access to the unprotected interior. Because VPN portals are widely accessible to any potential hacker, access controls must be strict.
Most security experts consider basic username and password protection inadequate, recommending TFA (two-factor authentication) instead. TFA uses something you know (such as a password), as well as something you have (such as a keycard) or something you are (such as a fingerprint) to verify your identity. According to Paul Stamp, senior security analyst for Forrester Research, "The more common two-factor authentication becomes, the more it starts being seen by auditors as best practice. They'll start demanding companies implement two-factor authentication, and already regulations like PCI (Visa's Payment Card Industry Security Standard) are demanding it."
TFA can be implemented in many ways, including smart cards (similar to an ATM card with a PIN), USB tokens (a flash drive with embedded crypto keys), or RSA Security's (www.rsasecurity.com) SecurID (a card or key fob that generates a pseudo-random number every minute). In order to log in to a given account, users must possess a security device assigned to that account and know the PIN assigned to the device. Given the ease of use and adaptability of USB keys, Stamp feels they will be the front runner in the future.
The complexity and expense of deploying a VPN has been a deterrent for many organizations, and while using a hardware appliance simplifies things, VPNs can still be costly—especially when used in conjunction with TFA. According to Eric Skinner, vice president of product management at Entrust, smart cards and readers or one-time password tokens can run $30 and up.
In response, Entrust (www.entrust.com) has developed a technology called the grid card, which resembles a wallet-sized bingo card with numbers arranged on a row-and-column grid and provides a highly secure, challenge-response password scheme at low cost. During login, card users enter the numbers found at the requested grid coordinates (usually three); say A5, E1, and G4. Because each card is unique and contains thousands of numeric combinations, Skinner feels the security provided is equivalent to that of electronically generated systems, yet the cards are very cheap to deploy and easy to use.
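The server side of the grid-card scheme just described, as an added example that is not Entrust's code and not from the original article: the card layout (rows A to J, columns 1 to 10), the three-failure lockout and the names used here are assumptions for illustration. The server holds the card, sends only the coordinates, accepts each challenge once, and compares the answer in constant time.

```python
import hmac
import random
import secrets

ROWS = "ABCDEFGHIJ"      # row labels A-J: an assumed layout, the article gives none
COLS = range(1, 11)      # column labels 1-10: also assumed
CHALLENGE_SIZE = 3       # the article says three coordinates are usually requested
MAX_FAILURES = 3         # lockout threshold chosen for this example

def issue_card(seed=None):
    """Return one unique card as a dict of coordinate ('A5') -> one digit.
    seed exists only for reproducible demos/tests; real cards use secrets."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    return {f"{r}{c}": str(rng.randrange(10)) for r in ROWS for c in COLS}

class GridAuthenticator:
    """Hypothetical server side of a grid-card challenge-response login."""
    def __init__(self):
        self.cards = {}       # user -> card (kept server-side, never transmitted)
        self.pending = {}     # user -> outstanding challenge coordinates
        self.failures = {}    # user -> consecutive failed responses

    def enroll(self, user, card):
        self.cards[user] = card
        self.failures[user] = 0

    def challenge(self, user):
        """Pick three distinct random coordinates; only the coordinates go out."""
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return None       # account locked: issue no further challenges
        coords = secrets.SystemRandom().sample(list(self.cards[user]), CHALLENGE_SIZE)
        self.pending[user] = tuple(coords)
        return self.pending[user]

    def verify(self, user, response):
        """Check the digits the user read off the card; a challenge is usable once."""
        coords = self.pending.pop(user, None)
        if coords is None or self.failures.get(user, 0) >= MAX_FAILURES:
            return False      # no live challenge (replay), or account locked
        expected = "".join(self.cards[user][c] for c in coords)
        if hmac.compare_digest(expected, response.strip()):
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        return False
```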
VPNs are facing increased competition from newer Web-based services that have spawned from the remote-control PC software business. According to IDC's Stephen Drake, "Over the last few years, several vendors, including existing remote-control providers, have brought back the concept of remote access in a services model but in a manner where users can leverage their desktops anywhere they can get Internet access, with little to download. It's being framed as a VPN alternative or complement." These services, including GoToMyPC (www.gotomypc.com), PCNow (pcnow.webex.com), I'm InTouch (www.imintouch.net), and LogMeIn (logmein.com), which run about $100 to $200 per PC per year, provide access to a Windows desktop, remote files, and even printers, via a browser or small applet.
Given the newness of remote-access services, security is still a concern. Most don't yet offer TFA, although GoToMyPC and PCNow offer proprietary methods for one-time passwords. Another drawback, according to IDC's Drake, is that the inherent need to keep a PC on and running to access files also raises a number of security concerns for organizations, which include access issues as well as the physical presence of a device remaining within an office.
A new offering, MobiNET from Route 1 (www.route1.com), couples the convenience of Web-based remote desktop services with extreme security. MobiNET works in conjunction with its MobiKEY USB crypto key to provide TFA access to a remote desktop without requiring installation of any additional software, drivers, or network stacks—everything is run off the MobiKEY.
According to CEO Andrew White, Route 1's service has a number of advantages over VPNs. VPNs only secure the transport of data; however, a contaminated remote PC can infect the entire corporate network. He also notes that because the product launches off the USB key and runs in protected memory, it isn't tied to one PC (like most VPN installations), and it doesn't leave behind any potentially sensitive files or logs on the host machine. White notes that remote access has been deemed one of the top 10 disruptive technologies; however, security is a concern for most IT managers. "Part of our hurdle with potential customers wasn't how well it worked but how secure it is," he says.
Another hurdle is the administrative complexity of another account database. To the rescue are a number of managed PKI services that alleviate the burden of installing directory servers and managing accounts and keys. Vendors such as Cybertrust, Entrust, and VeriSign centrally provide the PKI infrastructure that can then be used to authenticate users with most VPN hardware platforms—typically using HTTP, LDAP, or RADIUS directory queries.
Consider The Options
SMEs have a plethora of technology and service options when designing a remote-access solution for employees. For maximal flexibility and accessibility, traditional VPNs relying on PKI-based TFA are the preferred approach. VPN appliances have greatly simplified the network implementation, while managed PKI services can provide increased security while eliminating the need to staff dedicated security experts. For those with more limited remote-access needs, a number of Web-based remote desktop products are available; however, their security is not yet as robust as a PKI-backed VPN. Finally, newer remote-access services such as Route 1's MobiNET promise to combine the simplicity of a managed Web service with military-grade security.
by Kurt Marko
Remote-Access Security Services

| Company/URL | Product | Description |
|---|---|---|
| Remote Desktop | | |
| 01 Communique | I'm InTouch | Allows connection to home or office computers to run programs; transfer files; manage email, contacts, and calendar events; and print remote documents locally |
| Route 1 | MobiNET | Manages a user's identity and authorized services by issuing RSA digital certificates to subscribers; works with MobiKEY |
| Managed PKI | | |
| | Managed PKI | Enables companies to issue digital certificates for use with common applications; applications include client authentication to secure email, digital signing, and VPN |
| | Managed PKI | Includes management functions such as high availability, disaster recovery, automated failover, and network protection |
| Portable Crypto Devices | | |
| | eTokens | Can be used for one-time password authentication, simple sign-on, Web sign-on, network logon, or as part of a larger PKI implementation |
| RSA Security | Smart Cards & USB Authenticators | User's digital credentials are stored for secure login to the user's PC and network and application environment |