Republished with permission from WatchGuard Technologies, Inc.
Security and xDSL
In my first column on security and xDSL connections, I discussed many of the perceived threats, vulnerabilities and issues that broadband local access connections and particularly DSL present, from a system administrator’s perspective.
In this column, I’ll discuss policies and technologies you can apply when you cede administrative control of desktops, stored information and information confidentiality to teleworkers, road warriors and branch offices.
Most organizations take measures to physically secure corporate facilities against intruders and natural disasters. Teleworkers operate systems, software, and services outside this physically secured environment. Like road warrior's laptops, these "work from home" systems are more vulnerable to theft than those that remain in a corporate office. Indeed, the danger of having computers at home may be greater than the risk for road warriors, since computers in the home are more likely to be left unattended than are traveling laptops. Loss of, or tampering with, sensitive information stored on these systems is more worrisome than the capital loss of the equipment itself. A good security policy must assure the integrity and privacy of sensitive information, irrespective of where it is stored. In the same way that an organization might evaluate a service provider’s physical security before outsourcing Web hosting or e-commerce services, so should it evaluate physical security at employee residences where sensitive information will be stored. For some employee residences—especially multi-tenant buildings—a company investment in deadbolt locks, anti-theft clamps, or a centrally monitored home security system may be justifiable. A thorough risk assessment should reveal which employees have access to information valuable enough to warrant such consideration.
Administrative Control of the Desktop
Most organizations have policies regarding the use of un-approved and un-licensed software. Many organizations have policies that identify the kinds of services employees may operate from their desktop computers. Similarly, many organizations now incorporate vulnerability scanning of desktops and insist on desktop anti-virus software. Enforcing these policies across enterprise LANs is a demanding practice that requires sophisticated software and security management software. Extending these practices to DSL-enabled teleworkers requires the same sophistication, and is good policy.
If teleworker systems cannot be software-managed in the same manner—or if you don’t centrally manage software in this manner—at least be aware that these systems can be troublesome hosts that run unauthorized services: Home systems are much more likely to host unapproved and unlicensed software. Corporate conventions for hardening hosts are likely to be ignored or overlooked.
Ceding control of the teleworker desktop can adversely affect an organization: Liability may accrue to your organization in cases where un-licensed software is discovered or reported. Viruses, worms, trojans, and other malware may enter your organization’s network—or your business partner’s network—via a teleworker system that doesn’t run or uses “stale” anti-virus software. Outside the office, employees may be tempted to run e-mail, name resolution, and/or routing services. If misconfigured or compromised, services operating on a teleworker’s system can disrupt enterprise servers that legitimately run these services.
Your security policy should address these issues. Hopefully, you will find that your policy already covers these issues for in-house desktops. You will need to complement your in-house implementation by providing teleworkers with information, software and equipment to implement them in their home office.
Let’s examine some of the policies you may want to assert, and practices and technologies you might use to implement them.
Desktop Access Security Measures
Your policy should dictate that teleworkers should not leave desktop systems accessible when unattended. Recommend and explain how employees can enable power-on, login and screen-saver passwords. Recommend short idle timeout values.
Boot protection is also advisable: Some PC encryption products block the use of bootable floppies, which can be used to circumvent login and screen-saver passwords. If you want stronger authentication than a simple password, use the “something you have” or “something you are” methods of authentication to prevent unauthorized system access:
OS and File System Security Measures
Be proactive. Use vulnerability scanning software to “harden” teleworker PCs. One of the many ways you can leverage the always-connected feature of DSL is to remotely probe your teleworker PCs and LANs using commercial scanners to check for OS vulnerabilities, unauthorized services and public-access network file systems. If you don’t have or cannot afford a commercial scanner, visit sites like Securityfocus.com or Whitehats.com and build yourself a toolkit of freeware or shareware monitoring and scanning tools.
Depending on the sophistication of your employees, you may want to teach them how to use file system access controls, or provide “how to” guides that illustrate proper implementation of security policies. Simply explaining how to turn off Microsoft File Sharing on Windows 95/98 can prove invaluable. If you expect users to remain on Windows 95/98, consider third-party software like Citadel Technologies’ FolderBolt (for Win 95/98/NT and Macintosh) that provides enhanced, granular file access controls. If your users run UNIX or Windows NT/2000, explain how access controls can be used to selectively assign user permissions to files, directories, or other secured objects (e.g. devices, ports). Discourage full access privileges to entire disks and partitions. Explain how to enable and use auditing and logging features, where available; as your teleworker numbers grow, these may prove as essential as firewall logs and audit files.
Storage Security Measures
In a recent Network Computing article, Phil Carden used an apt analogy to describe stored file security: “The shell of an egg protects its contents. But, once that shell is broken, it's all over--unless it's a hard-boiled egg. The emphasis lately has been on building eggshells--firewalls and perimeter security--around your network. Why not also hard boil, or encrypt, stored data?”
Firewalls play an important role in securing DSL connections, but a firewall can’t stop a thief from carrying off your teleworker’s CPU or laptop. An area of security that is alarmingly lax across most organizations is the treatment of stored, sensitive information. If mobile workers and teleworkers are permitted to store classified or sensitive information on laptops or home computers, your security policy and practices should require use of file encryption and “wipe-clean” file deletion software. There are many simple solutions here, ranging from Windows system tray solutions like PGP Security’s PGP Desktop and the toolbar-based SynCrypt from SynData, to Peter Gutmann’s Secure File System for Win95/98/NT/OS2 and Protect Data’s Protect! disk encryption software.
A second aspect of storage security is archival and recovery, and treatment of archive media. Employees often use floppies or CDs for backing-up their files; be sure you have a policy in place for how and where copies are stored. If your organization operates automated (transparent) data protection and recovery for desktops and mobile laptops, be sure your archival process extends to teleworker systems.
Personal vs. Corporate Information—Segment the Operating Environment
Employees who use a company-provided computer for personal use should be advised to take measures to separate personal information from corporate information. The motivation ought to be obvious for any worker. However, if you need to make it clear, explain how easy it is for an employee to inadvertently share checking information with colleagues if he runs a personal Web server and unwittingly permits directory browsing; or if she runs an FTP server with global access permissions for all users.
An employee can create a dual-boot PC to logically separate work data from personal data. One configuration to consider is to boot Windows NT for work, and boot Windows 98 for home. NTFS data partitions will only be accessible when booting NT. Warn employees that FAT32 partitions used by Windows 98 will be visible from NT as well; if there are vulnerabilities in the NT configuration, these may unintentionally expose personal information.
Removable (and bootable) hard drives are especially convenient for employees who do not want two operating systems. Note that removable drives are even more vulnerable to physical theft, and for this reason should never be used without stored file encryption.
While we’re on the subject of operating systems, employees should never be allowed to run NT domain servers. The default installation of NT Server supports many services you may wish to prohibit (see Unauthorized Services, below).
Unauthorized Services and Rogue Servers
Your security policy should expressly prohibit teleworkers from running servers that you believe pose a threat to your organization’s normal operations should they be misconfigured or compromised. Unauthorized servers introduce several threats. Hackers typically port scan for TFTP, Telnet, Mail, and SNMP servers, then attempt to compromise a system through these services. Compromised mail servers are particularly susceptible to being used to relay SPAM, opening a slew of liability issues for your company. Once a hacker gains root or administrative privileges for a teleworker’s PC, she may then use it as a vector for further hacking into your organization, or beyond.
There are few situations where teleworkers would need to host DNS service, and even fewer where a teleworker must enable routing protocols. Misconfigured DNS servers can disrupt proper operation of your own corporate servers, and a rogue router operating from a teleworker’s LAN can create black holes in your topology. DNS and routing protocols can also be attacked, with disastrous consequences.
Your policy regarding unauthorized services may extend to FTP and Web hosting. Incorrectly administered FTP (particularly anonymous FTP) or Web servers make private data Internet-accessible. Securely hosting a Web site is more complex than most employees appreciate: File systems can be browsed if file permissions are misconfigured; employees can inadvertently make Intranet URLs accessible to unauthorized users. As an administrator, you should lie awake at night at the thought of ceding control of Web server features, CGIs and applets to individuals who may not understand programming languages well enough to recognize an exploitable script. While it may seem draconian, prohibiting Web hosting or FTP from teleworker LANs isn’t an unreasonable policy.
If you can’t prohibit servers, or feel that prohibition is not enforceable, seriously consider treating service requests from teleworker connections as you would any outside connection. Refuse name server zone transfer requests and certain SMTP message types. Block or discard routing advertisements (we’ll talk more about how dangerous these can be when we examine teleworker LANs in Part III).
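A compliance check for the unauthorized-services policy described in this section and for the teleworker-PC probing suggested under OS and File System Security Measures, as an added example that is not part of the original column: it parses a host's netstat -an listing (a constructed sample is embedded) and flags the services the column names as prohibited. The port-to-service table uses standard IANA assignments, and the prohibited list is an assumption drawn from the services named above; anything else reachable from the network is reported for review.

```python
# Added example (not WatchGuard's code): audit a teleworker PC's listening
# services against the unauthorized-services policy above. Input is
# "netstat -an" style text; ports are the standard IANA assignments.

# Services the column says to prohibit on teleworker PCs, keyed by (proto, port).
PROHIBITED = {
    ("tcp", 21): "ftp", ("tcp", 23): "telnet", ("tcp", 25): "smtp (relay risk)",
    ("tcp", 53): "dns", ("udp", 53): "dns", ("udp", 69): "tftp",
    ("tcp", 80): "http (web hosting)", ("tcp", 139): "netbios-ssn (file sharing)",
    ("udp", 161): "snmp", ("udp", 520): "rip (routing advertisements)",
}

def parse_listeners(netstat_text):
    """Return (proto, addr, port) for sockets reachable from the network.
    TCP rows count only in LISTENING state; UDP rows carry no state column.
    Loopback-only binds are skipped: they are not exposed to the LAN/DSL link."""
    listeners = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0].upper() not in ("TCP", "UDP"):
            continue
        addr, _, port = f[1].rpartition(":")
        if not port.isdigit() or addr.startswith("127."):
            continue
        if f[0].upper() == "TCP" and (len(f) < 4 or f[3] != "LISTENING"):
            continue
        listeners.append((f[0].lower(), addr, int(port)))
    return listeners

def audit(netstat_text):
    """Split listeners into policy violations and unlisted ports needing review."""
    findings = {"prohibited": [], "review": []}
    for proto, addr, port in parse_listeners(netstat_text):
        name = PROHIBITED.get((proto, port))
        bucket = "prohibited" if name else "review"
        findings[bucket].append(f"{proto}/{port} {name or 'unlisted'} on {addr}")
    return findings

# Constructed sample: what netstat -an might print on a Windows teleworker PC.
SAMPLE = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
TCP    192.168.1.10:1234      10.0.0.5:80            ESTABLISHED
UDP    0.0.0.0:161            *:*
UDP    0.0.0.0:520            *:*
"""
```

Running `audit(SAMPLE)` reports the mail, file-sharing, SNMP and RIP listeners as prohibited and the unlisted port 8080 for review; the loopback-only and ESTABLISHED rows are ignored.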
Going forward, there is no question that workers will be connecting in from outside the office perimeter and away from the direct sphere of influence of an IS department. Wherever workers connect from, administrators will be called on to support them. Sensible precautions as outlined here can make the situation more secure for everyone.
In Part III, we’ll consider the roles of software-based personal firewalls, firewall appliances and access routers, with an emphasis on small office and teleworker LANs. We’ll also talk about how Virtual Private Networking and methods for securing application streams can be used to provide teleworkers and roaming employees secure access to intranets and mission-critical servers even over untrusted links (namely, the Internet).