What We’re Reading, Week of 11/5

Government Computer News – NIST spells out baseline security requirements for next-gen mobile devices
CSO – Election sabotage: A threat much older than hacked e-voting
InformationWeek – Malware Tools Get Smarter To Nab Financial Data
SearchSecurity – Remote access Trojan evades detection using mouse functions

How can I make sure my VPN is encrypted and working properly?

*Editor’s Note: These columns originally appeared in TechTarget’s SearchEnterpriseWan.com

By Rainer Enders, CTO of Americas for NCP engineering

The simplest way to do this is to act like a hacker. Snoop around the network traffic, either on the device itself or a port on the network. In the case of IPsec, for example, you would see encapsulating security payload (ESP) frames (Protocol 50).  Yet, when you look inside the packet payload, you will only see garbled characters — no clear text at all. Network snooping tools are easily available on the Internet and are simple to use. Of these, Wireshark is probably the most popular tool. You may find this resource on how to do penetration testing on your VPN useful.

Can I compare performance metrics of an MPLS VPN to another network?

This is a very complex question that is difficult to answer without knowing the specifics. Performance assessments can range in effort and complexity. It is ultimately important to understand the underlying requirements, which will determine the parameters that are relevant to performance. So, first you want to define “performance:”  What are the relevant parameters, such as throughput, latency, packet loss and jitter? Once you measure the aforementioned metrics of your Layer 2 and Layer 3 MPLS VPN networks, you should be able to compare them evenly.

What We’re Reading, Week of 1/2

Help Net Security, Securing Android for the Enterprise
Infosec Island, How to Re-Awaken Your Inner Hacker
InfoWorld, New year, same old security passwords
eWeek, Enterprises Need Encryption to Secure Private Data

What You Need to Know about Branch Networking: Central Management

Last week’s post on Branch Networking focused on High Availability, so this week we’ll take a dive into central management. As a quick overview, a central VPN management system is required for effective networking of branch offices. Even if there are only a few branch offices, the time and money that have to be spent on local network administration is out of proportion, especially with M2M networking.

Central management automates the management of remote / branch office VPN gateways. So the more VPN relevant systems the central management contains, the simpler and more manageable the network becomes for administrators. Of course, management should include configuration and software updates – but it should also include managing of digital software or hardware certificate rollouts, an LDAP console for identity and rights management, and security monitoring of the end-devices (Network Access Control / Endpoint Security).

Example Authentication

We know a VPN system secures all data transfers in an encrypted tunnel. However, sealing this communication has to take place as early as Internet dial up, which is the most frequent point of vantage for hacker attacks. The core problem is how the branch offices authenticate towards the central gateway. One possibility for authentication are pre-shared keys, another is the use of certificates. For security reasons, certificates are the better option because they can be adapted. This means old certificates can be locked and new ones can be issued. Certificate handling has to be organized; i.e. if one certificate expires, the VPN management should offer automatisms that request and issue new certificates.

Often, there’s another security requirement is simply overlooked. The firewall must only allow IPsec connections. Usually branch offices connect to the Internet via a DSL router. This router protects the VPN gateway and some VPN gateways also support the communication medium PPPoE. This means, the gateway can directly be used for DSL dial-up and a DSL router becomes obsolete. In this case, too, the firewall must only allow IPsec connections. Maintenance of the branch offices’ VPN gateway can also be possible by direct dial up via ISDN – not via the Internet.

Do you have questions about Branch Networking? We’ll do our best to help if you send your questions to editor@vpnhaus.com or leave us a comment below. Also, stay tuned for next week’s Branch Networking post about “masking.”

The Disgruntled Security Breach Strikes Again

We’ve said it before and we’ll say it again – disgruntled, former employees pose a major risk to your network. If you’ve been following the headlines this week, you know why we’re bringing this up again.

A former IT employee at Gucci was charged with remotely taking over the haute-couture company’s computers, shutting down servers, and deleting emails, the Wall Street Journal reported yesterday. According to the WSJ, here’s what’s happened:

Sam Chihlung Yun, 34 years old, allegedly created an account in the name of a fictional employee and used it to access the company’s network after he was fired in May 2010, prosecutors said. He allegedly caused more than $200,000 in diminished productivity, as well as remediation costs, prosecutors said.

Now Mr. Yun is being charged with a 50-count indictment for unauthorized use of a computer, unlawful duplication of computer-related material, among other charges. So, how did he do it? InformationWeek is reporting that Yun created a VPN token in the name of a fictional employee, then when he was fired he used this USB-based token to gain remote access. In the aftermath of Yun’s attack in November, Gucci staff were not able to access any documents, files, or materials saved anywhere on its network.

Frightening, right? So what can you do? Review your user log carefully and often – if you spot a red flag, investigate. Also, make sure all former employees are completely provisioned off the network and reset all the passwords and access rights following their departure.

Gucci was lucky enough to catch and prosecute its culprit — but the fashion giant would have been luckier if it had stopped the breach before it even happened.