Posts Tagged ‘WiFi’

By Nicholas Greene

With RSA 2012 kicking off next week, then Interop and BlackHat just around the corner after that – we are officially in trade show season. Of course, every show brings with it the challenge of connecting to its official Wi-Fi connection to plug back into corporate headquarters to do everything from email to sending documents and beyond. And as most of us know, this could invite a barrage of security vulnerabilities.

Of course, at IT conferences like Interop and Black Hat, you’ll find yourself with a better class of wireless network – it’s more or less a given that their Wi-Fi connections will be more secure than those at many other trade shows, as the organizers know enough to take an active role in securing the data of attendees. But the real risks come in when, for example, connecting via a hotel or a café near the show – or worse, a rogue unsecured network that tricks users into signing on with a strangely “official sounding” name.

So how will you stay safe this trade show season? In short, VPNs are the key. A VPN gives you all the security you’d get from a private network and carries it into a public arena: it opens the requisite ports for easier connectivity, keeps your activities hidden from others on the network, and encrypts any data you send between yourself and the server.

Unlike with insecure (and even secure) wireless networks, no known exploits currently exist that subvert the security of most well-designed Virtual Private Networks. While it’s certainly true that a user connected to a VPN can interact with other systems on the network as though they were local, the users of those systems should generally be trustworthy if you’ve implemented a proper VPN solution.

If you’re connecting to a corporate network, there’s a good chance that the company will already have some sort of VPN solution in place; all that’s left in such a situation is to set it up to run on your own system, and you’ll be golden. Generally, this is as simple as installing the client software for whatever solution you’re running; your company should provide it for you before you leave for the show.

If you’re not an enterprise attendee, or your company doesn’t yet have a VPN solution implemented, it might be worth looking into getting one; NCP has several VPN clients available, and for enterprise users the centrally managed solution is ideal.

More on VPNs and trade show security next time.

Today’s SSL myth tackles the topic of RSA SecurID. The prevailing myth is that RSA SecurID provides a secure connection – but of course, this isn’t so. The RSA SecurID token authentication system is a two-factor authentication method, which is the most common secure access method in the U.S. with 40 million users. The RSA SecurID token authentication method uses the RSA ACE Server, which is a clock synchronization key scheme. It works on a timing frequency that changes the token keys so that they never seem to be the same. The frequency and the seed key were both found on the RSA ACE Server, which was hacked by perpetrators on March 18, 2011.

Here is the way one inventor describes the scheme in his patent granted in 2008: “The pseudorandom token codes are only valid during a short time that they are displayed (e.g. 30 seconds). A hash function that generates the pseudo-random token code takes a current time and a secret key as inputs. The secret key is provided to the token by the manufacturer and then provided to the authentication server.”

“This scheme makes the authentication system very time sensitive. If an authentication server and token have clocks that diverge, the system quickly breaks. Also, the security of the leading hash function has been called into question.” The inventor is referring to a detailed cryptanalysis study published by Springer-Verlag in 2003. The authors of that study found that the block cipher at the heart of the RSA SecurID hash function can be broken in a few milliseconds using a 2003-vintage PC. Once again, myth debunked.

Source: EMC Corporation
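To make the clock dependence the inventor describes concrete, here is a small time-synchronised token scheme in Python. It is an added example, not code from the post and not RSA’s proprietary SecurID hash: it uses HMAC-SHA1 over a 30-second time window in the style of RFC 6238, with a constructed demo seed, and shows how a server’s skew tolerance decides whether a token whose clock has drifted is still accepted.

```python
import hashlib
import hmac
import struct

# Illustrative time-synchronised token scheme (HMAC-SHA1 over a 30-second
# time window, in the style of RFC 6238). It is NOT RSA SecurID's proprietary
# hash; it only shows the mechanics the patent text describes.
WINDOW_SECONDS = 30          # a code is valid only while displayed (~30 s)
CODE_DIGITS = 6

# Constructed demo seed: the per-token secret the manufacturer installs in the
# token and hands to the authentication server. Anyone holding it can compute
# every future code, which is why exposure of seed keys matters.
DEMO_SEED = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")


def token_code(seed: bytes, clock: int) -> str:
    """Code displayed by a token whose clock reads `clock` (Unix seconds)."""
    window = clock // WINDOW_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", window), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def server_verify(seed: bytes, server_clock: int, submitted: str,
                  skew_windows: int = 1) -> bool:
    """Accept the code if it matches the server's current window or one of
    the `skew_windows` neighbouring windows on either side."""
    for delta in range(-skew_windows, skew_windows + 1):
        candidate = token_code(seed, server_clock + delta * WINDOW_SECONDS)
        if hmac.compare_digest(candidate, submitted):   # constant-time compare
            return True
    return False


def login_with_drift(drift_seconds: int, server_clock: int = 1_300_000_000,
                     skew_windows: int = 1) -> bool:
    """Simulate a token whose clock is `drift_seconds` ahead of (or behind)
    the server's. Returns whether the server accepts the code it shows."""
    shown = token_code(DEMO_SEED, server_clock + drift_seconds)
    return server_verify(DEMO_SEED, server_clock, shown, skew_windows)


if __name__ == "__main__":
    for drift in (0, 20, -40, 90, -100):
        print(f"token clock off by {drift:+4d}s -> "
              f"{'accepted' if login_with_drift(drift) else 'REJECTED'}")
```

With a one-window tolerance, a token running 20 seconds fast or 40 seconds slow still logs in, while 90 seconds of drift is rejected; widening `skew_windows` restores access at the cost of accepting more stale codes.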

By Cameron Laird

In “Die, VPN! We’re all ‘telecommuters’ now–and IT must adjust,” John C. Welch accurately describes much of the changing landscape through which corporate computing is traveling now:

  • Work is as likely to take place outside the office as in;
  • Work in some domains has become as likely to take place on an employee’s device as one owned by the corporation;
  • A large percentage of all work can be done through the Web; and
  • “Endpoint” (in)security is nothing short of horrifying: the data equivalents of bars of gold are regularly walked unescorted through neighborhoods so bad they can’t help but end up in the wrong hands.

The situation is unsustainable; what should be done?

Welch’s conclusion: adopt full-disk encryption (FDE)–and ditch VPNs. His arguments for FDE have merit. The ones against VPN? Well, I expect to use VPNs for a long time into the future, and you should, too. Here’s why:

What is VPN?

First, let’s review the basics: information technology (IT) departments are responsible for computing operations. Computers have, in general, the capacity to make general-purpose calculations. This means both that IT is called on to perform a wide, wide range of tasks–everything from routing telephone connections in a call center, to control of machine actions in a steel plant, to running accounting programs in a hair salon–and also that there is inevitably more than one technique to complete each task or fulfill each requirement.

Even the simplest analysis of the “remote problem” exhibits these characteristics. Let’s begin with Welch’s starting point: much of the work of the future will be done outside the conventional workplace, and therefore outside the usual control policies traditional IT establishes. Everyone agrees that the fundamental data of the workplace deserves protection: whether the business deals in customer names and addresses, proprietary product recipes, or factory inventories and outputs, these details must be kept private. For an IT department, data appear in two states: “in transit,” as they travel from central organization repositories to the hardware of an individual remote worker; and “at rest,” which, for this purpose, means stored on the hardware of an individual remote worker. Welch’s FDE prescriptions address “at rest” or “endpoint” vulnerabilities, with the assumption that any local copy – any file or document or report – of data on a remote machine is necessarily encrypted. In turn, to view company data, an unauthorized person would need not only physical possession of the remote machine, but also a key to unlock the latter’s storage encryption.

Data “in transit” requires a mechanism that enables protection while traveling. With computers, there are many different ways to protect data in transit. In broad terms, though, a VPN encapsulates everything that passes back and forth from a remote worker in a single consistent way. With a VPN in place, the higher-level applications that are meaningful to an end-user, including software for project management, office productivity, multimedia chat, project collaboration, file access, enterprise resource planning (ERP), and so on, all have the impression that the remote worker is using a computer networked within the home network of the organization. The VPN takes responsibility for translating every data transmission so that what appears to be a message sent to or received from a local computer is actually a corresponding encrypted message to or from a remote location.

Cameron Laird is an award-winning author and developer for Phaseit, where his recent work has concentrated on back-end programming for secure Web applications.

By Sylvia Rosen

Imagine, you’re at the train station on your way to an important meeting. While you’re waiting, you’re drafting an urgent email. Just before you hit the send button, your wireless connection is lost – and with it, you lose your VPN connection and the link to your office email. Frustrated, you log back in, crossing your fingers that your email saved. Of course, it didn’t. Twenty minutes – and lots of good ideas – down the drain.

Sound familiar? Too many VPN solutions aren’t enabled to handle connection outages or changes, resulting in wasted productivity, and even worse, lost data. This hassle is eliminated with VPNs that support roaming among different types of networks – allowing users to focus on business instead of worrying about their connection. VPNs with seamless roaming automatically switch to the best available network and ensure that users never have to re-authenticate.

Seamless Roaming

Seamless roaming enables smooth transitions between networks, making it ideal for traveling professionals who are always on the go. VPNs that enable seamless roaming secure your data, even in the event of a wireless outage or switching between networks, like Wi-Fi and 3G.

“If all your traffic goes to the VPN while you are connected to it, then everything is secure; nobody can really attack your machine,” explains Rainer Enders, the CTO Americas for NCP engineering. “When the VPN drops, you go back to regular ‘connecting mode’ through the Internet. If your VPN doesn’t enable seamless roaming, you now have a connecting path that is an insecure tunnel, which is why your connection to your corporate server will likely give way.”

Seamless roaming VPN, however, changes this. With seamless roaming, IT administrators can now ensure that each piece of equipment can connect securely and stay connected securely. Stay tuned for more on this.

Sylvia Rosen writes articles on a variety of telecom topics, including VoIP Phone Systems and Call Center Services.

Editor’s Note: This is a second in a two-part series. Part 1 focused on the mobile landscape.

By Cameron Laird

Minimizing installation costs is attractive, of course. For most organizations, though, personnel costs across the scope of operations dominate what the IT (information technology) department does: it makes sense to make remote connections as convenient as possible for valuable line workers, and to minimize the costs of retraining them. That’s where an IPSec (Internet Protocol Security) VPN shines: an IPSec VPN establishes a connection that gives the remote user every appearance that she’s connected within the home LAN (local area network), including access to fileshares, printers, and all office-automation applications. By IPSec encapsulation, all this is possible even when transported by purely HTTP/HTTPS facilities of the sort remote workers increasingly encounter.

While SSL vulnerabilities of various sorts and likelihood have been in the news in 2011, the greatest risks with SSL solutions, points out Tom Henderson, Managing Director of Extreme Labs, have to do with key management. Among other precautions, “keys ought to be rotated because as they become aged, someone hacking at them eventually can get the keys …” and penetrate the network. IPSec has longer and considerably more resistant keys.

For all these reasons, the appeal of SSL/TLS VPNs as “installation-free” is only superficial; deeper examination shows that IPSec VPNs enjoy crucial advantages in:

  • support of the full range of applications and accesses remote workers require; and
  • robust key management, resistance to “man in the middle” attacks, and secure networking even from the most public and untrusted access points.