Posts Tagged ‘Firewall’

VPN Haus recently spoke with Rainer Enders, CTO of NCP engineering, about multi-tenancy in VPNs and its advantages. In the final post of this two-part series, we look into some of the drawbacks of multi-tenancy and what it all means for enterprise users. For part one, click here.

Q: Are there any disadvantages to deploying a multi-tenant network? What are they, and how can they be mitigated? 

Enders: The main disadvantages of multi-tenant networks come into play at the backend. Great care must be taken that data domains are not breached, which would allow unauthorized access to occur and potentially result in data leakage. From a technical standpoint, data domains must be shielded against unauthorized access in multiple ways, implementing the classical defense-in-depth approach. This can be accomplished by building software/virtual firewalls around the virtual containers. Those firewalls allow for filtering of customer-assigned address spaces as well as protection against traffic that originates in adjacent domains from co-located VMs. Additionally, implementing an integrated AAA approach is mandatory to enforce strict user and device authentication. Centralized authorization and provisioning systems play a key role in this strategy.
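To make the per-container firewall idea concrete, here is an added example (not code from NCP or from the interview) of the decision logic such a virtual firewall would apply: each tenant owns an assigned address space, traffic between data domains is denied unless a specific service is whitelisted, and a packet leaving a tenant's container with a source address outside that tenant's space is treated as spoofed. The tenant names, prefixes and permitted services are constructed values.

```python
"""Virtual firewall between tenant data domains: default deny across domains."""
from ipaddress import ip_address, ip_network

# Constructed example: each tenant's assigned address space (hypothetical values).
TENANT_SPACES = {
    "tenant-a": [ip_network("10.10.0.0/16")],
    "tenant-b": [ip_network("10.20.0.0/16")],
    "shared-services": [ip_network("10.0.0.0/24")],  # provider-run AAA, DNS, etc.
}

# The only flows permitted to cross a domain boundary:
# (source tenant, destination tenant, protocol, destination port).
ALLOWED_CROSS_DOMAIN = {
    ("tenant-a", "shared-services", "udp", 53),    # DNS
    ("tenant-b", "shared-services", "udp", 53),
    ("tenant-a", "shared-services", "tcp", 636),   # LDAPS to the central directory
}


def tenant_of(addr):
    """Return the tenant whose address space contains addr, or None if unassigned."""
    a = ip_address(addr)
    for tenant, nets in TENANT_SPACES.items():
        if any(a in net for net in nets):
            return tenant
    return None


def is_spoofed(container_tenant, src):
    """Anti-spoofing at the container edge: egress must carry the tenant's own addresses."""
    return tenant_of(src) != container_tenant


def decide(src, dst, proto, dport):
    """Filter one flow at the boundary between data domains.

    Returns ("accept" | "drop", reason).  Intra-tenant traffic passes; anything that
    crosses a domain boundary must be explicitly listed in ALLOWED_CROSS_DOMAIN.
    """
    src_t, dst_t = tenant_of(src), tenant_of(dst)
    if src_t is None or dst_t is None:
        return "drop", "endpoint outside any assigned address space"
    if src_t == dst_t:
        return "accept", "intra-tenant traffic"
    if (src_t, dst_t, proto, dport) in ALLOWED_CROSS_DOMAIN:
        return "accept", "explicitly permitted cross-domain service"
    return "drop", "cross-domain traffic not explicitly permitted"


if __name__ == "__main__":
    # Constructed flows: the second one is a co-located VM in tenant-b's space
    # trying to reach a file share in tenant-a's space.
    for flow in [("10.10.1.5", "10.10.2.9", "tcp", 443),
                 ("10.20.1.5", "10.10.2.9", "tcp", 445),
                 ("10.10.1.5", "10.0.0.10", "udp", 53)]:
        print(flow, "->", decide(*flow))
    print("spoofed egress from tenant-a container:", is_spoofed("tenant-a", "10.20.1.5"))
```

The point worth noticing is that the cross-domain list is keyed on the tenant, not on the address: a co-located VM cannot gain access by being a neighbour, only by an entry that the provider's authorization system has provisioned.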

Q: Why are multi-tenant VPNs important to the enterprise sector? 

Enders: Multi-tenant VPNs play a key role in the service provider sector. The technology serves as a powerful enabler for cloud-based secure services, as it delivers the power and balance of operational and economical scale and efficiency without compromising security to the enterprise network customer.

By Dr. Avishai Wool

Practically every corporation that is connected to the Internet uses firewalls as the first line of its cyber-defense. However, the protection these firewalls provide is only as good as the policy they are configured to implement. It has been said that the single most important factor of your firewall’s security is how you configure it, yet according to feedback provided by payment card brands and PCI auditing firms, 80 percent of firewalls examined in a breach investigation are misconfigured.

Curious about this phenomenon, I obtained rule-sets from a variety of corporations that use the AlgoSec Firewall Analyzer [ed. note: Wool is CTO of AlgoSec]. Considering 36 vendor-neutral configuration errors that create risk behind the firewall, I evaluated more than 80 Check Point and Cisco firewall rule sets. After determining a measure of firewall complexity for each vendor, I discovered that indeed firewalls are poorly configured – and that there is a strong correlation between a rule-set’s complexity and the number of detected configuration errors.

Serious errors are alarmingly frequent. For instance, Microsoft services, which are a vector to numerous Internet worms, are allowed to enter networks from the outside in 42 percent of the surveyed firewalls. Furthermore, among the most complex firewalls, I detected at least 20 errors in 75 percent of the configurations.

Complex firewall rule-sets are too difficult for their administrators to manage effectively. It is safer to limit the complexity of a firewall rule-set. For example, instead of connecting an additional subnet to the primary firewall, which in turn generates more rules and objects, a company can reduce its risk by installing a dedicated firewall to protect the new subnet.

As my research indicates, there are very few high-complexity rule sets that are well-configured. Furthermore, there is a clear correlation between rule set complexity and the number of detected errors. Thus, we can say that for well-configured firewalls, good things come in small packages.

Dr. Avishai Wool is CTO of AlgoSec, a network security policy management company. 
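As an added illustration of the kind of analysis described above (example code, not AlgoSec's product or the study's own tooling), the following Python linter scores a rule set's complexity and flags two of the error classes the article names: Microsoft networking services reachable from the outside, and overly broad accept rules. It also reports rules that are shadowed by an earlier, wider rule, since unreachable rules are one of the ways a long rule set accumulates mistakes. The complexity measure (rules plus objects plus interface pairs) is an assumption made here; the article does not define its measure. The rule set and object names are constructed.

```python
"""Rule-set complexity score and basic misconfiguration checks (added example)."""
from dataclasses import dataclass
from typing import Optional

# Microsoft networking services (RPC endpoint mapper, NetBIOS, SMB) that several
# Internet worms have used as an entry vector.
MS_SERVICES = {("tcp", 135), ("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

# Object names that stand for "the outside" in this constructed policy.
EXTERNAL = {"any", "Internet"}


@dataclass(frozen=True)
class Rule:
    src: str              # network object name, or "any"
    dst: str
    proto: str            # "tcp", "udp", "icmp", or "any"
    port: Optional[int]   # None means any port
    action: str           # "accept" or "drop"


def complexity(rules, objects, interfaces):
    """Assumed measure: rules + objects + number of interface pairs."""
    return len(rules) + len(objects) + interfaces * (interfaces - 1) // 2


def _covers(wide, narrow):
    """True if `wide` matches every packet `narrow` matches (name-level comparison)."""
    return (wide.src in ("any", narrow.src) and wide.dst in ("any", narrow.dst)
            and wide.proto in ("any", narrow.proto) and wide.port in (None, narrow.port))


def lint(rules):
    """Return (rule index, message) findings for the classic errors checked here."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "accept" and r.src in EXTERNAL:
            # Any-protocol or any-port rules from outside include the MS services.
            wide = r.proto == "any" or (r.proto in ("tcp", "udp") and r.port is None)
            if wide or (r.proto, r.port) in MS_SERVICES:
                findings.append((i, "Microsoft services reachable from the outside"))
        if r.action == "accept" and (r.src, r.dst, r.proto) == ("any", "any", "any"):
            findings.append((i, "any-any-any accept rule"))
        for j in range(i):
            if _covers(rules[j], r):
                findings.append((i, f"shadowed by rule {j}; never matched"))
                break
    return findings


# Constructed sample policy (object names are hypothetical).
SAMPLE_OBJECTS = {"Internet", "DMZ_Web", "FileServer", "Branch_Net", "Internal"}
SAMPLE_RULES = [
    Rule("Internet", "DMZ_Web", "tcp", 443, "accept"),
    Rule("Internet", "DMZ_Web", "tcp", 80, "accept"),
    Rule("Internet", "FileServer", "tcp", 445, "accept"),   # SMB from the outside
    Rule("Branch_Net", "Internal", "any", None, "accept"),  # broad internal rule
    Rule("Branch_Net", "Internal", "tcp", 22, "accept"),    # shadowed by the rule above
    Rule("any", "any", "any", None, "drop"),                # cleanup rule
]

if __name__ == "__main__":
    print("complexity:", complexity(SAMPLE_RULES, SAMPLE_OBJECTS, interfaces=3))
    for idx, msg in lint(SAMPLE_RULES):
        print(f"rule {idx}: {msg}")
```

Run against the sample policy, the linter reports the SMB rule and the shadowed SSH rule; the cleanup rule is left alone. A real analyzer would expand object groups and address ranges rather than comparing names, but the structure of the checks is the same.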

Last week’s post on Branch Networking focused on High Availability, so this week we’ll take a dive into central management. As a quick overview, a central VPN management system is required for effective networking of branch offices. Even if there are only a few branch offices, the time and money that have to be spent on local network administration are out of proportion, especially with M2M networking.

Central management automates the management of remote / branch office VPN gateways. So the more VPN-relevant systems the central management covers, the simpler and more manageable the network becomes for administrators. Of course, management should include configuration and software updates – but it should also include the management of software or hardware certificate rollouts, an LDAP console for identity and rights management, and security monitoring of the end devices (Network Access Control / Endpoint Security).

Example Authentication

We know a VPN system secures all data transfers in an encrypted tunnel. However, securing this communication has to start as early as the Internet dial-up, which is the most frequent point of attack. The core problem is how the branch offices authenticate towards the central gateway. One possibility for authentication is pre-shared keys; another is the use of certificates. For security reasons, certificates are the better option because their lifecycle can be managed: old certificates can be revoked and new ones can be issued. Certificate handling has to be organized; i.e. if a certificate is about to expire, the VPN management should offer automation that requests and issues a new one.

Another security requirement is often simply overlooked: the firewall must only allow IPsec connections. Usually branch offices connect to the Internet via a DSL router. This router protects the VPN gateway, and some VPN gateways also support PPPoE as a communication medium. This means the gateway can be used directly for DSL dial-up, and a separate DSL router becomes obsolete. In this case, too, the firewall must only allow IPsec connections. Maintenance of the branch office’s VPN gateway can also be done by direct dial-up via ISDN – not via the Internet.
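What “only IPsec” means in practice: on the WAN side, the gateway needs IKE (UDP 500), NAT traversal (UDP 4500) and the ESP (or AH) protocol itself, and nothing else. The following added example (not NCP’s configuration or code) renders a default-drop nftables ruleset for a branch gateway that dials up itself via PPPoE, and includes a small check that lists which services on a router’s current WAN policy fall outside that set. The interface name and the central gateway address are constructed placeholders.

```python
"""Branch-gateway WAN policy that admits only IPsec (added example, assumed values)."""

# Constructed placeholders: PPPoE session interface and the headquarters VPN gateway
# (203.0.113.0/24 is a documentation range, not a real address).
WAN_IF = "ppp0"
CENTRAL_GW = "203.0.113.10"

# Everything an IPsec tunnel needs on the WAN side; (proto, port) with None = no port.
IPSEC_SERVICES = {("udp", 500), ("udp", 4500), ("esp", None), ("ah", None)}


def allowed_on_wan(proto, port=None):
    """True only for IPsec signalling and data protocols; all else is dropped."""
    return (proto, port) in IPSEC_SERVICES


def violations(open_services):
    """Given the services a WAN policy currently accepts, return the non-IPsec ones."""
    return [svc for svc in open_services if not allowed_on_wan(*svc)]


def nftables_ruleset(wan_if=WAN_IF, peer=CENTRAL_GW):
    """Render an nftables input chain that accepts IPsec from the central gateway only.

    The chain's policy is drop, so the accept lines are the complete WAN attack
    surface: IKE/NAT-T on UDP 500/4500 and the ESP/AH protocols, all restricted
    to the central gateway's address.
    """
    return "\n".join([
        "table inet branch_vpn {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        f"    iif {wan_if} ip saddr {peer} udp dport {{ 500, 4500 }} accept",
        f"    iif {wan_if} ip saddr {peer} ip protocol esp accept",
        f"    iif {wan_if} ip saddr {peer} ip protocol ah accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    # Constructed example of a DSL router policy that left management ports open
    # on the WAN side alongside the tunnel.
    router_wan_policy = [("udp", 500), ("udp", 4500), ("esp", None),
                         ("tcp", 22), ("tcp", 80)]
    print("non-IPsec services exposed on WAN:", violations(router_wan_policy))
    print(nftables_ruleset())
```

Management access is deliberately absent from the WAN chain; in the setup described above it arrives through the tunnel or over the ISDN dial-up, so nothing beyond the tunnel itself is reachable from the Internet.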

Do you have questions about Branch Networking? We’ll do our best to help if you send your questions to or leave us a comment below. Also, stay tuned for next week’s Branch Networking post about “masking.”

ComputerWorld, Security Manager’s Journal: New Firewalls Should Increase Protection
CSO, 9 Security Tips for Protecting Mobile Workers
InformationWeek, Electronic Health Records Raise Security Risks
The Economist, A Sense of False Security

Internet News, OpenBSD Backdoored by the FBI?
Computerworld, Look, It Makes Them FEEL More Secure, OK?
Network World, What You Should Know About Next Generation Firewalls
Enterprise Network Planet, IPv4 Space Continues to Dwindle