Soft-centred security
Posted on 15 Jun 2007 at 11:23
Steve Cassidy follows up last month's summary of hardware VPNs with a look at software VPN-based network designs.
I've seen laptop VPN systems that require typing in a one-time, one-minute, number-based password from a separate encryption key "calculator" device, and which restrict any use of the internet except through the corporate proxy once the link is established. While this may be the best way for the LAN admin to get to sleep at night, it made that particular product almost instantly useless once wireless internet access became largely pay-per-hour, because you had to start your wireless surfing session over an unsecured connection to a local proxy, which would demand your credit card details before letting you go further.
2 Software client to software product
Not much apparent difference as far as the user is concerned: with most of these systems, the laptop user runs a small local utility that sets itself up with a local private Ethernet address and then makes a connection through the internet (however that may be presented - wired, wireless or cellular) back to the office LAN. The actual difference is that the endpoint for that connection isn't the firewall or router that forms the remote LAN's border device: it's actually a full remote server that runs the company's normal server operating system, but with an extra service installed dedicated to the business of receiving calls from VPN clients. With the dedicated hardware option, it's generally the case that one very smart gateway device handles all the work, but in this case the gateway simply hands traffic on to the server that then handles authenticating the remote user and spoofing their traffic, so that the rest of the LAN users think they're talking to a local machine.
I hate this option, not because there's anything wrong with the design in theory, but because of what actually happens in practice. This design is frequently chosen by middle-sized businesses, because their tech team doesn't fancy scaling the lumpy learning curve of a dedicated hardware device, or because they're Jesuitical about following the Microsoft One True Way. Most commonly, these guys look rather askance at the admittedly difficult-to-master internet and firewall standards, and hence make use of as few features in their internet gateway as they can get away with. It's in such situations that I find firewalls ("oh yes, we've got one of those") set up so that 1-to-1 NAT passes all external traffic to all internal PCs, just so one server can be used as the VPN traffic endpoint - and because the chief techie couldn't be bothered to understand what "1-to-1 NAT" actually means. Not so much a firewall then, but rather a source of hot air, almost sufficient to lift a balloon, all because "this was how our ISP told us to make the VPN work". (In defence of maligned ISPs, I've yet to hear of a single ISP support department script that ever said anything of the sort about 1-to-1 NAT.)
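The 1-to-1 NAT mistake described above is easy to spot in a gateway's NAT table, because a DNAT rule with no protocol or port restriction forwards every port to the internal host. The audit below is an added example, not code from the column; it assumes an IPsec-style VPN (IKE on UDP 500, NAT-T on UDP 4500, ESP) behind a Linux gateway, and the iptables-save lines and addresses are constructed for illustration.

```python
import re

# Constructed iptables-save nat-table rules (not from the column).
# 203.0.113.10/11 are public addresses; 192.168.1.x are internal hosts.
WEAK_RULES = """
-A PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -d 203.0.113.11/32 -j DNAT --to-destination 192.168.1.20
"""
# Only the VPN protocols, only to the one VPN server.
CORRECTED_RULES = """
-A PREROUTING -d 203.0.113.10/32 -p udp -m udp --dport 500 -j DNAT --to-destination 192.168.1.10:500
-A PREROUTING -d 203.0.113.10/32 -p udp -m udp --dport 4500 -j DNAT --to-destination 192.168.1.10:4500
-A PREROUTING -d 203.0.113.10/32 -p esp -j DNAT --to-destination 192.168.1.10
"""

DNAT_RE = re.compile(r"-A PREROUTING .*?-j DNAT --to-destination (\S+)")


def parse_dnat(rules):
    """Extract (target host, protocol, destination port) from DNAT rules."""
    entries = []
    for line in rules.strip().splitlines():
        m = DNAT_RE.match(line.strip())
        if not m:
            continue
        proto = re.search(r"-p (\S+)", line)
        dport = re.search(r"--dport (\S+)", line)
        entries.append({"target": m.group(1).split(":")[0],
                        "proto": proto.group(1) if proto else None,
                        "dport": dport.group(1) if dport else None})
    return entries


def audit(rules):
    """Return findings for DNAT rules that expose more than a VPN endpoint needs."""
    findings = []
    entries = parse_dnat(rules)
    for e in entries:
        if e["proto"] is None:
            # No -p at all: this is 1-to-1 NAT, every port on the host is reachable.
            findings.append(f"{e['target']}: 1-to-1 NAT, every port reachable from the internet")
        elif e["proto"] in ("tcp", "udp") and e["dport"] is None:
            findings.append(f"{e['target']}: all {e['proto']} ports forwarded")
    targets = {e["target"] for e in entries}
    if len(targets) > 1:
        # A software VPN needs one endpoint server, not the whole LAN exposed.
        findings.append(f"traffic forwarded to {len(targets)} internal hosts; a VPN needs one endpoint")
    return findings
```

Run `audit(WEAK_RULES)` to see the three findings the column complains about; `audit(CORRECTED_RULES)` returns an empty list.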
Then there are those gateway devices the size of a matchbox, bought for £200 with a P166 processor inside, with all the company's servers hanging off its single DMZ port because otherwise "the chairman can't see his files when he VPNs in". Everyone else's traffic has to stagger through this matchbox firewall just to get to the servers. More than once I've seen this sort of setup spend tens of thousands of pounds converting everybody to Terminal Services, not because that's how their VPN users work, but because otherwise nobody inside the LAN can get more than a trickle of data per second.
These are only two of the diverse ways in which a software-to-software VPN deployment can push the mind of an in-house techie beyond his limit of comprehension, and more often than not the result is truly terrifying. In defence of these pressurised and overworked techies, a common species in the medium-sized business sector, there are reasons why such poor choices are made. In particular, the hardware firewall vendors seem to have decided to operate a "progressive reveal" pricing model, whereby the price you pay for a small-business firewall ends up being about one-fifth of what it really costs to run said device with lots of clients, authenticating them all remotely by talking to a local Active Directory resource and running its own key or certificate-exchange system.