Haus is starting a series of posts looking at how to rethink remote access. We have asked IT experts with no affiliation to us to share their thoughts with you.
In this post, Chris Larson, President of WICA Technologies, shares his ideas on remote access policy. WICA Technologies is an application development company that treats security as part of application development itself, and that believes a fundamental understanding of network and application security is a must for any developer.
“[Remote access policy] depends on the target audience more than anything else. Different scenarios require different approaches, as is often the case. Factors such as cost, number of users and levels of security are always considerations that need to be analyzed. Remember that no matter how good the solution, there is always the possibility of vulnerabilities and unwanted intrusion. However, the most basic policies should always involve the following aspects:
Written remote access policy and agreement
Any good policy starts with defining what the policy is and providing a business use-case for developing the technical requirements. It could be as simple as ‘You are permitted to access remote resources from any computer, provided you are careful’ to ‘You must use only approved, company-provided hardware and software when accessing remote resources.’ Remember that small companies may need to be more flexible in what an end user can do than a large, structured corporate environment. Enforcement here is a matter of HR providing the document(s) to the manager or end user, having them sign an acceptance of the policy, and keeping that document on file. Abuse of the policy is grounds for revocation of remote access or even termination.
Encrypted connection from endpoint to endpoint
Ensuring security during the transmission of data across public lines is a must no matter what. Whether this is an on-demand VPN software solution, SSL via a web browser, the built-in encryption of GoToMyPC, or a more dedicated router-to-router VPN, some form of encryption is a best practice in all remote access scenarios.
Limiting the activities of all users based on a role-based security policy
Ensuring that the security policy for each user accessing remote resources is properly defined, and that it supports such things as not allowing end users to shut down remote access servers and preventing users from installing rogue applications, provides a safer and more stable environment for all end users.
In an ideal solution where cost is no object, you would have point-to-point networking configured at the router level so that everything was transparent to the end user. I would still recommend a VPN as part of that communication. Aside from simple encryption, the VPN provides an IP address to the client that emulates an IP address within the private network. Using VLANs, the remote users can be segmented away from the true internal network to further limit the access available to them.
For highly secure installations, NAC offers an additional layer of security that is more easily manageable than such primitive techniques as MAC address filtering and IP restricting. I would further look at remote devices requiring biometric authentication rather than keyboard or smart card access to a workstation. I would combine that with RSA security tokens to ensure that there are two security devices required to log in. Unless someone chopped off a finger and stole the token, that workstation would be locked down fairly well.
Security should always be equal to the perceived value of the organization from an outsider’s perspective. A beer distributor is generally a far lower value than a technology company, even if they are of approximately the same size. An advertising company, especially one that works with large organizations, even when significantly smaller than comparable businesses, is a very high value target.
Security is 90% perception, 10% implementation. If the perception of the security is impressive, most people will not bother with trying to break it. They simply do not care. However, those who make a living by attacking security and opening holes to get information are not going to rely on packet sniffing and bandwidth monitoring to gain access if they REALLY want to get in. It is generally easier to put a Trojan Horse on a system inside the network that calls out to a workstation than to try and penetrate from the outside in.”
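The segmentation Larson describes for VPN users (a remote-user segment kept apart from the true internal network, with only the access they actually need) has to be enforced somewhere, and in practice that is a filtering policy on the VPN gateway between the remote segment and the LAN. The following nftables ruleset is an added example written for this post, not something from WICA Technologies or from the original interview. Every address, interface name and host role in it is an assumption: clients land on `wg0` in 10.8.0.0/24, the internal LAN sits behind `eth1` as 10.0.10.0/24, and the only permitted destinations are a file server, a terminal server and a DNS resolver.

```nft
#!/usr/sbin/nft -f
# Added example policy for a VPN gateway that segments remote clients.
# All names and addresses below are assumptions for illustration:
#   wg0   - VPN tunnel interface; clients are assigned 10.8.0.0/24
#   eth1  - interface toward the internal LAN 10.0.10.0/24
#   10.0.10.5 file server (SMB), 10.0.10.6 terminal server (RDP),
#   10.0.10.2 internal DNS resolver
# 'flush ruleset' wipes any existing rules; load this only on a host
# whose entire firewall is meant to be this file.
flush ruleset

table inet remote_access {
    # Explicit allow-list of host . port pairs a remote client may open.
    # Anything not in this set is unreachable from the VPN segment.
    set internal_allowed_tcp {
        type ipv4_addr . inet_service
        elements = { 10.0.10.5 . 445,     # SMB on the file server only
                     10.0.10.6 . 3389 }   # RDP to the terminal server only
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Packets belonging to sessions already permitted may continue.
        ct state established,related accept

        # VPN -> LAN: new TCP sessions only to the allow-listed pairs.
        iifname "wg0" oifname "eth1" ip saddr 10.8.0.0/24 ip daddr . tcp dport @internal_allowed_tcp ct state new accept

        # VPN -> LAN: DNS to the internal resolver, nothing else on UDP.
        iifname "wg0" oifname "eth1" ip saddr 10.8.0.0/24 ip daddr 10.0.10.2 udp dport 53 accept

        # Remote clients must not reach each other through the gateway
        # (a compromised laptop should not be able to pivot to another).
        iifname "wg0" oifname "wg0" drop

        # Everything else, including the LAN initiating connections toward
        # remote clients, is logged and dropped by the chain policy.
        log prefix "remote_access drop: " counter drop
    }
}
```

Two design points are worth noting. The default policy is drop, so a new internal service is invisible to remote users until someone consciously adds its host and port to the set, which is the role-based limiting Larson calls for applied at the network layer. And the LAN-to-VPN direction is not opened at all: remote clients are treated as less trusted than the office network, so only sessions the client initiated (and that the allow-list permitted) can carry traffic back to them.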