
Protecting against Remote Users

In the document Network Security (Page 125-129)

Windows Terminal Services A service of Windows that implements the Remote Desktop Protocol (RDP). It intercepts the display (drawing) calls made to the operating system and repackages them for transmission to a remote user, while receiving keystrokes and mouse pointer data from that user, thus enabling a low-bandwidth, remotely controlled desktop environment in which any application can be run.

Despite all of these security precautions, it remains impossible for you to truly control what happens to computers that are outside of your network. A coworker's child may download a video game demo that contains a Trojan horse, which connects back to a hacker and gives them access to your VPN.

Or, even more likely, you may click Yes to a download request on a web site thinking that it's necessary to view the content, when the download is actually spyware. Chapter 8 discusses spyware in depth. No firewall device or personal firewall application can prevent these sorts of problems, because home users will circumvent the highly restrictive policies that would be required to mitigate them.

Separation of Security

My company uses USB keychain flash memory to store secure information. Our laptops have the encryption software, and the file containing the encrypted disk is stored on the USB keychain, which is kept with each user's car keys. This way, encrypted data isn't lost when the laptops are stolen or broken, and the keychains don't suffer from hard disk failure because they're solid state. Also, the USB interface is ubiquitous (unlike PCMCIA, CardFlash, Memory Stick, or Smart Media memory solutions) and can be mounted on any computer with the encryption software.

The encryption software we use performs steganography, so our encrypted disk stores are actually large sound files that remain playable with encrypted data in them, thus fooling anyone who happens to find the keychain into thinking that it’s just a dongle with a song on it.

4374Book.fm Page 107 Tuesday, August 10, 2004 10:46 AM

108 Chapter 7

So you have to ask yourself whether allowing VPN access from home users is necessary and wise considering your security posture. You may very well be better off allowing controlled access for specific protocols through your firewall than providing the wide-open, unencumbered access that a VPN provides. While hackers could attempt to exploit your open protocols, securing a single known open protocol is far easier than securing against the wide range of exploits that could be perpetrated through a VPN, which exposes every service on the network to whatever is on the remote machine.

If users really only need a single protocol to perform their work, and that protocol doesn't suffer from known exploits and provides strong authentication, it's a good candidate for simply passing through your firewall.

An example of a protocol that could be reliably used in this manner is Windows Terminal Services. Terminal servers provide a broad range of services to users very efficiently and are commonly used to provide low-bandwidth users with access to a network’s data.

Secure Shell (SSH)

A secure, encrypted replacement for the classic Telnet application. SSH uses public-key cryptography to authenticate the server (and optionally the user) when a connection is set up, and symmetric encryption under per-session keys, which are renegotiated periodically, to protect data while in transit.

As long as passwords can't be guessed or brute-forced (enforce strong passwords and account lockout), exposing Terminal Services to the Internet is a lot more secure than opening up VPN connections to your network.

Viruses cannot automatically transit through a Terminal Services connection because there's no file services connection, provided client drive redirection is disabled on the terminal server; a redirected client drive would give the remote computer's files a path in. A hacker who has exploited a home user's computer doesn't have any more access to the terminal server than they would have from their own home, because they would still need the account name and password for the remote network in order to log in (unless they capture those credentials from the compromised computer, which a VPN client would expose just the same).
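The safety of this approach rests on the terminal server's passwords holding up against guessing, so an Internet-facing terminal server should be watched for guessing attempts. The following Python script is an added example, not code from the book: it reads Windows Security event records (a constructed sample is embedded; in practice they would come from the Security log, where a failed logon is event 4625 and logon type 10 denotes a Terminal Services/RDP session) and reports any source address that fails more than a threshold of RDP logons within a sliding time window, along with how many distinct account names it tried. The one-line record format, the thresholds and the addresses are assumptions made for the example.

```python
"""Detect password guessing against an Internet-exposed terminal server.

Added example, not from the book.  Assumptions: events have been exported
one per line as

    <ISO timestamp> EventID=<id> LogonType=<n> User=<name> Source=<ip>

where EventID 4625 is a failed logon and LogonType 10 is RemoteInteractive
(Terminal Services / RDP).  Thresholds are illustrative.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

FAILED_LOGON = "4625"
RDP_LOGON_TYPES = ("10",)   # RemoteInteractive; widen if your log differs

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) Source=(?P<src>\S+)$"
)

# Constructed sample: one guessing source (203.0.113.5) trying several
# account names, one genuine typo by alice, and network-logon failures
# (type 3) from a third host that this detector deliberately ignores.
SAMPLE_LOG = """\
2004-08-10T10:00:01 EventID=4624 LogonType=10 User=alice Source=198.51.100.7
2004-08-10T10:01:10 EventID=4625 LogonType=10 User=administrator Source=203.0.113.5
2004-08-10T10:01:12 EventID=4625 LogonType=10 User=administrator Source=203.0.113.5
2004-08-10T10:01:15 EventID=4625 LogonType=10 User=admin Source=203.0.113.5
2004-08-10T10:01:17 EventID=4625 LogonType=10 User=bob Source=203.0.113.5
2004-08-10T10:01:20 EventID=4625 LogonType=10 User=carol Source=203.0.113.5
2004-08-10T10:01:22 EventID=4625 LogonType=10 User=dave Source=203.0.113.5
2004-08-10T10:05:00 EventID=4625 LogonType=10 User=alice Source=198.51.100.7
2004-08-10T10:06:00 EventID=4625 LogonType=3 User=svc Source=192.0.2.9
2004-08-10T10:06:01 EventID=4625 LogonType=3 User=svc Source=192.0.2.9
2004-08-10T10:06:02 EventID=4625 LogonType=3 User=svc Source=192.0.2.9
2004-08-10T10:06:03 EventID=4625 LogonType=3 User=svc Source=192.0.2.9
2004-08-10T10:06:04 EventID=4625 LogonType=3 User=svc Source=192.0.2.9
"""


def parse(line):
    """Parse one record into a dict, or return None for lines that do not
    match the assumed format (so stray log text cannot crash the scan)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_guessing(lines, threshold=5, window=timedelta(minutes=10),
                    logon_types=RDP_LOGON_TYPES):
    """Return {source_ip: (peak_failures_in_window, distinct_accounts)} for
    every source that produced >= threshold failed RDP logons inside any
    sliding window of the given length.  Records may arrive out of order;
    they are sorted by timestamp before the windows are evaluated."""
    events = [e for e in map(parse, lines)
              if e and e["eid"] == FAILED_LOGON and e["lt"] in logon_types]
    events.sort(key=lambda e: e["ts"])

    recent = defaultdict(deque)   # source -> timestamps still inside window
    users = defaultdict(set)      # source -> account names it has tried
    alerts = {}
    for ev in events:
        src = ev["src"]
        q = recent[src]
        q.append(ev["ts"])
        users[src].add(ev["user"])
        while ev["ts"] - q[0] > window:   # drop failures that aged out
            q.popleft()
        if len(q) >= threshold:
            peak = max(alerts.get(src, (0, 0))[0], len(q))
            alerts[src] = (peak, len(users[src]))
    return alerts


if __name__ == "__main__":
    for src, (count, accounts) in detect_guessing(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {count} failed RDP logons, {accounts} distinct accounts tried")
```

Run as a script it names only 203.0.113.5. A source that fails against many different account names in a short window is trying a few passwords across every account rather than many passwords against one, which per-account lockout alone does not stop; the distinct-account count is what separates the two.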

Once remote users have logged into Terminal Services, they will have just as much access to applications and just as much ability to perform work as they would have if they were in the building. The relative richness of the protocol is what makes it a good candidate to simply replace VPN accessibility for remote users.

Other protocols that could be candidates for opening to the Internet are Secure Shell (SSH), for text-based applications on Unix machines, and web applications served over HTTPS (as long as proper web server security measures have been implemented).

Terms to Know

flash memory

NAT routers

personal firewall applications

Secure Shell (SSH)

VPN software client

Windows Terminal Services


Securing Remote and Home Users 109

Review Questions

1. Why are VPN connections potentially dangerous?

2. What threats are presented to network security by laptop users?

3. Why are laptops the most likely source of virus infection in a protected network?

4. What percentage of corporate crimes has the FBI traced back to stolen laptops?

5. What software should be used to protect laptops from hackers?

6. What is the best way to protect home computers from hackers?

7. How should you reduce the risk posed by lost information when a laptop is stolen?

8. What is the best way to prevent the loss of data from a damaged or stolen laptop?

9. Are VPNs always the most secure way to provide remote access to secure networks?


Chapter 8

Malware and Virus

In This Chapter
