What We’re Reading, Week of 6/22

SearchSecurity…
Cloud computing security: Choosing a VPN type to connect to the cloud
Friend of NCP, Diana Kelley, analyst at SecurityCurve is writing a series on cloud computing security. In this 1st part series, Diana drills down and discusses the specifics regarding devices that connect to the cloud, and how VPNs affect cloud security. The article takes point-to-point into perspective, as opposed to whether or not SSL or IPSec is best suited – there are varied uses for each within Kelley’s article. Well worth a read and it begs the bigger questions of, “is VPN really a factor for applications living in a cloud, or is securing the applications themselves really the issue”? For example,

“VPN types include network-to-network, multiple service host-server, to single-service host-server. Each of these implementations can be used in a cloud computing environment, and each has security strengths and weaknesses. The oldest VPN technology is the network-to-network VPN. This architecture has the greatest risk associated with it, due in part to the number of hosts involved. While this architecture would not likely be used in the client-to-cloud connection, it could be used within the cloud, especially with server farms or mashups.”

What are your thoughts on cloud computing security?

what we’re reading, week of 6/15

End-Point Security.Info…
Employees Couldn’t Care Less about Data Security
Gathering information from the Ponemon Institute, Agent Smith provides shocking statistics about employees and their security practices. So how does this list relate to VPNs? I’m glad you asked! Users will bypass cumbersome VPN policies if they can get away with it. Network admin’s need to look at their policies and how the technology they use supports these. Do they hinder the user? Can the user change settings? Will you be able to tell something has been changed? User education and centrally managed policy enforcement are key for VPNs.

Datamation…
Fixes for Wi-Fi Hotspot Annoyances
Are you always on the go? Do you get frustrated with WiFi? Eric Geier provides travelers tips when connecting wirelessly. Going one step further, VPN Haus recommends making sure you’re mindful of man-in-the-middle attacks which are all too common at hotspots. If you have a run-of-the-mill VPN client, chances are high that data packets are being allowed access to your device while the client authenticates you to the network. A better solution is to find a VPN client that forces the network to authenticate itself to your device. No data transfer and now man-in-the-middle.

WindowsSecurity.com…
What’s in the Windows 7 Firewall?
Deb Shinder previews the Redmond’s newest firewall and offers configuration tips. We have to ask, “With W7 pushing IPSec VPN on the masses, what good is a built-in firewall without central policy control”? Exhibit A: Agent Smiths’ post. The W7 firewall is, in effect, a personal firewall that the user, well, uses! We’re sure it’s a good firewall although we have to question the lack of central management.

Browser-based Backdoor Attack for SSL?

Read an interesting post last week on ThreatPost, New attack class exploits intranet weaknesses. Dennis Fisher reports on a new class of attacks caused by organizations using non-routable IP space on their internal networks—including an attack that compromises VPN users through the use of a persistent JavaScript backdoor. The research was done by Robert Hansen, Amit Klein and HD Moore.

It appears to us the attacks are subject to SSL rather than IPSec VPNs because it is browser-based. Moreover, the diagrams look like the attacks originated inside the network. We can’t be sure based solely on the paper. Can anyone clarify or have opinions on this research paper?

what we’re reading, week of 6/8

Rational Survivability…
Most CIO’s Not Sold On Cloud? Good, They Shouldn’t Be…
Chris Hoff reports on a study that states dearly two-thirds of CTOs and CIOs are not adopting or planning to adopt the cloud. Hoff believes people should not rush in to adopting such methods, as the cloud is an operational model, not a technology.

eWeek…
Is Mobile Security an Oxymoron?
Andrew Garcia tests the new iPhone mobile applications as it encrypts information through the air. Results varied, and with that Andrew suggests users take some time to consider what their device is broadcasting to anyone nearby when on Wi-Fi hot spots.

Developing Security…
Are hackers partially schizophrenic?
Justin Foster puts forth the idea hackers are partially schizophrenic (“a mere- unprovable observation”). Justin compares the two as his reasoning.

VPN Horror Stories

We asked network admin’s on LinkedIn and Twitter to share their VPN horror stories with us and here are a few we thought you’d enjoy (or cringe at!).

1. Scenario: Choosing the default IP ranges to set up the ADSL modem at BOTH ends

Picture a whole swarm of dialup laptop users beginning to change to ADSL connections at home while changing the gateway to the 10.x.x.x

One by one remote users complained the VPN was down however the Internet was working just fine. Days go by before it is discovered that a popular brand of modem is the source of the trouble. The default setups were all IP 192.168.1.1, masked 255.255.255.0 or in the worse case 10.0.0.1, 255.255.0.0. Changing the 10.0.0.1/255.255.0.0 fixed the problem – but what a mess trying to figure out that this was the trouble.

Moral of the story: avoid the defaults in the office and set a standard for work from home equipment connecting to business networks.

2. Scenario: Screen saver of terminal servers over VPN with chargeable bandwidth

Our remote warehouse uses a VPN through Terminal Servers. Thin clients were used for years without any problems, then, out of the blue came a very expensive bill for 5 GB of additional data use arrives. I looked for the usual suspects on the Internet logs: You Tube, MP3, Napster, virus / hacking etc, and nothing. Remote controlling the client sessions didn’t show anything either. Hardware tests were all negative too. The next month, yet another bill, but this time for 15 GB of excess data…. Turns out that someone set up a screen saver on the thin clients with a fireworks display that was being transmitted through the VPN at about 1mb per minute. Turned out to be one VERY expensive screen saver!

3. Scenario: Backtracking / organization of a setup

We configured all the VPN PtP site endpoints in a circle—all with the same parameters with no filtering whatsoever (i.e. all sites could reach each other). Each of the parameters for the separate VPN clients were configured as point-to-multipoint into the network and setup user logs from home and had access to the entire corporate network, unfiltered. It was the wild west of VPNs! Of course, with this setup, the admin didn’t have any documentation (or clue) as how to track back the problem when things started to go down.

Thanks to everyone who shared their VPN horror stories with us. If you have a VPN story you’d like to share drop us a line DM us on Twitter.