Archive for September, 2009

What We’re Reading, Week of 9/21

Posted: September 24, 2009 in Highlights

The Forrester Blog | Infrastructure & Operations Professionals…
It’s Flu Season, Connect AND Optimize Your Workers
As businesses prepare for office closures due to H1N1 (and other potential disasters), friend of NCP Chris Silva reflects on employees' remote connectivity experiences and asks how much they affect productivity. Beyond raw speed and responsiveness, remote access needs optimization so that employees actually have the resources they require. Chris leaves us with some food for thought: the next time you log on remotely, 'take note of the experience; is this the way your entire organization should be served in the event of a disaster'?

10 Must-Have Steps for an Effective SMB Information Security Program
Linda Tucci discusses The National Institute of Standards and Technology’s guide to help small businesses and organizations implement an effective information security program. It lists 10 absolutely necessary actions a small business should take to protect its information, systems and networks, along with 10 highly recommended practices. It also includes a short section on contingency and disaster recovery planning, as well as business policies for information security. This is a great resource for small businesses to turn to; do you feel these tips are valuable?

New US healthcare rules criticized by encryption experts
Agent Smith reports on the new data breach notification rules, which became effective September 23rd. Under the HITECH Act rules, HIPAA-covered US health organizations that encrypt protected data are no longer required to notify individuals when that data is breached; only covered healthcare providers and health plans that do not use encryption must send breach notices. Encryption experts are criticizing this safe harbor because individuals whose information was exposed may never learn of the breach. To read more on this topic, check out Information Security Resources.

Pat the Device Down

Posted: September 22, 2009 in Endpoint Management, Posts

Read an interesting article on InfoWorld earlier this week about the iPhone falsely reporting to Exchange that it supported the security policies pushed to it, including on-device encryption. While the iPhone has since been updated and fixed, the miscommunication with Exchange servers raises a larger question: should the server do more than simply query the device client and trust the answer, and should the enterprise VPN take on a NAC function through a device 'pat-down'?

Performing a full 'pat-down' before permitting a VPN connection, the NCP Secure Enterprise Management System examines the actual individual device rather than relying on a standard set of self-reported answers. NCP's 'pat-down' checks that security software is up to date, that the right form of encryption is in use, that firewall settings are enabled, and that the machine complies with the pre-set network policy enforcement parameters. By running this pat-down, the administrator can be confident that employees' devices are compliant, and users of devices that are not are alerted to take the steps needed to reach compliance. Without an endpoint device 'pat-down', enterprise remote access can be compromised, just as the InfoWorld article illustrates.

For more information on this issue, check out a recent article published in Processor or visit

What We’re Reading, Week of 9/14

Posted: September 18, 2009 in Highlights

Cloud security through control vs. ownership
Guest writer and analyst Andreas M. Antonopoulos explains the complexity of cloud computing security from an auditor's point of view. As cloud computing becomes mainstream, the questions of location, ownership and control become major concerns. In response to these concerns, Andreas raises an interesting point: "We do not need to own the assets in order to exert security, any more than we need to own the Internet in order to trust a VPN". What are your thoughts on Andreas' point? Do you agree or disagree?

Network Computing…
Does Windows 7 Make VPNs Obsolete?
Blogger Alexander Wolfe describes Windows 7's DirectAccess and Windows Server 2008 R2. There are clear benefits to the DirectAccess feature; however, if your company does not upgrade its servers to 2008 R2, you are out of luck. NCP Secure Entry Client does not require this upgrade and will work with existing equipment.

Inside INTEROP Blog…
Working the Mobile Enterprise
Blogger Curt Franklin loves his iPhone, but expresses his concern about the security issues associated with it, particularly when using it for work. With employees accessing confidential documents on their phones (and laptops), it is important to protect your information with encryption, one-time password (OTP) tokens and certificates through a VPN, so that information cannot be intercepted and remains private.


Posted: September 17, 2009 in 64-Bit, Posts, Windows 7

NCP has recently been selected to provide endpoint security solutions for Texas-based YES Prep Public Schools. The school's IT manager needed a secure VPN solution that would not only allow staff access to the intranet, but also the flexibility to integrate with existing and future devices and operating systems. NCP Secure Entry Client provided 64-bit support for accessing the network and prepared the school for its migration to Windows 7.

As we've blogged in the past, the need for endpoint security is critical for school systems. Security breaches do affect this market: attackers gain access to students' personal records, internal school documents and other confidential data. Educational institutions need to be aware and take action to protect their networks, and an effective way to do this is with a VPN.

NCP's universal client gives YES teachers secure, always-available communication with the intranet, where they can access lesson plans and student files immediately. It also enables YES staff to stay in contact with each other across the school's seven locations. This access matters to YES because it helps give students the quality education they deserve. The entry client saved YES from downgrading its 64-bit machines to 32-bit, and the client will work on the new operating system, Windows 7.

For more information on this issue, check out a recent article published in Processor.

Having trouble connecting to the network when you are on the road? Don't worry, you are not alone. When traveling, many users report to their network administrators that they cannot access the company's network. Employees complain that they had a connection and it was dropped; that they were connected but had no VPN access; or that no connection could be made at all. All of these can be symptoms of overlapping subnets.

An overlapping subnet occurs when the network the VPN client is sitting on uses the same private IP address range as the network behind the VPN gateway, so the two sets of addresses 'overlap'. For example, the hotel router assigns your machine an address from a private range that the office network also uses. When the client connects, it uses the source IP address it currently has, which belongs to the hotel network. The gateway (and the client's own routing table) treat that address as internal (local) to the office, so the subnets overlap and the VPN connection is denied, or traffic meant for the office is sent onto the hotel LAN instead.
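To make the overlap concrete, here is an added example (not NCP's code) that checks a client's locally attached subnets against the networks the VPN gateway routes through the tunnel, and shows which way the host's longest-prefix-match routing would send a packet. The hotel interface and corporate network list are constructed sample data.

```python
"""Detect overlapping subnets between the local LAN and networks reached via the VPN.

Added example for this post, not NCP's code. The hotel interface and corporate
network list below are constructed sample data.
"""
from ipaddress import ip_address, ip_interface, ip_network

# Constructed: the address the hotel DHCP server handed the laptop, and the
# subnets the VPN gateway pushes as reachable through the tunnel.
HOTEL_IFACES = ["192.168.1.23/24"]
CORP_NETWORKS = ["192.168.1.0/24", "10.10.0.0/16"]


def find_overlaps(local_interfaces, vpn_networks):
    """Return (local subnet, VPN subnet) pairs that share address space."""
    hits = []
    for iface in local_interfaces:
        local_net = ip_interface(iface).network
        for remote in vpn_networks:
            remote_net = ip_network(remote)
            if local_net.overlaps(remote_net):
                hits.append((str(local_net), str(remote_net)))
    return hits


def route_for(destination, local_interfaces, vpn_networks):
    """Longest-prefix match: where would the host send a packet for `destination`?

    Returns (via, matched network). When a directly connected LAN and a VPN
    route have the same prefix length the choice is ambiguous and depends on
    the OS's route metrics; that is the "connected, but no VPN access" case.
    """
    dest = ip_address(destination)
    matches = []
    for iface in local_interfaces:
        net = ip_interface(iface).network
        if dest in net:
            matches.append((net.prefixlen, "local LAN", str(net)))
    for remote in vpn_networks:
        net = ip_network(remote)
        if dest in net:
            matches.append((net.prefixlen, "VPN tunnel", str(net)))
    if not matches:
        return "default route", None
    longest = max(m[0] for m in matches)
    best = [m for m in matches if m[0] == longest]
    if len(best) > 1:
        return "ambiguous: " + " vs ".join(f"{via} {net}" for _, via, net in best), None
    return best[0][1], best[0][2]


def check_client(local_interfaces, vpn_networks, test_hosts):
    """Summarise what a client would see before it even tries the tunnel."""
    report = {"overlaps": find_overlaps(local_interfaces, vpn_networks), "routes": {}}
    for host in test_hosts:
        report["routes"][host] = route_for(host, local_interfaces, vpn_networks)
    return report


if __name__ == "__main__":
    r = check_client(HOTEL_IFACES, CORP_NETWORKS, ["192.168.1.50", "10.10.5.5"])
    for local, remote in r["overlaps"]:
        print(f"overlap: local {local} vs VPN {remote}")
    for host, (via, net) in r["routes"].items():
        print(f"{host:15} -> {via} {net or ''}")
```

A client that runs this check before dialing can tell the user (or the help desk) that the hotel LAN collides with the office range, rather than reporting a generic connection failure. The usual mitigations are to number the office network from an uncommon RFC 1918 range that hotels and home routers rarely use, or to have the client install more specific routes for the tunnel.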

Here is a technical description NCP shared with us:

IPsec includes two negotiation phases; phase 1 authenticates and negotiates a secure channel to set up a Phase 2 tunnel. Phase 1, 'ISAKMP/IKE', takes place over UDP 500. Once the negotiations have taken place, one or more IPsec tunnel(s) are created in Phase 2 between the two peers (the client and the gateway). Traffic is sent using ESP (Encapsulating Security Payload) frames, which are not within UDP or TCP; ESP is IP Protocol 50, something 'parallel', as it were, to the aforementioned TCP or UDP. However, if there's a router or firewall in between that performs Network Address/Port Translation (aka Network Address Translation), these packets will either be dropped or modified (modified meaning tampered with, and therefore dropped by the gateway or client). Some routers/firewalls allow for 'ESP pass-through', meaning these ESP frames will not be dropped and it'll work.

99% of the time there is going to be NAT performed on the packets. In order to circumvent this problem, the ESP frames are wrapped inside UDP packets, which may be modified/touched by the routers. Once they arrive at either of the two peers, the outer (modified) UDP headers are stripped off, revealing the untouched ESP frames, which can then be processed. This UDP encapsulation is called NAT-Traversal, or NAT-T.

Back to our original definition: IPsec uses UDP 500 and ESP frames, the latter of which may be encapsulated within UDP 4500 (or a variable port; other gateways sometimes use UDP 10000).

We will follow up on this topic with a solution in a later post. Stay tuned.