Inside and outside the network perimeter

Posted: June 19, 2008 in Posts, Rethink Remote Access

Frank Cassano has written a series of posts at BlogInfoSec titled “Assessing Your Organization’s Network Perimeter” (see Part 1 and Part 2). We had a quick chat with NCP’s Rene Poot to get his perspective on Cassano’s analysis. Here’s what Rene had to say:

What should be mentioned as (one of the many) details would be that users within a company using WLAN although physically within the confines of the building are to be treated as remote access users. Someone outside on the street with a laptop and a malicious intent should be able to detect and possibly participate within the WLAN if not secured enough, as if they’re within the building and as one of the users. It’s therefore imperative to realize that physical and virtual perimeters do not necessarily coincide!

Another point would be how far do I want to ‘extend the perimeter’ and use the right ‘technology’ to fulfill the requirements:

Incidental access to internal resources can best be facilitated with SSL-VPN access. This allows for a limited access to internal resources by those that need it; such as suppliers/consultants/contractors and so on. This doesn’t require the user to install a ‘client’, but merely downloads the code within the browser and uses the browser to access the internal resources, and this access can be carefully controlled centrally on the SSL-VPN gateway.

Conversely a full time employee may require to have access to the ‘regular’ resources he would normally have at his desk, while he’s on the road. An ‘full access’ or ‘LAN emulation’ (working remotely as if one is sitting at one’s desk) VPN solution would be a better suited option. This would imply that the latter’s work platform is secured; not only the communication between the two points, but the remote user’s device has become an extension to the corporate network perimeter; and thus should be protected accordingly. Why attack the corporate ‘perimeter’ firewall, when one can attack and possibly use a remote access user’s machine as a stepping stone into the corporate network?!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s