|
Vendor Accent
Telecommuting today: risks on the rise
 Telecommuting
seems to be the best option for harried information workers. It also helps companies
hire talented employees across a wider geographical area. However, it could
well be the back door for attacks through VPN tunnels that connect insecure
home computers to a corporate network, writes Shubhomoy Biswas.
Advancement of information and technology means more people
can work outside the traditional workplace. Telecommuting means using information
technology and telecommunications to replace work-related travel. Simply put,
it means working at home or closer to home.
Telecommuting is changing the way 21st century companies operate, bringing considerable
benefits to both employers and workers. Companies can expand their labour pool,
to attract the most talented employees regardless of location. Operations can
be expanded quickly and cost-effectively without opening additional branch offices.
Employee productivity increases with reduced commuting time and fewer daily
interruptions.
Telecommuting or teleworking results in some pretty significant challenges on
the information security front. The move towards teleworking could result in
a dramatic increase in corporate security breaches.
The basic equipment that a telecommuter needs are a telephone and an Internet
connection. Many use VPNs and broadband connections to access their corporate
networks. They also share their residential broadband connection with other
household users, linked together by a home network. The home networks may be
as simple as two computers connected by a hub. Since all computers on the network
are connected directly or indirectly to a VPN appliance, any attack that compromises
any machine on the network can put a VPN and, through it, your corporate network
in jeopardy.
Threats come in all shapes
Threats can take various forms. Most consist of malicious
code: viruses, worms and Trojan horses. Such malware can invade
home systems through direct penetration of “always-on”
broadband connections, as well as e-mail attachments, software downloads
and active Web content such as Java applets or ActiveX controls.
Malicious code might also be surreptitiously planted on home computers
by hackers exploiting security holes during home user activities
such as peer-to-peer file exchange, networked multi-player gaming,
instant messaging and home video-conferencing.
Once on a PC, malware can pass through a VPN tunnel and use host scanning to
find and infect vulnerable machines on the corporate network. Or hostile code
could “zombify” a home PC and launch Denial of Service (DOS) attacks
on a corporate network via the VPN.
Another danger comes from attacks such as those perpetrated by the Back Orifice
and Subseven Trojans where malicious content infects a home computer and allows
a hacker to commandeer the PC. The hacker can then infiltrate an internal corporate
network, assuming all the rights and privileges of an authorised user.
Of course, the first scenario above (hostile code spreading to corporate systems)
might be prevented by anti-virus (AV) software on a company’s network.
Even assuming that the latest AV software is running in all the right places
on the LAN, the network would still be vulnerable to “first strike”
infections by fresh, unrecognised code. Nor would our hypothetical AV software
protect against the second and third scenarios (DOS and hacker intrusions launched
from a home PC).
Wireless home networks present a special risk. Unless fully secured by measures
such as encryption and password protection, such networks are vulnerable to
“drive-by” hackers, who can tap into the network over the airwaves
in the vicinity of the house (even from cars travelling through the neighbourhood).
Having penetrated a network, wireless hackers can then launch any of the attacks
described above.
Yet another danger comes from would-be intruders inside the home, such as a
telecommuter’s own mischievous child or roommate. Working from their own
PCs on the home network, such in-home hackers can gain unrestricted access to
a VPN and do serious harm, whether motivated by actual malice or just idle curiosity.
Whatever the modus operandi, any of the above attacks can have disastrous consequences,
resulting in: the destruction or damage of valuable data, theft of sensitive
information and disruption of operations and downtime (e.g. by crashing systems
or degrading network performance).
The financial impact is often considerable. Several high-profile attacks such
as the Nimda and Code Red Trojans have cost individual companies millions of
dollars, including the expense of recovery, downtime and lost business. According
to Information Week, the total cost of virus attacks and computer cracking ran
to $266 billion in 2001.
| Isolate the telecommuter connection |
In cases where the teleworker unit is on a shared network
at home it should not be possible for the VPN tunnel to be accessible to
anyone else on the home network. |
| Enforce network protection at the telecommuter site |
Companies should consider giving teleworkers security levels
at home that comply with the basic minimum corporate standards thereby enforcing
a multi-layered defence mechanism that incorporates firewall, anti-virus,
content filtering and authentication. |
| Scale the telecommuting network infrastructure |
The majority of enterprises will require VPN connections with
many different users so it is important that the solution should be scalable
to allow security measures to be deployed rapidly via a Web browser. |
| Manage telecommuting security policies |
Any solution must be capable of being managed remotely by
the company's service professionals so that the VPN links remain in full
control of the organisation at all times. |
Conventional solutions fall short
Recognising that always-on broadband connections are a tempting target (and
available round-the-clock) for hackers, companies have increasingly turned to
security appliances that combine VPN and firewall capabilities. Installed at
the telecommuter’s premises, such devices simultaneously perform VPN encryption
and defend the client computer against Internet-borne intrusions. Many companies
also guard the telecommuter’s computer with measures such as anti-virus
and attachment blocking.
The trouble with these traditional approaches is that they focus only on the
telecommuter’s computer and fail to take into account the other machines
and users on the home network. Most traditional VPN firewalls, for example,
make no distinction among the various computers attached to them (i.e., between
trusted workers and untrusted household members). Once the VPN tunnel is up
and running, it’s an open door that any device or user on the home network
can walk through.
Even those VPN firewalls that do feature user-level authentication (ULA) don’t
fully solve the problem. Whether using passwords, certificates, secure IDs or
other techniques, ULA does allow the VPN firewall to distinguish between individual
home network users (based on their IP addresses), allowing authorised workers
to enter the VPN and blocking unauthorised home users.
However, such safeguards can be bypassed by hackers (outside or inside the home)
using IP spoofing, letting them access the VPN by passing an unauthorised home
machine off as an authorised one.
What does one do, then? Extend corporate security policies and protection to
the entire home network? That’s out of the question, being neither appropriate
nor even possible in most cases. How about detaching the telecommuter’s
work computer from the home network, and installing two separate broadband connections
and Internet accounts—one for the telecommuter, one for other members of
the household? That’s both expensive, requiring costly duplication of services
and equipment, and highly restrictive, preventing the household from sharing
appropriate network resources such as printers and file servers.
They should also comply with international and local information security standards.
Since telecommuting has become the lifeline of any organisation, abiding by
the above actions is vital.
The author is Country Manager, SonicWALL. He can be reached
at sbiswas@sonicwall.com
|
