BEST PRACTICES SERIES
Complete Book of Remote Access Connectivity and Security
THE AUERBACH BEST PRACTICES SERIES Broadband Networking James Trulove, Editor ISBN: 0-8493-9821-5 Business Continuity Planning Ken Doughty, Editor ISBN: 0-8493-0907-7 The Complete Book of Remote Access: Connectivity and Security Victor Kasacavage, Editor ISBN: 0-8493-1253-1 Designing a Total Data Solution: Technology, Implementation, and Deployment Roxanne E. Burkey and Charles V. Breakfield, Editors ISBN: 0-8493-0893-3 High Performance Web Databases: Design, Development, and Deployment Sanjiv Purba, Editor ISBN: 0-8493-0882-8 Making Supply Chain Management Work James Ayers, Editor ISBN: 0-8493-1273-6 Financial Services Information Systems Jessica Keyes, Editor ISBN: 0-8493-9834-7 Healthcare Information Systems Phillip L. Davidson, Editor ISBN: 0-8493-9963-7
Multi-Operating System Networking: Living with UNIX, NetWare, and NT Raj Rajagopal, Editor ISBN: 0-8493-9831-2 Network Design Gilbert Held, Editor ISBN: 0-8493-0859-3 Network Manager’s Handbook John Lusa, Editor ISBN: 0-8493-9841-X New Directions in Internet Management Sanjiv Purba, Editor ISBN: 0-8493-1160-8 New Directions in Project Management Paul Tinnirello, Editor ISBN: 0-8493-1190-X The Privacy Papers: Managing Technology, Consumer, Employee, and Legislative Actions Rebecca Herold, Editor ISBN: 0-8493-1248-5 Web-to-Host Connectivity Lisa Lindgren and Anura Gurugé, Editors ISBN: 0-8493-0835-6 Winning the Outsourcing Game: Making the Best Deals and Making Them Work Janet Butler, Editor ISBN: 0-8493-0875-5
AUERBACH PUBLICATIONS www.auerbach-publications.com TO ORDER: Call: 1-800-272-7737 • Fax: 1-800-374-3401 E-mail:
[email protected]
BEST PRACTICES SERIES
Complete Book of Remote Access Connectivity and Security Editor
Victor Kasacavage
AUERBACH PUBLICATIONS A CRC Press Company Boca Raton London New York Washington, D.C.
AU1253_FM_Frame Page iv Wednesday, November 6, 2002 7:11 AM
Chapter 18, “Security Risks in Telecommuting,” © Pirkka Palomaki. All rights reserved.
Library of Congress Cataloging-in-Publication Data Complete book of remote access : connectivity and security / editor, Victor Kasacavage. p. cm. — (The Auerbach best practices series) Includes index. ISBN 0-8493-1253-1 (alk. paper) 1. Computer networks—Remote access. 2. Computer networks—Security measures. I. Kasacavage, Victor. II. Best practices series (Boca Raton, Fla.) TK5105.597 .C65 2002 004.6—dc21
2002034281 CIP
This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the authors and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use. Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher. All rights reserved. Authorization to photocopy items for internal or personal use, or the personal or internal use of specific clients, may be granted by CRC Press LLC, provided that $1.50 per page photocopied is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923 USA. The fee code for users of the Transactional Reporting Service is ISBN 0-8493-1253-1/03/$0.00+$1.50. The fee is subject to change without notice. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged. The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press LLC for such copying. Direct all inquiries to CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431. Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation, without intent to infringe.
Visit the Auerbach Publications Web site at www.auerbach-publications.com © 2003 by CRC Press LLC Auerbach is an imprint of CRC Press LLC No claim to original U.S. Government works International Standard Book Number 0-8493-1253-1 Library of Congress Card Number 2002034281 Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 Printed on acid-free paper
AU1253_FM_Frame Page v Wednesday, November 6, 2002 7:11 AM
Contributors ALAN BERMAN, Consultant, Irvington, New York GERALD L. BAHR, Networking Consultant, Roswell, Georgia CHRISTINA M. BIRD, PH.D., CISSP, Senior Security Analyst, Counterpane Internet Security, San Jose, California ELLEN BONSALL, Marketing Director, U.S. Operations, ActivCard, Inc., San Francisco, California CARLSON COLOMB, Director, Host Access Marketing, Eicon Technology, Montreal, Quebec, Canada GILBERT HELD, Director, 4-Degree Consulting, Macon, Georgia SHEILA M. JACOBS, Assistant Professor, Management Information Systems, Oakland University, Rochester, Michigan DENISE M. JONES, Marketing Communications Manager, Cubix Corporation, Carson City, Nevada DENNIS SEYMOUR LEE, CISSP, President, Digital Solutions and Video, Inc. New York, New York ANDRES LLANA, JR., Telecommunications Consultant, Vermont Studies Group, Inc., King of Prussia, Pennsylvania PHILLIP Q. MAIER, Vice President, Information Security Engineering, Visa, San Francisco, California NANCY BLUMENSTALK MINGUS, President, Blumenstalk Associates, Inc., Williamsville, New York NATHAN J. MULLER, Senior Technical Consultant, e.spire Communications, Sterling, Virginia NAAMAN MUSTAFA, Principal Analyst, DTE Energy, Detroit, Michigan JEFFREY L. OTT, Information Security Consultant, Denver, Colorado PIRKKA PALOMAKI, Director, Product Marketing, F-Secure Corp., Helsinki, Finland THOMAS R. PELTIER, CISSP, President, Peltier & Associates, Wyandotte, Michigan MAHESH S. RAISINGHANI, Director of Research, Center for Applied Information Technology, and Faculty Member, University of Dallas Graduate School of Management, Dallas, Texas DUANE E. SHARP, President, SharpTech Associates, Mississauga, Ontario, Canada HEATHER SMARTT, Manager, PricewaterhouseCoopers, Dallas, Texas BILL STACKPOLE, CISSP, Information Security Consultant, Microsoft, Redmond, Washington v
AU1253_FM_Frame Page vi Wednesday, November 6, 2002 7:11 AM
Contributors JAMES S. TILLER, CISSP, Global Security Portfolio and Practice Manager, International Network Services, Tampa, Florida HEIKKI TOPI, Associate Professor of Computer Information Systems, Bentley College, Waltham, Massachusetts JOHN R. VACCA, Information Technology Consultant, Pomeroy, Ohio MICHAEL VAN PATTEN, Vice President of Marketing, Microdyne, Alexandria, Virginia MARY VAN SELL, Associate Professor, Management, Oakland University, Rochester, Michigan MATTHEW WALLACE, Senior Network Security Engineer, Exodus Communications, San Jose, California DAVID A. ZIMMER, American Eagle Group, Warrington, Pennsylvania
vi
AU1253_FM_Frame Page vii Wednesday, November 6, 2002 7:11 AM
Contents UNIT 1
INTRODUCTION TO REMOTE ACCESS . . . . . . . . . . . . . . . . . . . . . 1
1
Fundamentals of Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . 3 David A. Zimmer, Naaman Mustafa, and Thomas R. Peltier
2
Designing a Remote Access Solution . . . . . . . . . . . . . . . . . . . . . 13 Naaman Mustafa and Thomas R. Peltier
3
Remote Access Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Nathan J. Muller and Gerald L. Bahr
4
Extranets: Borderless Internet/Intranet Networking . . . . . . . 39 Duane E. Sharp
5
Implementing and Supporting Extranets. . . . . . . . . . . . . . . . . . 47 Phillip Q. Maier
6
Providing Access to External Databases . . . . . . . . . . . . . . . . . . 59 Gilbert Held
7
Remote LAN Access Technology . . . . . . . . . . . . . . . . . . . . . . . . . 65 Michael Van Patten
UNIT 2
TECHNOLOGY. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
8
Communication Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Denise M. Jones
9
Virtual Private Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Matthew Wallace and James S. Tiller
10
Overview of Traditional Carrier Virtual Private Networks . . . . 95 Nathan J. Muller and James S. Tiller
11
VPN Design Approaches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 Gilbert Held and James S. Tiller
12
Wireless Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 Andres Llana, Jr.
13
Wireless Application Protocol (WAP). . . . . . . . . . . . . . . . . . . . 137 Mahesh S. Raisinghani and Carlson Colomb vii
AU1253_FM_Frame Page viii Wednesday, November 6, 2002 7:11 AM
Contents 14
Choosing a Remote Access Strategy . . . . . . . . . . . . . . . . . . . . . 157 John R. Vacca
UNIT 3
SECURITY. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
15
An Introduction to Secure Remote Access . . . . . . . . . . . . . . . 165 Christina M. Bird
16
Centralized Authentication Services . . . . . . . . . . . . . . . . . . . . 183 Bill Stackpole
17
Remote Access Authentication . . . . . . . . . . . . . . . . . . . . . . . . . 201 Ellen Bonsall
18
Security Risks in Telecommuting . . . . . . . . . . . . . . . . . . . . . . . 213 Pirkka Palomaki
19
Secure External Network Communications. . . . . . . . . . . . . . . 221 John R. Vacca
20
Dial-Up Security Controls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 Alan Berman and Jeffrey L. Ott
21
Top 10 Dial-In Security Mistakes . . . . . . . . . . . . . . . . . . . . . . . . 245 Heather Smartt
22
Virtual Private Network Security . . . . . . . . . . . . . . . . . . . . . . . 251 John R. Vacca
23
VPNs: Secure Remote Access over the Internet . . . . . . . . . . . 269 John R. Vacca
24
Wireless Internet Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283 Dennis Seymour Lee
UNIT 4
MANAGEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
25
Telecommuting: Issues for the IS Manager . . . . . . . . . . . . . . . 307 Sheila M. Jacobs and Mary Van Sell
26
Evaluating Organizational Readiness for Telecommuting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315 Nancy Blumenstalk Mingus
27
Supporting Telework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 Heikki Topi
28
Assuming Command of Your Network . . . . . . . . . . . . . . . . . . . 333 David A. Zimmer and Andres Llana, Jr.
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353 viii
AU1253_FM_Frame Page ix Wednesday, November 6, 2002 7:11 AM
Introduction The complete book of remote access. How does one compile a book that covers all of remote access? That is a daunting task. Currently, there are many books that cover the topic of remote access. Most of these books are Cisco specific, or only explain how to configure certain scenarios. To my knowledge, there are no books out there that actually cover all the relevant information needed to make decisions about what options exist and which solutions are right for you. This book hopes to fill that gap — the information gap that surrounds most technical books. The first section of the book presents a starting place and defines remote access. There are many different uses for remote access; this section presents an introduction to each one and shows how each would be used. The second section covers the technologies available to implement the different uses for remote access. It used to be that the only options were slow dial-up modem banks or expensive leased-line circuits. Today there are many options from dial-up to ISDN to high-speed access such as xDSL and cable modems. These higher speed, low-cost alternatives to leased lines have empowered the industry to provide many more access solutions. Of course, with all these new technologies comes the ever-present risk of attack. Issues regarding the security of a remote access solution are presented in all sections to some degree, but this third section focuses specifically on security. With any solution it is important to protect both endpoints of a solution, not just the primary corporate site. Finally, another issue arises with any remote access solution — how to manage it. Every vendor of remote access solutions has some product that is available to manage a solution, but that only deals with the hardware issues; there are many other management issues.
ix
AU1253_FM_Frame Page x Wednesday, November 6, 2002 7:11 AM
AU1253_FM_Frame Page xi Wednesday, November 6, 2002 7:11 AM
About the Editor Victor Kasacavage is a Senior Network Systems Consultant for International Network Services (INS) in their Philadelphia, Pennsylvania office. He has enjoyed a 12-year career in the computer networking industry and is a Cisco Certified Internetwork Expert (CCIE #6012). His background encompasses a diverse range of projects with an emphasis on planning, design, implementation, and optimization of data networks with a business solutions focus.
xi
AU1253_FM_Frame Page xii Wednesday, November 6, 2002 7:11 AM
AU1253_ch01_Frame Page 1 Saturday, October 26, 2002 4:18 PM
Unit 1
Introduction to Remote Access
AU1253_ch01_Frame Page 2 Saturday, October 26, 2002 4:18 PM
AU1253_ch01_Frame Page 3 Saturday, October 26, 2002 4:18 PM
Chapter 1
Fundamentals of Remote Access David A. Zimmer Naaman Mustafa Thomas R. Peltier
In the 1970s, remote access computing meant dumb terminals, 300-baud modems, and host mainframe computers. Today, however, remote access computing means high-performance workstations, cable modems, xDSL, high-speed modems, Integrated Services Digital Networks (ISDN) terminal adapters, and sophisticated servers. This book attempts to give an overview of today’s remote access computing and highlight the issues surrounding this technology. To many, telecommuting represents the state of the art for working environments. To others, it represents a method of working that has been sufficient for years. Both perceptions are correct. Telecommuting is a combination of new techniques, aided by advances in technology, work philosophies, the growth of the Information Age, and the tried-andtrue techniques. About 100 years ago, during the Industrial Revolution, work styles changed from an agrarian-based culture, in which the workers lived and worked in the same location, to an industrial society, in which jobs were located at a central site independent of where the worker lived. Because today’s information-based businesses do not require a centralized location to be accomplished, society is reverting to a form in which the work can be located with the worker. Many factors are driving this realization. The advances in computers and technologies permit people to carry tremendous computer power and large quantities of information with them. The telecommunication advances permit transmission of other information from remote computers halfway around the world in a matter of minutes. Various factors are adding weight to the momentum toward telecommuting. Government directives, through various legislative acts, for 0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
3
AU1253_ch01_Frame Page 4 Saturday, October 26, 2002 4:18 PM
INTRODUCTION TO REMOTE ACCESS higher-quality air, are requiring companies to reduce employee travel. Employee retention and recruitment at minimal costs nudge companies to consider alternate forms of employment. Employees’ desires for better family relations and improved quality of life push them toward telecommuting. There is also the need to support the mobile workforce, the traveling executives, sales force, and other workers who are not located in a traditional office building. OVERVIEW Telecommuting, for the purposes of this book, is defined as “the practice of an employee performing his or her normal duties from a remote location, typically home, on a full- or part-time basis.” The definition distinguishes between the person who takes work home for an evening or opts to work from home on a particular day and the person who follows a schedule of working in the main office certain times and from home or remote location on other days. The formalization of the work location schedule becomes an agreement between employee and employer. Company policies cover insurance policies, working relationships, employee and employer responsibilities, and office setup. Although the term telecommute is beginning to be used casually to describe the occasional home session, telecommuting actually requires a formal agreement between employer and employee. Company policy statements must consider which party will supply the equipment to be used (e.g., computer, fax machines, copiers, and extra phone lines), who will pay the recurring expenses (e.g., additional electric bills, higher or additional phone bills, such special requirements as ISDN or other broadband lines), who will handle equipment protection (e.g., company equipment policy or a rider on the homeowner policy if located in a home office), and other issues, such as injury protection, work hours and schedules, and job responsibilities and milestones. Remote access is the ability to connect and gain access to internal network resources that are physically disbursed. Typically, this means that a workstation equipped with remote access software will give authorized users at the remote site access to dial in over a phone, ISDN line, or broadband access to read e-mail, troubleshoot problems, run applications, and transfer files to and from the corporate computers. There are many things that the reader needs to be aware of relative to remote access solutions. The following sections examine them. Who Uses Remote Access? The current number one user of remote access is the telecommuter, the newest in a number of traditional users. The mainstay of the remote access usage has always been the traveling workforce, either sales and marketing 4
AU1253_ch01_Frame Page 5 Saturday, October 26, 2002 4:18 PM
Fundamentals of Remote Access personnel or field technicians and service representatives. For many years, the applications development support personnel and systems support employees have had remote access to the systems to solve problems that may occur during off-shift operations. Several types of users within and outside an organization may benefit from an integrated network and the level and type of information available on it. Among these users are: • • • • • • • •
Employees at remote sites Mobile employees Telecommuters Contractors Alliance partners Customers Suppliers Channel partners
Why Organizations Need Remote Access With the advent of the Internet, intranet, telecommuting, e-mail, and voice mail, we have come to expect that we can have ready access to any data warehouse that will make users more productive, entertain, or make our lives more productive. It is estimated that many large corporations are spending between $500,000 to over $1,000,000 per year to support remote access for their employees. This does not include the costs for the laptops that are used in the office as well as on the road. It is directed only toward server hardware, software, supporting equipment, and various access lines. Remote access computing helps businesses comply with the Clean Air Act by reducing travel to work. It also helps businesses comply with other legislation like the Family Leave Act, which allows employees to spend time away from the office to be with a newborn child or for family medical emergencies. Service technicians who are on the road need office connectivity to get assignments, order parts, and send billing information. Small branch offices need access to the information from the corporate systems and may not need their own processor. For many organizations, remote access is a cost-effective replacement for additional hardware. Busy executives need connectivity to work from home or on the road. Successful telecommuting programs require reliable connectivity to the corporate network. Coupled with reliable access is the ability to remotely troubleshoot and fix applications and system problems. An effective telecommuting program incorporates all elements found in the workplace and moves them out to the remote access user. 5
AU1253_ch01_Frame Page 6 Saturday, October 26, 2002 4:18 PM
INTRODUCTION TO REMOTE ACCESS BENEFITS OF REMOTE ACCESS Telecommuting pilots show the productivity of employees working at any hour of the day or night actually increased by 10 to 30 percent. To test this statistic, when working on a specific item, log the number of interruptions received every hour. Count the telephone calls, the visitors to the office, and the times stopped for other matters and conversation. Employees working at home are less likely to take time off if they are sick or have a cold or minor aches and pains. They can also adjust their work schedules to meet necessary appointments. Telecommuting can reduce the stress of commuting, eliminate interruptions and frustrations at the office, and give workers more time with their families. It can help businesses cut costs by reducing office space requirements. A number of companies, including many of the Big 5 accounting firms, have introduced the concept of “hoteling.” Employees are not assigned specific office space, but are registered daily and given available space. Employees who have instant access to information from anywhere at anytime can provide customers with the best possible service. The technical staff is no longer required to travel to the office to troubleshoot an application problem. These benefits can give a business a decisive advantage in its ability to hire and keep employees as well as improve customer satisfaction. Remote users need the applications they have become accustomed to using in the office, including checking and exchanging e-mail, accessing host computers, uploading and downloading files, and accessing corporate databases and corporate applications. Remote users can either dial in to their Internet service provider or connect to their corporate networks to gain access to all Internet services. Telecommuting affects the telecommuter, the manager, the company, and the environment. A properly planned telecommuting program can maximize the benefits for each while minimizing any disadvantages. In post-mortem studies conducted concerning successful programs versus those that failed, the key ingredient was found to be sufficient planning before instituting telecommuting. Although employees may have been working from home on occasion, formalizing the process protected each party and set the proper expectations. The first step of the planning process is understanding the benefits and disadvantages of telecommuting. Identifying each facilitates proper guidelines and procedures. Telecommuting involves individual employees and companies. Thus, each telecommuting program is unique because of company culture, type of business, work tasks to be performed, and many other factors. The following benefits and disadvantages are based on 6
AU1253_ch01_Frame Page 7 Saturday, October 26, 2002 4:18 PM
Fundamentals of Remote Access general findings from other telecommuting programs. Specific programs may or may not experience all advantages or disadvantages. EMPLOYEE BENEFITS Telecommuters benefit from a telecommuting program in many ways. These benefits are stated as reasons for establishing the arrangement. The benefits are not always quantifiable and may be an emotional, “feel better” reasoning; studies have shown positive results in employee moral, work productivity, and overall quality. Lower Commuting Time. This is an obvious benefit. Studies have shown that the average worker spends at least one hour commuting one way each day for an average total of two hours per day. If there are approximately 250 work days per year, the average worker spends 500 hours, or 12.5 work weeks in transit annually. If half of those hours were eliminated by telecommuting, the employee could work an additional six weeks per year. Studies have shown that telecommuters typically work the hours at home that would have been spent commuting.
Besides the benefit of additional work time, the telecommuter benefits from less wear and tear on the automobile, lower monthly gasoline costs, lower insurance costs, less chance of accidents, and cleaner air. The telecommuter misses the daily stress-filled grind of the commute and, therefore, can enter the workday more relaxed. Other studies have shown that a more relaxed person is more productive and works better. The benefits to the individual telecommuter vary depending on the amount of time telecommuting and the distance traveled. The measurements for these benefits are both tangible and intangible: lower commuting expenses, greater available work time, and an overall feeling of less stress. Family Focus. For many commuters, the normal eight-hour workday typically turns into twelve hours away from home and family. After the commute time, sitting in traffic, and extra hours at the office, the working person cannot spend as much time with the family as desired. Also, the workday is scheduled during the “activity hours” of the family, so that, by the time the commuter arrives home, the children are off to bed and the spouse is too tired to appreciate any quality time.
As early as 1977, 38 percent of working men and 43 percent of working women reported trouble with work and home conflicts. Flexible work schedules help people manage their family and work lives. Telecommuting permits the person to eliminate the extra hours commuting, shift work schedule around family time such as when the children return from school or the other spouse returns from work, and enjoy quality time with the family when it is most appropriate. The increased family cohesiveness and morale is the measurable factor of this benefit. 7
AU1253_ch01_Frame Page 8 Saturday, October 26, 2002 4:18 PM
INTRODUCTION TO REMOTE ACCESS Sense of Control and Freedom. Many telecommuters report the feeling of a sense of control over their time. Rather than being interrupted by impromptu meetings and frequent phone calls, the telecommuter controls his or her work schedule. The telecommuter determines the start and stop times, whether the work period is one contiguous time block or split among various blocks of the day, and whether to start in the early morning or work well into the night.
Scientists have studied the circadian rhythm — the natural activity cycle lasting 24 hours — of individuals and have found that not all humans work most effectively between 9:00 a.m. and 5:00 p.m. Energy levels rise and fall according to this rhythm. For some, the best or highest level of energy is during the morning hours. For others it is during the afternoon, and still others have the most energy during evening hours. The telecommuter can take advantage of the natural rhythm to be most productive. Productivity literature suggests that workers determine their times of highest energy, tackle the toughest part of their jobs during those times, and use the lower energy times for mundane, lower activity tasks. The telecommuter obtains a greater sense of freedom because he or she is not under the scrutiny of the manager. While at work, a worker is less likely to run an errand in the middle of the day, although that may be the only time possible to do the errand. While the worker is running the errand, he or she has a sense of urgency and stress to return to the workplace as quickly as possible. The telecommuter’s schedule is flexible and can accommodate the errand run without the added stress. For example, a trip to the automobile registration office (always stressful, regardless) can be completed without the added pressure of having to return to the office on a schedule. The sense of control and freedom provides the telecommuter with a sense of being a trusted and valued employee. No longer is the manager watching over the employee to make sure the work is accomplished. The work program is switched from a time-based measurement (e.g., the worker has spent 40 hours in the office this week; therefore, the work requirement has been met) to a project/task-based measurement (e.g., project A was finished within the deadline). The telecommuter gains an additional advantage with a project-based work schedule. The project has been broken into milestones to be met with the requisite reviews. As each milestone is met, the telecommuter sees the progression to the ultimate goal: the completed project. Meeting the milestones provides the telecommuter with a feeling of satisfaction and accomplishment. It is puzzling that administrators have not switched to this style of management, even for those who work in the office. Control Over Communications. Telecommuters gain control over their communications. Because of modern technology, telecommuters select the 8
AU1253_ch01_Frame Page 9 Saturday, October 26, 2002 4:18 PM
Fundamentals of Remote Access time and style of communicating. Voice mail and e-mail communications can be affected during the telecommuters’ working schedules, which may be different from the schedules of other workers, who typically work more regular 9 to 5 schedules. The ability to retrieve and process e-mail from any place at any time lets the telecommuter maintain productivity. By attaching spreadsheets, word processing documents, and reports, they can be as effective as office-bound colleagues. The flexibility of today’s LAN-based email systems lets the telecommuter work in a remote or mobile mode. Essentially, remote mode means that the person need not be connected to the LAN server continuously but can work offline preparing, replying to, and otherwise processing messages. Voice mail is very similar to e-mail. The remote worker can access the voice mail system either at the office via phone or via call forwarding to the home line. If the message is stored on the office voice mail system, the person can reply to the messages, send new ones, and forward others as if in the office. Because the voice system is employing messaging, the recipient need not be there to receive the message and can process it at his or her convenience. The time-shifting ability of messaging permits the telecommuter to respond to others at his or her convenience rather than always being “on call.” Fewer Interruptions. Telecommuters suffer fewer interruptions to work flow than do commuters. Fewer people are around to cause interruptions, such as casual conversations in halls and offices. Although the telecommuter can be interrupted by the occasional telephone ringing at home, the number of calls is usually diminished. The telecommuter gains greater spans of time that can be devoted to concentration. As a result, critical idea development is not hindered and can be thought through to completion. Groupware. The telecommuter may be out of colleagues’ sight, but they need not be out of their reach. Work flow and other groupware products permit the remote worker to participate. Using the e-mail infrastructure for information transport, the work flow software passes tasks to the telecommuter. After completing the tasks, the worker presses the “send” button, directing the software to wrap the results, and places it into the e-mail stream. Calendars and schedules can be synchronized in similar fashions. Changes to calendars, requests for meeting rooms and other equipment, and searching for free time can result in a message sent via e-mail. As a result, the telecommuter can be scheduled for meetings just as any officebound colleague. Ad hoc or “spur-of-the-moment” meetings can accommodate telecommuters through audio- or video-conferencing. Because the telecommuter can be so well connected through the various communication technologies, he or she remains in the communication loops that are necessary to stay productive. 9
AU1253_ch01_Frame Page 10 Saturday, October 26, 2002 4:18 PM
INTRODUCTION TO REMOTE ACCESS MANAGERS’ AND EMPLOYERS’ BENEFITS Just as the telecommuter benefits from telecommuting, the manager gains by having clearly defined projects, established milestones, and set work expectations. Employee Recruiting. Employees’ focuses have changed from a “Whatever is good for the company is good for me” mentality to one of “Whatever is good for me is good for the company.” Employees with outstanding reputations and excellent skill sets may be recruited by a company, but the employee may not want to move to the company’s location. Rather than lose the recruit’s skills, companies have begun to offer telecommuting as a benefit. The employee would work from home with regularly planned visits to the company site. Companies have seen this arrangement work successfully with consultants and so have instituted it with employees as well. Employee Retention. As the adage goes, “Good workers are hard to come by.” Managers find it hard to assemble teams of quality workers to meet project objectives. Several factors make it difficult to keep such a team together once it has been developed. The dual-income family causes a team member to move because the spouse’s job changed. The introduction of a child into a family causes shifts in work patterns to either part-time or flextime. Company location moves may require employees moving, which could result in some employees staying behind. Regardless of the reason, the manager may continue to keep the group together by instituting telecommuting. Increased Documented Communications. Because the opportunity for meeting face-to-face with a telecommuter is less, managers must use other forms of communication. In many cases, the manager will use e-mail. Its use provides a history trail of directives, discussions, and other information flow. The documented nature helps in clarity of ideas, lowers miscommunications, and aids in settling any disputes. Productivity. Managers shift from time-based management to projectbased management. Rather than counting the hours employees are present, the manager can more easily see the progress toward completion dates by seeing the milestones that are or are not met. Adjustments to work projects can be done sooner, keeping the project more on track. As a result, more projects are completed on time, more planning and handling of issues are done proactively, and less “fire fighting” or crisis management needs to be performed. Overall, the group’s productivity increases. Lower Absenteeism. Managers have reported that sick days taken by telecommuters are lower than the number taken by commuting employees. Several hypotheses have been proposed to explain this phenomenon. Some thoughts include less stress, less contact with infectious people, and the fact that work time is broken into short periods during rehabilitative times. Another reason is that some people work at home even when not 10
AU1253_ch01_Frame Page 11 Saturday, October 26, 2002 4:18 PM
Fundamentals of Remote Access feeling their best but when they otherwise would not have gone to work that day because of the illness. Clean Air and Environmental Regulations. Companies are being forced to meet certain regulatory guidelines in order to positively affect the environment. The automobile, especially the idling car stuck in traffic, has become the number one cause of pollution today. By eliminating the need for cars, pollution should decrease. Office Space Reduction. Companies are lowering their need for office space by instituting telecommuting. The telecommuting employee may work from home either full time or part time. If the employee works from home full time, the company would no longer need to supply office space for that employee. In those cases, the company might reserve some office space for those times when a telecommuting employee reports to the office.
Other companies employ hoteling, a program of sharing office spaces and desks between employees for part-time telecommuters. Two part-time telecommuters might share the same desk on opposite days. For example, one telecommuter might use the desk Mondays and Wednesdays, while the other telecommuter uses the desk Tuesdays and Thursdays. Friday is left open for the times when one of them needs to report to the office for an extra day. Each telecommuter is responsible for clearing the office of personal items at the end of the work day. SUMMARY Telecommuting provides many benefits to the telecommuter and his or her organization. Aside from enjoying shortened commute times, the telecommuter is free to structure his or her day according to peak work hours. The lowered stress levels and fewer interruptions increase the worker’s productivity. The less formal surroundings put the worker at ease. Managers benefit because work objectives are stated as milestones rather than time estimates. The communications between manager and employee are more formal because face-to-face meetings happen less frequently. The clearer communication channels help all aspects of projects. Telecommuting is heavily dependent on communication with others. The technologies available today permit people to work in remote locations without losing contact. Voice mail, fax, e-mail, and pagers keep people constantly in tune with events happening elsewhere. Electronic online services make information gathering easier. E-mail provides the highway to transport the information. Because communication is the lifeblood of the telecommuter, the enterprise infrastructure must be engineered to meet the needs of the telecommuter. Voice mail should be flexible enough to forward calls and messages to the telecommuter’s home. E-mail should 11
AU1253_ch01_Frame Page 12 Saturday, October 26, 2002 4:18 PM
INTRODUCTION TO REMOTE ACCESS have a remote or mobile mode so that continuous connections to the office local area network are not required. Connection mediums may range from analog, dial-up lines to ISDN or direct connections, depending on work requirements. Telecommuting as a practice is growing at a rapid rate. It may become the office of the future. For those experiencing and enjoying telecommuting, it is the most desirable solution.
12
AU1253_ch02_Frame Page 13 Saturday, October 26, 2002 4:19 PM
Chapter 2
Designing a Remote Access Solution Naaman Mustafa Thomas R. Peltier
Obviously, providing a remote access solution has many benefits for the employer as well as the employee. The problem most companies run into when deploying a remote access solution is the lack of planning — not technical planning but business planning. Many companies just charge ahead with a technological solution without looking at what their employees really need in a solution and how to best accommodate those needs. DEFINING REQUIREMENTS The most common cause of a failed solution is the lack of defined requirements. It may be possible to develop a remote access solution, deploy it, and have the users of the system sing praises to the IT department that brought them such a wonderful solution — but the chances of success are slim unless the users are involved in the process from the start. The first step in developing a remote access solution is gathering the requirements the system must meet in order to be successful. Without this step, how will the success or failure of the project be measured? This is also a great time to get the user population involved in the process. Keeping the users involved provides a sense that their needs are being listened to and met and will make the whole process work more smoothly. Breaking down users into functional groups will provide a framework for defining the requirements of each group. Each group of users may have different requirements for a remote access solution. For instance, Sales and Marketing will need access to e-mail, internal product information, and product ordering information. Senior executives may only need
0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
13
AU1253_ch02_Frame Page 14 Saturday, October 26, 2002 4:19 PM
INTRODUCTION TO REMOTE ACCESS access to e-mail and calendaring functions, while IT staff may need access to everything. Once the needs of each group have been defined, a complete list of systems and applications that each group needs to access should be compiled. From here, we can look at the various solutions to provide access to these systems and applications. Generally, there is not a single solution that will fit all needs, and a combination of systems must be deployed to meet the stated requirements. An effective way of keeping track of these requirements is to build a chart outlining the business, functional, and technical requirements of each group. First, start by interviewing the groups and gathering information about what they need to do their jobs; the information obtained will be the business requirements (i.e., this is what is needed to make the business end run). These requirements should look similar to “Our group needs to be able to enter new customer orders and track them through to completion.” From these business requirements, a set of functional requirements can be constructed. For example, being able to enter new customer orders defined as a functional requirement could mean “Access to order entry system on server ORDENT.” After compiling the functional requirements, it is time to tackle the technical requirements. It is the technical requirements that will define a useful and secure remote access solution. The technical requirement for the previous example could look like “TCP/IP access to server ORDENT must allow TCP ports 1100–1110 for users from the Sales and Marketing groups.” From this statement we can see if any firewall changes are needed, determine access control policies, and define who is allowed to access these systems. Only now are we ready to start designing a solution, but first we need to know what options are available to the designer. CONNECTIVITY OPTIONS Today there are a variety of connectivity options that need to be considered when designing a remote access solution. These options range from the ancient and slow dial-up modem lines to high-speed asymmetric digital subscriber line (ADSL) and cable modems. All of these means of access fit specific needs and should have a place in a comprehensive solution. Analog connections are provided through dial-up phone lines and are the most common connections for remote access to local area networks (LANs), wide area networks (WANs), and the Internet. Analog lines can carry digital data traffic at speeds up to 56 kbps. On the positive side, this kind of connection is inexpensive and easy to set up. On the negative side, it is relatively slow. 14
AU1253_ch02_Frame Page 15 Saturday, October 26, 2002 4:19 PM
Designing a Remote Access Solution ISDN supports video, audio, voice, and data over a single connection. It comes in various sizes; the more common end-user option is called Basic Rate Interface (BRI) and has two 64 kbps B (Bearer) channels and one 16 kbps D (Data or Delta) channel. Some access equipment allows users to combine the two B channels to achieve 128 kbps throughput. This form of connection is normally used to connect homes, schools, and small businesses. It is high speed and relatively low cost compared to leased services, but it is not available everywhere; and it is billed on a usage-based system so heavy users may incur large expenses. Switched 56 allows digital calls to be placed on demand between various locations and provides connections at 56 kbps. This form of connection is usually available where ISDN is not; however, the big negative to switched 56 is its cost. Leased services are permanent high-speed connections that provide various bandwidths: 56 kbps; Fractional T-1, 64k bps; T-1, 1.544 Mbps; and T-3, 45 Mbps. Leased services are commonly used to connect various enterprise network sites and small branch offices to large regional offices. These are premier services and are extremely expensive, and the cost is distance sensitive. Frame relay, a method for sending packets over private and public networks, provides bandwidths of 32 kbps to up to 45 Mbps. Frame relay is used to connect branch offices and remote facilities to the enterprise network. These services are generally less expensive than leased-line services and are more flexible in their sizing and billing arrangements. ADSL is a technology that was driven by the telephone companies to compete with the cable industry to provide video services. It offers downstream speeds of up to 6 Mbps and upstream rates of up to 640 kbps. This service provides high-speed Internet access at low costs, but it is not available everywhere; and significant technological hurdles exist with regard to deployment in some areas. Cable modem services have entered the picture with the advent of digital cable. The service can be provided directly over the existing cable infrastructure and offers speeds comparable to ADSL. This service provides high-speed Internet access and is generally available wherever digital cable television is offered. REMOTE ACCESS METHODS Several remote access methods are available today. The predominant methods are terminal servers, application specific, remote control, remote node, and a combination of several of these methods. Each of these methods differs significantly from the others and offers certain advantages that lend themselves to certain applications. 15
AU1253_ch02_Frame Page 16 Saturday, October 26, 2002 4:19 PM
INTRODUCTION TO REMOTE ACCESS
Exhibit 1.
Remote Access Methods: Terminal Servers
Using e-mail no longer constitutes complete access for the remote user. Today’s typical remote user may be in a hotel room across the continent and needs to update a spreadsheet that is stored on a file server or needs to extract some sales figures from a corporate database. Which of the remote access methods would help accomplish these goals? The following subsections examine these access methods and discuss the pros and cons of each. Terminal Servers Terminal servers provide remote network connections for remote users who need to access multi-user systems like UNIX, DEC VAX, and mainframes (see Exhibit 1). A terminal server is a device that connects to a network and has one or more RS-232 serial ports. Users connected to one of the serial ports become a terminal on the network. A modem pool can ‘front end’ the terminal server to allow many users to access the terminal server and, therefore, the network at the same time. Terminal servers support a limited suite of protocols, namely Telnet. Remote users require a dumb terminal, like VT100, or workstations with Terminal Emulation software. Security is a great concern with terminal servers. Because these devices are on the corporate network and have access to the outside world via modem banks, strong authentication is necessary. Strong authentication means more than just the traditional user ID and password. If these techniques are used, it is recommended that they be supplemented with another layer of security such as callback or some form of token ID. Although this method does not support a multitude of protocols, it still represents a gateway to the corporate network. A hacker with a dumb terminal, who breaks in through the terminal server security, will most likely be able to break into one of the corporate computer systems and possibly gain superuser privileges. 16
AU1253_ch02_Frame Page 17 Saturday, October 26, 2002 4:19 PM
Designing a Remote Access Solution
Exhibit 2.
Remote Access Methods: Dedicated Application
Pros: • Easy to manage • Inexpensive — emulation software is available on most desktops Cons: • Does not support graphic user interface (GUI) • No access to LAN resources Security issues: • Requires strong authentication Dedicated Application With this method of remote access, the user connects to an application running on a server on the network (see Exhibit 2). The remote workstation is equipped with the application communication software that allows users to dial into the application server and gain access to the application. Most e-mail systems and database management products come equipped with dedicated dial-in capabilities. The problem with dedicated application access is precisely that it is dedicated. Users do not gain access to any network resources other than those provided by the specific application. If users want to do anything else on the network, they will have to hang up and dial in again. Security is dependent on the application, and not all applications implement security equally well. Pros: • Generally easy to set up 17
AU1253_ch02_Frame Page 18 Saturday, October 26, 2002 4:19 PM
INTRODUCTION TO REMOTE ACCESS
Exhibit 3.
Remote Access Methods: Remote Control
Cons: • Allows access to one application only • Requires a dedicated server • Requires a separate client on remote workstation Security issues: • Difficult to integrate with site security REMOTE CONTROL This technology allows a user to connect to a workstation on the corporate network and control the workstation from a remote location, such as home or a hotel (see Exhibit 3). The office workstation is typically called the host and the off-site machine the remote. Applications are executed on the host workstation; only keyboard, mouse, and screen information are transferred between the remote and host workstation. The remote communication is accomplished through two software components: a viewer running on the remote machine and a host running on the office machine. Remote control access provides remote users with access to the network resources in exactly the same way they access the resources at the office. In this environment, each workstation is set up with its own dial-in port, making it difficult to manage in a centralized way. This method of access poses several security challenges. Without special precautions, anyone at the office can view the screens on the host computer or interfere with the running of the application if the screen is not blanked out and the keyboard is not disabled. One of the major drawbacks of this method is that the modem that is attached to the host system must be left in autoanswer mode. This will represent an additional gateway to the network, which can be targeted and exploited by hackers. 18
AU1253_ch02_Frame Page 19 Saturday, October 26, 2002 4:19 PM
Designing a Remote Access Solution Because the software is installed and managed (most likely by the user) on the host machine, it is impossible to enforce security policies in a consistent manner. Additionally, if the user disconnects without logging out of the system, the next dial-in user can effectively appropriate the previous user log-in status. Pros: • Good when executables cannot reside on remote workstations • Provides transparency of access Cons: • Inefficient; requires dedicated workstation, modem, and phone line for each user • Difficult to manage • Not suited for graphic-intensive applications Security issues: • • • •
Sensitive information may be displayed on host screen Anyone can interfere with host keyboard Modem on host must be left in auto-answer mode Impossible to enforce policies
REMOTE NODE With this method, the remote user connects from a workstation or laptop and accesses the network through a remote access server, as if the remote computer was a local workstation on the network (see Exhibit 4). Users can communicate with the network using protocols such as TCP/IP, IPX, AppleTalk, etc., and have access to the network resources such as file servers, hosts, and printers.
Exhibit 4.
Remote Access Methods: Remote Node 19
AU1253_ch02_Frame Page 20 Saturday, October 26, 2002 4:19 PM
INTRODUCTION TO REMOTE ACCESS Remote node access is the most natural form of all remote access methods and is the preferred technique for a wide variety of applications. Client/server applications can be a good fit for remote node, especially if the traffic generated across the link is minimal. When using remote node, application clients must be installed, maintained, and run on the remote workstation. All network traffic is passed through the link to the remote workstation. The link can range from a phone line, ISDN, ADSL, or cable modem. Because communication over these remote links may be slower than when physically connected to the network, performance of applications generating high-volume traffic may suffer greatly depending on the access method. Pros: • • • •
Can support access to many platforms Provides true extension of the network Good for remote users who do not have office workstations Provides access to all network resources
Cons: • Clients must be installed and maintained on remote workstations • Not well suited for data-intensive applications Security issues: • Requires strong authentication REMOTE CONTROL OVER REMOTE ACCESS In the remote control over remote node method, the remote user first establishes a remote node connection to the network through a remote access server as described previously (see Exhibit 5). Once connected, the
Exhibit 5. 20
Remote Access Methods: Remote Control over Remote Node
AU1253_ch02_Frame Page 21 Saturday, October 26, 2002 4:19 PM
Designing a Remote Access Solution remote user initiates the remote control program to take over a machine on the network that is running the remote control host software. With this method, remote access administrators only have to manage one centralized gateway rather than multiple distributed workstations. By consolidating access points into a single gateway, these resources become shared. Network integrity can be maintained by providing an appropriate level of security on the remote access server. Most remote access servers provide several levels of security and can work in conjunction with thirdparty security and authentication devices. All accesses through the remote access server are centrally logged. Pros: • Manageable; centralized management • Efficient; shared resources (modems and phone lines) • Can be integrated with third-party authentication Cons: • Not suitable for graphic-intensive applications Security issues: • Host screen should be blanked out • Host keyboard should be disabled INTEGRATED SOLUTION This method incorporates a combination of the previous methods such as remote node, remote control, and terminal servers, in one box (see Exhibit 6). The remote user can then access a wide variety of client/server, conventional, and legacy applications.
Exhibit 6.
Remote Access Methods: Integrated Solution 21
AU1253_ch02_Frame Page 22 Saturday, October 26, 2002 4:19 PM
INTRODUCTION TO REMOTE ACCESS Administrators can configure applications to run locally on the network or remotely on the client. Remote users can transparently launch multiple applications, running both locally and remotely. They can also switch between methods without having to worry about where and how the applications run. With this approach, remote access user operation is easy; once the user is set up as a remote user, he or she should be able to connect to, select, and launch the applications without having to worry about what method (remote control, remote node, or terminal server) is used. Pros: • One interface to access all network resources • Well suited for environments requiring host, file servers, and corporate applications access • Centralized management Cons: • Difficult to set up Security issues: • Requires a strong authentication INTERNET-BASED REMOTE ACCESS Currently, most corporate remote access is done by dialing directly into a corporate remote access server (see Exhibit 7). This creates a huge long-distance expense, particularly for a high number of users. Some organizations, however, are taking advantage of their existing connection to the Internet and allowing remote users and branch offices to remotely access the corporate network over the Internet. The remote users simply dial into their local Internet service provider (ISP) and initiate a connection to their corporate network.
Exhibit 7. 22
Internet-Based Remote Access
AU1253_ch02_Frame Page 23 Saturday, October 26, 2002 4:19 PM
Designing a Remote Access Solution
Exhibit 8.
Internet-Based Remote Access: Issues/Solutions
Internet-Based Remote Access Issues/Solutions Organizations planning to allow their users to access the network over the Internet must be prepared to deal with several challenges before allowing this type of access (see Exhibit 8). The two major challenges are: 1. Protecting the network against unauthorized or unwanted access. Firewalls are commonly used to authenticate legitimate Internet users. A strong authentication mechanism should be used in this case. Traditional passwords can be easily sniffed off the Internet and used to penetrate the corporate network. Address filtering is not effective because most ISPs assign dynamic addresses to their subscribers. Even with static IP addresses, IP spoofing is a scheme that is commonly used by hackers to attack and penetrate networks protected by a packet filtering routers or firewalls. 2. Guaranteeing the integrity and confidentiality of the information being sent over the Internet. Encryption is the only means available today that enables information to be securely transmitted from one computer to another over a public network. Encryption of data over public networks is implemented through a mechanism called tunneling. Tunneling works as follows: packets are encrypted, wrapped with another IP header, and then sent over the Internet. The receiving end unwraps and decrypts the packets to yield the original IP packet and sends it to its final destination. Many firewall vendors are offering firewall-tofirewall or a client-to-firewall encryption (or tunneling) solution. Most firewall vendors are using encryption methods that are Internet Protocol Security (IPSec) compliant, which enables their firewall to communicate with any other firewall that is IPSec compliant. There are other tunneling solutions that use tunnel end-point servers (sometimes referred to as crypto servers), which create virtual private tunnels between the remote location and the enterprise network, protecting data transmitted across the public Internet (see Exhibit 9). These solutions 23
AU1253_ch02_Frame Page 24 Saturday, October 26, 2002 4:19 PM
INTRODUCTION TO REMOTE ACCESS
Exhibit 9.
Issues/ Solutions: Private Tunnels or Sleeves
also offer clients that can be installed on home workstations or laptops and allow users to securely access the corporate network from remote locations. The Internet provides us the ability to log on to the Internet from a local ISP in the user’s local area and then gain access to the company data via the Internet. This obviously saves long-distance access charges, but can expose company proprietary information to the world if a solution is not designed carefully. Internet access adds an alternate method to gain access. Security The best security you can have for your system is a well-thought-out security policy procedure that is consistently enforced. The proper setup and deployment of passwords should ensure that they expire after a period of time, and certain secure log-off procedures should be enforced. These measures are all part of providing security to business-critical information. Remote Access Security: Goals When developing a security strategy for the enterprise remote access, it is important to remember that remote access security must be stronger than the general network security. Remote access provides a gateway to hackers and uninvited guests to probe and attack the network and poses special risks to an organization. Although security needs are different for every organization, remote access security should at least meet the following objectives: • Allow access to legitimate users only • Be easy to administer and flexible to meet the needs of all users • Be largely transparent to the user Remote Access Security: Basic Approaches There are three areas that need to be secured when implementing remote access security: 24
AU1253_ch02_Frame Page 25 Saturday, October 26, 2002 4:19 PM
Designing a Remote Access Solution 1. Positively authenticate the users to ensure that only authorized users get access to the network. 2. Protect communication links from eavesdroppers to preserve the integrity and confidentiality of transmitted data. 3. Protect the network resources from unauthorized access by restricting users to authorized access of the resources. Each of these three areas must be individually protected to secure the entire process, and each requires different techniques. User Authentication Passwords. Typically, a user is prompted for a username and a password to get connected to the network. However, password protection is very easy to defeat:
• Users choose obvious passwords. • Passwords can sometimes be discovered through social engineering. • Passwords are sometimes sent in the clear over a communication link. Point-to-Point Protocol (PPP)-based remote access has two password authentication techniques. 1. Password Authentication Protocol (PAP) — the user’s name and password are simply transmitted in the clear to the server, and the server verifies the information stored in its database. The password on the database is stored in encrypted format. 2. Challenge Handshake Authentication Protocol (CHAP) — the server sends the client a random key (the challenge). The client uses the challenge to encrypt the password supplied by the user and returns the encrypted password to the server. The server looks up the user name in the database to extract the corresponding password, encrypts it using the same key, and compares the results to the user’s response. The password is stored in plain text on the database. To provide a comfortable level of security, traditional passwords should only be used to authenticate users when complemented with other security methods like callback or caller ID. Callback. In this process, the users dial into the remote access server and authenticate with traditional usernames and passwords. The server automatically terminates the connection and calls the authenticated user back at a predetermined phone number. This method is reliable but does not address the needs of the mobile user. Caller ID. When an incoming call is received, the remote access server checks the phone number against an approved list. If the numbers match,
25
AU1253_ch02_Frame Page 26 Saturday, October 26, 2002 4:19 PM
INTRODUCTION TO REMOTE ACCESS the user gets connected to the network. This method is secure, but again does not address the mobile user’s needs. Dynamic Passwords. Here, the user carries and uses a password generator (smart card) along with a personal identification number (PIN) that is known only to the user and can be used to gain access to the network. This method enhances the user authentication possibility substantially, and it is difficult to defeat; however, it does require a third-party product and can be expensive. Biometrics. Biometric authentication systems use physical characteristics of an individual to authenticate the individual. This method is less mature than smart cards but has gained acceptance over the past few years.
Protecting Transmitted Data There has been a dramatic increase of new products designed to provide secure communications over public and private networks. These products let security administrators control access of remote users to the corporate network and allow users to secure the transfer of vital information over public networks. These products are based on end-to-end encryption between two firewalls, two crypto servers, a remote user and firewall, or a remote user and crypto server. Because firewall vendors have their own standard for firewall-to-firewall tunnels, implementations from different vendors traditionally have not been interoperable. Today, however, firewall vendors are supporting IPSec, a common standard that allows interoperation of firewall-to-firewall tunnels from different vendors. By definition, tunnels are established between trusted end systems, and packets are authenticated (initiated from a trusted system). Tunnel end-point servers or crypto servers allow organizations to create secure virtual private networks (VPNs) that link their headquarters with regional and branch offices. They can also be used to link their customers and vendors, thus permitting sensitive data to flow between trusted parties in total confidentiality. Crypto servers can be used in conjunction with any firewall. They usually come with packet filtering and are able to perform both user-based and address-based authentication. Firewall and crypto server vendors offer clients that run on remote laptops or workstations and allow users to create secure tunnels between the desktop and the corporate network over open networks like the Internet. Microsoft has developed Point-to-Point-Tunneling Protocol (PPTP), a new technology that supports VPNs and enables remote users to access the corporate network securely across the Internet. Another product, Layer 26
AU1253_ch02_Frame Page 27 Saturday, October 26, 2002 4:19 PM
Designing a Remote Access Solution Two Forwarding (L2F), created by Cisco Systems, is designed to tunnel protocols like PPP and Serial Line Internet Protocol (SLIP) over the Internet. Protecting Network Resources Every node on a network has an address (IP address). These addresses can be used to implement security measures to prevent unauthorized users from gaining access to the network and control access of authorized users to the various network resources. It works by programming into the central site access equipment or an attached router a list of remote node addresses that can connect to the network. For each node, access restrictions such as services that can be used and the destination addresses that can be accessed from the node can be included. Application-level firewalls provide enhanced packet filtering and better access control mechanisms to servers and applications. ADMINISTRATION SYSTEMS Managing remote access users in large organizations with multiple remote access systems requires a centralized administration system to store and maintain all relevant security and access parameters in one central location. There are two standards-based security administration systems that can be used to manage remote access security: 1. Terminal Access Concentrator Access Control Server (TACACS) — this is a simple query/response protocol that allows servers to obtain centrally maintained security information. 2. Remote Authentication Dial-In User Service (RADIUS) — this is a more robust system that allows remote access servers to obtain user profiles that include authentication and access restriction information. SERVER FEATURES When evaluating remote access security server features, it is important to ensure that the server has the ability to provide audit trails or some reporting facility. After performing a risk analysis to ensure that the established controls meet an organization’s needs, it may be a smart idea to implement callback or caller ID. Most organizations have found it effective to institute an account lockout after a specified number of failed log-in attempts. Just as in the mainframe environment, there should be a log-out or locking of the system after a period of inactivity. For some employees or contract personnel, it may be advantageous to restrict access to certain periods of time or days of the week. Finally, it may be important to ensure that the server that is selected can support third-party authentication and standardsbased administration systems. 27
AU1253_ch02_Frame Page 28 Saturday, October 26, 2002 4:19 PM
INTRODUCTION TO REMOTE ACCESS REMOTE ACCESS POLICY After a risk analysis, the starting point for any set of controls is the implementation of a remote access security policy. There are a number of concerns that must be addressed when developing a security policy. The first objective to be considered in the implementation of remote access controls is who should have such access. Once the business reasons for access have been outlined, it will be necessary to establish a method for requesting such access and what the approval process will be. If the employee needs dual access — from the office and from home — then who will pay for the additional hardware and software required for this access? Consideration should also be given to how the hardware and software are to be installed and maintained. Other issues to consider when reviewing remote access include how training will be provided and by whom. If there are problems, how will support be provided? Will there be a need for 24/7 support? What services will be made available for the remote access users, and what sites will be considered to be off limits? For the organization-provided Internet user, it may be necessary to establish ground rules regarding what types of sites are forbidden and if monitoring of users’ activities will be done. It is strongly recommended that the monitoring of users’ activities be reviewed in the risk analysis process and controls be implemented if required. Another issue to consider is the installation of virus scanning capabilities at remote sites. SUMMARY Remote access for users is a fact of life these days. Although enabling tools continue to evolve, there is still a need to move forward with processing in all organizations. By understanding the issues and the current hardware, software, and policies available today, every organization can venture into the remote access environment in a controlled and monitored manner.
28
AU1253_ch03_Frame Page 29 Saturday, October 26, 2002 4:21 PM
Chapter 3
Remote Access Functions Nathan J. Muller Gerald L. Bahr
A crystal ball tells us that we are somewhere in the middle of the information age. With not only the ability but the need to have ready access to all sorts of information from anywhere on the globe, we have come to expect that we will have ready availability to any information that we need, day or night. Whether we are in the office, telecommuting, or temporarily mobile, we naturally expect to have access to the resources necessary for us to do our jobs efficiently and accurately. This chapter will discuss two different approaches — remote node and remote control — with variations on remote control for accessing data, whether we are temporarily mobile or hardly ever seen in the office, building on the resources of Microsoft Windows NT 4.0. The remote local area network (LAN) access market is considered by many industry analysts to be the next major networking frontier. Almost every major company has remote access capability to support the productivity requirements of an increasingly decentralized work force. The most common job functions that require remote access are sales, marketing, administration, management, finance, and accounting. According to International Data Corp., most remote users want to be able to access electronic mail and transfer text files. Almost half of all remote users want to transfer graphics files or need access to online services. Only a few years ago, the most common approach to remote access was remote control, in which a user dialed into a PC at the office. The office PC then logged into a file server where the needed information was stored. The remote PC takes control of the office PC’s monitor and keyboard, allowing the remote user to view and manipulate information, execute commands, and exchange files. Because it requires two PCs for every remote user, remote control can be an expensive and inefficient solution to set up and manage, especially when multiple users require remote access simultaneously. 0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
29
AU1253_ch03_Frame Page 30 Saturday, October 26, 2002 4:21 PM
INTRODUCTION TO REMOTE ACCESS A new class of products has emerged — remote node. Whereas remote control establishes a connection between two PCs and usually relies on dial-up connections by modem, remote node relies on a remote access server that is set up and maintained at a central location. Many remote users, all at different locations, can thus share the same resources. Remote node connections to the remote access server can be established by dial-up bridges or routers or modems. Dial-up bridges and routers serve branch offices; modems are typically used by mobile workers and telecommuters. TWO APPROACHES: REMOTE NODE VERSUS REMOTE CONTROL Until recently, remote control was the remote access method of choice. However, with the introduction of powerful, portable notebook computers, affordable fast modems, bridges and routers, more advanced compression algorithms, and client/server applications, remote node is gaining popularity. With remote node, multiple PCs at different locations dial into the headquarters’ server, which enables them to operate as though directly attached to the corporate LAN. The remote node approach lets the remote client act just like another computer on the network. All files that are accessed by the remote client are transferred across the line. The responsiveness that the remote client experiences depends on the size of the file and speed of the line. The remote control approach has two variations. These two variations use a computer as the “server” located at the central site to provide all the computational power and ability to communicate with all local resources. Remote control sends only key strokes from the remote client to the server, and screen updates from the server come across the line to the remote client. This can easily increase the responsiveness to the remote client by two to four times or more than that of the remote node approach. Both the remote node and remote control hardware configuration and topology are essentially the same. What makes the difference in operation is the software on the Windows NT Access Server. Each of them has advantages and disadvantages. Remote Control: Two Variations Variation 1. Software is loaded on a dedicated “server” computer running Windows NT. This software supports someone calling in and taking control of that computer. Literally, anything that can be done from the local keyboard can be done from the remote client. This method requires a dedicated computer for each simultaneous caller. If remote clients are using different operating systems, you will most likely need to have different telephone lines directed to a specific server supporting that operating system.
30
AU1253_ch03_Frame Page 31 Saturday, October 26, 2002 4:21 PM
Remote Access Functions Variation 2. This variation of remote control runs software that allows many simultaneous users (primarily determined by the applications being accessed and the configuration of the computer) to call into the same computer. Each remote client runs in its own environment within Windows NT; thus each remote user looks like a separate entity on the operating system and the network.
Since neither one of these methods requires serious computing power on the remote client side (all computational work is done on the server), the user might get by with a 286 running DOS or Windows 3.1 or a 386 or higher class machine running Windows 3.1, Windows 3.11, Windows 95, or Windows NT 4.0 Workstation. This can allow some companies to take advantage of the capital investment that has not been depreciated yet. Advantages: • Client workstations generally do not require upgrades very often. • Deploying a new application is simplified because it is handled at the central office. • Upgrades are centrally administered. • Even though the application is running on the central server, users can normally still load or save files to local drives, print to locally attached printers, cut and paste information between a remote and a local application, or drag and drop to copy files in the background. • The look and feel of the applications is the same on the road as in the office. • The remote application performs as fast as it would when running directly on the LAN. • Users have access to the same database, along with all other productivity applications with which they are familiar. • Large databases are left intact; they do not have to be segmented. • Sensitive information is not replicated to laptops; it can remain within the secured boundaries of the LAN. • Remote workstations, which lack sufficient processing power, are able to run workgroup applications on-line from almost anywhere. Disadvantages: • • • • • • •
Normally there is a large up-front cost. It does not fit well into small systems. If a server fails, all of the users on that server are not serviceable. It is potentially a large network traffic generator. It may need to be placed on its own network segment. It requires a powerful computer for the server. The purchase of additional software for the server is necessary.
31
AU1253_ch03_Frame Page 32 Saturday, October 26, 2002 4:21 PM
INTRODUCTION TO REMOTE ACCESS • Some applications, like e-mail, are more difficult to use in the off-line mode, because remote control does not automatically download the files needed to work off-line. • If the single session option is selected, it might require different telephone numbers for each remote client operating system. • Off-line work is more difficult, because files are not available on the local workstation. • It may require more support lines because on-line time may be longer (some off-line functions are not supported). Remote Node With the introduction of LANs the philosophy of shared wiring, high data transmission rates, and local computing (smart devices) came into being. This approach uses the LAN wiring system to download executable files as well as large image and database files to the local desktop computer. Remote node access mirrors this same approach. Since you must transfer all files across the modem line (those used to gain access), you must have all of your applications loaded on the remote client. Even with the applications loaded locally, the user may get discouraged with the responsiveness of the system if the file accessed is more than 50 to 100 kB. Advantages: • There is a smaller up-front cost. • The look and feel (visual) is the same as if locally connected to the network. • It might be possible to use an older, less costly computer as the server. • It is packaged with Windows NT. • All commands, either command line or Windows, work just the same as in the office. Disadvantages: • Replication with several large databases takes too long and consumes a lot of disk space on the client system. • To make replication more effective, large databases may have to be segmented into smaller databases. This can dramatically complicate the management of these databases. • Because of the replication architecture, laptops carry sensitive corporate information. If your laptop is lost or stolen, security breaches can (and often do) occur. • Could generate some serious network traffic, depending on the number of users per server. • Remote users often get discouraged waiting for large files to load. Both remote control and remote nodes have been developed to support remote users. The one that is best for you depends on your computing 32
AU1253_ch03_Frame Page 33 Saturday, October 26, 2002 4:21 PM
Remote Access Functions environment and the method you use to provide the most features, functionality, ease of use, and security. Remote Control: A Software Solution Remote control is essentially a software solution. Special remote control software is required to run on two computers: the remote system and the host system. The remote system can be a branch office PC, a home PC, or a portable computer whose location changes daily. The host system can be any computer attached to the LAN that is configured for remote access. With remote control, mobile workers using laptops or branch office workers using workstations take control of PCs on the corporate network. All the user’s keystrokes and mouse movements are sent to the corporate PC, and the image on that screen is forwarded back to the laptop for display. It is as if the user were sitting in front of a network-attached PC. Remote users do not need copies of programs on their computers, because the programs actually run on LAN-attached workstations at the corporate headquarters. The remote control method offers several advantages: • It enhances the performance of applications that do not require a graphic user interface (GUI). These applications are usually not designed for the client/server architecture and are centrally processed. Applications such as database queries can take advantage of the host’s processing power without being dependent on the relatively limited power of the remote system. • Remote control access maintains corporate investments in older and slower workstations, portable PCs, and modems. Because remote control does not require local processing, it is not necessary to equip every remote user with powerful computers, high-capacity disk drives, and fast modems. • There is no need for additional software licensing because the remote system does not require any additional application software. All processing takes place on the host system. At the same time, remote control has certain disadvantages, including the following: • Performance is usually poor when using graphics-based applications such as Microsoft Windows, spreadsheet packages, or imaging applications because of the time it takes for images and screens to be transmitted over dial-up lines. • Remote users cannot access network services as if they were directly connected to the LAN and are often required to learn new methods of accessing network services through the host system. Implementing remote control poses technical challenges. The host system must be running so the remote user can take advantage of the 33
AU1253_ch03_Frame Page 34 Saturday, October 26, 2002 4:21 PM
INTRODUCTION TO REMOTE ACCESS application software that resides in it. If the host system has been turned off or experiences a problem, the remote user is unable to work. With all remote access methods, security is a concern. When using remote control, the host system’s monitor displays all the information that is being processed remotely, allowing the casual observer to view all screen activity, including e-mail and confidential information. The remote user can only access and run e-mail or other applications while connected to the host system through a dial-up line. All work must be done over the dial-up line, which can translate into high usage charges, especially if large file transfers are involved. Even with these limitations, for remote data entry and small file transfers, the remote control method can be an effective and economical solution. Remote Node: A Client/Server Approach Industry trends toward client/server applications and GUI-based applications are driving the demand for remote node solutions. The remote node architecture is similar to a client/server application architecture. The remote system acts as a client, and the communications server provides access to the desired server. Applications or portions of the applications are processed on the remote system. Only network data, such as e-mail, is transmitted over the line. Because remote node access is transparent, it is an ideal access method for client/server-based applications. Remote node permits users to dial into the network and receive LAN access as if they were locally attached. Although access is slower, a user can still access a file server directly instead of having to transfer the file to a local drive, which is required with the remote control method. To edit a document on a network drive, for example, a remote node user simply opens it instead of first transferring the document to a local drive. This makes remote node much easier to use than remote control. The remote system performs client functions while the home officebased servers perform true server functions. This allows remote users to take advantage of the remote processing power to implement graphical Windows applications. Whereas remote control entails connecting directly to the host system, the remote node connects to a remote access server. When connected to the corporate network, network resources appear to be local, as if the remote user was directly attached to the LAN. Advantages: • Performance is better with this method than with the remote control method when using graphics and Windows-based applications because screen images are not transmitted over the line. 34
AU1253_ch03_Frame Page 35 Saturday, October 26, 2002 4:21 PM
Remote Access Functions • Remote users do not need retraining to access network resources or to use remote applications. Users are linked to the computer and the network as if they were directly connected to the LAN. • Remote access servers support modem pooling and hunt groups, allowing the network manager to support only one telephone number for multiple dial-in users. • Remote user productivity does not depend on the connection to the corporate/branch office. Applications are resident on the remote system and can be run independently. Because user productivity is not totally dependent on the remote connection, usage-based line charges can be minimized. For example, when accessing e-mail remotely, the remote user is not required to maintain an open telephone line connection to the corporate/branch office while reviewing messages. The user can establish the connection to download messages, disconnect the line, then read messages offline at a more convenient time. This offers an opportunity to cut down on connect time, which translates into reduced costs. Disadvantages: • Remote node requires additional application software licensing for each remote user because applications run independently on each remote system. • Remote node requires an investment in more powerful remote computers, higher-capacity disk drives, and higher-speed modems, bridges, or routers. Because remote node users access the network as if they were locally attached, unwanted intruders are able to navigate the network without learning complex access procedures. REMOTE ACCESS SERVERS Remote access servers typically reside at the headquarter’s location and in effect enable remote users to become fully functioning nodes on the corporate LAN. Servers feature an expandable number of WAN ports to allow access by multiple users. A variety of protocols are usually supported. In multivendor, multiplatform networking environments, some remote users may be dialing in with different computers (e.g., Apple PowerBooks, Disk Operating System–based notebooks, and UNIX-based laptops). Each user may also be using a different communications protocol. Remote access servers should be capable of supporting a wide range of protocols so users can access the network directly using TCP/IP, Internetwork Packet eXchange, AppleTalk, NetBIOS, NetBEUI, DECnet, VINES, and Xerox Network System. 35
AU1253_ch03_Frame Page 36 Saturday, October 26, 2002 4:21 PM
INTRODUCTION TO REMOTE ACCESS Faster Connections The choice of protocol is often as important as the choice of remote access method. Novell’s IPX, for example, can perform poorly over low-speed dial-up lines. IPX requires every data packet to be acknowledged before the next one is sent. This “send and wait” characteristic of IPX translates into 200 milliseconds of dead time between packets. One solution to this problem is to integrate the new breed of V.90 modems into the remote access server. Connections over 33.6 kbps are achievable 95 percent of the time. With compression, these speeds are fast enough for IPX. Another solution is to use TCP/IP over the V.90 connection, because most remote access servers already support this protocol stack. Unlike IPX, which must wait for packet acknowledgments before sending more packets, TCP/IP can keep sending packets while waiting for acknowledgments from the receiver. Although some TCP/IP vendors perform better than others over a V.90 connection, the use of TCP/IP can still minimize dead time during transmissions. Dial-Up Bridges and Routers Remote dial-up bridges and routers establish a dial-up link with a similar dial-up bridge or router at the central site (see Exhibit 1), enabling multiple PCs attached to a remote workgroup LAN to appear as though they were attached to the centralized LAN. These devices — which perform bridging or routing, as appropriate for the protocol being used — usually establish Branch Office LAN
Branch Office LAN
Leased Line Connections
Dial-up Connection Bridge/Router
Corporate LAN
Exhibit 1. 36
Dial-Up Bridges and Routers
AU1253_ch03_Frame Page 37 Saturday, October 26, 2002 4:21 PM
Remote Access Functions dial-up links over switched digital 56 kbps or Integrated Services Digital Network Basic Rate Interface (basic rate interface) circuits. ISDN is the preferred type of link, because the device can take advantage of the D channel to quickly set up and tear down connections. Remote Dial-Up Bridges and Routers Bridges and routers have internal tables containing the hardware addresses of all nodes detected on the network. If a workstation needs to access a server resident on a distant LAN, the bridge or router recognizes that the destination address is remote, sets up the call on the ISDN D channel, provides the workstation with the required bandwidth on one or two B channels, then terminates the connection using the D channel. The call setup and tear-down procedures take only a few milliseconds, which makes the entire process transparent to the user. This may be the optimal solution for small workgroups that need to access another LAN occasionally for large file transfers, but it cannot economically justify a full-time leased-line connection. Hybrid Solutions for Resource Pooling Network administrators can offer both modes of operation — remote node and remote control — to their users and let them decide which one is most appropriate to their needs and environments. For this there are hybrid remote access solutions that integrate remote control, remote node, and other communications services in a single multiprocessor server. A fully loaded system can run a wide range of communication services concurrently including remote node, remote control dial-in, dial-out, host computer gateway, facsimile, e-mail, and bulletin board services. Such products ship with all necessary hardware and software fully installed, configured, and tested. In essence, such servers provide the means for resource pooling, allowing communications resources to be shared and allocated by need. This approach reduces the requirement for hardware resources, such as modems, telephone lines, and communications ports, as they are shared among all users and are not allocated on a one-to-one basis. Each communication service executes on a separate application processor, exchanging data packets over the server’s high-speed bus. Multiple processors run concurrently, transferring and exchanging data packets over the bus. This provides a unified gateway to remote offices, telecommuters, mobile users, dial-in customers, host computers, and outside online services. Such servers typically support from two to sixty-four lines. Ports can be dynamically assigned as needed for dial-in or dial-out functions. A variety of connections are usually supported as well, including dial-up and leased lines, X.25, frame relay, Integrated Services Digital Network, and RS-232. 37
AU1253_ch03_Frame Page 38 Saturday, October 26, 2002 4:21 PM
INTRODUCTION TO REMOTE ACCESS Several security levels are available. They include dial-back and restricted port access, in addition to requiring valid user IDs and passwords. The security can be customized to meet specific network requirements, including disabling security. Some vendors even include error recovery software in their products, which greatly contributes to the fault tolerance of their systems. An auto-reboot feature, for example, provides unattended recovery from software “hangs” and other failures.
38
AU1253_ch04_Frame Page 39 Saturday, October 26, 2002 4:22 PM
Chapter 4
Extranets: Borderless Internet/Intranet Networking Duane E. Sharp
The rapid growth of the Internet offers new opportunities and challenges for information technology professionals. Rising to meet these challenges, by addressing and resolving the inherent problems of integrating two similar but different technological resources, can provide significant, tangible benefits to an enterprise. The Internet is rapidly becoming a useful business medium — a global extension of corporate networks, which enables employees to mine its vast information resources. Corporations are realizing the business opportunities and competitive advantages available through the integration of the Internet and internal corporate intranets. The objective of borderless Internet/intranet networking is to integrate internal corporate networks with the Internet, in a seamless manner, creating a new network facility known as an extranet. Although some intranets are still in the preliminary stages of development, relegated to one or two departments and non-mission-critical users, many user organizations with mature intranets are now connected to the Internet and operate the two networks as if the components were a single network, without borders. BENEFITS OF BORDERLESS NETWORKS There are a variety of reasons why intranet/Internet connections are important to an organization. Properly configured, they can increase and enhance employee productivity, providing extensive and vast resources for employees to access and increasing their capability to communicate globally. The end result can be a better return on IT investment. For example, as more and more information and services are added to the Internet, its resources can be used to make business decisions more quickly, to access vast amounts of information from a variety of sources, 0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
39
AU1253_ch04_Frame Page 40 Saturday, October 26, 2002 4:22 PM
INTRODUCTION TO REMOTE ACCESS and to communicate globally. For conducting competitive research, for example, the World Wide Web offers resources that can significantly enhance this activity and contribute to its effectiveness. Employees need to access and share information and services (such as e-mail) that reside on the corporate intranet — and many often need access from remote locations. Because of its reach and low cost, the Internet provides an ideal medium to achieve both of these communications objectives. In addition, organizations often need to connect multiple sites as well as customers, business partners, and outside contractors. The Internet allows organizations to use public networks to connect these sites at a much lower cost than using dedicated, private lines. Sites can be combined into subnetworks, often referred to as virtual private networks (VPNs), which use the Internet and run on top of their existing enterprise networks. Organizations using the Internet have the potential to gain several competitive and operational advantages for the following reasons: • It provides an economical backbone for enterprise networks. • Closer contact is maintained with employees, customers, and suppliers. • Employees have access to a vast universe of Internet information. Potential Problems of Integrated Networks The relative immaturity of the Internet poses a number of technical problems in this integration process, mostly involving protocol discrepancies or mismatches. These discrepancies can impede the implementation of network interconnection, and they need to be resolved to ensure the full utilization of the integrated network. The most important mismatches between the Internet and intranets are in four critical areas: security, management, performance, and overall business models. Organizations need a solution that enables them to connect their intranets to the Internet while resolving the problems in these critical areas. An effective solution must provide the following characteristics: • Effective management and control of user access to Internet and corporate intranet resources • Enhanced networking performance • Enhanced security with single-point-of-management capability • A business model consistent with corporate objectives The problems in these critical areas and potential solutions are described in detail in the following sections. Security Security is one of the key concerns of Internet users. This includes security of data as well as security of commercial transactions such as electronic funds transfers (EFT). 40
AU1253_ch04_Frame Page 41 Saturday, October 26, 2002 4:22 PM
Extranets: Borderless Internet/Intranet Networking To understand the nature of the security issue, it is important to recall the origins of the Internet. It originally was designed to allow communication among university and government research groups. Today, however, the Internet is an open, public network, accessible by millions of users and vulnerable to a variety of external attacks. Much of the Internet’s core technology is based on open UNIX systems, which do not have built-in network security, making the Internet an insecure network requiring new, innovative, and specially designed security techniques. When an organization connects its network to the Internet, it risks putting confidential internal information within reach of millions of people outside the organization. International Data Corporation (IDC) reports that Carnegie Mellon University’s Computer Emergency Response Team (CERT) found an increase in enterprise security violations growing from only 130 in 1990 to 2300 in 1994. Other studies reveal an ever-increasing number of security problems, as well as accelerated research and development efforts on security techniques involving data encryption. Management The Internet is an extremely complex network with thousands of heterogeneous, geographically dispersed resources. Today, the Internet includes more than 100,000 individual computer networks owned by governments, universities, non-profit groups, and companies. Each organization manages its own Internet resources independently; no single entity is responsible for managing the Internet, and no network management tools are built in. It is effectively a free-form global communications resource. Local area networks (LANs), on the other hand, have been designed for the corporate environment, with a variety of management tools that allow administrators to manage LANs from a central location. When an organization connects its private network/intranet to the Internet, it must manage not only its own internal resources and people, but also Internet resources and people external to the organization, a process that greatly complicates network management. Performance Data rates on the Internet — a measure of how fast information can be accessed, transferred, and otherwise manipulated — are generally slow compared to the data rates of private corporate intranets, which offer significantly better levels of security, higher performance, and quality of service. LANs, for example, typically have bandwidths ranging from 10 to 100 Mbps. The bandwidth of Internet access links ranges from 128 kbps to 10 Mbps. As corporations begin to rely more on the Internet for day-to-day business needs, the speed of their Internet access links will increase. Already some companies have Internet access at speeds of up to 45 Mbps, but this is primarily at large corporations at this time. 41
AU1253_ch04_Frame Page 42 Saturday, October 26, 2002 4:22 PM
INTRODUCTION TO REMOTE ACCESS The Internet Business Model The Internet started as a free and open network with tacit agreement among users that access would not be restricted, there would be no charge for its use, and free speech would not be abrogated. With these tenets as the basis for a working Internet environment, the Internet became a communications frontier, with few rules of the road. By contrast, the corporate business network calls for secure, controlled access that requires users to play by the rules, pay for specified services, and justify their use of the network. ANALYZING SOLUTIONS With these four unresolved problem areas to make borderless networking meet the requirements of the corporate world, organizations need solutions that reconcile mismatches between private networks/intranets and the Internet and that resolve issues in the critical areas of network management and security. Although there are several vendor-provided solutions to these problems, most of them have been implemented in Web browsers or servers under the control of the Internet service provider (ISP). However, from a technical and administrative perspective, it is far more effective to implement the solution at the shared border between the private network/intranet and the Internet than at the browser or server level. Placing border management control at the Internet/intranet border enables organizations to achieve several important advantages: • It increases the reach of network management utilities to manage both intranet and Internet. • It monitors and manages all network access. • It implements performance accelerators at the border to reconcile performance mismatches. Maintaining Security Border security in an integrated network must be provided in two directions: inbound and outbound. Inbound security protects the private network/ intranet from unauthorized access from the Internet. Outbound security manages access privileges to Internet resources by internal users. For example, an organization may want to prohibit access to certain types of Internet sites. The borderless network solution must incorporate standard Internet firewall security architectures, typically defined by a three-tier model incorporating filters and other network security technologies called proxies. One type of filter used to achieve the appropriate level of security is the packet filter. This filter uses a network device called a router, which filters 42
AU1253_ch04_Frame Page 43 Saturday, October 26, 2002 4:22 PM
Extranets: Borderless Internet/Intranet Networking information coming to and from the network. The packet filter checks each packet against access controls and locks out unknown source packets. Two types of proxies that are used to ensure a secure environment are circuit-level and application-level proxies. Circuit-level proxies provide a general virtual circuit relay between the Internet and intranet desktop applications. Application-level proxies relay all data between the Internet and intranet desktop applications. They intercept all traffic and apply content-based semantic access controls prior to relaying the data. Security should be flexible and easily adaptable to the security policies of the organization, which may change frequently for a variety of reasons — acquisitions and mergers, expansion, or downsizing. Most important, the security technology should not degrade performance or impede user productivity. For maximum effectiveness, the security system should provide multiple levels of access control for inbound and outbound access and should include the following characteristics: • Content control to allow organizations to control access to network files and documents • Host control to determine which hosts can be accessed • Application-level control to determine which applications can be accessed The network administrator should have the capability to tailor each of these levels to specific users and user groups. The security system also should provide graded authentication services in which different levels of authorization are granted, depending on the user’s entry location such as from a local workstation, the Internet, or dial-up connection. The authentication mechanism should support leading authentication standards for virtual networks and electronic commerce. These include Point-to-Point Tunneling Protocol (PPTP), which provides security for remote users who are accessing network/intranet resources from a serial connection to the Internet. End-to-end information encryption, using leading encryption standards, is a firm requirement of the security technology in an integrated network. This is particularly important for the virtual private networks referenced previously and for online transactions such as electronic commerce. Facilitating Network Management and Increasing User Productivity Information systems professionals involved in integrated network development and implementation must meet some difficult challenges. They must manage rapidly growing enterprise networks with more users, more applications, and more data; and they have to do so with ever-shrinking IS budgets. To complicate matters, networks are continually changing as organizations evolve to keep pace with today’s dynamic business environment. 43
AU1253_ch04_Frame Page 44 Saturday, October 26, 2002 4:22 PM
INTRODUCTION TO REMOTE ACCESS The issues addressed in this chapter illustrate how the expansion of enterprise networks into wide area networks, which include the Internet, dramatically increase network complexity and complicate network management. However, the overall benefits to be derived from an effective, wellplanned network integration are worth the effort. Although the World Wide Web delivers a universe of information to user desktops, the exploding popularity of the Web can reduce overall performance, impacting productivity as employees wait for important data to be downloaded or, as surveys indicate, spend time visiting the nonbusiness resources of the Internet. Internet delays and productivity issues must be mitigated if the Internet is to find its place as a viable business medium. This can be accomplished in several ways: by managing user bandwidth, by improving the quality of available information, and by accelerating information delivery, while at the same time controlling the cost of computing resources and network access. Accelerating Performance One of the less-desirable effects of the growth of the Internet is the increasing use of images and other large files, resulting in heavy traffic volumes and degrading Internet performance. It is essential for an Internet/intranet/ network connectivity solution to use state-of-the-art acceleration technology to offset the performance disparity between the Internet and private networks/intranets. One technique that can be used to accelerate performance is proxy caching. This technique moves frequently accessed Internet information, such as Web pages, from the Internet to the Internet/intranet/network border, bringing it much closer to the users who need it. The effect of this transfer of information is to minimize traffic and reduce the number of node-to-node hops between users and data, which can boost performance dramatically. Adding more intelligence to proxy caching can further reduce delays. For example, a hierarchical caching system in which each cache knows the content of all other caches can direct the client to the nearest cache where the data is stored. Multiple-level access control is another factor that improves performance by eliminating traffic due to the use of unauthorized or unessential applications or traffic due to users surfing nonproductive Web sites. Virtual Private Networks (VPNs) Virtual private networks (VPNs) allow organizations to use the Internet as a backbone for their enterprise networks. To implement flexible and secure VPNs, the border connection solution must meet the following requirements: 44
AU1253_ch04_Frame Page 45 Saturday, October 26, 2002 4:22 PM
Extranets: Borderless Internet/Intranet Networking • Hide intranet topology from non-VPN users to prevent unauthorized users from breaking into the intranet • Configure multiple VPNs on a single enterprise network • Control who participates in each VPN • Secure data sent over the public network • Support existing infrastructures Because organizations have a significant investment in their current information systems and networks, it is important for any border solution to leverage that investment. To ensure that this occurs, the connectivity solution needs to accommodate the following operating systems, protocols, and application software: • Desktop operating systems: Windows 2000, Windows NT Workstation, Macintosh OsX, UNIX, and NC workstations • Network operating systems: Novell, Windows NT or 2000 Server, and UNIX • Network transport protocols, including TCP/IP and IPX/SPX • Web browsers: Netscape Navigator and Microsoft Internet Explorer • Existing applications and scripts: WinSock, CGI, PERL, and Visual Basic An effective network border solution should allow network administrators to gather information from a central location, on user IDs, resources, break-in attempts, security holes, data accessed, performance bottlenecks, and underutilized resources.
MAJOR NETWORK VENDOR PROVIDES BORDERLESS SOLUTION One of the major network vendors, with a large market share of network operating systems, has launched BorderManager, a software product that derives its name from the border area between the private corporate network and the public Internet. Novell’s BorderManager is an integrated family of directory-based network services that centrally manage, secure, and accelerate user access to information at every network border. BorderManager uses the functionality of Novell Directory Services (NDS) to provide common access control to all private network/intranet and Internet resources and services, a feature that makes network security easier to manage and control. In addition, it simplifies access by permitting users to access all network services through a single log-in. This product works in concert with existing networking products — including Novell and non-Novell technologies — to deliver an effective border solution between internal network resources and the Internet and to create an effective extranet. 45
AU1253_ch04_Frame Page 46 Saturday, October 26, 2002 4:22 PM
INTRODUCTION TO REMOTE ACCESS THE CHALLENGE OF THE EXTRANET The rapid growth of the Internet — some have likened it to the similar exponential growth of telephones in the early part of this century — offers new opportunities and challenges for information systems professionals. Rising to meet these challenges, by addressing and resolving the inherent problems of integrating two similar but different technological resources, can provide significant, tangible benefits to their organizations.
46
AU1253_ch05_Frame Page 47 Saturday, October 26, 2002 4:23 PM
Chapter 5
Implementing and Supporting Extranets Phillip Q. Maier
Extranets have been around as long as the first rudimentary LAN-to-LAN networks began connecting two different business entities together to form WANs. In its basic form, an extranet is the interconnection of two previous separate LANs or WANs with origins from different business entities. This term emerged to differentiate between the previous definitions of external “Internet” connection and just a company’s internal intranet. Exhibit 1 depicts an extranet as a Venn diagram, where the intersection of two (or more) nets form the extranet. The network in this intersection was previously part of the “intranet” and has now been made accessible to external parties. Under this design, one of the simplest definitions comes from R.H. Baker: “An extranet is an intranet that is open to selective access by outside parties.” The critical security concept of the extranet is the new network area — previously excluded from external access — now made available to some external party or group. The critical security issue evolves from the potential vulnerability of allowing more than the intended party, or allowing more access than was intended originally for the extranet. These critical
Exhibit 1.
0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
Extranet Venn Diagram 47
AU1253_ch05_Frame Page 48 Saturday, October 26, 2002 4:23 PM
INTRODUCTION TO REMOTE ACCESS areas will be addressed in this chapter, from basic extranet setup to more complex methods and some of the ongoing support issues. The rapid adoption of the extranet will change how a business looks at its security practices, as the old paradigm of a hard outer security shell for a business LAN environment has now been disassembled or breached with a hole to support the need for extranets. In many cases, the age-old firewall will remain in place, but it will have to be modified to allow this “hole” for the extranet to enable access to some degree for internal resources that have now been deemed part of the extranet. Recognizing the growth of extranets as a common part of doing business today is important, and therefore the business enterprise must be ready with architectures, policy, and approaches to handle the introduction of extranets into its environment. A few of the considerations are the requirements-versus-security balance, policy issues, and risk assessments, as well as implementation and maintenance costs. From a requirements-versus-security balance standpoint, the issue is the initial claim by business that extranets are an immediate need and absolutely must be established if one is to remain competitive. However, from a security standpoint, such a drastic change to the environment, which may not have had any form of an extranet in place, may well be throwing their financial data assets out the door with the first implementation of an extranet. Therefore, care must be taken from a security perspective and put in balance with the claimed business need for an extranet implementation. One of the first areas of review and (possibly) update is the inner company’s security policy. This policy most likely was not written with extranets in mind and thus may need modification if a common security philosophy is to be established regarding how a company can securely implement extranets. However, the policy review does not stop with one company’s review of its own policy, but also includes connecting the company or companies on the outside. In the case of strategic business relationships that will be ongoing, it is important that both parties fully understand each other’s responsibilities for the extranet, what traffic they will and will not pass over the joined link — what degree of access will occur over this link and by whom. Part of any company’s policy on extranets must include an initial requirement for a security risk assessment, the main question being, What additional levels of risk or network vulnerability will be introduced with the implementation of the proposed extranet? A performance assessment should be conducted, as well as a vulnerability assessment, to assist in the design of the extranet and to ensure that the proposed architecture not only addresses the security risk but that it also will meet performance 48
AU1253_ch05_Frame Page 49 Saturday, October 26, 2002 4:23 PM
Implementing and Supporting Extranets expectations. Some of the issues to be addressed in a combined security and performance assessment should be: • Data classification/value of data • Data location(s) in the network • Internal user access requirements to extranet components (internal access design) • Data accessibility by time of day (for estimating support costs) • Protocol, access services used to enter extranet (network design implications) • Degree of exposure by transmission mechanism (Internet, private net, wireless transmission) • End-user environment (dial-up, Internet) • Number of users, total/expectation for concurrent user access (line sizing) • Growth rate of user base (for estimating administrative costs) • CONUS (continental U.S.), international access (encryption implications) The risk and performance assessment would, of course, be followed by a risk mitigation plan, which comes in the form of selecting an acceptable extranet architecture and identifying the costs. The cost aspect of this plan is, of course, one of the critical drivers in the business decision to implement an extranet. Is the cost of implementing and maintaining the extranet (in a secure manner) less than the benefit gained by putting the extranet in place? This must include the costs associated with implementing it securely; otherwise, the full costs will not be realistically reflected. Finally, the member company implementing the extranet must have a clear set of architectures that best mitigate the identified vulnerabilities, at the least cost, without introducing an unacceptable degree of risk into its computing environment. The following section reviews various extranet architectures, each with differing costs and degrees of risk to the environment. EXTRANET ARCHITECTURES Router-Based Extranet Architecture The earliest extranet implementations were created with network routers that have the capability to be programmed with rudimentary “access control lists” or rules. These rules were implemented based solely on TCP/IP addresses. A rule could be written to allow external user A access to a given computer B, where B may have been previously unreachable due to some form of private enterprise network firewall (and in the early days, this firewall may have been a router as well). Exhibit 2 depicts this very basic extranet. A more realistic rule can be written, where all computers in an “outside network” are allowed to access computer B in a company network, thus forming an extranet. This is depicted in Exhibit 3. 49
AU1253_ch05_Frame Page 50 Saturday, October 26, 2002 4:23 PM
INTRODUCTION TO REMOTE ACCESS
Exhibit 2.
Exhibit 3.
Basic Extranet with Router
More Realistic Extranet
As network security architectures matured, routers as the sole network access control devices were replaced by more specific security mechanisms. Routers were originally intended as network devices —not as security mechanisms — and lost functionality as more and more security rules were added to them. Additionally, the security rules that were introduced were based on TCP/IP addresses, which were found to be subject to spoofing/ masquerading and thus deemed ineffective in positively identifying the real external device being granted access. Therefore, routers alone do not provide an entirely secure extranet implementation; however, when used in conjunction with one of the following extranet architectures, routers can be a component to add some degree of security, but only when used in conjunction with other network security devices. Application Gateway Firewalls As network security architectures matured, the introduction of application layer gateway firewalls, a software tool on a dedicated machine, usually dual 50
AU1253_ch05_Frame Page 51 Saturday, October 26, 2002 4:23 PM
Implementing and Supporting Extranets
Exhibit 4.
Extranet Using an Application Layer Gateway Firewall
homed (two network interfaces, one internal, one external), became the more accepted external protection tool. These software tools have the ability to not only perform router-type functions with access control rules, but also provide user authentication services on a per-user basis. This user authentication can take the form of an internal user authentication list, or an external authentication call to token-based authentication services, such as the ACE SecureID™ system. Exhibit 4 depicts this type of architecture set-up to support an extranet using an application layer gateway firewall to enable authenticated users inward access to an enterprise in a controlled manner. In addition to supporting access control by IP address and user, some gateways have the additional capability of restricting access by specific TCP/IP service port, such as port 80, HTTP, so that the extranet users can access only the internal resource on the specific application port, and not expose the internal machine to any greater vulnerability than necessary. Follow-on application layer gateway implementations emerged to provide varying additional degrees of extranet connectivity and security. One such method is the implementation of a proxy mechanism from an outside network to a portion of an internal company network. Normally, a proxy performs control and address translation for access from an intranet to the external Internet. These types of proxies normally reside on the firewall, and all user access to the Internet is directed through the proxy. The proxy has the ability to exert access control over who in the intranet is allowed external access, as well as where they can go on the Internet. The proxy also provides address translation, such that the access packet going to the Internet is stripped of the user’s original internal address, and only the external gateway address of the enterprise is seen on the packet as it traverses the Internet. Exhibit 5 depicts these proxy functions. The proxy provides both security and network address functionality, although the entire process can be used in its reverse to provide an extranet 51
AU1253_ch05_Frame Page 52 Saturday, October 26, 2002 4:23 PM
INTRODUCTION TO REMOTE ACCESS
Exhibit 5.
Exhibit 6.
Outbound Proxy Architecture
Reserve Proxy Extranet Architecture
architecture, due to its ability to provide access rules over who can use the proxy and where these proxy users are allowed to go, or what resources they can access. Exhibit 6 depicts a reverse proxy extranet architecture. Today, most proxies are set up for HTTP or HTTP-S access, although application layer gateway proxies exist for most popular Internet access services (telnet, ftp, sql, etc.). One of the major issues with proxy servers, however, is the amount of cycle time or machine overhead it takes to manage many concurrent proxy sessions through a single gateway. With highly scalable hardware and optimized proxy software, it can be carried to potentially handle high user demands but the system architecture must be specifically designed for high loads to be able to meet user response expectations, while still providing the security of an authenticated proxy architecture. On the inward proxy depicted in Exhibit 6, the proxy can be configured to only allow access to a single internal resource on a given TCP/IP port. Further protection can be added to this reverse proxy architecture by putting the target internal resource behind a router with specific 52
AU1253_ch05_Frame Page 53 Saturday, October 26, 2002 4:23 PM
Implementing and Supporting Extranets
Exhibit 7.
Extranet with Authenticating Web Server
access control rules, limiting the portion on the company intranet that inbound proxies can reach, which can ensure limited access on the intranet; should the internal machine ever be compromised, it cannot be used as a ‘jumping off point’ into the rest of company intranet. A somewhat hybrid architecture extranet, where some firewall controls are put in place but the external user is not granted direct inward access to an enterprise’s internal domain, has been evolving and put in place as a more popular extranet implementation. In this architecture, the external user is granted access to an external resource (something outside of the enterprise firewall), but still on the property of the enterprise. This external resource is subsequently granted access to one or more internal resources through the enterprise firewall. This architecture is based on minimizing the full external access to the intranet while still making intranet-based data available to external users. The most popular implementation is to place an authenticating Web server outside the firewall and program it to make the data queries to an internal resource on the enterprise intranet, over a specific port and via a specific firewall rule, allowing only that one external resource to have access to the one internal resource, thus reducing the external exposure of the intranet. Exhibit 7 depicts this type of extranet. Issues with this type of architecture include reliance on a single-user interface that can be safely placed outside the enterprise firewall, which makes it vulnerable to attack. Additionally, there is the issue of whether tight enough access rules can be placed on the access method between the external user interface resource (the Web server in this example) and the internal resources that it needs access to on the protected enterprise intranet. If these two issues can be safely addressed, this form of extranet can be very useful for an enterprise extranet, with a high volume or varied user base, and a large intranet-based data repository. 53
AU1253_ch05_Frame Page 54 Saturday, October 26, 2002 4:23 PM
INTRODUCTION TO REMOTE ACCESS
Exhibit 8.
VPN Architectures
The user front end has been deployed as a Web server, usually secure sockets layer (SSL) — enabled to ensure data integrity and protection by encrypting the data as it passes over an external SSL link. Access to this external server is also associated with some form of user authentication, either a static ID and password over the SSL link or, more recently, with client digital certificates, where each individual accessing the SSL-enabled site is issued his own unique digital certificate from an acknowledged certificate authority, thereby validating his identity. Each client maintains its own digital certificate, with the Web server having some record of the public-key portion of the client’s digital certificate, either directly in the Web server internally, or accessible from a stand-alone directory server (usually LDAP reachable). The most recent entrant in the extranet architecture arena is the virtual private network (VPN). This architecture is based on a software tunnel established between some external entity, either client or external network, and a gateway VPN server. Exhibit 8 depicts both types of VPN architectures. External network A has a VPN server at its border, which encrypts all traffic targeted for company network C; this would be a gateway-to-gateway VPN. Or, external client B may have client VPN software on his workstation, which would enable him to establish a single VPN tunnel from his workstation over the external network to company C’s VPN server. Although both server-to-server VPN and client-to-server VPN architectures are offered in the industry today, it is this author’s experience that the more popular extranet architecture is the client-to-server VPN architecture, as it offers the most flexibility for the most diverse audience of external users. This flexibility, however, does add to the complexity of the implementation, as it can potentially involve a large number of external desktops, all with differing configurations. The benefits of VPNs include the ability to safely traverse external public networks, with some assurance of data integrity and 54
AU1253_ch05_Frame Page 55 Saturday, October 26, 2002 4:23 PM
Implementing and Supporting Extranets authentication as part of the VPN implementation. This architecture shows the most promise to meet the needs of extranets and cost savings for a world hungry for connectivity over public/external networks, although it still has some growing pains to endure before reaching full product maturity. An emerging standard for VPNs is coming out of the ITEF IPSec implementation, which draws a roadmap for the next-generation TCP/IP security protocol. Under this protocol, standards are being drafted that will enable differing devices to securely communicate under a pre-agreed security protocol, including key exchange for encryption and standardized authentication. Today, there are IPSec-compliant products on the market; however, the standard is still evolving and tests are being conducted to evaluate differing vendor compatibilities with each under the IPSec standards. One of the leading initiatives to evaluate this compliance is the Automotive Network Exchange (ANX) tests, intended to establish a large extranet environment between the core automotive manufacturers and their vendors. In the meantime, there are a wide variety of VPN product vendors on the market — some touting IPSec compliance and others with proprietary implementations, with IPSec in their future product roadmap, choosing to wait until the standard stabilizes. The recommendation is to select either a vendor offering IPSec if it has some degree of maturity within its own product line or one that is planning on adopting the standard; IPSec appears to be a viable standard once it fully matures. Regardless of which VPN solution is being considered for implementing secure extranets, a few technical considerations must be understood and planned for before selecting and implementing a VPN extranet architecture. Scalability. Similar to proxy servers, VPN servers incur a fair amount of
processing overhead that consumes processing resources as high levels of concurrent VPN sessions pass through a single server. It is important to attempt to estimate one’s projected user base and current access to appropriately size a VPN server. Some servers are established on lower-level processors for smaller environments and should not be implemented where high concurrent access rates are expected, although there is some benefit to physical load balancing, spreading the access among multiple servers. However, there is also concern about implementing too many servers to easily manage. Finding a balance between installing a single large server and creating a single point of failure — versus implementing many smaller servers — creates an administrative nightmare. Multihomed Intranets and Address Translation. In large intranet environments, many operate under a split DNS (domain naming structure), where intranet addresses are not “advertised” to the external networks, and external addresses are kept external, so as not to flood the internal network. 55
AU1253_ch05_Frame Page 56 Saturday, October 26, 2002 4:23 PM
INTRODUCTION TO REMOTE ACCESS
Exhibit 9.
Traffic Patterns for Multihomed Intranet with a Single VPN Gateway
Additionally, many larger intranet environments have multiple gateways to external networks. If one of the gateways is established with a VPN gateway and an external client makes a connection to the internal intranet, it is important that the tunnel comes in through the appropriate VPN gateway, but also that the return traffic goes back out through that same gateway so that it gets re-encrypted and properly returned to the external VPN client. Exhibit 9 depicts the correct traffic patterns for a multi-homed intranet with a single VPN gateway and an external VPN client. VPN-Based Access Control. Many forms of gateway VPN servers offer the ability to restrict user access to a company intranet based on access groupings. This is especially important when intranets are being established for a diverse set of external users, and it is important to minimize user access to the intranet. This type of access control is, of course, critical in establishing secure extranets, which further highlights the importance of understanding VPN access control capabilities. User Authentication. Multiple options exist for user authentication, although the recommended option is to select a high-level authentication method (e.g., one-time passwords) or a time-synchronized password method. Under the IPSec standard, client-side digital certificates are evolving as a standard for high-level authentication. Unfortunately, initial implementations of client-side digital certificates for user authentication are entirely software based, eliminating the second-factor authentication, the “something the user physically has” in their possession. The return to true two-factor authentication under digital certificates will not really occur until physical smart cards become part of the authentication architecture. (Smart cards are credit card-type tokens that have a physically embedded chip, which can be electronically read and written to, either with a portion of the client’s digital certificate or the encryption algorithm used to unlock the digital certificate.) 56
AU1253_ch05_Frame Page 57 Saturday, October 26, 2002 4:23 PM
Implementing and Supporting Extranets IPSec Interoperability. Ultimately, the IPSec standard will stabilize, and all vendors following the established standard will allow different vendors’ VPN products to interoperate. Under this environment, a company can implement a vendor’s VPN server, and their acknowledged clients can purchase and use an IPSec-compliant client to gain access to the company intranet once they are authorized.
SUMMARY Secure extranets are becoming the external network of choice in today’s business world. There are multiple implementation options, as depicted in this chapter, each with varying degrees of risk and implementation complexity. Each implementation must be evaluated against a business case, using the recommended risk and performance analysis outline. The basic router-controlled extranets are only recommended for the least valuable data environments, while the more sophisticated VPN extranet architectures appear to be the future for extranets, especially when the IPSec standard matures and gains industry adoption.
57
AU1253_ch05_Frame Page 58 Saturday, October 26, 2002 4:23 PM
AU1253_ch06_Frame Page 59 Saturday, October 26, 2002 4:25 PM
Chapter 6
Providing Access to External Databases Gilbert Held
Over recent years, an industry has arisen of more than 100 firms providing access to computer-based information. Some information providers, such as Dow Jones, provide access to a wide range of financial information; others specialize in a narrow field of information, such as library book purchases, home construction permits, and department store sales. Thus, the first step in developing an effective external information access strategy is to define an organization’s external information needs. The next step is to select the appropriate external database sources. DEFINING DATA NEEDS In evaluating the data needs, the database manager should distinguish between user requests for information and for data. In this context, information is derived or formatted from raw data, and data is the raw element from which information is derived. Some users may need raw data that is not available internally; others may need only the derivations or formatted versions of data elements that are readily available internally. New raw data elements should be acquired; however, information alone does not justify its purchase. Instead, if possible, existing data elements should be formulated to meet requests for information. For example, demographic reports are often aggregated into information as statistics are summarized and listed in categories (e.g., men or women of 25 to 49 years of age). If internal users decide they need more finite data concerning age brackets, their organization can comply by reformatting its existing data. SELECTING EXTERNAL SOURCES Although it may appear easy to decide which databases must be accessed to obtain required external information, providing this access in a costeffective manner can be difficult. Several information providers may offer access to required information. One information access provider may offer significant economic advantages over others. Many employees are unaware 0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
59
AU1253_ch06_Frame Page 60 Saturday, October 26, 2002 4:25 PM
INTRODUCTION TO REMOTE ACCESS of this and select an information provider without researching sources. In addition, there may be significant differences in the manner in which the providers offer access to external database information. This fact can profoundly affect the ability of organizational personnel to work with the information they require. When developing a list of external databases, the database manager will probably receive employee requests in the form of trademark or servicemark names. Those names may not represent the actual type of information organizational employees need to access, nor do they necessarily reveal whether equivalent information can be obtained from another information access provider. Thus, the trademark or servicemark name should be converted into a descriptive statement of the employee’s information access requirement. For example, an employee may request access to Dow Jones Information Services but, after questioning the employee, the database manager might determine that he or she actually needs access to a very limited amount of financial information, such as the relationship between German marks and U.S. dollars over the past five years. This should be the database manager’s external database access requirement. Specifically saying what is needed helps the manager locate alternative information access providers and avoid paying for unnecessary information. After defining the necessary content of external databases, the database manager should try to locate alternative information providers. In doing so, the manager should note the method or methods by which information can be accessed. This is the third step in developing an effective strategy for accessing external database information. INFORMATION ACCESS METHODS Data communications is just one of several methods for accessing external databases that the database manager should consider. Other methods include optical and magnetic media distributed as part of a subscription service, as well as conventional printed media. Even when considering the use of data communications, the database manager should look at several access methods. Some information access providers can be reached only through a direct-dial modem call. Such providers may not have a national toll-free number, and the database manager must include the cost of long-distance telephone communications, as well as the cost of accessing information, when evaluating these providers. Other providers that support modem access may be connected to such value-added carrier X.25–based packet transmission networks as SprintNet or BT Tymnet. Using those networks to access the resources of an information access provider can involve half 60
AU1253_ch06_Frame Page 61 Saturday, October 26, 2002 4:25 PM
Providing Access to External Databases Exhibit 1.
Database Access Methods
Communications Facilities • Direct-Dial by means of a modem • Access through a value-added carrier • Access through the Internet
Mail, subscription service • Printed media • Magnetic media • Optical media
or less of the cost of a conventional long-distance call made over the public, switched telephone network (the only cost being local phone connection time, plus any network fees). Within the past two years, several information access providers have established connections to the Internet, providing a third communications method for accessing external information. In addition, thousands of anonymous File Transfer Protocol sites provide free access to a wealth of information, ranging from economic data from the Federal Reserve Bank of Boston to weather data provided by NASA. Exhibit 1 lists database access methods that the database manager should consider before selecting a database or group of databases to support organizational information requirements. The relative access cost should be considered in negotiating contracts with information access providers. UPDATE FREQUENCY The key advantage of communications access over subscription access to external database information is in update frequency. When users access an external database through data communications, they can obtain immediate information updates to the database they are accessing. (Of course, it is important to note the time that elapses between real-world changes and a service’s database updates.) Database information received from a mailed subscription service, on the other hand, can be considerably aged. For example, it may take the information provider a week or more to master a CD-ROM disk, duplicate it, and mail new disks to subscribers. If updates are furnished on a monthly basis, users can be working with information that is five weeks old when they are just about to receive their next CD-ROM disk. For certain applications, the frequency with which information being accessed is updated can be very important. However, for other applications, a monthly, quarterly, or semiannual update is more than acceptable. Thus, the database manager must consider the update frequency when considering using a particular database access method. 61
AU1253_ch06_Frame Page 62 Saturday, October 26, 2002 4:25 PM
INTRODUCTION TO REMOTE ACCESS DATABASE ACCESS COST Determining the type of external information that must be accessed involves considering alternative information providers. The database manager should review the information provided by external database vendors, along with their access or subscription fees, to determine the cost associated with each database. The one-time cost associated with any required hardware must also be considered; for example, the cost associated with a subscription to a database provided on CD-ROM disks includes the cost of a CD-ROM reader if one is not currently available. Similarly, if an employee requires access to a dial-in information access provider and does not have a modem, the cost of the modem should be considered. ECONOMIZING ON MULTIPLE ACCESS REQUIREMENTS The database manager can consider several techniques when more than one employee needs access to an external database. A local area network (LAN) can provide shared access to transmission and data storage facilities. The manager can negotiate usage-based contracts that reduce the cost of database access as access increases. Because many organizations have LANs, this focuses on LAN solutions. The first method to consider is accessing an external database over the switched telephone network. The conventional method for providing this access is to install a separate telephone line and modem for each user requiring use of the switched telephone network. Doing so can result in a one-time cost of $100 to $500 for a modem and appropriate communications software, as well as a monthly business line telephone charge of $50 or more, not including the cost of long-distance charges. Companies that have LANs can handle their various uses for the switched telephone network by connecting an asynchronous communications server to a group of modems called a modem pool. Exhibit 2 illustrates an Ethernet bus-based LAN in which each network user can access a modem from a five-modem pool. A workstation user can use any available modem and the business line that connects it to the switched telephone network. LAN ACCESS TO A MODEM POOL The cost of an asynchronous communications server, including required hardware and software, is approximately $3000 for a Novell NetWare-based network. Assuming the cost of each modem is $300, the total hardware and software cost to establish a five-modem pool is approximately $400. Assuming each business telephone line costs $50 per month, the monthly cost for the modem pool illustrated in Exhibit 2 is $250. If modems cost $300, communication software costs $100, and a business line costs $50 per 62
AU1253_ch06_Frame Page 63 Saturday, October 26, 2002 4:25 PM
Providing Access to External Databases
Station N
Asynchronous Communications Server
Station 1
Modem
Modem
Switched Telephone
Exhibit 2.
Ethernet-Based LAN Access
month, the cost of providing ten employees individual modems, communications software, and business telephone lines is a one-time expenditure of $4000 and a monthly recurring cost of $500. Of course, all ten employees with individual modems can simultaneously access the external database, whereas only five could simultaneously access modems in a five-modem modem pool. In most organizations, only a few employees usually access modems simultaneously. Thus, a 2:1 ratio of employees to modems in a modem pool is generally sufficient, and because a company saves each month on business lines by using a modem pool, the infrequent inconvenience of an employee not being able to access a modem immediately must be compared to this savings. Purchasing fax modems can provide users additional capabilities that further justify costs. A method to reduce the cost of accessing external database information on subscription-based optical and magnetic media products involves adding a conventional or optical disk to the file server that enables multiple LAN users to access information. The following example illustrates the economics of disk access sharing. A database is available on a CD-ROM disk for $300 per year; a site license for a LAN costs $1000. If CD-ROM readers cost $400 and a Novell NetWare-compliant CD-ROM reader and software cost $1000, the cost of providing ten employees with individual CD-ROM readers 63
AU1253_ch06_Frame Page 64 Saturday, October 26, 2002 4:25 PM
INTRODUCTION TO REMOTE ACCESS and individual subscriptions to the database runs $7000 for the first year and $3000 for subsequent years. In comparison, the use of a CD-ROM reader on a network costs $2000 for the first year and $1000 for subsequent years. Both of these access techniques require a LAN, though neither by itself usually justifies the cost of establishing a network. They can, however, be used with other organizational requirements, such as sending e-mail and sharing files, to justify the establishment of a network. SUMMARY The database manager must consider many factors in developing a costeffective strategy for providing employees access to external databases. First, the manager must determine employee requirements and alternative database providers. Using this information, the manager must consider different database access methods, matching each method against the frequency of database update that the employee requires. Once one or more access methods are identified, the manager should consider the cost associated with each access method. The database manager should conduct this study with the network administrator because the use of an existing LAN can considerably reduce the cost associated with using the switched telephone network or sharing access to a database stored on a CD-ROM disk.
64
AU1253_ch07_Frame Page 65 Saturday, October 26, 2002 4:25 PM
Chapter 7
Remote LAN Access Technology Michael Van Patten
Now that it is common for executives and professionals to travel with portable computers, it is necessary to maintain remote communications with an organization’s computer networks. Downsizing of mainframe computers has led to large local area networks (LANs) throughout both the public and the private sectors. These LANs contain the information databases that facilitate the execution of the organization’s strategy and tactics. Quick and easy access for mobile users is a requirement as they try to connect to their corporate networks from hotels and airports. This access must also be secure from unwanted intruders and hackers who might try to break the integrity of the system. Remote dial-in access allows mobile users to continue working while traveling outside their office environment. REMOTE ACCESS METHODS There are two major modes of remote LAN access — remote control and remote node (see Exhibit 1). Remote control and remote node have distinct differences in their communication activity and application performance. Only one mode can be used by a remote user at one time. Remote access can be performed several other ways, including LAN-to-LAN access, remote routing, and border routing. However, only remote control and remote node methods and products are discussed in this chapter. Remote Control Access With remote control access, the remote user connects to a workstation on the LAN and takes control of its operation. The software on the remote system sends keyboard commands to the workstation, and the remote system receives screen images from the workstation. The LAN actually communicates to the local workstation while the remote control software communicates to the remote system. All the actual processing is performed 0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
65
AU1253_ch07_Frame Page 66 Saturday, October 26, 2002 4:25 PM
INTRODUCTION TO REMOTE ACCESS
Exhibit 1.
Remote Access Methods
on the local LAN workstation. Only the resulting screen image is transmitted to the remote computer. Generally, this type of access occurs through a modem on the workstation over the telephone line to a modem on the remote system. However, this communication can occur over the LAN, either to another local workstation or through a communications server that has a modem connecting to the remote system through the telephone line. Modems. Today, modem technology is characterized by rapidly increasing speed and rapidly decreasing prices. The past standards of 14.4 kbps and 28.8 kbps have been replaced by faster technologies. The most popular modems today operate at 33.6 kbps or 56 kbps. Dedicated lines such as T1 handle speeds of 1.544 Mbps.
REMOTE NODE ACCESS The second method of remote LAN access is called a remote node connection. A remote system connects to the LAN through a communications server and directly communicates to the LAN with a LAN node address. The remote user can access data files, use the LAN print servers, and call up LAN-based applications. Actual network packets are transmitted to the remote computer as if it were locally connected. The LAN views the remote system as a node like any other local node on the network. 66
AU1253_ch07_Frame Page 67 Saturday, October 26, 2002 4:25 PM
Remote LAN Access Technology APPLICATIONS Personal productivity tools were the first applications to revolutionize the computing world. These tools include word processors, spreadsheets, databases, and presentation generators. As computer users connect their systems through networks, they need to perform more than just personal applications. Many of these newer applications are considered group productivity applications, or groupware. Electronic Mail Electronic mail, or e-mail, was the first successful major group application. This application allows users to communicate more often and to more people. E-mail delivers messages faster than any other methodology. E-mail users can organize their communications better, reply to requests immediately if desired, and forward information more easily than through conventional written correspondence. There are three methods to obtain e-mail remotely: through remote control access, through remote node access, or through an e-mail server (see Exhibit 2).
Exhibit 2.
E-Mail Connections
67
AU1253_ch07_Frame Page 68 Saturday, October 26, 2002 4:25 PM
INTRODUCTION TO REMOTE ACCESS Remote Control E-Mail Access. Through the use of remote control, a remote user can connect to the LAN and have the controlled workstation log into the LAN and execute the e-mail application. The user can read the e-mail by sending keyboard commands to the controlled workstation. E-mail is often more than just text, however. When e-mail contains multimedia objects, network performance can be slowed considerably. Remote Node E-Mail Access. The second method of obtaining e-mail from a remote system is through remote node access. The remote system connects to the communications server on the LAN and logs on. Then the remote system executes the LAN-based e-mail application through the telephone connection. Using commands in the e-mail application, the remote user can download any e-mail messages waiting to be read. In addition, the remote user can write e-mail messages and send them back through the telephone line to the LAN for storage. E-Mail Server Access. A third method of obtaining e-mail remotely is through an e-mail server. The remote system dials directly into a dedicated e-mail server. The server verifies the user, immediately downloads any unread E-mail messages to the remote system, accepts any new e-mail from the remote user, and then hangs up to minimize telephone line charges.
Newer e-mail clients are beginning to offer a slight variation on this method, retrieving only the header information from each message. This option gives the user the capability of determining which messages to retrieve, which to delete without reading, and which to save for later retrieval (presumably after the user is connected locally). This approach can save considerable amounts of time, especially when messages contain large attachments. FIELD FORCE AUTOMATION Another application being implemented across many types of organizations is field force automation. Typically, field personnel are outfitted with a portable (laptop or notebook) computer with a modem, customer tracking or order entry application software, communications software, and communications servers at the office. IDC (Framingham, Massachusetts) performed a survey of more than 400 mid-size U.S. organizations that had implemented field force automation and found that 60 percent of those companies had met or exceeded their expected goals. Their measurable results included reduced order processing time, increased revenues and profits, improved revenue per employee, and faster competitive feedback. The average cost of automating a salesperson was less than 1 percent of the person’s average salary and overhead. 68
AU1253_ch07_Frame Page 69 Saturday, October 26, 2002 4:25 PM
Remote LAN Access Technology Dial-In Transportation There are several popular methods of accessing LANs remotely. The most common is over standard telephone lines. Another is through digital telephone lines, or integrated services digital network (ISDN). A third is using wireless technology. Standard Telephone Line Access. Because most telephone lines are analog, the largest number of remote access users need modems to translate their digital computer signals. Modem technology has advanced rapidly over the past several years. The most popular modems sold today are V.90, which runs at 56 kbps. In a poll of 51 large corporations regarding their current remote access systems, Forrester Research Inc. found that the users complained of slow data response times and troublesome modems. These problems are now being solved by newer modem technologies. ISDN. Suppliers of integrated services digital network equipment are becoming almost as numerous as modem suppliers. Although a single ISDN channel has a speed of 64 kbps, some products provide two channels for one connection at 128 kbps and, with 4:1 compression, can theoretically obtain 512 kbps. The biggest problem with ISDN is that it is not available everywhere. Wireless Technology. Two types of remote wireless connections are available today, and a third is right around the corner. The two current services include Ardis, a joint venture of IBM and Motorola, and RAM Mobile Data network, backed by BellSouth.
RAM Mobile provides a wireless service across the United States in about 7000 metropolitan areas. Ardis has a broader coverage of more than 10,700 towns and cities. Ardis currently offers speeds of 4.8 kbps, and RAM operates at 8 kbps. Generally, most of the LAN-based remote access servers will be connected through standard dial-in telephone lines for now. However, some larger users have optional ISDN connections installed in some areas of the country. Dial-Out Connections The much-discussed information superhighway will require many on- and off-ramps for everyone to share in this resource. Through dial-out remote access products and common protocols, every workstation can have access to the highway. Various applications can be accessed by workstations, including large commercial online services such as CompuServe, America Online, and 69
AU1253_ch07_Frame Page 70 Saturday, October 26, 2002 4:25 PM
INTRODUCTION TO REMOTE ACCESS
Exhibit 3.
Modem Pooling
Prodigy. These services provide access to news, financial data, weather information, and special-interest forums. Still others access national e-mail applications such as MCI Mail, AT&T Mail, and the Internet. The most popular access method to the Internet is Point-to-Point Protocol (PPP). This protocol offers Internet access through use of an Internet service provider (ISP). Modem Pooling. Many of the integrated remote access servers now have shared dial-out — or modem pooling — capabilities. Modem pooling, as illustrated in Exhibit 3, allows the workstations on the network to share the same modems that are used for incoming access. These modems, attached or enclosed in the server, are managed by the server software and accessed through requests from the LAN workstations. Any of the authorized workstations can then gain access to a shared modem when needed.
Any workstation on the LAN can be loaded with a program that connects it to a modem attached to the server. This virtual connection made between the LAN workstation and the remote access server uses one of a few standard methodologies. Interrupt 14 is the most common methodology. Others include Interrupt 6B and NASI. Many commercial programs support these connection standards, including Symantec’s Procomm and WRQ’s Reflections. These programs run at the workstation and are configured to emulate various terminal types. Through these configurations, the workstation can emulate terminal types such as DEC VT100, IBM 3270, or a standard ANSI terminal. Terminal 70
AU1253_ch07_Frame Page 71 Saturday, October 26, 2002 4:25 PM
Remote LAN Access Technology emulation is required so that host-based applications can be properly displayed at the LAN workstation through the modem pool. Although dial-out is not always required by every organization, it is a great economical feature to have in a remote access or communication server. Many workstations might have their own modem attached, but with client/server networks, only that workstation can use the modem. Besides the extra cost for the additional modems, there is also the cost of all the additional telephone lines required. Modem pooling is a highly effective means of controlling communications costs. SECURITY OPTIONS Although each LAN operating system has its own security system, most of the remote access software and server products have additional security functions. There are several options to be considered, including encryption, dial-back, audit logs, and authentication. Encryption and Dial-Back Password encryption and dial-back methods are the most common security methods used by today’s products. Dial-back allows remote users to call in, enter a password, hang up, and wait for the remote access device to verify their access and then call them back. This technique prevents intruders who have learned someone’s password from calling in from a different location. Passwords are usually encrypted so that eavesdroppers cannot intercept the call and record the password for their own use later. Data encryption standard (DES) is the most popular method for password encryption. Audit Logs and Authentication There are several authentication protocols including Kerberos, Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), remote authentication dial-in user service (RADIUS), and others. These systems can check various incoming items to verify their authenticity. Recording each access and all its transactions in an audit report can monitor any illegal access activity that might occur. Of course, there is a trade-off between the amount of security that is used and the ease of access desired. The more layers of security that are added, the more difficult the access. SUMMARY As communications technology continues to improve and costs continue to drop, more people will adapt their activities around these tools for increasing productivity. In the 1960s, only large institutions could afford mainframe computers. In the 1970s, most medium-size companies 71
AU1253_ch07_Frame Page 72 Saturday, October 26, 2002 4:25 PM
INTRODUCTION TO REMOTE ACCESS acquired minicomputers. In the 1980s, most organizations acquired some type of computer equipment, ranging from mainframes to personal computers. By the early 1990s, most organizations networked their computers to share data and programs. Now, most organizations allow remote computers to access their networks. There are many remote access server options to consider, including: • Which networking technology — Ethernet or Token Ring? • Which network operating system or protocol — NetWare, Windows NT, TCP/IP, or other? • Which access method — remote control or remote node? Another important decision is the remote access connection required. Choices include ISDN, wireless, or standard asynchronous. If an asynchronous link is chosen, then the user must select either an internal or external modem and the speed of modem desired. The level of security must also be considered and compared with the ease of access needed. Finally, it is important to ensure that the network operating system has tested and approved the chosen products. The easier the products are for workers to use, the more likely it is that their productivity will increase. If remote users can plug their computers into a telephone jack, turn on the machine, click on an icon or enter a command, and quickly see the network’s logon prompt (just like at the office), they will use the system. The more people at all levels using the network, the more informed and productive everyone from field force personnel to the organization’s management will be.
72
AU1253_ch08_Frame Page 73 Saturday, October 26, 2002 4:26 PM
Unit 2
Technology
AU1253_ch08_Frame Page 74 Saturday, October 26, 2002 4:26 PM
AU1253_ch08_Frame Page 75 Saturday, October 26, 2002 4:26 PM
Chapter 8
Communication Servers Denise M. Jones
The benefits communication servers offer to the networking world, including branch office integration, deployment of enterprise-wide and Internet e-mail, and the acceptance of mobile forces, have been leaked to the masses. IS managers around the world are being barraged with requests for connections, connections, connections. This chapter will provide an overview of the latest technologies communication servers are utilizing to satisfy this demand for enterprise-wide connectivity and provide guidelines for matching the most cost-effective access method with each dial-up scenario. WHO IS CLAMORING FOR CONNECTIONS? Communication servers enable people to change the way they do business, giving them the flexibility to review e-mail, place orders, send faxes, edit files, run reports, and get real-time information from anywhere, at any time of day. There are three basic types of network users who require the functions performed by a communication server. Telecommuters Telecommuters are at-home employees who generally connect to the network from the same location each session. Their most significant problems are updating work documents and sharing those documents with others, accessing e-mail, and producing correspondence and presentations. They can often work without the network, but make occasional connections to access network files and resources. Telecommuters also need access to printers, fax machines, and e-mail systems. Traveling Sales Force Traveling sales people need many of the telecommuters’ capabilities, including access to e-mail and network files, but instead of always connecting from the same location, they often move around from hotels to airports to regional offices. Sales people connect to check inventories, enter or 0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
75
AU1253_ch08_Frame Page 76 Saturday, October 26, 2002 4:26 PM
TECHNOLOGY check on the status of an order, update customer accounts, and perform other functions that require access to large databases that can’t be copied to a notebook hard drive. Roving Executives Roving executives want to stay in touch with their organizations and be informed about ongoing project status and general operations. They often perform many of the same tasks listed for the telecommuter or traveling salesperson, such as updating work documents or changing presentation, but their main priority during a dial-up session is sending or answering email or scheduling information with other employees. THE METHODS OF CONNECTING When you consider the growing numbers of users requiring network communication services, the goal of maintaining any sort of coherent computing environment is clearly a challenge. Keeping workers up-to-date requires more than just a laptop and a modem. Those who frequently work from home or on the road know that a digital lifeline to the office is necessary to stay current. There are numerous approaches to dial-in remote communications, but all techniques fall under two fundamental classes: remote control or remote node. REMOTE CONTROL With the remote control approach, a modem-equipped PC on a network runs remote control software, such as Symantec’s PC Anywhere. This PC is referred to as the host. Exhibit 1 provides an illustration of a typical remote control scenario. At the remote site — which could be a hotel room, your home, or a client’s office — the employee uses a modem-equipped laptop or desktop PC running the client portion of the remote control software to dial up the remote control host. The software allows utilization of the host PC as if the user were sitting at its keyboard by transmitting keystrokes across the modem link and putting them into the keyboard buffer of the host PC. A remote control setup is a typical solution for users of large databases, accounting applications, and other shared files on the network. For these situations, the realistic approach is to leave the applications where they are and provide access to remote clients. Because the actual volume of data in a remote control session is relatively low (only keyboard, video, and mouse movement updates), response time is good. In addition to above-average performance, security remains intact, data stays on the host or network and can be backed up centrally, and multiuser applications work as they should. However, you do pay for this sometimes spectacular connection. 76
AU1253_ch08_Frame Page 77 Saturday, October 26, 2002 4:26 PM
Exhibit 1. Typical Remote Control Scenario
Communication Servers
77
AU1253_ch08_Frame Page 78 Saturday, October 26, 2002 4:26 PM
TECHNOLOGY Two machines are required for a remote control process, and a modem link must be maintained during the entire dial-up session. Installing a remote control solution is simple if setup involves only one host PC and not an entire network. However, this approach causes security problems if the user leaves the host PC turned on and logged onto the network. Most commercial applications implement some security, but it is only effective if the user enables the security function. Centralized solutions that put security and access under tighter controls usually do not involve individual users’ desktop PCs. Instead, they depend on separate systems designed for remote control access. Vendors like Cubix provide multiprocessor (asymmetrical) systems that can be tailored to the needs of the organization by combining several dial-in hosts, modems, and remote access software into a single chassis. Due to the requirement for two PCs to perform remote control, implementing this method of remote access has often been considered expensive. Companies like Citrix are working to change the economic feasibility of remote control by introducing software that allows multiple remote control users to share the same host. Although this divide-and-conquer theory sounds appealing, these PCs require substantial memory (64 Mb or more) and a Pentium processor to equal the performance of a standard one-to-one connection. Citrix’s unique twist on remote control has been coined remote application. Citrix developed a presentation layer protocol called the Intelligent Console Architecture (ICA) that allows an application’s user interface to execute on the client side while the application itself executes on the MetaFrame server. On the server side, processes run applications for remote users. These processes are set up to monitor either a specific network protocol such as IPX, TCP/IP, or NetBEUI, or to monitor serial ports on the server. When users connect, they log into the MetaFrame server as WindowsNT users and control one instance of an application on a processor. Client PCs in a Citrix MetaFrame environment can be anything from a relatively low-powered PC to a simple Windows terminal (Wyse Technology, Inc., Tektronix, Inc., Network Computing Devices, Inc., and others build terminals for Windows applications) or even a Web browser. The MetaFrame Remote Application Manager allows low-powered clients and clients running over low-speed links the ability to utilize the processing power of a Citrix MetaFrame server to run 16- and 32-b Windows applications. Despite the fact that Citrix can run 16-b Windows applications, it is not recommended. Win16 applications run in WOW mode (Win16 on Win32) under MetaFrame. This causes 16-b applications to consume more system resources. This advice is also applicable to some DOS applications. 78
AU1253_ch08_Frame Page 79 Saturday, October 26, 2002 4:26 PM
Communication Servers REMOTE NODE Although remote control technology has made significant improvements in performance and management techniques, the advent of client/server computing has brought remote node to the forefront of communication server technology. Remote node is comprised of a remote bridge or router, referred to as a remote access server, which allows the remote PC to become a full-fledged node on the network. Data packets issuing from the remote PC travel across the modem link, where a remote access server using remote node software forwards the packets on to the local area network (LAN). Any packets from the LAN bound for the remote PC are also forwarded across the dial-up modem link by the remote access server. Exhibit 2 provides an illustration of a remote node scenario. Remote node establishes a link to a remote disk drive or printer much in the same way a LAN rerouter adds LAN-based devices to a PC. The drives are connected to the remote PC only by a temporary connection. In the case of a LAN, the connection is the LAN cabling and interface cards. In a remote node scenario, the connection is via modem, T1 line, or ISDN connection, to name a few options. It is convenient to have access to another disk drive containing data that is not available on the local drive of the remote PC. But the amount of information you can access is limited by the bandwidth of the remote connection. On a LAN operating at 10 Mbps, the access speed is acceptable. However, a 56 kbps modem connection will be, at best, 50 times slower than a LAN. It is easy to see that remote node access is useful for retrieving small files, but not for running applications from the host machine. Remote node is appropriate when applications can be executed on the remote PC and relatively small amounts of data are transferred between the network and the client. Sending mail messages, accessing client/server databases such as Lotus Notes, or retrieving a document from the LAN can be handled easily with a remote node connection. For example, because word processing documents are relatively small, users can expect decent performance running Microsoft Word on the remote PC and retrieving files from the network. If, however, the user did not have Microsoft Word loaded on his or her laptop or remote desktop PC, all the executable and supporting files would need to be transferred across the modem line as the application is running. Performance will be terrible, and users may be tempted to contact members of the IS staff or help desk to find out what went wrong. A variety of remote access servers exists to deliver remote node connections to a corporate network. Some products are software only, such as 79
AU1253_ch08_Frame Page 80 Saturday, October 26, 2002 4:26 PM
Exhibit 2. Remote Node Scenario
TECHNOLOGY
80
AU1253_ch08_Frame Page 81 Saturday, October 26, 2002 4:26 PM
Communication Servers Microsoft RAS, and require only the addition of a third-party multiport device to provide a LAN port on the host side of the connection. Other servers come in the shape of small appliances, like the Intel LANRover (formerly Shiva). These devices come with integrated remote node server software, unlimited number of client licenses, six- or twelve-port configurations, and integrated modems. COMBINING CONNECTIONS Both remote control and remote node technologies provide advantages and disadvantages in each dial-up scenario. Corporations have begun to deploy combinations of remote node and remote control technologies as they grapple with the escalating needs of their burgeoning remote client community. This mix creates confusion, cost, and technical-support administrative overhead. • Doling out and managing communication resources has become an arduous task. • Network administrators must create and enforce remote access usage policies. • Users are expected to adhere to policies they often do not understand. • Optimal usage of communication server resources is never realized. • Unnecessary costs take place because of a disregard for or lack of understanding of the technologies involved in providing enterprisewide network connectivity. CREATING AND ENFORCING REMOTE ACCESS COMMUNICATION POLICIES System administrators are tasked with creating remote access policy. The simplest type of policy allows remote node access for one set of users and remote control privileges for another. More sophisticated situations include granting remote node and remote control access based on the application type, time of day, and communication speed required. Manually enforcing such a policy is a time-consuming and often impossible task. The users of communication server resources are often nontechnical, widely dispersed, and cannot be forced to comply with corporate policies. Network administrators’ plates are full without having the task of policing their remote client community. Remote clients often do not understand that violation of what may seem to be an arbitrary policy can have serious consequences for all users. The breaking of any remote communication policy can produce very unpredictable, but usually negative results. Long delays in accessing information, needless phone charges, and increased labor costs are just a few examples.
81
AU1253_ch08_Frame Page 82 Saturday, October 26, 2002 4:26 PM
TECHNOLOGY Exhibit 3.
Time Required for Tasks after Installation for 100 Remote Clients
2 or more hours training each remote client 4 or more hours in help-desk support for each remote client An equal number of hours of general network administration time
200 hours 400 hours 600 hours 1200 hours or more
ADMINISTRATION COSTS CAN BE STAGGERING The hidden costs of remote access communication policy administration will far exceed initial product costs. For example, network administrators at a medium-sized company trying to support 100 remote clients might spend considerable time within the first three months of a communication server installation, as indicated in Exhibit 3. In addition, incorrect technology choices made by the remote clients will create dissatisfied employees, waste many hours of labor, incur unnecessary phone charges, and add significant cost to the users’ projects. Add another 100 users, and costs would double. ADHERENCE TO REMOTE ACCESS COMMUNICATION POLICY The remote client who adheres to a typical remote access communication policy fumbles with different technologies under various circumstances. For example, he or she may access e-mail by remote node and use a remote control session for a custom sales application. The decision as to which connection method is most appropriate is often unclear to nontechnical users. Without a set of automated guidelines, nontechnical users are left to ponder the following questions: • If I want to enter an order, should I use remote node or remote control for the best performance? • If the file I need is 300 kb in size, which remote access method should I use? Remote node or remote control? • If I want to look at my e-mail, through which company phone number should I connect? • How do I use an application that I have at work but do not have loaded on my laptop? • If I want to do a quick look-up of a large spreadsheet file, should I use remote node? The questions associated with remote-access communication methods go on and on. Each question may generate a help desk call, or the remote client may find out the answer to his question the hard way. Either technique to problem solving is burdensome and costly.
82
AU1253_ch08_Frame Page 83 Saturday, October 26, 2002 4:26 PM
Communication Servers SUMMARY After installing any communication service, network administrators should create an internal beta group for testing. These behind-the-scenes guinea pigs will help weed out the majority of user problems before the system goes completely on-line. Use the comments that are gathered during these beta tests to outline useful tips for future user training sessions. It is vital that everyone be aware of and capable of using these new network communication services. If user education is ignored, chances are that a communication server will become a cost-intensive, nonproductive application on the network.
83
AU1253_ch08_Frame Page 84 Saturday, October 26, 2002 4:26 PM
AU1253_ch09_Frame Page 85 Saturday, October 26, 2002 4:27 PM
Chapter 9
Virtual Private Networking Matthew Wallace James S. Tiller
Virtual networking has its origins in the concept of the virtual office during its evolution in the early 1990s. The virtual office represents a temporary logical grouping of individuals, regardless of their location or position in the organization, to work on a specific project. Thus, this project concept is also commonly referred to as an organization without boundaries. The earliest methods used to support the communications requirements of the virtual organization were voice, fax, and electronic mail. By the mid1990s, a new type of local area network (LAN) known as a virtual LAN was developed in part to support the dynamic assignment of personnel to virtual organizations. A second method of providing communications support for virtual organizations, referred to as virtual networking, represents the transmission of data between two locations on a mesh structured network that is so large it can be considered to represent a network without boundaries. That network is the Internet, and almost all references to virtual networking either implicitly or explicitly reference transmission over the Internet. THE BENEFITS OF VIRTUAL PRIVATE NETWORKING The business world has found the Internet. The technology many companies have relied upon is becoming obsolete at a frenzied pace, as IS managers and networking professionals struggle to keep up with the pace of technology. New products and opportunities are emerging constantly. One of the most promising cost-cutting technologies available is that of virtual private networking, or VPN technology. Managers have been slow to turn to virtual private networking, either because they are unsure of the technology or unaware of the benefits they can reap. The path to using VPNs to benefit an organization includes understanding the business case for VPN deployment, learning the basics of the technology, and knowing a path for deployment. 0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
85
AU1253_ch09_Frame Page 86 Saturday, October 26, 2002 4:27 PM
TECHNOLOGY Understanding why VPN technology is so useful begins with understanding how networks are being used. The local network being the base unit of all networking, many companies with diverse physical locations find themselves needing to tie their local networks together, resulting in the widearea networking common for companies with national and international presence. The cost of this networking can be exorbitant, because many companies require the lines to be private. A DS-1 connection to the Internet can be relatively inexpensive, but a DS-1 connection from San Francisco to New York can be very costly. When you start crossing the Atlantic, the costs skyrocket again. Frame relay was one solution that allowed local network connections and relatively inexpensive Private Virtual Circuits (PVCs) connect each company site through a shared frame relay mesh. Because of the lack of privacy, frame relay ultimately has proved unacceptable to many companies needing wide-area connectivity. Network security experts are quick to warn against trusting the infrastructure your frame relay circuits cross, as they can become vulnerable to redirection, and more commonly, packet sniffing. It is essentially these security concerns that have brought about the need for a wide-area solution, one that has a cost comparable to a local connection and privacy gained by private point-topoint lines. Many companies with strong security needs, those involved in transferring financial data or other highly sensitive information, may find even traditional point-to-point lines too untrustworthy for their applications. The second need for VPN exists for companies with high remote access needs. Traveling sales people, officeless employees, telecommuters, or anyone needing access to the “LAN back home” often incurred exorbitant costs connecting via traditional dial-in setups. The cost of 800 numbers or even prepaid calling cards could run to hundreds or thousands of dollars for each employee with heavy remote access requirements. For those telecommuting from outside the local calling area, which is the norm, companies were forced to turn to private lines to avoid long-distance costs. An unfulfilled need existed for inexpensive remote access. Ideally, a company could provide an employee with an inexpensive dial-up Internet account, and the employee would access the company’s LAN via the shared Internet. Security concerns were again at the forefront of reasons why this was unfeasible. Any company trading in the exchange of sensitive information about their products, plans, or customers could find themselves victims of industrial espionage. One frequently unmentioned benefit of VPN use is that it allows access to servers on illegal addressing space, which are blocks of IP addresses that are unusable on the Internet, even across a WAN. Many companies now utilize these unroutable addresses. Using VPNs (those in tunnel mode, as will be explained later in this chapter), the real addresses are hidden and the traffic crossing the Internet is legal. VPNs still give a remote user 86
AU1253_ch09_Frame Page 87 Saturday, October 26, 2002 4:27 PM
Virtual Private Networking direct access to machines, without needing to expose those machines to the Internet with addresses anyone can reach. By keeping servers unrouted and letting all access a VPN, there is no need for address translation to expose those addresses to the Internet. VPN technology was created in response to these needs. It allows a connection from anywhere; dial-up account, leased line, or frame relay can connect back to a primary network safely, regardless of what networks the information had to transit to get there, via the use of strong encryption. By employing real-time encryption, the traffic from LAN to LAN or user to LAN could be encrypted, sent across an untrusted network, and arrive safely at the destination to be decrypted. Data intercepted or monitored in transit would be useless without the secret keys necessary to decrypt the traffic. WHAT ARE THE IMPLEMENTATIONS OF VPNs? The implementations of VPNs vary widely. In an effort to offer a more complete solution to their customers, many firewall vendors have offered VPN capability as a feature, either standard or as an additional module. The two varieties of VPNs found on firewalls are firewall-to-firewall tunnels and user-to-firewall tunnels. These allow the two internal networks behind firewalls to communicate or a user to get safe access to machines behind a firewall, respectively. A full survey of companies offering VPN-capable firewalls would be quite extensive. Some of the leaders in VPNs include Raptor Systems with their Eagle and Eagle Remote firewalls, Check Point Software with the popular Firewall-1 product, and Trusted Information Systems and their Gauntlet firewall. They vary in the encryption types offered and their respective performances. Any consideration of VPN technology should include an examination of hardware VPN technology. One of the limitations of firewall-based encryption for VPNs is speed. Only so much traffic can be encrypted by a software package. For business needs that exceed those bandwidth requirements, companies producing hardware-based encryption have come forward. The use of hardware-based encryption allows much higher throughput, without taxing a company’s Internet firewall. Custom hardware tuned for encryption operations allows much higher rates of encryption. Some of the vendors pursuing this market include RedCreek and its Ravlin line, and VPNet and its hardware encryption products. The trend of the market is toward integration of products. Hardware-based VPN companies are partnering with firewall vendors and router manufacturers. A good example of this is VPNet’s private-label OEM agreement with Bay Networks, allowing a single vendor to service more needs of its customers. 87
AU1253_ch09_Frame Page 88 Saturday, October 26, 2002 4:27 PM
TECHNOLOGY Digital Equipment’s Alta Vista Tunnel is available, either integrated into its firewall or as a standalone product. This is useful when companies have firewall solutions in place without VPN support, or with VPN support that does not stack up to their needs. There are a few key features to watch for when differentiating between VPN choices. First, make certain that the solution you select supports your application with its technology. A provider of financial data may only need to keep a stream of data private for a few seconds. After that, it is public knowledge; that few seconds of privacy can be protected with less powerful encryption. On the other hand, a bank transmitting information about accounts or any application transferring credit card numbers may need to rely upon its encryption for a nearly indefinite period of time. Weaker ciphers, such as DES, are fine for applications not requiring long-term security, but rising computer capabilities combined with decreasing computer costs make the longevity of such ciphers questionable in applications requiring long-term security. An application requiring months or years of privacy for its transmitted information calls for a strong cipher like Triple DES or IDEA. In selecting a VPN product, it is critical to match capabilities with needs. One important feature to look for is called “dynamic rekeying.” Keys are used by a cipher to encrypt data. When a VPN is dynamically rekeyed, the new keys to be used in the tunnel are sent across the tunnel. Then the encryption resynchronizes using the new keys. If a VPN is rekeyed every 60 seconds, it means that even if an attacker compromises a key to read the encrypted data, only 60 seconds worth of data is available. What is critical, though, is that the VPN product exchanges the new encryption keys asymmetrically. If an attacker simply uses the tunnel to pass a new key, then once one tunnel is compromised after the data has been recorded, decrypting the succeeding key is trivial, regardless of the number of iterations. However, if the keys used are asymmetric, using a public key/private key pair, then a new public/private set can be used each time to exchange the actual keys for encryption. This is typical of public key encryption: asymmetrical encryption is used to establish a symmetrical key for the bulk data encryption, because the symmetrical encryption is much faster. Make sure not only that a VPN product rekeys dynamically, but that it exchanges the new keys for encryption with an algorithm that keeps the new keys secure even if the previous key set is calculated. Another difference in tunnels is the distinction between tunnel mode VPNs and transport mode VPNs. All IP packets have both a header (containing information about source and destination, size of the packet, and a number of relevant network flags) and a datagram, which is the payload of information used by the application. In transport mode, a tunnel only encrypts the datagram, i.e., the payload, of a packet, leaving its 88
AU1253_ch09_Frame Page 89 Saturday, October 26, 2002 4:27 PM
Virtual Private Networking header information visible in transit. In tunnel mode, a VPN takes the entire packet and encrypts it, and assigns it a new shell for transmission between the two VPN endpoints, whether those are firewalls or hardwarebased VPN machines. Virtual private networking, as a technology, is coming of age. The IPSEC standard allows different products to communicate cross-platform, allowing companies an easier way to secure communications with their business partners. The increased concern over network security and the availability of encryption at fast network speeds makes VPN an increasingly appealing option for remote access and business communication. The evaluator of VPN products should bear in mind the strengths of technology already deployed in a company. If your company is Cisco-savvy, then its VPN features might appeal. If a company already uses a certain firewall brand, then adding on its VPN solution may be the easiest way. Because no one company has yet established itself as a VPN leader, there are trade-offs to be made. The key issues are performance, ease of use, cost, and integration. Hardware stand-alone solutions excel in performance, but are only now beginning to integrate. The firewall solutions, using either SWIPE (software IP encryption) or the more interoperable IPSec, tend to be easier to set up when a company is already using a firewall, but offer much less in terms of performance. RISK VERSUS REWARD ON THE CUTTING EDGE There was a time when VPN was synonymous with compromise. Like many useful technologies, seamless integration was not available. Some of the complaints about VPN solutions from times past were low reliability, slow connections, and lack of knowledge. The last of those objections was certainly the obstacle. In an industry where up to 70 percent of CTOs and IT managers have reported that their most significant challenge was in keeping up with their personnel needs, it is little wonder that technical expertise familiar with VPN was even more difficult to find. As the technology has become more widely deployed and the need for VPNs recognized, the blending of technology has helped solve the problem. As VPN capability joined the feature set of firewalls and routers, the industry has become familiar with what to expect, and with the next generation of software and hardware, the ability to implement the technology is more commonly within reach. VPN is now supported by Cisco routers, bringing availability on some of the industry’s most ubiquitous networking devices. The other factor is the consolidation of networking technologies. Many companies are striving to provide one-stop shopping for customers, especially in the security products market. Consolidation of access control, firewalls, network monitoring, VPNs, virus detection, content filtering, 89
AU1253_ch09_Frame Page 90 Saturday, October 26, 2002 4:27 PM
TECHNOLOGY authentication servers, and other products are the trend, and likely to continue. The consolidated offerings are allowing vendors to add useful features to familiar products. Anyone using firewalls and investigating the use of VPNs should check with their vendor regarding vendor-supported products, as most major firewalls either directly incorporate the technology or have partners who provide it. The bottom line of the risk versus reward discussion is that the technology has left its infancy behind. It is no longer in development. It is now in the integration stage. Vendors, consultants, and partners may be ready to help you benefit from the technology. With the amazing benefits and added security, VPNs are not just something to add or a product to buy, but something destined to become part of the networking paradigm. They are an improvement that will become the standard, rather than the exception. PITFALLS DURING DEPLOYMENT Deployment of VPNs within a company is subject to a few common pitfalls. The first is selection of appropriate technology. Be certain to clearly define your needs in terms of bandwidth and interoperability among business locations, mobile users, and business partners. Consider the capacities of the staff that would manage the VPN solution, including supporting end users who might have their company dial-up accounts replaced by generic internet dial-ups. This first area is the one in which technical consultants are most likely to be useful. Virtual private networking has reached the state where a decent engineer can manage the VPN capabilities of firewalls or stand-alone devices, with perhaps a little technical support from the vendor. However, matching a company’s needs against the available product choices is a task for someone specialized in the arena of network security. This might be a good chance though for a savvy IT professional to solicit a thorough security audit or evaluation, while using the benefits of VPNs as a cost justification. It is important to be aware of the technical capacity of your end user, and be aware of how much support they will require from you, and how much your vendor will support your end users, if at all. Much as with initial installations of company firewalls onto existing Internet connections, some users need assistance to make the change. Most nontechnical users will need assistance to alter their network stacks on their individual machines if client software is used. The transition period can be significant with a large installation, and require as much as 30 percent more working hours to maintain in a networking-intensive company. A consideration that must be kept in mind is compatibility with existing applications. Not all VPNs will pass any type of traffic. Some are valid only for TCP connections, and not tunneling UDP or ICMP traffic. UDP is used by 90
AU1253_ch09_Frame Page 91 Saturday, October 26, 2002 4:27 PM
Virtual Private Networking a number of applications, including DNS and SNMP. This may or may not be important, depending on what type of remote access is needed. This leads to the final point: recognizing maintenance issues. There is a higher cost for using VPN technology. Using encryption to replace the simpler security of private lines, or to make obsolete a company modem pool, has upsides and downsides; but with careful planning, the transition can be smooth. The savings will far outweigh the additional costs of remote user access or private lines. The actual security of a company as a whole can actually significantly benefit from VPN use, as most experts agree that good encryption is a more reliable defense that relying on telecom company privacy. All security measures can be thought of as raising the bar a potential intruder needs to cross to circumvent security. To a determined intruder or concerted attack, properly deployed encryption can be a much greater deterrent than a private communications infrastructure — especially considering that the security of that infrastructure is in someone else’s hands, not your company’s. PART OF A BIGGER SECURITY PICTURE One fact that deserves mention is that virtual private networking is only a part of a complete security scheme. The real point of using a VPN is to protect the link between two secure endpoints. If your endpoints have weaknesses, then the tunneling cannot do anything to protect them. Keep in mind that a VPN is not a license to freely trust the other end, especially one you do not directly control. If one side of an unfiltered VPN is compromised, then the other side can be as well, with the VPN allowing direct access. This can be especially important with business-to-business VPNs, when one company connects to another. One way of keeping access restricted is to terminate the VPN just outside a firewall, where eavesdropping on the traffic can no longer occur, but before the firewall applies its rules. With firewall-to-firewall tunnels, most products allow you to filter services. One company may allow FTP through a tunnel with a partner company, but not permit telnet when that company has no reason to telnet to them. The most important thing to keep in mind is that a VPN is only as secure as its weakest point, especially when the VPN is not filtered between the trusted networks. Just because a user is authenticated and encrypted with the use of VPN software does not mean he or she should have unlimited access. Always explicitly deny any traffic you do not need to allow. Normal network auditing tools should be applied through VPNs when possible. If you employ some sort of attack detection software, such as Internet Security System’s SafeSuite, or Dan Farmer’s SATAN, try using the software 91
AU1253_ch09_Frame Page 92 Saturday, October 26, 2002 4:27 PM
TECHNOLOGY from one side of the VPN to the other to simulate a compromise. Do not exempt anyone from other security measures, such as authenticating on a particular machine with passwords or one-time passwords. With client-toserver VPNs, this is usually less of a concern. Client software usually requires authentication to open the tunnel; but taking into account that a large portion of network violations are reported to occur by insiders, consider physical access to workstations with VPN access when deploying. Carefully contemplate the fact that when you provide one person with full VPN access to a secured network, anyone who has physical access to that machine has access to the secured network as well. SUMMARY Virtual private networking is an avenue to both savings and security. It allows a lower cost access for remote access and connection of remote sites. It provides a new level of data security by preventing monitoring by third parties, thus prohibiting loss of valuable data. In the future, as the security market continues to consolidate, expect more VPN capabilities to be integrated into all types of products. Savings and opportunities are available now, though, with VPN deployment through the use of VPN-capable firewalls or independent software and hardware solutions. Consideration for VPN Implementation The benefits of VPN technology can be realized in varying degrees depending on the application and the requirements to which it has been applied. Considering the incredible growth in technology, the advantages will only increase. Nevertheless, the understandable concerns with performance, reliability, scalability, and implementation issues must be investigated. System Requirements The first step is determining the foreseeable amount of traffic and its patterns to ascertain the adjacent system requirements or augmentations. If existing equipment is providing all or a portion of the service the VPN is replacing, the costs can be compared to discover initial savings in the framework of money, performance, or functionality. Security Policy It will be necessary to determine if the VPN technology and its planned implementation meet the current security policy. In case the security policy does not address the area of remote access, or in the event a policy or remote access does not exist, a policy must address the security requirements of the organization and its relationship with the service provided by VPN technology. 92
AU1253_ch09_Frame Page 93 Saturday, October 26, 2002 4:27 PM
Virtual Private Networking Application Performance As previously discussed, performance is the primary reason VPN technology is not the solution for many organizations. It will be necessary to determine the speed at which an application can execute the essential processes. This is related to the type of data within the VPN. Live traffic or user sessions are incredibly sensitive to any latency in the communication. Pilot tests and load simulation should be considered strongly prior to largescale VPN deployment or replacement of existing services and equipment. Data replication or transient activity that is not associated with human or application time sensitivity is a candidate for VPN connectivity. The application’s resistance to latency must be measured to determine the minimum requirements for the VPN. This is not to convey that VPNs are only good for replication traffic and cannot support user applications. It is necessary to determine the application needs and verify the requirements to properly gauge the performance provisioning of the VPN. The performance “window” will allow the proper selection of equipment to meet the needs of the proposed solution; otherwise, the equipment and application may present poor results compared to the expected or planned results. Or, more importantly, the acquired equipment is underworked or does not scale in the direction needed for a particular organization’s growth path. Each of these results in poor investment realization and makes it much more difficult to persuade management to use VPN again. Training User and administrator training are important parts of the implementation process. It is necessary to evaluate a vendor’s product from the standpoint of the users, as well as evaluating the other attributes of the product. In the event the user experience is poor, it will reach management and ultimately weigh heavily on the administrators and security practitioners. It is necessary to understand the user intervention that is required in the everyday process of application use. Comprehending the user knowledge requirements will allow for the creation of a training curriculum that best represents what the users are required to accomplish to operate the VPN per the security policy.
93
AU1253_ch09_Frame Page 94 Saturday, October 26, 2002 4:27 PM
AU1253_ch10_Frame Page 95 Saturday, October 26, 2002 4:28 PM
Chapter 10
Overview of Traditional Carrier Virtual Private Networks Nathan J. Muller James S. Tiller
Carrier-provided networks that function like private networks are referred to as virtual private networks (VPNs). By relying more on VPNs, corporations minimize the operating costs and staffing requirements associated with private networks. In addition, they gain the advantages of dealing with a single carrier instead of with the multiple carriers and vendors required for a typical private network. This relieves organizations of the costs associated with staffing, maintenance, and inventory without sacrificing control, service quality, and configuration flexibility. AT&T introduced the first VPN service in 1985. Its Software Defined Network (SDN) was offered as an inexpensive alternative to private lines. Since then, VPNs have added more functionality and expanded globally. Today, the Big Three carriers — AT&T (SDN), MCI (Vnet), and Sprint (VPN Service) — each offer VPNs. In the case of AT&T, various services including high-speed data and cellular calls may be combined under one service umbrella, expanding opportunities for cost savings within a single discount plan. THE CARRIER-BASED VPN CONCEPT VPNs let users create their own private networks by drawing on the intelligence embedded in the carrier’s network. This intelligence is actually derived from software programs residing in various switch points throughout the network. Services and features are defined in software, giving users greater flexibility in configuring their networks than is possible with hardware-based services. In fact, an entire network can be reconfigured by changing a few parameters in a network database. 0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
95
AU1253_ch10_Frame Page 96 Saturday, October 26, 2002 4:28 PM
TECHNOLOGY The intelligence inherent in VPNs lets network managers control many operating parameters and features within their communications environments. For example, the flexible-routing feature allows the network manager to reroute calls to alternate locations when a node experiences an outage or during peak-hour traffic congestion. This feature is also used to extend customer service business hours across multiple time zones. The location-screening feature lets network managers define a list of numbers that cannot be called from a given VPN location. This helps contain call costs by disallowing certain types of outbound calls. Originating call screening is a feature that gives network managers the means to create caller groups and screening groups. Caller groups identify individual users who have similar call restrictions, and screening groups identify particular telephone numbers that are allowed or blocked for each caller. Time intervals are also used as a call-screening mechanism, allowing or blocking calls according to time-of-day and day-of-week parameters. With a feature called NNX sharing, VPN customers reuse NNXs (i.e., exchange numbers) at different network locations to set up their sevendigit on-net numbering plans. This provides dialing consistency across multiple corporate locations. Another feature, partitioned database management, lets corporations add subsidiaries to the VPN network while providing for flexible, autonomous management when required by the subsidiaries to address local needs. The VPN can even transparently interface with the company’s private network or with the private network of a strategic partner. In this case, the VPN caller is not aware that the dialed number is a VPN or private network location, because the numbering plan is uniform across both networks. VPNs provide several other useful features, including automatic number identification (ANI) data, which is matched to information in a database containing the computer and telecommunications assets assigned to each employee, for example. When a call comes through to the corporate help desk, the ANI data is sent to a host, where it is matched with the employee’s file. The help desk operator then has all relevant data available immediately to assist the caller in resolving the problem. MAKING THE BUSINESS CASE FOR VPNS An increasing number of companies are finding VPNs to be a practical alternative method for obtaining private network functionality without the overhead associated with acquiring and managing dedicated private lines. There are several other advantages to opting for a VPN, including:
96
AU1253_ch10_Frame Page 97 Saturday, October 26, 2002 4:28 PM
Overview of Traditional Carrier Virtual Private Networks • The ability to assign access codes and corresponding class-of-service restrictions to users; these codes are used for internal billing, to limit the potential for misuse of the telecommunications system, and to facilitate overall communications management. • The ability to consolidate billing, resulting in only one bill for the entire network. • The ability to tie small remote locations to the corporate network economically, instead of using expensive dial-up facilities. • The ability to meet a variety of needs (e.g., switched voice and data, travel cards, toll-free service, and international and cellular calls) using a single carrier. • The availability of a variety of access methods, including switched and dedicated access, 700 and 800 dial access, and remote calling card access. • The availability of digit translation capabilities that permit corporations to build global networks using a single carrier. Digit translation services perform seven-to-ten-digit, ten-to-seven-digit, and seven-to-seven-digit translations and convert domestic telephone numbers to international direct distance dialed (IDDD) numbers through ten-to-IDDD and sevento-IDDD translation. • The ability to have the carrier monitor network performance and reroute around failures and points of congestion. • The ability to have the carrier control network maintenance and management, reducing the need for high-priced in-house technical personnel, diagnostic tools, and spares inventory. • The ability to configure the network flexibly, through on-site management terminals that enable users to meet bandwidth application needs and control costs. • The ability to access enhanced transmission facilities, with speeds ranging from 56 kbps to 384 kbps and 1.536 Mbps, and plan for emerging broadband services. • The ability to combine network-services pricing typically based on distance and usage with pricing for other services to qualify for further volume discounts. • The ability to customize dialing plans to streamline corporate operations. A dealership network, for example, assigns a unique four-digit code for the parts department. Then, to call any dealership across the country to find a part, a user simply dials the telephone number prefix of that location. The intelligence embedded in the virtual network at the carriers’ serving offices also gives users more flexibility in selecting equipment. Private branch exchanges (PBXs) from various vendors connect to a VPN service provider’s point of presence (POP) through various local access
97
AU1253_ch10_Frame Page 98 Saturday, October 26, 2002 4:28 PM
TECHNOLOGY arrangements. The private network exists as a separate entity on the VPN service provider’s backbone network, with the service provider assuming responsibility for translating digits from a customer-specific numbering plan to the service provider’s own numbering plan, and vice versa. All routing and any failures are transparent to the customer and, consequently, to each individual user on the network. BILLING OPTIONS One of the most attractive aspects of VPN services is customized billing. Typically, users select from among the following billing options: • The main account accrues all discounts under the program. In some cases, even the use of wireless voice and data messaging services qualifies for the volume discount. • Discounts are assigned to each location according to its prorated share of traffic. • A portion of the discounts is assigned to each location based on its prorated share of traffic, with a specified percentage assigned to the headquarters location. • Usage and access rates are billed to each location, or subsidiaries are billed separately from main accounts. Billing information and customized reports are accessed at customer premises terminals or provided by the carrier on diskette, microfiche, magnetic tape, tape cassette, or CD-ROM as well as in paper form. A name substitution feature allows authorization codes, billing groups, telephone numbers, master account numbers, dialed numbers, originating numbers, and credit card numbers to be substituted with the names of individuals, resulting in a virtually numberless bill for internal distribution. This prevents sensitive information from falling into inappropriate hands. AT&T, MCI, and Sprint all offer rebilling capabilities that use a percentage or flat-rate formula to mark up or discount internal telephone bills. Billing information is even summarized in graphical reports, such as bar and pie charts. Carrier-provided software is available that allows users to work with call detail and billing information to generate reports in a variety of formats. Some software even illustrates calling patterns with maps. Electronic invoicing also is available. AT&T, for example, provides this capability by linking its SDN Billing Advantage with EDIView, its EDI offering. NETWORK MANAGEMENT Each of the major VPN service providers offers various management and reporting capabilities through a network management database that enables users to perform numerous tasks without carrier involvement. 98
AU1253_ch10_Frame Page 99 Saturday, October 26, 2002 4:28 PM
Overview of Traditional Carrier Virtual Private Networks The network management database contains information about the network configuration, usage, equipment inventory, and call restrictions. On gaining access to the database, the telecommunications manager sets up, changes, and deletes authorization codes and approves the use of capabilities such as international dialing by caller, workgroup, or department. The manager also redirects calls from one VPN site to another to allow, for example, calls to an East Coast sales office to be answered by the West Coast sales office after the East Coast office closes for the day. Once the manager is satisfied with the changes, they are uploaded to the carrier’s network database and take effect within minutes. Telecommunications managers access call detail and network usage summaries, which are used to identify network traffic trends and assess network performance. In addition to being able to download traffic statistics about dedicated VPN trunk groups, users receive five-, ten-, and fifteen-minute trunk group usage statistics an hour after they occur; these statistics are then used to monitor network performance and carry out traffic engineering tasks. Usage is broken down and summarized in a variety of ways, such as by location, type of service, and time of day. This information is used to spot exceptional traffic patterns that may indicate either abuse or the need for service reconfiguration. Through a network management station, the carrier provides network alarms and traffic status alerts for VPN locations using dedicated access facilities. These alarms indicate potential service outages (e.g., conditions that impair traffic and could lead to service disruption). Alert messages are routed to customers in accordance with preprogrammed priority levels, ensuring that critical faults are reviewed first. The system furnishes the customer with data on the specific type of alarm, direction, location, and priority level, along with details about the cause of the alarm (e.g., signal loss, upstream failed signal, or frame slippage). The availability of such detail permits customers to isolate faults immediately. In addition, telecommunications managers can request access-line status information and schedule transmission tests with the carrier. The network management database describes common network problems in detail and offers specific advice on how to resolve them. The manager submits service orders and trouble reports to the carrier electronically through the management station. Telecommunications managers can also test network designs and add new corporate locations to the VPN. ACCESS ARRANGEMENTS A variety of access arrangements available from the VPN service providers is targeted for specific levels of traffic, including a single-voice frequency channel, 24-voice channels through a DS1 link, and 44-voice channels through a T1 link equipped with bit-compression multiplexers, in addition 99
AU1253_ch10_Frame Page 100 Saturday, October 26, 2002 4:28 PM
TECHNOLOGY to a capability that splits a DS1 link into its component DS0s at the VPN serving office for connection to off-net services. The same DS1 link is used for a variety of applications, from 800 service to videoconferencing, thereby reducing access costs. Depending on the carrier, there may be optional cellular and messaging links to the VPN as well. Even phone card users can dial into the VPN, with specific calling privileges defined for each card. All of a company’s usage can be tied into a single invoicing structure, regardless of access method. The architecture of the VPN makes use of software-defined intelligence residing in strategic points of the network. AT&T’s SDN, for example, consists of a network action point (ACP) connected to the PBX through dedicated or switched lines. The ACPs connect with the carrier’s network control point (NCP), where the customer’s seven-digit on-net number is converted to the appropriate code for routing through the virtual network. Instead of charging for multiple local access lines to support different usage-based services, the carriers allow users to consolidate multiple services over a single T1 access line. A user who needs only 384 kbps for a data application, for example, fills the unused portion of the access pipe with 18 channels of voice traffic to justify the cost of the access line. At the carrier’s cross-connect system, the dedicated 384-kbps channel and 18 switched channels are split out from the incoming DS1 signal. The 384-kbps DS0 bundle is then routed to its destination, whereas the voice channels are handed off to the carrier’s Class 4 switch, which distributes the voice channels to the appropriate service. DATA NETWORKING OVER THE VPN Although obtaining economical voice traffic has traditionally been the primary motivation behind the move to VPN service, a variety of low-speed and high-speed VPN data services are available as well. Low-Speed Data Services AT&T has been especially aggressive in offering its SDN customers the means to access a wide array of AT&T EasyLink messaging services. The offering, AT&T SDN EasyLink Solutions, enables customers to use their SDN networks to connect directly to electronic messaging features from AT&T EasyLink Services, including electronic mail, shared folders, text-to-fax (MailFAX), electronic data interchange, Telex, and a variety of information services. High-Speed Data Services VPNs also are capable of supporting such bandwidth-intensive applications as LAN interconnection, image transfers, and videoconferencing. These services are offered under AT&T’s SDDN, MCI’s Virtual Private Data Service (VPDS), and Sprint’s VPN Premiere. AT&T’s SDDN, for example, 100
AU1253_ch10_Frame Page 101 Saturday, October 26, 2002 4:28 PM
Overview of Traditional Carrier Virtual Private Networks offers high-speed data networking in conjunction with SDN’s advanced callhandling capabilities. SDDN shares the network capabilities of ACCUNET switched digital services (SDS) for reliable transport of data at rates of 56 kbps and higher. (Low-speed data is transported over SDN using dial-up modems or PBX data connections.) SDN supports low-speed dial-up modem connections and higher-speed connections through a PBX, T1 multiplexer, or D4 channel bank. AT&T’s SDDN offering supports 56- and 64-kbps service, 64-kbps clear channel, and 384-kbps and 1.536 Mbps connections utilizing the ISDN PRI. These high transmission speeds are achieved by stacking contiguous 64K-bps clear channels. Users take full advantage of virtual networking by combining and routing their voice and data traffic in a single T1 access line to the SDN/SDDN network. Users access SDDN with dataphone digital service (DDS) lines for data transmission at rates of up to 56 kbps using dial-up modems or digital service units (DSUs) with an optional auto-dial or redial capability; alternatively, access is obtained through AT&T ACCUNET T1.5 lines. Customer premises equipment (CPE) (e.g., intelligent multiplexers and PBXs) interprets ISDN PRI messages for call setup, detection of facility failures, and reinitiation of call setup in response to abnormal call disconnects. Real-time restoration is achieved within seconds of a service disruption so that critical data applications remain operational; SDDN also supports SDN network management capabilities such as call screening, flexible routing, periodic traffic reports, and customer-initiated testing. SDDN is well suited for applications that: • Have high-speed or high-volume data transmission requirements. • Have a time window for completion (e.g., applications performed during the night, morning, or other specified time periods). • Benefit from bandwidth-on-demand and usage-based pricing (e.g., applications active for a limited duration, used infrequently, or required for unscheduled events). • Have restoration requirements (e.g., critical applications that must remain operational in the event of a network failure). Such applications are currently protected through a dial backup capability or spare bandwidth and alternate routing in a T1 multiplexer network. • Have multiple endpoint destinations (e.g., applications requiring serial or nonsimultaneous communications between an originating point and several endpoints). • Benefit from networking flexibility (e.g., applications with traffic patterns that demonstrate daily or seasonal variations or that change drastically as the network grows). SDDN eliminates the time and expense required to install additional private lines. Specific applications that benefit from SDDN include remote job entry (RJE) and network job entry (NJE), computer-aided design/computeraided engineering (CAD/CAE) and medical imaging, distributed and shared 101
AU1253_ch10_Frame Page 102 Saturday, October 26, 2002 4:28 PM
TECHNOLOGY computing, LAN interconnection, high-speed mainframe communications, PC-to-host and PC-to-PC transfer, peak traffic overflow and private line backup, videoconferencing, and Group IV facsimile. Performance Objectives VPN performance standards for data are comparable to private line services through the use of high-quality digital transport and an automatic restoration capability. With AT&T’s SDDN, for example, performance is measured in terms of network interface availability, network reliability, post dialing delay, call blocking, restoration, and service availability. Network Interface Availability. For SDDN connections, an availability number indicates the percentage of time that all SDDN components are usable for customer applications. The target SDDN network interface-to-network interface (NI-to-NI) availability is 99.9 percent and includes ACCUNET T1.5 or DDS access links. Without the service restoration feature, the availability figure drops to 99.75 percent. Network Reliability. Network reliability for SDDN is a measure of line transmission performance given in terms of error-free seconds (EFS) and severe errored seconds (SES). An EFS is a second with no bit errors, and an SES is a second with more than one error per 1000 b.
Reliability objectives for EFS and SES are, respectively, 99.9 percent and 30 SES per day between AT&T serving offices (SO-to-SO), and 99.75 percent and 38 SES per day between network interfaces (NI-to-NI). Post Dialing Delay (PDD). Post dialing delay refers to the amount of time from call initiation to call setup and is measured at the originating network interface. The SDDN objective is a four-second average post dialing delay, with 95 percent of all calls receiving network response within six seconds. Call Blocking. Call blocking is the probability that an unsuccessful call
attempt is due to network congestion. The target blocking is 1 percent during peak busy hours and 0.5 percent with planned improvements, with less than one call per 200 attempts blocked during peak traffic hours. Restoration. The SDDN restoration objective for an NI-to-NI connection is less than 20 seconds for an estimated 99 percent of all restoration attempts. The stated restoration performance may not be guaranteed, however, in the event of a catastrophic or widespread network failure. The stated objective includes time spent in detection, redialing, and call setup stages in the SDDN network and CPE. A maximum of six seconds is allocated to CPE for failure detection and redialing an SDDN connection in response to a disconnect message.
102
AU1253_ch10_Frame Page 103 Saturday, October 26, 2002 4:28 PM
Overview of Traditional Carrier Virtual Private Networks Service Availability. Service availability objectives are improved with the use of diverse access arrangements. The Split Access Flexible Egress Routing (SAFER) capability, available with AT&T 4ESS software, allows origination and distribution of calls between two toll switches, which minimizes the vulnerability to access link and nodal failures.
Local VPN Service A new development in the VPN market is the emergence of local services. Verizon, for example, is offering a local VPN service in the mid-Atlantic region under the name of Verizon All@once Virtual Private Network Solutions (VPNS). VPNS service allows companies to manage their local and intraLATA calls and save money on interLATA calls using Verizon’s public network as if it were their own private network. With VPNS, customers can do such things as access their voice network remotely, make business calls from the road or home at business rates, originate calls from remote locations and bill them to the office, and block calls to certain telephone numbers or regions. Uniform pricing and billing plans are also arranged for all of the customer’s locations to reduce the administrative costs involved with reviewing billing statements, even if each location uses a different carrier. Verizon’s service lets large business customers configure components of the public network like a customized private network without the expense of dedicated lines or equipment. Until now, services of this kind could not be used for local calls because they were offered through long-distance companies. Verizon’s service, however, is used for local calls and also works with the customer’s existing long distance services. The VPNS service also is compatible with Centrex services, PBX systems, or other CPE. Once Verizon has achieved regulatory approval to deliver interLATA long-distance services, the company plans to expand the VPNS service to include in-region and out-of-region long-distance service. As an integral part of its All@once approach for large businesses, Verizon consults with companies to assess their communications needs and analyze their local calling patterns to design a solution that optimizes use of the public network. Verizon estimates that 25 to 75 percent of local phone traffic could be on a local VPN, where it could be subject to the lower rates that make VPNs attractive to users. IPSec VPNS VPNs are making a huge impact on the way communications are viewed. They are also providing ample fodder for administrators and managers to have seemingly endless discussions about various applications. On one
103
AU1253_ch10_Frame Page 104 Saturday, October 26, 2002 4:28 PM
TECHNOLOGY side are the possible money savings, and the other are implementation issues. There are several areas of serious concern: • • • •
Performance Interoperability Scalability Flexibility
Performance. Performance of data flow is typically the most common concern, and IPSec is very processor intensive. The performance costs of IPSec are the encryption being performed, integrity checking, packet handling based on policies, and forwarding, all of which become apparent in the form of latency and reduced throughput. IPSec VPNs over the Internet increase the latency in the communication that conspires with the processing costs to discourage VPN as a solution for transport-sensitive applications. Process time for authentication, key management, and integrity verification will produce delay issues with SA establishment, authentication, and IPSec SA maintenance. Each of these results in poor initialization response and, ultimately, disgruntled users.
The application of existing hardware encryption technology to IPSec vendor products has allowed these solutions to be considered more closely by prospective clients wishing to seize the monetary savings associated with the technology. The creation of a key and its subsequent use in the encryption process can be offloaded onto a dedicated processor that is designed specifically for these operations. Until the application of hardware encryption for IPSec, all data was managed through software computation that was also responsible for many other operations that may have been running on the gateway. Hardware encryption has released IPSec VPN technology into the realm of viable communication solutions. Unfortunately, the client operating system participating in a VPN is still responsible for the IPSec process. Publicly available mobile systems that provide hardware-based encryption for IPSec communications are becoming available but are some time away from being standard issue for remote users. Interoperability. Interoperability is a current issue that will soon become antiquated as vendors recognize the need to become fully IPSec compliant — or consumers will not implement their product based simply on its incompatibility. Shared secret and ISAKMP key management protocols are typically allowing multi-vendor interoperability. As Certificate Authorities and the technology that supports them become fully adopted technology, they will only add to the cross-platform integration. However, complex and large VPNs will not be manageable using different vendor products in the near future. Given the complexity, recent introduction of the IPSec standard, 104
AU1253_ch10_Frame Page 105 Saturday, October 26, 2002 4:28 PM
Overview of Traditional Carrier Virtual Private Networks and various interpretations of that standard, time to complete interoperability seems great. Scalability. Scalability is obtained by the addition of equipment and bandwidth. Some vendors have created products focused on remote access for roaming users, while others have concentrated on network-tonetwork connectivity without much attention to remote users. The current ability to scale the solution will be directly related to the service required. The standard supporting the technology allows for great flexibility in the addition of services. It will be more common to find limitations in equipment configurations than in the standard as it pertains to growth capabilities. Scalability ushers in a wave of varying issues, including:
• Authentication • Management • Performance Authentication can be provided by a number of processes, although the primary focus has been on Remote Access Dial-In User Security (RADIUS), Certificates, and forms of two-factor authentication. Each of these can be applied to several supporting databases. RADIUS is supported by nearly every common authenticating system from Microsoft Windows NT to NetWare’s NDS. Authentication, when implemented properly, should not become a scalability issue for many implementations, because the goal is to integrate the process with existing or planned enterprise authenticating services. A more interesting aspect of IPSec vendor implementations and the scalability issues that might arise is management. As detailed earlier, certain implementations do not scale, due to the shear physics of shared secrets and manual key management. In the event of the addition of equipment or increased bandwidth to support remote applications, the management will need to take multiplicity into consideration. Currently, VPN management of remote users and networks leaves a great deal to be desired. As vendors and organizations become more acquainted with what can be accomplished, sophisticated management capabilities will become increasingly available. Performance is an obvious issue when considering the increase of an implementation. Typically, performance is the driving reason, followed by support for increased numbers. Both of these issues are volatile and interrelated with the hardware technology driving the implementation. Performance capabilities can be controlled by the limitation of supported SAs on a particular system — a direct limitation in scalability. A type of requested encryption might not be available on the encryption processor currently available. Forcing the calculation of encryption onto the operating system ultimately limits the performance. A limitation may resonate in the form of 105
AU1253_ch10_Frame Page 106 Saturday, October 26, 2002 4:28 PM
TECHNOLOGY added equipment to accomplish the link between the IPSec equipment and the authenticating database. When users authenticate, the granularity of control over the capabilities of that user may be directly related to the form of authentication. The desired form of authentication may have limitations in various environments due to restrictions in various types of authenticating databases. Upgrade issues, service pack variations, user limitations, and protocol requirements also combine to limit growth of the solution. CONCLUSION VPNs permit the creation of networks that combine the advantages of both private facilities and public services, drawing on the intelligence embedded in the carrier’s network. With services and features defined in software and implemented through out-of-band signaling methods, users have greater flexibility in configuring their networks from on-premises terminals and management systems than is possible with services implemented with manual patch panels and hardwired equipment. These capabilities make VPNs attractive for data as well as for voice — for regional, national, and international corporate locations — and portend success for VPNs long into the future.
106
AU1253_ch11_Frame Page 107 Saturday, October 26, 2002 4:29 PM
Chapter 11
VPN Design Approaches Gilbert Held James S. Tiller
USE OF THE INTERNET AS A VIRTUAL NETWORK The first use of the Internet as a virtual network allowed traveling personnel to access the corporate network via dialing the transmission facility of an Internet service provider (ISP). Since many ISPs now offer unlimited dial access for a flat rate of $20 per month, the use of the Internet can be economically rewarding even when compared to the low cost of long-distance service. For example, even at 10 cents per minute, an hour of access per day for a traveling corporate employee would result in a communications bill of $6 per day or $132 per month based on 22 working days in the month. Thus, a flat rate of $20 per month for unlimited Internet access could result in significant savings when the Internet is used as a transmission facility to access a corporate computer connected to that network. Although virtual networking on an individual basis can provide hundreds of dollars of savings, when used as a mechanism to replace or supplement private networks, the resulting cost savings can rapidly escalate to the point where they are truly appealing. To illustrate how the use of the Internet as a virtual network to interconnect corporate locations can result in significant economic savings, an example of the use of the Internet is given here. Exhibit 1 illustrates the use of the Internet to connect three geographically separated corporate locations. In examining Exhibit 1, note that each corporate location is shown connected to the Internet via an ISP. Most ISPs have access points in major metropolitan areas and will charge approximately $1000 per month for a T1 line connection. This type of transmission facility was originally developed to support the transmission of 24 digitized voice conversations, and it is now used with T1 multiplexers and routers to mix digitized voice and data or to simply transmit data onto the 1.544-Mbps operating rate of the circuit. In the example shown in Exhibit 1, one assumes that each corporate location 0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
107
AU1253_ch11_Frame Page 108 Saturday, October 26, 2002 4:29 PM
TECHNOLOGY
Exhibit 1.
Using the Internet to Interconnect Separate Locations
uses a T1 connection to the Internet via an ISP to interconnect their local area networks (LANs) via the Internet. From an economic perspective, one can compare the cost of using the Internet to the cost of connecting the three locations shown in Exhibit 1 via two T1 lines. In doing so, first assume that each location is 500 miles distant from the next location, resulting in 1000 T1 circuit miles being required to interconnect the three locations. Although the cost of T1 circuits can vary based on their total mileage, the use of a multiyear contract, and other factors, a monthly cost of $3 per mile provides a reasonable approximation of the cost to include local loop access fees. Thus, interconnecting the three locations shown in Exhibit 1 via a private network consisting of two leased T1 circuits would cost $3000, based on a distance of 500 miles between locations. Note that this cost equals the cost associated with connecting three locations via T1 lines to the Internet, based on the reasonable assumption that each location is in a major metropolitan area. Now assume that the locations shown in Exhibit 1 represent Seattle, New York City, and Miami. In this example, the circuit mileage would increase to approximately 3500 miles. At a monthly cost of $3 per circuit mile, the use of two T1 circuits to interconnect the three locations via a private network would increase to 3500 * 3, or $10,500. Now assume that 108
AU1253_ch11_Frame Page 109 Saturday, October 26, 2002 4:29 PM
VPN Design Approaches
Exhibit 2. Comparing Private Network Router Port Requirements and Reliability
each location is interconnected to the others via the Internet. The cost to connect each location would still be $1000 per month since each location represents a major metropolitan area. Thus, the cost associated with using the Internet would remain fixed at $3000 per month, but the potential monthly savings would now become $7500. The preceding example illustrates a key concept associated with the use of the Internet as a virtual network for interconnecting geographically separated corporate locations. As the distance between locations increases, the potential savings increases. Equipment Cost Another savings that can be considered when the Internet is used to connect corporate locations concerns the use of router ports. In Exhibit 1, only three serial router ports are required to provide three locations with the ability to communicate with each other. Now assume the number of corporate locations increased to four. Then, four routers with one serial port per router would be required to enable communications between any location via the Internet. In comparison, one could connect four locations on a private network with four leased lines, as shown in the left portion of Exhibit 2. In doing so, each router would require two serial ports. Since router ports can easily cost $1000 or more, the use of a private routerbased network to interconnect a large number of geographically separated organizational locations can result in a router cost considerably exceeding that used to provide a similar networking capability via the Internet. Reliability Issues Another benefit that can be obtained from the use of the Internet is reliability. Once data reaches an ISP, it is transferred onto a mesh structured backbone that contains redundant circuits that provide alternate paths between 109
AU1253_ch11_Frame Page 110 Saturday, October 26, 2002 4:29 PM
TECHNOLOGY ISPs. Thus, the failure of a circuit on the Internet backbone is normally transparent to user operations as routers used by ISPs have the ability to select alternate routers. In comparison, additional circuits and router ports would be required to provide a mesh structured private network facility. The right portion of Exhibit 2 illustrates how four routers each would require three serial ports to support a mesh structure topology that could be used to easily route data around circuit failures. However, this level of reliability would be extremely costly as it would require the installation of additional circuits and router ports for each router in the network. Having an appreciation for the advantages associated with the use of the Internet as a virtual network to interconnect geographically separated organizational locations, one can focus on two key issues that may restrict the ability of an organization to use this method of virtual networking — network predictability and security. Network Predictability Currently, the Internet can be classified as an unpredictable network. That is, there is currently no assurance that data transmitted from one location will not be adversely affected by network traffic in such a manner that packets are received at the destination with variable time delays between packets. This means that the Internet is better suited for transporting certain types of data streams than other types of data streams. For example, time-dependent applications such as SNA logical link control (LLC) type 2 data could be adversely affected by variable time delays, possibly resulting in session timeouts occurring even though a workstation on one local area network (LAN) accessing a mainframe connected to a distant LAN responded in a timely manner to a mainframe query. Similarly, an attempt to route digitized voice via the use of a specialized gateway that converts voice into a sequence of IP packets would be more suitable for use on an internal private network than for transmission over the Internet. In this example, an organization could install ReSerVation Protocol (RSVP)compatible equipment to allocate portions of bandwidth through their internal network for time delay-sensitive applications, such as the transport of digitized voice. In comparison, the deployment of RSVP-compatible equipment by ISPs is probably several years away, because several key issues remain to be resolved, including how to bill subscribers for reserved bandwidth established between several ISPs. When considering network predictability as an issue, there are several applications that are very suitable for transport via the Internet. Those applications include electronic mail, file transfer, and Web browsing into a corporate database. Thus, if an organization is considering the use of the Internet as a mechanism to replace a costly leased line-based private network, and its applications fall into the previously mentioned types of time-dependent data transfers that are not adversely affected by the 110
AU1253_ch11_Frame Page 111 Saturday, October 26, 2002 4:29 PM
VPN Design Approaches unpredictable nature of Internet transmission, an economic comparison becomes warranted. However, if the organization currently uses a private network for transporting digitized voice conversations or for accessing one or more mainframes using a time-dependent protocol such as LLC2, one should probably defer a decision on the use of the Internet as a virtual network until RSVP becomes available and is priced. At that time, one would then perform an economic analysis to determine if the potential savings afforded from replacing a private line-based network by the use of the Internet is worth the effort. Concerning that effort, another issue that requires careful attention when moving from a private leased line-based network to the use of the Internet is security. Security Considerations When using a private leased line-based network, most security issues concern the distribution of userIDs and passwords if required for employees to gain access to different computers connected to the network. In such situations, the ability of a hacker from outside the organization to adversely affect security is nonexistent because there is no connection between a public network and the organization’s private network. However, once an organization decides to use the Internet as a virtual network to interconnect geographically separated locations, security becomes a key issue as the organization is now exposed to the efforts of millions of persons that could attempt to access that organization’s computational facilities. Thus, a mechanism to bar intruders and allow authorized users from one location to access another location becomes necessary. This mechanism can be obtained either through the packet filtering capability of a router or through the use of a firewall. The establishment of a virtual private network (VPN) via a public network provides the potential for every person connected to that network to access the computational facilities of the organization. Thus, the establishment of a VPN must include careful consideration of different security measures to protect the organization’s network resources. To illustrate how one can integrate a VPN capability with an existing Internet architecture, first look at the manner by which most organizations connect their internal network infrastructures to the Internet. Exhibit 3 illustrates a typical connection to the Internet. In this example, it is assumed that the router’s access list capability provides network security. Depending on the type of router used and its level of software, the router may be capable of supporting a relatively new innovation in access lists, referred to as reflective access lists. Thus, a firewall is not shown in Exhibit 3. To understand the manner by which reflective access lists operate, first review the operation of a basic generic access list. An access list contains a permit or deny statement, followed by source and destination addresses 111
AU1253_ch11_Frame Page 112 Saturday, October 26, 2002 4:29 PM
TECHNOLOGY
Exhibit 3. A Common Networking Configuration Used to Provide Organizational Access to the Internet
and the TCP or UDP port number. Thus, the format of a generic access list would be as follows: [Permit/Deny] Source Destination Port
Most router access lists support the use of wildcard characters. For example, assume the network has the IP address of 198.78.46.0 and one wants to allow computers on that network to originate and receive telnet communications. Because telnet occurs on port 23, one would code the router with the following statements: Permit 198.78.46.*..*.* 23 Permit..*.* 198.78.46.* 23 The first Permit statement allows packets from any computer on the internal network whose IP address is 198.78.46.* (where the asterisk denotes a station address between 1 and 254) to flow to any destination if it is transporting telnet (port 23) data. The second Permit statement allows any packet transporting telnet to reach any computer on the 198.78.46.0 network, regardless of its origination. Note that, normally, access list entries are symmetrical to allow sessions established in one direction to flow back in the opposite direction. 112
AU1253_ch11_Frame Page 113 Saturday, October 26, 2002 4:29 PM
VPN Design Approaches One of the problems associated with the use of conventional router access lists is the fact that they must be explicitly programmed to enable the flow of data from one router interface to another. Thus, if the organization initially needs to support telnet and other users later request access to ftp, Web servers, e-mail, and other applications, the programming and reprogramming of router access lists can represent a time-consuming process. This is where reflective access lists can help. A reflective access list is programmed or coded to allow data to leave the “trusted” side of a network, such as an internal network. The router uses the reflective access list and activity that occurs on the trusted network to temporarily create new permit statements that allow inbound traffic that corresponds to the reverse or reflex of the outbound traffic. This means one could establish a series of permit statements to support a group of outbound applications and the router would automatically create the appropriate inbound access control list entries as needed. In addition to minimizing the necessity to periodically create and revise router access control lists, the use of reflective access lists minimizes the potential for security problems due to improperly coded access lists. This is because all inbound traffic is barred until a user on the trusted side of the network attempts to access a location on the other side of the router. Although reflective access control lists can represent a considerable enhancement to the security of a network, they have a key weakness that is similar to conventional access control lists. That weakness is in two key areas. First, a router simply examines source and destination addresses and port numbers to permit or deny the flow of a packet. This means the router does not verify the originator of the packet (authentication) nor alter the data field entries of the packet so that they become unintelligible (encryption) to any person on the public network who attempts to read the contents of the packet. A second limitation associated with the use of router access lists is the fact that they do not examine the activity performed by a packet. Thus, their operation can be considered as stateless, in comparison to a firewall with a stateful inspection capability in which the relationship of the contents of packets is examined for potential security violations. Stateful inspection can identify repeated log-on attempts in which a hacker uses an electronic dictionary to attempt to discover the password associated with one or more computer accounts. Because most firewalls have a stateful inspection capability, they are commonly used to provide an additional level of protection to private networks connected to the Internet. Exhibit 4 illustrates the use of a firewall to add protection to a private network connected to the Internet. Note that a demilitarized LAN (DMZ LAN) represents a LAN without any connections other than the router and firewall connections. This design forces all packets flowing between the 113
AU1253_ch11_Frame Page 114 Saturday, October 26, 2002 4:29 PM
TECHNOLOGY
Exhibit 4. Adding Protection to a Private Network Through the Use of a Firewall
public and private networks to flow through the firewall. In addition, this design technique precludes the possibility of users from the public network being able to hack into a computer on the private network without having their packets flow through the firewall, where stateful inspection might discover the security violation and terminate the attempt prior to it becoming successful. Packet Filtering Router A packet filtering router can be used to restrict access based on the source address, destination address, and TCP port number contained in a datagram. Here, the TCP port number is a numeric value between 0 and 1023 that defines the type of data being transported. For example, HyperText Transport Protocol (HTTP), which conveys Web browser pages, uses port 80. Thus, an example of a filter that would bar all traffic other than Web server traffic through a router from users on the IP network whose address is 192.47.27.0 to the network address 203.171.141.25 would be entered as follows: Permit TCP 80 192.47.27.0 203.171.141.25 114
AU1253_ch11_Frame Page 115 Saturday, October 26, 2002 4:29 PM
VPN Design Approaches
Exhibit 5.
Using a Firewall
Although packet filtering represents a useful mechanism for barring unauthorized access, it has a specific weakness in the fact that IP addresses can be spoofed. In addition, by itself, packet filtering does not verify the originator of data; nor does it prevent a user that gains access to a network behind the router from using an electronic dictionary in an attempt to gain illegal access to organizational computational facilities. To obtain an enhanced level of security, most organizations that anticipate using the Internet as a virtual network will install a firewall at each location connected to the Internet. Using Firewalls Exhibit 5 illustrates the placement of a firewall to provide an extra level of protection between a corporate LAN and the Internet. In this example, the router is connected to a hub that has only one other connection — that of the firewall. This type of workstationless hub is commonly called a DMZ LAN, as any illegal activity passed by the router is barred by the firewall prior to the activity adversely affecting users. In addition to performing filtering in a manner similar to routers, firewalls may include a number of additional security-related functions and features. Those features can include the authentication of remote users, proxy services, and virus scanning of incoming e-mail and file transfers. Authentication is usually performed by a one-time password check, using the Bellcore S/Key system or the Security Dynamics Secure ID card. The S/Key system generates via software a one-time password that is checked by the firewall to verify the authenticity of the user requesting access. In comparison, the Security Dynamics Secure ID card is a credit card–sized device that generates a pseudo-random number every 60 seconds. A user would enter his or her PIN number and the number generated by the 115
AU1253_ch11_Frame Page 116 Saturday, October 26, 2002 4:29 PM
TECHNOLOGY Secure ID card, which is transmitted to the firewall. The firewall would use an algorithm to compute the Secure ID card number based on the provided PIN and consider the requestor to be authenticated if the number generated by the firewall matches the transmitted number. The proxy service capability of a firewall results in the firewall barring direct client/server requests. Instead, the firewall examines each request against a set of predefined rules and, if permitted, acts as an intermediate client and performs the requested server connection. Through the use of proxy services, the firewall can check for dictionary attacks, protocol spoofing, and other illegal activities, and can either terminate the attempts or alert a manager via an e-mail or page to the illegal activity being attempted. When considering the Internet as a virtual network, the cost of a firewall as an added measure of protection should be based on one’s organizational requirements. If one plans to use the Internet only to transfer e-mail, a virus checker on the mail servers may be both sufficient and considerably less costly than the use of a firewall. If the organization has several servers at each location with important content that requires a high level of protection, then the expense associated with the use of firewalls may be well justified. Thus, a careful analysis of the type of data to be transmitted via the Internet between corporate locations, as well as economics and security issues associated with the use of the Internet, become important criteria prior to determining if virtual networking is a practical solution for the replacement of a private leased line-based network. Performance Considerations Prior to designing a VPN, it is important to determine the applications that will flow over the logical path superimposed on the physical infrastructure of the public network one intends to use. The reason one should consider the type of applications that will flow over a VPN is because different applications have different latency or delay requirements. For example, the packets that transport an electronic mail message do not have to arrive at their destination within a predefined time interval from other packets for the message to be understood. In comparison, the transmission of packets carrying digitized voice must arrive at their destination with a minimum variation in delay time for speech to be reconstructed so it does not appear awkward sounding. Although equipment vendors developed jitter buffers in their voice products designed to transmit voice over IP and frame relay networks, if the overall latency is too long through the network, the use of a jitter buffer will not be able to make the resulting reconstructed speech pleasant sounding, and the application will not be suitable for a VPN. One can determine the ability of a VPN to support a particular application without having to actually implement the application. If an organization currently has two locations connected to a public network, it can use 116
AU1253_ch11_Frame Page 117 Saturday, October 26, 2002 4:29 PM
VPN Design Approaches the Ping utility program included as a TCP/IP application utility in most operating systems to determine the round-trip delay time between two computers. By dividing the round-trip delay time by two, the one-way latency through the public network can be determined. Exhibit 6 illustrates the format of the Windows NT Ping command. Note that one must use the Ping program from within the MS-DOS Command Prompt window when using Windows 95, Windows 98, or Windows NT/ Windows 2000. This is because the version of Ping supported by the different “flavors” of Windows represents a text-based application. If using a thirdparty program such as Network Associates’ WebXRay, one can use Ping as a graphic user interface (GUI) program, as many third-party network management programs and diagnostic programs include Ping as a GUI utility. As noted in Exhibit 6, one can simply enter the command Ping, followed by a destination address expressed either as an IP address formed using dotted decimal notation or as a host address. Also note that through the use of the -n option, one can set the number of echo requests the program sends to a destination. Ping operates by transmitting one or more Internet Control Message Protocol (ICMP) echo-request packets to a defined address. If the TCP/IP protocol stack is correctly operating, that address responds to each echo-request with an echo-reply message. The time between issuing the echo request and receiving the echo reply then becomes the round-trip delay time. By default, all Windows versions of Ping transmit four echorequest packets unless altered through the use of the -n option. Exhibit 7 illustrates the use of the Ping command to determine the round-trip delay time to the Web server operated by Yale University (www.yale.edu) and the Web server operated by American University (www.american.edu). If an educational institution were considering creating VPNs from its location to each university, the use of Ping would represent a good starting point to determine if VPNs could be implemented that would provide a relatively good level of performance. In the top portion of Exhibit 7, the Ping of the Yale University server returns a round-trip time between 120 and 130 ms, or a one-way delay of 60 and 65 ms. Because voice cannot tolerate more than 250 ms of delay before it becomes awkward to hear, one must consider the 65-ms delay through the Internet in addition to digitization delays, equipment delays, and packet delays from a router to determine if a VPN to Yale could support voice. Put another way 250 ms – 65 ms results in 195 ms being available for all other delays other than the data flow through the Internet for voice via a VPN to be practical. In the second example of the use of the Ping command shown in Exhibit 7, note that the round-trip delay to American University is between 20 and 117
Exhibit 6. The Format of the Ping Command under the Windows Operating System
AU1253_ch11_Frame Page 118 Saturday, October 26, 2002 4:29 PM
TECHNOLOGY
118
Exhibit 7. Pinging the Web Servers Located at Yale University and American University to Determine the Round-Trip Delay to Each Server
AU1253_ch11_Frame Page 119 Saturday, October 26, 2002 4:29 PM
VPN Design Approaches
119
AU1253_ch11_Frame Page 120 Saturday, October 26, 2002 4:29 PM
TECHNOLOGY 40 ms. This means that the one-way delay is between 10 and 20 ms, which is considerably less than the delay experienced when the previous series of echo-request packets were routed to Yale University. Thus, a VPN transporting digitized voice among other applications would have a higher probability of success if the destination were American University. If one is considering a VPN for strictly supporting data transmission such as the exchange of e-mail, file transfer, telnet, and other applications that are not critically time-dependent, then either location would be suitable. This is because the maximum one-way delay of 65 ms is not sufficient to cause session timeouts, which usually commence, depending on application, when transmission delays exceed three to five seconds. Now that one has an appreciation for the use of Ping to determine if the creation of a VPN for supporting one or more applications is practical, one can focus on the actual design of the VPN and design methods that facilitate securing transmission through a public network while barring unauthorized Internet users from accessing an organization’s private network. Other Factors in VPN Operation Although the use of a firewall can considerably enhance the security of a private network connected to the Internet, the creation of a VPN implies that traffic will flow between two or more organizational locations instead of randomly flowing to ftp, Web, and other addresses. This means one may wish to verify the identity of users located on one private network that accesses another, and vice versa. In addition, depending on the type of data transported between VPN locations, one may wish to encrypt the data field of packets flowing between VPN locations. Thus, one should consider the addition of an authentication and encryption capability that automatically provides these two features to sessions originating on one private network that are destined for another private network. To accomplish this, two basic approaches are considered. One can obtain stand-alone encryption and authentication servers, or one can consider a firewall that supports the addition of modules to provide this capability. In some instances, the first approach may represent a more practical solution, although it results in additional hardware that must be supported. In fact, several vendors are now producing so-called “tunnel” servers that combine authentication and encryption into one hardware platform that is installed on the private network behind the firewall. Packets generated by stations on the private network are directed to the tunnel server, which examines their destination. If the destination represents a location on another private network whose destination is reached via a logically created VPN, the tunnel server provides authentication and encryption services. Otherwise, the server simply forwards the packet to the router if it is destined off the network, such as to a public Web location. Because the firewall does not have to perform authentication and encryption, the possibility that it becomes a bottleneck 120
AU1253_ch11_Frame Page 121 Saturday, October 26, 2002 4:29 PM
VPN Design Approaches is reduced. Thus, if a large amount of traffic is expected to flow between private networks via a logically created VPN, it may be more practical to use separate hardware for authentication and encryption instead of adding such support to a firewall. Summary There are two key issues that must be considered when designing a VPN: performance and security. By carefully investigating the latency tolerance of proposed applications, using the Ping utility to determine delays, and considering the use of firewalls and tunnel servers as well as reflective access lists, one can design a network infrastructure to efficiently and effectively support an organization’s VPN requirements. Using the Internet as a virtual network can save costs. Before using the Internet in such a way, a data center manager should consider the following: • Distance between locations to be networked. The greater the distance between these locations, the greater potential for saving money. • The number of locations to be connected. The larger the number, the greater opportunity for savings. Also, the Internet is a reliable network. For a similarly reliable private network, an organization would have to purchase more equipment. This is another way in which using the Internet as a virtual network can save cost. • Network predictability. The Internet is not predictable. If an organization wants to use a virtual Internet network for applications other than E-mail, Web browsing, and transferring files, the Internet should not be viewed as an option. • Network security. By using the Internet as a virtual network, an organization risks exposing vital information to other users of the Internet. Firewalls do protect sites connected to the Internet, but they are still vulnerable to hackers. By weighing the pros and cons previously listed, a data center manager can decide if using the Internet as a virtual network will save money and still provide the needed security and predictability. THE MARKET FOR VPN Several distinct qualities of VPN are driving the investigation by many organizations to implement VPN as a business interchange technology. VPNs attempt to resolve a variety of current technological limitations that represent themselves as costs in equipment and support or solutions where none had existed previously. The areas that can be improved by VPNs are: • • • •
Remote user access and remote office connectivity Extranet partner connectivity Internal departmental security Remote access 121
AU1253_ch11_Frame Page 122 Saturday, October 26, 2002 4:29 PM
TECHNOLOGY Providing remote users access via a dial-up connection can become a costly service for any organization to provide. Organizations must consider costs for: • • • • •
Telephone lines Terminating equipment Long distance Calling card 800/877 number support
Telephone connections must be increased to support the number of proposed simultaneous users that will be dialing in for connectivity to the network. Another cost that is rolled up into the telephone line charge is the possible need for equipment to allow the addition of telephone lines to an existing system. Terminating equipment, such as modem pools, can become expenses that are immediate savings once VPN is utilized. Long-distance charges, calling cards that are supplied to roaming users, and toll-free lines require initial capital and continuous financial support. In reality, an organization employing conventional remote access services is nothing more than a service provider for their employees. Taking this into consideration, many organizations tend to overlook the use of the Internet connection by the remote users. As the number of simultaneous users access the network, the more bandwidth is utilized for the existing Internet service. The cost savings are realized by redirecting funds, originally to support telephone communications, in an ISP and its ability to support a greater area of access points and technology. This allows an organization to eliminate support for all direct connectivity and focus on a single connection and technology for all data exchange — ultimately saving money. With the company access point becoming a single point of entry, access controls, authenticating mechanisms, security policies, and system redundancy is focused and common among all types of access regardless of the originator’s communication technology. The advent of high-speed Internet connectivity by means of cable modems and asymmetric digital subscriber line (ADSL) is an example of how VPN becomes an enabler to facilitate the need for high-speed, individual remote access where none existed before. Existing remote access technologies are generally limited to 128-k ISDN (Integrated Services Digital Network), or more typically, 56-k modem access. Given the inherent properties of the Internet and IPSec functioning at the network layer, the communication technology utilized to access the Internet only needs to be supported at the immediate connection point to establish an IP session with the ISP. Using the Internet as a backbone for encrypted communications allows for equal IP functionality with increased performance and security over conventional remote access technology. 122
AU1253_ch11_Frame Page 123 Saturday, October 26, 2002 4:29 PM
VPN Design Approaches Currently, cable modem and ADSL services are expanding from the home-user market into the business industry for remote office support. A typical remote office will have a small frame relay connection to the home office. Any Internet traffic from the remote office is usually forwarded to the home office’s Internet connection, where access controls can be centrally managed and Internet connection costs are eliminated at the remote office. However, as the number of remote offices and the distances increase, so does the financial investment. Each frame relay connection, Permanent Virtual Circuit (PVC), has costs associated with it. Committed information rate (CIR), port speed (e.g., 128 k), and sometimes a connection fee add to the overall investment. A PVC is required for any connection; thus, as remote offices demand direct communication to their peers, a PVC will need to be added to support this decentralized communication. Currently within the United States, the cost of frame relay is very low and typically outweighs the cost of an ISP and Internet connectivity. As the distance increases and moves beyond the United States, the costs can increase exponentially and will typically call for more than one telecommunications vendor. With VPN technology, a local connection to the Internet can be established. Adding connectivity to peers is accomplished by configuration modifications; this allows the customer to control communications without the inclusion of the carrier in the transformation. The current stability of remote, tier three and lower ISPs is an unknown variable. The arguable service associated with multiple and international ISP connectivity has become the Achilles’ heel for VPN acceptance for businesscritical and time-critical services. As the reach of tier one and tier two ISPs increases, they will be able to provide contiguous connectivity over the Internet to remote locations using an arsenal of available technologies. Extranet Access The single, most advantageous characteristic of VPNs is to provide protected and controlled communication with partnering organizations. Years ago, prior to VPN becoming a catchword, corporations were beginning to feel the need for dedicated Internet access. The dedicated access is becoming utilized for business purposes, whereas before it was viewed as a service for employees and research requirements. The Internet provides the ultimate bridge between networks that was relatively nonexistent before VPN technology. Preceding VPNs, a corporation needing to access a partner’s site was typically provided a frame relay connection to a common frame relay cloud where all the partners claimed access. Other options were ISDN and dial-on-demand routing. As this requirement grows, several limitations begin to surface. Security issues, partner support, controlling access, disallowing unwanted interchange between partners, and connectivity support for partners without supported 123
AU1253_ch11_Frame Page 124 Saturday, October 26, 2002 4:29 PM
TECHNOLOGY access technologies all conspire to expose the huge advantages of VPNs over the Internet. Utilizing VPNs, an organization can maintain a high granularity of control over the connectivity per partner or per user on a partner network. Internal Protection As firewalls became more predominant as protection against the Internet, they were increasingly being utilized for internal segmentation of departmental entities. The need for protecting vital departments within an organization originally spawned this concept of using firewalls internally. As the number of departments increase, the management, complexity, and cost of the firewalls increase as well. Also, any attacker with access to the protected network can easily obtain sensitive information due to the fact that the firewall applies only to perimeter security. Virtual Local Area Networks (VLANs) with access control lists became a minimized replacement for conventional firewalls. However, the same security issue remained; the perimeter security was controlled and the internal network was left open for attack. As IPSec became accepted as a viable secure communication technology and applied in MAC environments, it also became the replacement for other protection technologies. Combined with strategically placed firewalls, VPN over internal networks allows secure connectivity between hosts. IPSec encryption, authentication, and access control provide protection for data between departments and within a department. Future of IPSec VPNs Like it or not, VPN is here to stay. IP version 6 (IPv6) has the IPSec entrenched in its very foundation; as the Internet grows, IPv6 will become more prevalent. The current technological direction of typical networks will become the next goals for IPSec, specifically, quality of service (QoS). Asynchonous transfer mode (ATM) was practically invented to accommodate the vast array of communication technologies at high speeds; but to do it efficiently, it must control who gets in and out of the network. Ethernet type of service (ToS) (802.1p) allows for 3 b of data in the frame to be used to add ToS information and then be mapped into ATM cells. IP version 4, currently applied, has support for a ToS field in the IP Header similar to Ethernet 802.1p; it provides 3 b for extended information. Currently, techniques are being applied to map QoS information from one medium to another. This is very exciting for service organizations that will be able sell end-to-end QoS. As the IPSec standard grows and current TCP/IP applications and networks begin to support the existing IP ToS field, IPSec will quickly conform to the requirements. 124
AU1253_ch11_Frame Page 125 Saturday, October 26, 2002 4:29 PM
VPN Design Approaches The IETF and other participants, in the form of RFCs, are continually addressing the issues that currently exist with IPSec. Packet sizes are typically increased due to the added header and sometimes trailer information associated with IPSec. The result is increased possibility of packet fragmentation. IPSec addresses fragmentation and packet loss; the overhead of these processes is the largest concern. IPSec can only be applied to the TCP/IP protocol. Therefore, multiprotocol networks and environments that employ IPX/SPX, NetBEUI, and others will not take direct advantage of the IPSec VPN. To allow non-TCP/IP protocols to communicate over an IPSec VPN, an IP gateway must be implemented to encapsulate the original protocol into an IP packet and then be forwarded to the IPSec gateway. IP gateways have been in use for some time and are proven technology. For several organizations that cannot eliminate non-TCP/IP protocols and wish to implement IPSec as the VPN of choice, a protocol gateway is imminent. As is obvious, performance is crucial to IPSec VPN capabilities and cost. As encryption algorithms become increasingly sophisticated and hardware support for those algorithms becomes readily available, this current limitation will be surpassed. Another perceived limitation of IPSec is the encryption export and import restrictions of encryption. There are countries upon which the United States places restrictions to hinder their ability to encrypt possibly harmful information into the United States. In 1996, the International Traffic in Arms Regulation (ITAR) governing the export of cryptography was reconditioned. Responsibility for cryptography exports was transferred to the Department of Commerce from the Department of State. However, the Department of Justice is now part of the export review process. In addition, the National Security Agency (NSA) remains the final arbiter of whether to grant export licenses to encryption products. The NSA staff is assigned to the Commerce Department and many other federal agencies that deal with encryption policy and standards. This includes the State Department, Justice Department, National Institute for Standards and Technology (NIST), and the Federal Communications Commission. As one can imagine, the laws governing the export of encryption are complicated and under constant revision. Several countries are completely denied access to encrypted communications to the United States; other countries have limitations due to government relationships and political posture. The current list (as of this writing) of embargoed countries include: • • • •
Syria Iran Iraq North Korea 125
AU1253_ch11_Frame Page 126 Saturday, October 26, 2002 4:29 PM
TECHNOLOGY • • • •
Libya Cuba Sudan Serbia
As one reads the list of countries, it is easy to determine why the United States is reluctant to allow encrypted communications with these countries. Past wars, conflict of interests, and terrorism are the primary ingredients to become exiled by the United States. Similar rosters exist for other countries that have the United States listed as “unfriendly,” due to their perception of communication with the United States. As one can certainly see, the concept of encryption export and import laws is vague, complex, and constantly in litigation. In the event a VPN is required for international communication, it will be necessary to obtain the latest information available to properly implement the communication as per the current laws. Summary VPN technology, based on IPSec, will become more prevalent in our everyday existence. The technology is in its infancy; the standards and support are growing every day. Security engineers will see an interesting change in how security is implemented and maintained on a daily basis. It will generate new types of policies and firewall solutions — router support for VPN will skyrocket. This technology will finally confront encryption export and import laws, forcing the hand of many countries. Currently, there are several issues with export and import restrictions that affect how organizations deploy VPN technology. As VPNs become more prevalent in international communications, governments will be forced to expedite the process. With organizations sharing information, services, and product, the global economy will force computer security to become the primary focus for many companies. For VPNs, latency is the center for concern, and once hardware solutions and algorithms collaborate to enhance overall system performance, the technology will become truly accepted. Once this point is reached, every packet on every network will be encrypted. Browsers, e-mail clients, and the like will have VPN software embedded, and only authenticated communications will be allowed. Clear Internet traffic will be material for campfire stories. It is a good time to be in security.
126
AU1253_ch12_Frame Page 127 Saturday, October 26, 2002 4:33 PM
Chapter 12
Wireless Technology Andres Llana, Jr.
Wireless technology has been with us for many years; however, the application of this technology did not begin a very real advance until the mid1990s. Much of the success of this technology can be traced to the rapid deployment of wireless technology in European countries. In these areas, the deployment of wireless local loop (WLL) systems made it possible to provide an alternative to the lack of a dependable copper infrastructure. In some countries where subscribers waited years for a telephone, the availability of wireless technology reduced the wait time to weeks. Later, as Global System for Mobile (GSM) networks began to proliferate, the concept of greater mobility (i.e., mobile handsets) enabled many more subscribers to move onto the public network without the requirement for even a terminal in their homes — as was the case with the WLL systems. Due to the growing penetration of cellular services, the International Telecommunications Union (ITU) projects that by 2008 there will be more mobile than fix-line subscribers, perhaps as many as a billion cellular subscribers. The fast-paced growth in global wireless services has greatly impacted the expansion of wireless data communications. This is not to say that wireless systems in support of data communication requirements have not been around for some time; it just was not embraced as an enterprise network solution. However, with the success of wireless technology in European countries and around the world, more viable wireless solutions have made their way into the marketplace. Broadly speaking, the driving forces for change can be seen in the growth of the Internet, increased user mobility, and pervasive computing, where computer chips now play a greater role in the monitoring and control of various service devices. Mobile telephones and pagers have accomplished a great deal in supporting the remote worker’s requirement for maintaining a meaningful information exchange with corporate headquarters. Applications such as voice messaging, online fax, and online information access have driven wireless data transmission to the next tier. These applications have served to give the new-age “road warrior” a definite advantage as a remote worker.
0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
127
AU1253_ch12_Frame Page 128 Saturday, October 26, 2002 4:33 PM
TECHNOLOGY
Exhibit 1.
Wireless Internal Communications
WIRELESS COMMUNICATIONS Wireless communications in the United States extend back to the early 1950s, when the Rural Electrification Administration (REA) sought ways to provide telephone service to remote farms and ranches. Early efforts bore little fruit and, as late as 1985, the REA was still trying to get a system into operation. However, by the mid-1990s, a rush of new products resulted following the successful deployment of global analog cellular mobile telephone service. The most common form of wireless telephones came with the application of the CT-10 cordless telephone and, later, the CT-2 digital phone. Wireless internal telecommunications became fairly commonplace when AT&T, Ericsson, Nortel, NEC, and Rolm introduced wireless adjunct systems for installed private branch exchange (PBX) systems. These adjunct systems linked to a PBX via separate station line cards based on the standard 2500 nonelectronic desk telephone (see Exhibit 1). These add-on systems supported an RF controller that used the ISM (Industrial– Scientific–Medical) 900 MHz frequencies. Remote RF controllers were positioned around the user’s premises to receive transmissions from roving users with mobile handsets. Today Lucent (AT&T), Ericsson, NEC, and Rolm (Siemens) have all introduced an entirely new generation of wireless PBX products that allow the end user to establish a totally integrated wireless voice and data network. For example, Lucent has introduced their Definity Wireless Business Systems as well as their TransTalk 9000 system. This latter system can be either a dual-zone or single-zone system and can support up to 500,000 128
AU1253_ch12_Frame Page 129 Saturday, October 26, 2002 4:33 PM
Wireless Technology
Exhibit 2.
Wireless PBX System
square feet. A similar two-zone system can be used to support a multilevel building or a combination of several closely coupled buildings (i.e., warehouse, manufacturing, etc.). The Definity wireless digital enhanced cordless telecommunications (DECT) system, which operates in the 1880- to 1900-MHz range, has similar capabilities and is marketed outside the United States. The Nortel Companion system is another similar wireless system and works off of the Meridan I (Option 11 C) system. The Companion system supports all of the same station features as found on a standard electronic desk telephone. These new wireless PBX systems can be integrated directly to the corporate local area network (LAN) or wide area network (WAN) and function as centralized communications servers. For example, the Ericsson MD 110 system, when configured with an IP gateway unit, serves to interface the MD 110 PBX to an IP network, allowing voice traffic to share bandwidth with data over the IP network (see Exhibit 2). WIRELESS OFFICE SERVICES (WOS) Office complexes, manufacturing warehouses, and other facilities that are spread out and supported with disbursed population of employees are an ideal opportunity for the wireless service provider. Motorola, which introduced its M-Cell GSM access product at the 1998 GSM World Congress, was 129
AU1253_ch12_Frame Page 130 Saturday, October 26, 2002 4:33 PM
TECHNOLOGY able to provide attendees with support for over 16,000 calls during the three-day conference. This system is essentially an internal telephone system that functions like any other PBX system except that it is supported by a localized GSM wireless network operator. In this environment, building distributed RF units linked to cluster controllers support internal interoffice calling. When a user leaves the office, his or her calls are then seamlessly linked via the local GSM wireless network. Once general packet radio service (GPRS) support is added to the network, nonvoice services can also be supported. In the United States, service providers are now pursuing wireless office services (WOS) as a new market niche. In this environment, the service provider establishes a distributed radio system (DRS) throughout the office or multitenant facility in much the same way that a PBX system or wireless LAN is configured. In this scenario, mini base stations (MBS) are interfaced to distributed antennas (DAs), forming the basic infrastructure. The MBS units are linked in much the same way as in building data networks, which in turn are linked to a central radio. The advantage of these carrier-provided solutions is the transparent mobility of the end users in the system. While in the building or corporate facilities, the end users do not incur any per-minute billing; however, once they leave the premises, they are treated like regular mobile users and billed accordingly. In this arrangement, the end user is never out of touch and always within reach, as one assigned telephone number follows the end user both on and off premises. Cellular One on the West Coast is currently offering this service in the San Francisco area. Sprint has begun to offer wireless data service over its PCS network, which comprises over 11,000 base stations. This network exceeds the BellSouth Wireless Data service and ARIDS combined data networks. The Sprint data network will work through Sprint PCS smart phones, such as the Nokia, Motorola, or Qualcom, that support smart set displays. Further, these smart sets, when configured with microbrowsers, can be used to access the Internet for e-mail and other abridged services. This new data service also provides access to stock quotes and other time-critical information. Kits are available to provide Internet access for laptops or PDAs at 14.4 kbps. CELLULAR DIGITAL PACKET DATA Wireless data communications using a packetized data standard called Cellular Digital Packet Data (CDPD) has been getting more use as more wireless applications are being deployed. However, this service is limited to low speeds of 19.2 kbps or less, and has been implemented on D-AMPS IS-136 networks. CDPD technology serves to enhance the existing AMPS 130
AU1253_ch12_Frame Page 131 Saturday, October 26, 2002 4:33 PM
Wireless Technology cellular infrastructure by detecting unused cellular channel space in which to transmit data. This allows the operator to maximize the use of the available physical cell site infrastructure. While 19.2 kbps may seem slow, it does answer a broad requirement for low-speed transactions aimed at one-way data collection for meter or device reading. This application of CDPD has made it possible to offer many new data collection type applications for electric, gas, and water meter reading. To meet the growing demand for wireless data applications, newer CDPD modems have made their appearance. For example, Novatel has introduced the Minstrel modem for applications with Palm computing devices. These modems have their own IP address and can be used to access the Internet. The modems also support a built-in TCP/IP stack that can be used for custom software development using the Palm OS™. The Minstrel modem is configured with SmartCode software, HandMail™ and HandWeb™ software, and a modem management package. This new technology has resulted in a number of sales terminal applications, field technician applications, as well as mobile applications in transportation (e.g., fleet and vehicle management, public safety, and disaster recovery). Handheld terminal applications have also been aided by the introduction of Windows CE software configured with utilities such as Pocket Excel, Pocket Word, Internet Explorer, Scheduler, e-mail, Calendar, and Task Manager. All of these packages allow mobile workers to become more efficient with their time while in transit. WIRELESS LOCAL AREA NETWORKS Some of the earliest wireless LAN products were slow by comparison with today’s products. For example, in the early 1990s Motorola introduced a product that was developed around a microcellular design using the 18 to 19 GHz frequency. The system used an intelligent six-sector antenna, which was used for both data reception and transmission. The antenna supported a scanning system that was used to select the best transmission path from its associated terminal to the next terminal in the network. A high-performance RF digital signal processor was used to handle the modulation and demodulation of the 18 GHz carrier using four-level frequency shift keying (FSK). This would ultimately support 10-Mbps Ethernet, which was considered fast for the early 1990s. Wireless LAN technology in the early 1990s was slow to catch on as many networks were hard-wired; it was not until changes were made in office and facility arrangements that wireless technology gained acceptance. Because the early products were unlicensed, they could be used to cover short distances (several hundred feet) within buildings and under a 131
AU1253_ch12_Frame Page 132 Saturday, October 26, 2002 4:33 PM
TECHNOLOGY mile between buildings. A good example of such a wireless network can be seen in the Jacob Javits Convention Center in New York. In this application, a wireless LAN was tailored to cover 1.5 million sq ft of convention center floorspace. Distributed smart antennas, which act like mini base stations, are spread around the facility and allow transmission of voice and data throughout the facility. 802.11. STANDARD In 1997, the IEEE standard for wireless networking was finally ratified, establishing an interoperability standard for all vendor products. Essentially, the 802.11 standard made it possible for companies to introduce a higher performing wireless LAN product that offers a degree of interoperability into the enterprise. The Wireless Ethernet Compatibility Alliance (WECA) is developing a series of interoperability tests that will allow vendors to test their products to determine if they are interoperable. These new products provide wireless connectivity starting at the mobile PC level and include products to interface a wired LAN with wireless desktop PCs, and peripherals. Also new to wireless LANs are firewalls that protect against unauthorized access into the corporate LAN. These wireless LAN security devices are based on an IP network layer encryption using the IPSec (IP Security) standards. Also incorporated as part of these systems are a range of authorization keys, authentication policies, and automatic security procedures. The original 802.11 products operated in the 2.4-GHz ISM band with a bit rate of up to 2 Mbps and a fall-back rate of 1 Mbps. Many vendor products can go higher; for example, Ericsson introduced an 802.11 product line in 1998 that provides a data rate of 3 Mbps. The newer 802.11b standard (2.4 GHz at 11 Mbps) is widely available today, and work is recently completed on the 802.11a standard that will support data rates of up to 54 Mbps. These devices will operate in the 5-GHz ISM band. WIRELESS INTERNET ACCESS Broadband access to the Internet is gradually getting away from the ISDN or dial-up access model. This can be attributed in part to the FCC, which released 300 MHz of spectrum for the Unlicensed National Information Infrastructure (U-NII). The U-NII band is broken down into three bands: 5.15–5.25 GHz for indoor application, 5.25–5.35 GHz for campus application, and 5.75–5.85 GHz for local access of up to ten miles. This new spectrum has resulted in the introduction of a new generation of wireless Internet routers, also referred to as Internet radios. Internet radios can be set up on rooftops by an ISP to provide direct Internet access via the ISP Internet hub. These 132
AU1253_ch12_Frame Page 133 Saturday, October 26, 2002 4:33 PM
Wireless Technology terminals can be configured in a point-to-point configuration or a point-tomultipoint configuration that can be used by an ISP to set up a point-tomultipoint Internet access arrangement completely outside of the public utility. By controlling the cost of local loop access, the ISP can offer better rates and higher speed access. This access arrangement is sometimes referred to as W-DSL because a network can support DSL-like access with speeds of up to 512 kbps of symmetrical bandwidth. WIRELESS BROADBAND INTERNET ACCESS Broadband Internet access is now being offered via licensed 38-GHz local multipoint distribution services (LMDS) and local multipoint communications systems (LMCS) license holders. These fixed wireless service providers are able to support fiber-optic network bandwidth without the physical fiber being in place. A good example of a broadband wireless (LMDS) system can be seen in the TRITON Invisible Fiber product line used to deploy a network of rooftop terminals in a consecutive point network. These networks are capable of supporting a 20- to 40-sq mi geographic area, providing local broadband service for an entire metropolitan area. MaxLink Communications of Ontario, Canada, has launched an LMDS service in Canada using a Newbridge LMDS system to offer IP over asynchronous transfer mode (ATM). Home Telephone, a successful bidder in the 1998 FCC LMDS spectrum auction, is offering LMDS service in the Charleston, South Carolina, basic trading area (BTA), using the Newbridge LMDS system. A similar service is being tested in San Jose using the TRITON Invisible Fiber product. Initially, this service will be limited to a select user group within an office park and expanded from there. LMDS broadband services provide the enterprise network designer with a potentially more cost-effective option where broadband services are required to support multimedia, video, and IP data transport requirements. USES FOR WIRELESS TECHNOLOGY Some of the largest users of wireless technology can be seen in the transportation and shipping industries. Federal Express and United Parcel Service are good examples of perhaps the largest users of wireless technology. Another area is that of automated vehicle location systems that are supported through a combination of satellite and landline systems coupled with the Internet. Consumer Applications A good example of a consumer-level system can be seen in the OnStar system being offered as an option with automobile products such as General Motors Cadillac automobile product line. The OnStar system is combined with a cellular service and the GPS tracking system. The system provides 133
AU1253_ch12_Frame Page 134 Saturday, October 26, 2002 4:33 PM
TECHNOLOGY a series of end-user services that includes travel directions, emergency road services, automobile enabling services, personal notification, and theft notification. The OnStar system uses a GPS tracking device that is installed on the vehicle and allows the OnStar control center to locate a subscriber’s vehicle. Through a cellular link with an on-board computer, the control center can detect if the car’s airbags have been deployed. If so, the control center detects a change, and a call to the subscriber is made to determine if there is a need for assistance. The control center can also remotely open the car doors if the subscriber has locked himself out of the car. Transportation Qualcomm offers a multilevel vehicle location and monitoring service for large trucking and transport companies. This service is supported through a combination of satellite, cellular, and landline services. Trucks with special roof-mounted units can be tracked and monitored any place within the United States, Mexico, and Canada. Monitoring includes truck system performance, loading and unloading events, and redirection of vehicles for new load pickups. Drivers are able to communicate with the control center via messaging or cellular wireless contact. Dispatchers are able, through land line contact with the Qualcomm control center, to dispatch and manage all company assets deployed on the nation’s highway network. Health Care A surprisingly large number of health care service providers have taken advantage of wireless technology. Good examples of the application of wireless technology can be seen at Austin Regional Clinic, Indiana Methodist Hospital, St. Joseph Hospital, Wausau Hospital, and Winthrop-University Hospital, to name a few. All of these facilities have essentially the same problem — that of getting to patient information, where and when needed. Many found that they had to take handwritten notes to the nearest nurse station and enter the information manually into a computer terminal. As a result, administrators had to come up with a more efficient way to operate. Austin Regional Clinic elected to supply its medical professionals with mobile handheld computers to record and retrieve patient information in real-time. These terminals were linked to the clinic’s Novell Netware LAN using PCMCIA modem cards. A series of wireless distributed access points located throughout the clinic provided a direct link to the LAN via a corresponding link in the clinic’s communication server. The portable computers used were grid pad, pen-based portables configured with application screens that allowed medical professionals simplified data entry and retrieval. This system eliminated large amounts of paperwork, thus allowing the professionals to function in a paperless environment. 134
AU1253_ch12_Frame Page 135 Saturday, October 26, 2002 4:33 PM
Wireless Technology Manufacturing In some manufacturing plants, sensors and programmable logic controllers (PLCs) are used to control many of the processes related to product manufacturing. In many places, these devices are hard-wired into highmaintenance networks that need frequent attention. In many plants, these networks have been fitted with Ethernet interfaces as part of a plantwide LAN. However, many plant managers have found that they can refit with wireless adapter cards that provide an RF link to wireless access points located around the plant. These arrangements link the PLCs directly into the wired LAN and the server, ensuring timely monitoring of all devices. Avon Products, Inc. faced an expensive problem in extending the LAN in a Chicago area plant’s factory floor. In this facility, production lines were not static and subject to regular reconfiguration. Further, operator mobility required to support 50 production lines along 500 linear feet confounded the problem of rewiring print stations to support the operators with barcode labels. Instead of rewiring, a series of printers configured with wireless modems were set up to receive barcode label files from print servers. The plant has a series of distributed base stations (terminal servers) that are linked to the LAN and a host system that supports the wireless link between the wireless printers and the LAN. The print servers, which are linked to the LAN Ethernet, receive barcode files from a VAX computer. As product is being manufactured, barcode information can be sent to the appropriate print server, where it can then be routed to the proper remote wireless printer. Financial The Pacific Exchange (on the West Coast) and Hull Trading (headquartered in Chicago) both opted to deploy wireless terminals on the trading floor to simplify the trading process. Traders, instead of walking to a static terminal to enter trade information, can now do that from their handheld terminals. This innovation permits much faster trades, while eliminating many manual steps as well as the reliance on handwritten notes. SEARCHING FOR A WIRELESS SOLUTION In planning for the migration to a wireless network arrangement, the planner must be certain of his or her plan. Wireless applications require antennas and base stations to receive and transmit wireless signals between a mobile terminal and a mini base station. That said, the planner must be certain that antenna coverage can be established throughout the area(s) to be served by the wireless terminals. While most wireless modems and RF base stations work, many may not be interoperable with vendor equipment. Because there are so many vendors offering products, the planner needs to be certain of the vendor’s 135
AU1253_ch12_Frame Page 136 Saturday, October 26, 2002 4:33 PM
TECHNOLOGY commitment to the market. Now that the 802.11 standard has been accepted, the planner should not consider proprietary systems to avoid early obsolescence; many products and vendors of the early 1990s that had great products are no longer with us. Wireless network arrangements provide a great deal of flexibility, but the planner should limit the migration to a wireless network arrangement to those applications that will produce a reasonable savings in terms of reduced manpower. Application software requires careful review because much of the software designed to function over a LAN with standard PCs may not work the same way with a laptop PC. Further, because many mobile terminals are configured with Windows CE software, one needs to be aware of the differences and their interface to the LAN operating system. Where the opportunity for the application of wireless technology is limited, the planner may find opportunities for direct linking of facilities to avoid central office (CO) dedicated circuit costs for voice and data transport. With many of the newer systems on the market, the planner can gain greater reach than before to link company facilities. Further, by working with an ISP provider, many times the planner can arrange for a rooftop Internet radio to link the ISP hub directly with the corporate network hub, thus providing much higher speed access to the Internet for the corporate network users. SUMMARY Wireless technology has opened up a new range of possibilities for linking the enterprise network than previously available to the network planner. The keys to success are proper preplanning and selection of equipment; adherence to established standards with an eye toward the future; and the availability of future systems with higher throughput options. Careful alignment of applications software is another important issue as some tailor-made software may be necessary to link legacy applications. Enhancing the corporate network to bring it into line with the state-of-the-art should not be the end-all, but rather an opportunity to reduce operating costs and improve overall corporate productivity.
136
AU1253_ch13_Frame Page 137 Saturday, October 26, 2002 4:35 PM
Chapter 13
Wireless Application Protocol (WAP) Mahesh S. Raisinghani Carlson Colomb
Wireless Application Protocol (WAP) is now the de facto worldwide standard for wireless information and telephony services on digital mobile phones and wireless devices such as Personal Digital Assistants (PDAs) that often run Palm OS or Microsoft’s Windows CE. The idea comes from the wireless industry, from companies such as Nokia, Motorola, Ericsson, and Unwired Planet, founding members of the WAP Forum (www.wapforum.org) that is dedicated to the development of the standard. The WAP Forum was formed after Omnipoint, a U.S. network operator, issued a tender for the supply of mobile information service. This resulted in responses from different vendors using proprietary technology to deliver the information, including HDML from Unwired Planet (now Phone.com). Vendors responding to the tender were informed that a common standard was desired and not proprietary technology. Because of the similarity of the vendors’ approach, it made sense for them to cooperate to define such a standard. WAP bridges the gap between the mobile world and the Internet and corporate intranets. An unlimited range of mobile value-added services can now be delivered to mobile users, independent of their network, mobile provider, and terminal. Using a pocket-sized or handheld device, mobile subscribers can access the same wealth of information from a mobile handset device as they can from the desktop. Why WAP? In the past, wireless extranet access has been available through proprietary protocols that were designed for strict business applications, and never the consumer market. Examples of such are the portable shoeboxsized data collection terminals, such as those FedEX delivery people carry about on their route, logging customer signatures and delivery status wirelessly to the head office. 0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
137
AU1253_ch13_Frame Page 138 Saturday, October 26, 2002 4:35 PM
TECHNOLOGY WAP optimizes the content of products that employ standard Internet technology to fit the small screen interfaces and bandwidth limitations of wireless devices and networks. Borrowing from the client/server model of the Internet, WAP uses a relatively simple microbrowser in the mobile phone, which requires only limited resources on the device. Thus, the services and applications reside on WAP servers, not in phones. A board member of the WAP Forum commented, “The philosophy behind WAP’s approach is to utilize as few resources as possible on the handheld device and compensate for the constraints of the device by enriching the functionality of the network.” WAP defines application, session, security, transaction, and transport layer protocols. The language in which pages are rendered to be delivered over WAP is Wireless Markup Language (WML). Thus, WML is to WAP what HTML is to HTTP. WML, although similar to HTML, is actually an XML application. The W3C defined XML as a meta-language, or a series of rules on creating other languages for specific applications. WML is such a language, for wireless applications, that complies with XML rules. The advantages of WAP include: • • • • •
Open vendor independent standard Carrier network independent Optimum for small screen size and low power consumption Multidevice support Transport mechanism optimized for wireless data carriers
Everyone listens to radio station WIFM (“What’s in it for me?”). So what are the underlying benefits for everyone concerned? The benefit for wireless telecommunications carriers is simple. During WAP’s infancy, WAP-capable carriers will attract customers from their competitors who are slower to move on the technology. Also, current wireless fence-sitters who have long held out will suddenly jump on the bandwagon due to the increased valueadded WAP services. And, of course, there is all that additional “surfing” airtime usage that the wireless carriers get to bill their subscribers, perhaps via online billing using WAP, thereby cutting snail-mail billing costs and drawing another dime of airtime out of their customers. Wireless carriers will certainly be among the first to implement such applications, including wireless activation, call management, viewing of billing history information and payment options, push news on new services or promotions, voice message management, and more. Content providers and application developers, familiar with the Internet model on which WAP relies, will soon be able to use WAP tools to quickly create a plethora of new online wireless services. These services will be sold by content providers to a variety of customers, such as WAP search engines or portals, ISPs, etc., who will seek to add value to their own 138
AU1253_ch13_Frame Page 139 Saturday, October 26, 2002 4:35 PM
Wireless Application Protocol (WAP) service offerings for their subscriber base. These turnkey service or content solutions will help attract new subscribers, build loyalty, and increase revenues. And, naturally, end users will benefit from secure access to Internet information and services such as instant messaging, banking, stock quotes, and more, through their mobile devices. Even intranet information such as corporate databases or legacy host systems can be accessed via WAP technology. One study conducted on the adoption rate of WAP devices concluded that most respondents who expected to get a WAP phone within the year did so because their employers would pay for it. Applications for WAP There are a wide variety of mobile applications that can exploit the mobile devices’ unrivaled one-to-one interactive capabilities. As discussed, content providers and application developers will provide many services for ISPs, portals, and online businesses to add value to wireless subscribers. Such services and applications are virtually endless: e-mail, instant messaging, weather and traffic alerts, online directory services, maps, location triangulation and listing of nearby services, customer service, news, sports scores, travel booking, flight schedule tracking, E-commerce transactions, banking, billing, payment, stock brokering, online ticket purchasing, personalized location-based mobile shopping services, and more. WAP’s push capability affords a distinct advantage over the WWW and represents tremendous potential. But business applications will initially drive wireless Web adoption. Enterprises will deploy applications to leverage mobile technology’s ability to deliver real-time corporate information to employees and partners on demand. For example, wireless E-business applications that allow mobile personnel such as sales people to access sales account information, inventory status, or order tracking from their WAP-enabled mobile phones or PDAs will be immensely popular. Whether wireless E-commerce or E-business type applications or services, it seems clear that back-end connections will be required to existing big-iron legacy host systems such as IBM mainframes or AS/400s, which drive most of the required business logic. Whether it is banking or flight booking, inventory or order tracking, there will be an undoubtedly large demand for a means to access core business applications residing on legacy host systems. Hand-to-host access software solutions will therefore become an important underlying platform of many of the new WAP applications that will be created for both consumer and business markets. Some traditional host access vendors, like Eicon Technology with its Aviva products, have been quick on the ball and are seeking this growing hand-to-host market. These solutions enable rapid development of wireless front ends, without having to modify existing core host applications 139
AU1253_ch13_Frame Page 140 Saturday, October 26, 2002 4:35 PM
TECHNOLOGY that are tried and tested. Often such legacy applications have millions of lines of code, and any alteration of the actual business logic is a major undertaking. Thus, hand-to-host is easily achieved by developers writing a WAP application on top of products, such as Aviva, that do the back-end upstream connection to the host computer, sometimes over legacy protocols such as SNA, and automatically navigate through one or more host applications to retrieve the desired data. This is then securely returned to the mobile user via WAP to complete the transaction request. WAP Topology Current Internet technologies like HTML are not practical for wireless networks, having been designed for more powerful computers with generally reliable data networks and decent bandwidth. WAP utilizes Internet standards such as XML and TCP/IP but is optimized for the unique constraints of wireless technology, including bandwidth restrictions, higher latency, unreliable connection stability or predictability, less powerful CPUs, and less memory, power consumption, and interface constraints. Binary transmission allows greater data compression and optimization for long-latency low-bandwidth wireless networks. As depicted in Exhibit 1, there are two possible scenarios in a WAP topology. The URL request from the mobile device (WAP client) is sent to the WAP gateway, which lies between the carriers’ network and the Internet. If the Web server provides content in WML, the WAP gateway transmits it directly to the WAP client. But if the Web server delivers a response in HTML, the WAP gateway converts the HTML into WML before passing it on. In both instances, the WAP gateway encodes the data from the Web server into compact binary form. WAP Predictions Through the WAP Forum, worldwide mobile carriers, terminal manufacturers, and content developers are collaborating do deliver a wireless data solution based on a single standard. Timing, as they say, is everything.
Exhibit 1. 140
WAP Network Topology
AU1253_ch13_Frame Page 141 Saturday, October 26, 2002 4:35 PM
Wireless Application Protocol (WAP) The current wired Internet has proven highly successful in reaching the home consumer market worldwide, with over a hundred million users online. It is foreseeable that the equally astounding mobile telephone adoption rate will lead the already Internet-initiated consumers to readily adopt wireless data services and applications with ease. They are already familiar and comfortable with both the Internet and their mobile phones. By mixing the Web’s chocolate with mobile phone’s peanut butter, a new taste sensation has been created that will revolutionize communications. The adoption of the wireless Internet is virtually ensured. But will WAP be adopted as the way to get there? As support by vendors for WAP grows, so do mounting claims that WAP is simply an intermediary technology and perhaps even a mistake. Sometimes, these criticisms come from the WAP Forum’s own members. One major criticism is that WAP is creating the necessity for rewriting Web sites in WML, in essence creating a parallel Internet-limiting content available to users who have been accustomed to being able to access all the content they want. Redesigning and maintaining two Web sites is an expensive proposition. And although all WAP gateways currently provide a simplistic on-the-fly HTML-to-WML conversion, this is insufficient for some sites that are complex in their HTML design and navigation. Essentially, this on-the-fly HTML-to-WML conversion is not robust enough to make every HTML Web site navigable or accessible through WAP. In the past, Microsoft has been one of the most vocal WAP critics, often making the “parallel Web” argument that there should be only one Internet standard for both wired and wireless Webs. The technology seemed to gain a lot of early support however, convincing even Goliath to assume the “if you can’t beat ’em, join ’em” strategy. Thus, Microsoft has joined the WAP Forum in hopes of influencing WAP’s direction and definition. Microsoft’s original mobile phone browser did not support WAP. Microsoft is now in cooperation with the WAP Forum to drive the next version of WAP technology to a convergence with the original Web, which will help it migrate its current consumer and business products into the wireless Web more easily. Phone.com feels that, although convergence is the utopian goal, a separate technology will always be necessary because phones will continue to lag behind standard PCs. Other companies are taking a wait-and-see strategy. Japan’s largest phone carrier, NTT DoCoMo, has 10 million subscribers to its I-mode wireless data service, which already offers color and video over many phones through a simplified version of HTML — not WAP. iMode has been so popular that NTT DoCoMo announced it would have to limit sales because the demand has caused them to suffer 16 service outages. NTT DoCoMo, being careful, has said it will also support WAP in the future. 141
AU1253_ch13_Frame Page 142 Saturday, October 26, 2002 4:35 PM
TECHNOLOGY Another criticism is that WAP will be unnecessary with 3G network technology, Universal Mobile Telephone Service (UMTS), offering up to 2 Mbps expected to be delivered within two years. Current wireless data transfer speed is only 9.6 kbps. The WAP Forum’s argument for WAP’s existence lies in the fact that the cost of bandwidth will never reach zero, and that many of the original constraints for which WAP was designed would still be valid after UMTS is available. These include intermittent coverage, screen size, low power consumption, carrier independence, multidevice support, and one-handed operation. In addition, the Forum argues that the bandwidth required by applications users want to use will also steadily increase, using up any headway gained. WAP, like any standard, will continue to evolve and be optimized. This is especially the case in terms of carrying multimedia over WAP. In defining WAP’s evolution, support of streaming multimedia mobile services is the current WAP Forum brain tickler. Other outstanding interests include security, smart-card interfaces, persistent storage, billing interfaces, privacy, and push technology. Yet another hurdle WAP must face is the fact that many members of the Forum, including NEC, Nokia, Phone.com, Geoworks, and others, are claiming that portions of the standard infringe on their intellectual property. Most of such claims, typical in developing any standard, can be settled through licensing fees. Any unrealistic or prohibitive fees will result in the Forum finding a workaround for the technology in question. However, even technologies that have to do with applications or services and not necessarily WAP technology seem to be up for patent-grabbers. The U.S. Patent Office has conditionally allowed Calgary-based Cell-Loc to claim the delivery of handset-based wireless location content and services over the Internet as its property, regardless of the technological method employed. Whatever the criticism or difficulties, WAP seems to have critical mass with more than 300 companies, many of them industry giants, developing it. Over 75 percent of the world’s major mobile terminal manufacturers are members of the WAP Forum and are announcing the release of WAP-capable handsets. It is fair to say that WAP, although having its share of naysayers, is well positioned for success. The problem of size, due to usability of input and output interfaces, does not go away. One-handed typing is a desired feature of mobile devices, although some argue that using numeric keypads is impossible. It is doubtful that anyone will expect to type essays via a wireless handheld device, even with a full QWRTY keypad shrunk to phone size à la Nokia Communicator, an early version of 3G mobile phones. The output display will be limited in size on portable devices (although refractory computer screen sunglasses à la Mission Impossible may not be far away). Thus, the overall 142
AU1253_ch13_Frame Page 143 Saturday, October 26, 2002 4:35 PM
Wireless Application Protocol (WAP) argument is that whatever the underlying protocol, certain things about wireless data access from mobile devices will remain unchanged for a long time — things that can be overcome using WAP. Producers of Palm and Windows CE handheld devices are already announcing WAP support. Through a survey taken on Yahoo mobile, about two thirds of the respondents said that they would prefer to have a hybrid device combining mobile phone and PDA functionality. Few would like to carry multiple devices around or pay for more than one device. Users will want a James Bond-like gadget, capable of multiple functionality; and although Ericsson’s remote control automobile driving capability as seen in the movie Tomorrow Never Dies is not yet supported by WAP, it is not unrealizable for the future. Mitsubishi has already announced a hybrid device, the Mondo, a WAP-capable mobile phone with color display running Windows CE and featuring a slightly smaller touch-screen than a standard WinCE Palm-size device. Will the next big-money acquisitions be taking place between PC and cellular phone manufacturers? Will Dell and Nokia merge? This is not unthinkable. WAP is indeed an intermediary technology. Are not all technologies? There are only two certainties after all: obsolescence and taxes. Moore’s law is nothing new, so those who state that WAP is merely an intermediary technology will certainly be able to pat themselves on the back for their astute predictions. Thus, such observations seem to be much ado about nothing. The fact is that WAP answers the needs currently required to make worldwide adoption of the wireless Web a reality in a short period of time. It is the standard that has the vast majority of supporting vendors, developers, and content providers; and, as learned from the history of the VHS vs. Beta, or Microsoft vs. Apple, critical mass and standardization are all it takes, not technical superiority. Customers do not buy technology for technology’s sake; they buy services and applications; and it would be foolish to expect that initial services will provide the perfect user experience. As users choose what types of services and applications they want to use, WAP will evolve. WAP and the current Web will converge, and thus, WAP is the means and not the end. One thing is certain: those late to jump on the bandwagon might not find a seat. WAP: TECHNOLOGY FOR M-COMMERCE There is a more honest attitude now. There will be a Darwinian selection process, and the end of opportunism. — Enrique Carrier, Director of Prince & Cooke, Argentina, speaking about the future of dot.coms 143
AU1253_ch13_Frame Page 144 Saturday, October 26, 2002 4:35 PM
TECHNOLOGY The International Data Corporation promises one billion cellular telephones worldwide by 2004, with half of them Internet-enabled. The most popular Internet-enabling technology being adopted en masse by handset manufacturers and service providers is wireless application protocol (WAP). This section attempts to describe the fast-growing trend for tools to access the Internet that will be more popular in the future than the predominant use of personal computers is at present. It also depicts the importance of WAP in the field of E-commerce, with its popularity leading E-commerce into mobile commerce (M-commerce). Because it works in already existing networks, WAP needs little modification in Web content and can be available with ease. Already, there are numerous companies providing E-commerce services through WAP around the world, and with the huge mobile telephone subscriber base, the potential for M-commerce is tremendous. Introduction Trade developed through many stages, from barter in the old days to E-commerce today. What will be the tool for transactions tomorrow? In the past half decade, the Internet has revolutionized the practice and procedure of trade, giving birth to the new world of E-commerce. Now people can buy or sell goods and services practically twenty-four hours a day, seven days a week, if they have access to the Web. Vendors have been able to tap into markets that were impossible to reach due to remote geographic location or other reasons. It is this “anywhere, anytime” technology that has fueled the new economy. Although much has been accomplished toward this goal of being able to trade anywhere, anytime, personal computer laptops are too bulky for M-commerce. The obvious choice is empowering the mobile telephone to be the choice tool for M-commerce. The M-commerce phenomenon is centered in Asia and Europe (not the United States), where mobile telephony is further advanced and PC usage is much lower. Nokia, Ericsson, Motorola, and NTT DoCoMo, to name a few — as well as giants in banking, retail, and travel — are developing their mobile E-sites, including Amazon and Schwab, and all are settling on WAP. WAP works with all major wireless networks — code division multiple access (CDMA), Global System for Mobile communications (GSM), time division multiple access (TDMA), and Cellular Digital Packet Data (CDPD) — via circuit-switched, packet, or short messaging service and can be built into any operating system, including Windows CE, Palm OS, Epoc, or JavaOS. The Japanese mobile operator DoCoMo is the leader, with the first mover advantage in bringing mobile Internet services to market by attracting 10 million subscribers to its i-mode service in less than one year. The Palm VII personal digital assistant (PDA) from 3COM can deliver wireless e-mail and information access service in the United States and the United Kingdom. Most current mobile 144
AU1253_ch13_Frame Page 145 Saturday, October 26, 2002 4:35 PM
Wireless Application Protocol (WAP) Internet services are based on the WAP standard. Microsoft, who came a bit late to the game, gave its grudging approval recently by redoing its cellular telephone browser for WAP. Analysts say such personalized services will be the meat of M-commerce. According to Gartner’s research vice president Phillip Redman, “The personalization of content and services that help consumers make their purchasing decisions” will be pivotal. Information is key to the overall success of M-commerce, and Cellmania and BroadVision are two wireless applications based on that premise. Cellmania’s mEnterprise is intended to help companies bolster customer relations in part by increasing the productivity of traveling employees. mEnterprise integrates with a company’s infrastructure and powers fieldservice and sales-force automation applications and mobile portals. BroadVision is offering BroadVision Mobile Solution to help businesses get a better line on the content customers want pushed to handheld devices by capturing customer data. It also can create home pages that site visitors can customize to their needs. WAP-Enabled Phones Every day there is some news about WAP-enabled phones and their growing use toward the Internet. Is this growth going to sustain or even surpass people’s expectation to become the most important medium for communication and commerce? Will it lead the static wired E-commerce to wireless M-commerce? Although the only Internet-enabling technology being adopted en masse by handset manufacturers and service providers is WAP, there are other options, such as J2ME (Java 2 Micro Edition), a mobile ASP (application service provider), a Citrix terminal solution, or an OracleMobile solution, which totally ignore cellular telephones and promise to satisfy all of your mobile Internet business needs over a pager. In addition, there are issues with WAP’s WML that cannot be read on an HTML browser and vice versa. Is Sun’s J2ME, which allows a small application to be on the telephone so it can be used even when disconnected, a good solution, or is it, as reported by Internet service vendors (ISVs), too small and does it lack too many of the Java standard edition components needed to create useable applications? In Sun’s defense, Motorola displayed applications such as expense reports, e-mail, and calendaring on an Motorola iDEN cellular telephone running J2ME. In the business-to-business (B2B) environment, real-time mobile access to online exchanges, virtual communities, and auctions can be facilitated by M-commerce. Mobile workers such as sales reps, truck drivers, and service personnel will be able to use the mobile Internet. Medical doctors 145
AU1253_ch13_Frame Page 146 Saturday, October 26, 2002 4:35 PM
TECHNOLOGY will be able to use their handheld PDAs to pull up patient information, information on available drugs, and online ordering and scheduling of prescriptions, clinical tests, and other procedures. Unified messaging services will allow mobile workers to use a single device for all their communications and interactions; and ubiquitous computing will use online connections to communicate exception reports, performance problems, and errors to service personnel. Most IT executives are still on the fence, whereas a few early adopters have settled on proprietary technologies. One example is a women’s accessory company, NineWest, which has a non-WAP client/server solution for its field reps and buyers deployed into older Nokia 9000 cellular telephones. Developed by the Finnish company Celesta, it creates smart forms using Short Message Service (SMS) rather than going through an ISP. This solution has reportedly been profitable for NineWest because it alerts headquarters in real time, rather than through weekly batch files, when a store carrying its line needs to be restocked. Similarly, NeoPoint of La Jolla, California, a developer of Web telephones, has created a wireless service called myAladdin.com that, among other abilities, can monitor information such as airline flights or stock performance and alert a user when a flight is delayed or a stock price drops. InfoMove of Kirkland, Washington integrates the global positioning system (GPS) and text-to-speech technologies to create a private-label information service that has been sold to DaimlerChrysler and Paccar, a heavy truck manufacturer. Tekelec makes equipment for wired and wireless telecommunications suppliers to enable them to offer value-added services to their customers. Because the FCC requires that if you switch or move, your telephone company must let you keep your old telephone market, Tekelec’s local number portability (LDP) software is the best on the market and with its reseller networks such as Lucent and Tellabs, Tekelec is a strong takeover candidate. WAP: A Global Standard WAP is a format for displaying Web and other data on the small screens of handheld devices, specifically cellular telephones. WAP is a set of specifications, developed by the WAP Forum, that lets developers using WML build networked applications designed for handheld wireless devices. WAP is a standard, similar to the Internet language HTML, which translates the Web site into a format that can be read on the mobile’s screen. The data is broadcast by the telephone’s network supplier. WAP v1.1 constitutes the first global transparent de facto standard to be embraced by well over 75 percent of all relevant industry segments. WAP’s key elements include: 146
AU1253_ch13_Frame Page 147 Saturday, October 26, 2002 4:35 PM
Wireless Application Protocol (WAP) • • • • •
The WAP programming model Wireless mark-up language and WML Script A micro-browser specification Wireless telephony application The WAP stack
WAP is designed to work with most wireless protocols such as CDPD, CDMA, GSM, PDC, PHS, TDMA, FLEX, ReFLEX, iDEN, TETRA, DECT, DataTAC, and Mobitex. Operating System for WAP WAP is a communications protocol and an application environment. It can be built on any operating system including PalmOS, EPOC, Windows CE, FLEXOS, OS/9, and JavaOS. WAP provides service interoperability even between different device families. WAP uses existing Internet standards, and the WAP architecture (illustrated in Exhibit 2) was designed to enable standard off-the-shelf Internet servers to provide services to wireless devices. In addition to wireless devices, WAP uses many Internet additions when communicating standards such as XML, UDP, and IP. WAP wireless protocols are based on Internet standards such as HTTP and transport layer security (TLS), but have been optimized for the unique constraints of the wireless environment. Internet standards such as HTML, HTTP, TLS, and TCP are inefficient over mobile networks, requiring large amounts of mainly text-based data to be sent. Standard HTML Web content generally cannot be displayed in an effective way on the small screens of pocket-sized mobile telephones and pagers, and navigation around and between screens is not easy in one-handed mode. HTTP and TCP are not optimized for the intermittent coverage, long latencies, and limited bandwidth associated with wireless networks. HTTP sends its headers and commands in an inefficient text format instead of compressed binary. Wireless services using these protocols are often slow, WML
Filter
WAP Proxy WML HTML
Web Server
Filter
WML Wireless Network
WML WTA Server
WML
WAP Proxy
Exhibit 2.
WAP Architecture 147
AU1253_ch13_Frame Page 148 Saturday, October 26, 2002 4:35 PM
TECHNOLOGY
Mobile Phone
SMS or Data Call
Database Application Server
Web Server
Desktop PC
WAP Server
Corporate Network
Exhibit 3.
Operator Network
WAP and the Web
costly, and difficult to use. The TLS standard requires many messages to be exchanged between client and server which, with wireless transmission latencies, results in a very slow response for the user. WAP has been optimized to solve all these problems, utilizing binary transmission for greater compression of data, and is optimized for long latency and low to medium bandwidth. WAP sessions cope with intermittent coverage and can operate over a wide variety of wireless transports using IP where it is possible and other optimized protocols where IP is impossible. The WML used for WAP content makes optimum use of small screens and allows easy navigation with one hand without a full keyboard and has built-in scalability from two-line text displays through to the full graphic screens on smart telephones and communicators. Exhibit 3 illustrates the relationship between WAP and the Web. WAP Forum The WAP Forum is the industry association comprised of more than 200 members that has developed the de facto world standard for wireless information and telephony services on digital mobile telephones and other wireless terminals. The primary goal of the WAP Forum is to bring together companies from all segments of the wireless industry value chain to ensure product interoperability and growth of the wireless market. WAP Forum members represent over 95 percent of the global handset market carriers, with more than 100 million subscribers, leading infrastructure providers, software developers, and other organizations providing solutions to the wireless industry (http://www.wapforum.org/). ARGUMENTS FOR WAP WAP is efficient at coping with the limited bandwidth and connectionoriented nature of today’s wireless networks due to its stripped-down 148
AU1253_ch13_Frame Page 149 Saturday, October 26, 2002 4:35 PM
Wireless Application Protocol (WAP) protocol stack. WAP works with all major wireless networks and can be built into any operating system, including Windows CE, PalmOS, Epoc, or JavaOS. WAP applications are available over second-generation GSM networks albeit only at 14.4 kbps. WAP services, however, also work on other platforms, including 2.5-Gb (data-enhanced second-generation) networks offering up to 128 kbps. WAP low data rate services, already available in many European national markets, include short messaging service (SMS) wireless e-mail, which can interconnect with the Internet. New products and services that use the WAP format provide instant access to personal financial data, flight schedules, news and weather reports, and countless shopping opportunities. Finally, WAP gateway’s flexibility enables operators to introduce and bill for new services easily without having to make changes to their existing billing systems. ARGUMENTS AGAINST WAP Although WAP has drawn a tremendous amount of attention in the business and technology sector, its huge popularity has also drawn criticism that leads one to think that WAP will not develop into a major force impacting business and life. According to David Rensin, CTO at Aether Systems, a handheld infrastructure developer in Owings Mills, Maryland, “WAP is dead.” Chief among his complaints was the necessity for rewriting the Web sites in WML for every device to which a WAP-enabled Web site is sent. WML is used as a technique to get content from an HTML Web site using WAP onto small-screen devices. “You have to rewrite the same Web site for a four-line cell phone display and again for an eight-line display,” and “the problem [with WAP] is content. Redoing a Web page for multiple sites on different devices is a nightmare,” according to Rensin. Handheld devices are more limited than desktop computers in several important ways. Their screens are small, able to display only a few lines of text, and they are often monochrome instead of color. Their input capabilities are limited to a few buttons or numbers, and entering data takes extra time. They have less processing power and memory to work with, their wireless network connections have less bandwidth, and they are slower than those of computers hard-wired to fast LANs. Web applications are traditionally designed based on the assumption that visitors will have a desktop computer with a large screen and a mouse. A smart telephone cannot display a large color graphic and does not have point-and-click navigation capabilities. As some analysts say, these limitations will hinder WAP as the choice for tomorrow’s technology. Mobile Phones and Health Issues All mobile telephones and wireless LAN devices emit microwave radiation at the same frequencies used to cook food. Now scientists are trying to 149
AU1253_ch13_Frame Page 150 Saturday, October 26, 2002 4:35 PM
TECHNOLOGY determine whether end users are at risk. “We have evidence of possible genetic damage,” says Dr. George Carlo, chairman of Wireless Technology Research LLC (Washington, D.C.), which has been conducting research into cellular telephones for six years. His study found that “using mobile phones triples the risk of brain cancer.” Dr. Kjell Hansson Mild of Sweden studied radiation risk in 11,000 mobile telephone users. Symptoms such as fatigue, headaches, and burning sensations on the skin were more common among those who made longer mobile telephone calls. At the same time, there are a growing number of unconfirmed reports of individuals whose health has been affected after chronic, frequent use of mobile telephones, presumably from radiation effects on cells. There is no evidence so far of mobile phone radiation causing tumor formation or memory impairment in humans. Much more research is needed before any firm conclusions can be drawn. Whatever the effects of using mobile telephones may be in humans, the health risk to an individual user from electromagnetic radiation is likely to be very small indeed, but some individuals may be more prone to radiation side effects than others (http://www.globalchange.com/radiation.htm). Security Furnishing full protection in a wireless world involves three types of code: 1. Encryption algorithms to scramble data 2. Digital certificates to restrict access 3. Antivirus software Encryption, the most demanding of the three, follows a fairly simple equation: the larger the algorithm, the stronger the security, and the more CPU cycles needed. WAP-enabled telephones do not have the horsepower to handle the bulky security software designed for PCs. At this point, all handheld devices, including PDAs, are vulnerable to any virus that comes along. It is worth noting that there are currently no known viruses that attack wireless gear, but as mobile IP gains popularity, it will become an increasingly attractive target. “It’s conceivable one could have a worm virus similar to Explore.zip that could spread to every person’s device in a matter of a few seconds,” says Carey Nachenberg of Symantec. WAP and M-Commerce The average mobile telephone is essentially a dumb device: good for allowing people to chat, but hopeless when it comes to managing the information that makes people’s lives go round. For the past few years, the wireless industry has been engaged in a gargantuan effort to change this. The idea is to create a single smart gadget that will allow people to check their e-mail, consult the Internet, plan their schedule, and, of course, make telephone 150
AU1253_ch13_Frame Page 151 Saturday, October 26, 2002 4:35 PM
Wireless Application Protocol (WAP) calls: in other words, a combination of an electronic organizer, a personal computer, and a mobile telephone. With regard to M-commerce applications, Sonera of Finland, which has implemented an Apion WAP gateway, is the world’s first telecom operator to launch WAP services (2Q/99). In addition to providing its own services, the telco/cellco is actively and rapidly creating partnerships with companies such as Finnair, CNN Interactive, Yellow Pages, Tieto Corporation, and Pohjola. Recently, a company in California called Everypath started to deliver a new era of freedom in mobility and convenience in which one will be able to shop, purchase gift certificates, bid on auctions, trade stocks, play games, pay bills, bid on fine wines, get driving directions, check the calendar, reserve a hotel room, track home prices, plan a vacation, stay in touch, or order tickets from the palm of the hand or with the sound of the voice, no matter where one is. In Japan, NTT DoCoMo sold more than one million of its Internet-based i-mode telephones within six months after they were launched and received remarkably few complaints. The rest of the world’s producers are getting ready for a surge in demand as they release their products over the next few months. Internet content-providers are already tailoring their products for telephone users — getting rid of power-hungry pictures, for example, and distilling long-winded news stories into the bald facts. Nokia has an alliance with America’s CNN to provide news that has been specifically designed for telephones. NTT DoCoMo reports that there are already more than 1000 companies providing Web pages for its telephones. Critical Success Factors for WAP and M-Commerce The critical success factors for M-commerce are speed, billing, and security. Each of these factors will be discussed. Speed. Today, most digital cellular users are limited to circuit-switched data at about 9.6 kbps, sufficient for text-based messaging and limited file transfer. This is where desktop Internet users were in 1994, when there were just 4 million host computers on-net compared with more than 60 million Internet hosts worldwide in October 1999. The next move in the circuitswitched world is high-speed circuit-switched data (HSCSD) running at 57.6 kbps. This is sufficient for fully functional Web browsing. However, as underlined by analysts such as Gartner Group’s Dataquest, HSCSD is an early adopter scenario that gives operators a competitive edge with corporations. Essentially, it is profiled for bulky data transfers.
151
AU1253_ch13_Frame Page 152 Saturday, October 26, 2002 4:35 PM
TECHNOLOGY General Packet Radio Service (GPRS), conversely, is quick and agile. As a packet-switched bearer, it promises “always-on” service at up to 115 kbps (for practical purposes). At the same time, it sits comfortably on the migration path to Enhanced Data for GSM evolution (EDGE), running at up to 384 kbps. So, although speed may be a concern for WAP surfers now, technology will enhance that in the very near future. Billing. The WAP gateway has been profiled to gather extensive billing detail for each transaction, e.g., the download of content (both volume and time), universal resource locators (URLs) visited, and other typical events during a WAP session. This information is stored in a generic, flexible format in a billing log. This, in turn, interfaces to a mediation platform that translates it into valid call detail records (CDRs) and passes them to the billing agency or credit card company’s billing system. The billing may be transaction based where the services are paid according to service usage with different prices possible for different services, subscription based with a monthly fee, flat rate with one price for all, free where the content provider may pay for the airtime to the operator, or a combination of the above four billing options.
The billing log receives “billable events” from the event manager. The gateway’s billing data interface requires only minor tuning to adjust its data formatting for different billing systems. In short, the WAP gateway’s flexibility enables operators to introduce and bill for new services easily without having to make changes to their existing billing systems. However, service roaming is difficult if transaction-based billing is used. The Holy Grail is turning the handheld device into a payment device or the equivalent of an electronic wallet. As we move toward the third-generation (3G) mobile standard, also known as Universal Mobile Telecommunications System (UMTS), an International Telecommunications Union (ITU) standard for voice, video, and Internet services licensed in Europe in 2000 and to be deployed in 2002, airtime will be packet based with an emphasis on content; billing possibilities are monthly fee (similar to the Internet model), amount of data or time based, commercials, service transactions, or a combination of the above options. Billing is a very market-sensitive problem and one solution is not possible. Without a doubt, the biggest change will be more choices and, in the end, markets will decide between free versus price for M-commerce. Security. Security is optional in the WAP standard, but is dearly mandatory for E-commerce providers and users. It may be implemented initially at the wireless transport layer security (WTLS) level of the WAP stack. This is the wireless version of industry standard TLS, equivalent to the widely deployed secure sockets layer (SSL) 3.1. As a recent Baltimore Technologies 152
AU1253_ch13_Frame Page 153 Saturday, October 26, 2002 4:35 PM
Wireless Application Protocol (WAP) white paper notes, it provides a secure network connection session between a client and a server, and it most commonly appears between a Web browser (in WAP’s case, the handset microbrowser) and a Web server, which can be an existing Internet server that is also WAP-enabled. Full participation in E-commerce requires that the additional security elements of verified authentication, authorization, and nonrepudiation be addressed. In real terms, this implies integration with public key infrastructure (PKI) systems that are already deployed and with new systems in the future. In the wireless arena, these systems will be defined in WAP. Recently citing the growth in usage of wireless devices, Richard Yanowitch, VeriSign Vice President of Worldwide Marketing, said that his company plans to provide “a complete trust infrastructure to the wireless world.” Key to the plan is an arrangement whereby Motorola will include the Verisign technology in the browsers that run on Motorola mobile telephones. Other companies endorsing Verisign’s plan include RSA Security, BellSouth, Sonera SmartTrust, and Research In Motion. These companies will leverage the technologies in their own products and services. For instance, technologies and services available from VeriSign include: • Microclient Wireless Personal Trust Agent code for embedding in handheld devices — code designed to enable seamless use of private keys, digital certificates, and digital signatures available to device manufacturers now. • Short-lived wireless server certificates — “mini-digital certificates,” according to officials, that are optimized for authentication of wireless devices and services. • A gateway-assisted SSL trust model — to enable network service providers to substitute wireless certificates for SSL certificates. • A gateway-assisted public key infrastructure roaming model — to enable small-footprint devices to digitally sign transactions. • Subscriber Trust Services — for secure messaging and transactions using wireless handheld devices. • Server/Gateway Trust Services — designed to allow electronic-businesses operating wireless servers and gateways to deliver secure applications. • Developer Trust Services — for digitally protecting downloadable content. • Enterprise Trust Services — for wireless, B2B, and B2C applications such as banking, brokerage, health care, and messaging. • Service provider platforms — for network operators and application service providers to offer VeriSign wireless trust services. Transaction services to be offered include Wireless Validation Services for real-time certificate validation, and Wireless Payment Services to enable wireless payment applications. 153
AU1253_ch13_Frame Page 154 Saturday, October 26, 2002 4:35 PM
TECHNOLOGY Future Impact A new study by International Data Corporation predicts that the number of wireless Internet subscribers will jump from 5 million in 2000 to nearly 300 million in just 3 years. That would account for more than half of all Internet users worldwide. WAP’s impact on mobile data would be similar to what Netscape’s impact was for the Internet: to provide an attractive and notionally transparent portal to the cyber world, which had more than 200 million users in September 1999, in addition to thousands of corporate intranets. For E-commerce providers, that portal provides a potential user base of more than 400 million mobile subscribers worldwide because the Internet is ultimately about E-commerce. Even though it includes a vast range of so-called “free” services — e-mail, social networks, consumer networks, a range of educational tools, computer games, and more — it is all about global economic activity and productivity. For the vast majority of fixed network Internet users, E-commerce is still relatively young. Amazon.com was not a household word in 1996. Internet banking, brokering, and financial services were not yet deployed into the mass market. Yet this E-commerce world of B2B, retail banking, brokering, insurance, financial services, and purchase of almost any good or service is commonplace. There is no reason why the Internet space should not be embraced by mobile users in the same manner, subject to some differences in their marketing profile. Salespeople, for example, are provided, through a wireless database access, the information needed to close a deal on the spot. Prices and delivery dates can be checked, orders can be entered, and even payments can be made without stepping outside the customer’s office. That boosts the hit ratio, eliminates paperwork (and low-level administrative positions), improves customer service, and speeds cash flow. Similar to the Internet revolution, this mobile makeover will change forever the way companies do business. Out of the office will no longer mean out of touch. In fact, remote employees may make wireless a way of life, so they do not have to dial in for e-mail and other information. Companies will be able to reinvent business processes, extending them directly to the persons in the field who deal directly with customers. Ultimately, companies and carriers could deploy wireless LANs to hotels and other public places, creating hot spots of high-speed connectivity for M-commerce. In the future, the ideal mobile device will be a single product suited for standard network access and services to handle tasks that extend the use of the device beyond its hardware-based limitations. 154
AU1253_ch13_Frame Page 155 Saturday, October 26, 2002 4:35 PM
Wireless Application Protocol (WAP) A U.K.-based consultancy’s analyst predicts that 70 percent of current cellular users in developed countries may be using advanced data services by 2005, with the value of the cellular data market overall set to reach $80 billion, from a very low base in 1999. The takeoff of cellular data is attracting a host of new players to the mobile communications market, including Internet-based companies such as Netscape, Amazon, Excite, Microsoft, IBM, and Cisco. Media companies such as CNN, Reuters, and ITN are examples of early-bird providers. As for the United States, the number of people using cellular telephones for wireless data skyrocketed from 3 percent of the U.S. online population to 78 percent over a relatively short period of time. The main reason for the increase is that employers started to pay for these services, according to a survey released by New York-based Cap Gemini America and Corechange, Inc., a wireless portal provider based in Boston. Currently, 33 percent of the U.S. online population uses cellular phones for business purposes. Of that 33 percent, 11 percent (or 3 percent of the total online population) uses them for data applications such as e-mail and news, the companies say. According to this survey of 1000 U.S. Internet users, which was conducted by Greenfield Online, Inc. on behalf of Cap Gemini, 47 percent of those who began using cellular telephones to access data in the year 2001 said they did so because someone else, mainly their employer, began paying for it. “This was the most important reason for adoption of the new technology,” said David Ridemar, head of Cap Gemini America’s E-Business Unit. Of those who started accessing data with their cell phones in 2001, 52 percent said they used the functionality for a mix of e-mail, personal data, and business information, 24 percent used it for e-mail and personal data, and 13 percent used it for e-mail only. Jupiter Communications forecasts a jump in consumer-to-consumer auctions from $3 billion in 1999 sales to $15 billion in 2004. These numbers are significant because auctions are a natural match for wireless providers for the following reasons: • Wireless auctions require much less bandwidth and data than a typical E-commerce Web site. • The time sensitivity of auctions makes it much easier to access over WAP-enabled phones or PDAs such as Palm VII (compatible with eBay) or Research in Motion’s 957 wireless handheld compatible with Bid.com. Indeed, it is suggested by some analysts that cellular subscriber numbers will top 1 billion by 2004, a substantial number of them WAP-enabled. Clearly, giving mobile users the same mobile data connectivity that fixed
155
AU1253_ch13_Frame Page 156 Saturday, October 26, 2002 4:35 PM
TECHNOLOGY network Internet users enjoy could more than double the potential global Internet market at a stroke. The Gartner Group’s Nigel Deighton maintains that, given current penetrations of mobile and Internet markets, the stage is set for a global boom in M-commerce that could largely ignore the PC in favor of mobile devices. He predicts further that some 30 to 50 percent of B2B E-commerce will be carried out via a mobile device by 2004. Motorola, for example, estimates that by 2005 the number of wireless devices with Internet access will exceed the number of wired ones. These smart new telephones will not only give another boost to the sale of mobiles, but they will change the nature of the Internet economy, making personal computers far less important, yet at the same time tempting many more people onto the information superhighway. The authors strongly believe that trade cannot be tied to wires. As so much research indicates, a major part of the workforce is heading toward location independence. The PC-based Internet has already redefined the nature of doing business, giving birth to popular E-commerce. However, to be truly location independent and to be “anywhere, anytime,” the PC is not the choice for B2B and B2C M-commerce. Necessity is the mother of all invention. M-commerce is already becoming a necessity in this age of the digital economy. In conclusion, the world is betting on M-commerce, in a manner reminiscent of the 1999 United States bet on Internet commerce. We can safely predict many losers, and a few winners, from the worldwide run to mobile Internet services.
156
AU1253_ch14_Frame Page 157 Saturday, October 26, 2002 4:36 PM
Chapter 14
Choosing A Remote Access Strategy John R. Vacca
Modern enterprises are defined by the reach and reliability of their networks. Business needs and new technologies are pushing the expansion of these networks beyond the traditional, hardened edge protected by the corporate firewall. Increasingly, enterprises must accommodate access from outside the firewall to support its network extremities — a distributed workforce at multiple remote corporate offices, customer sites, job sites, public hotspots, and other new, difficult and unusual locations. The 802.11b wireless access and remote network access via the public Internet present the key security challenges of choosing a remote access strategy today. The advent of additional enterprise networks outside the traditional enterprise firewall (networks in satellite offices, executive suites, customer sites, employee homes, and most recently, wireless users) increase productivity, yet create significant security risks. Enterprises need to meet these challenges in a unique way, such that it keeps IT in control of the entire enterprise network inside and outside of the main enterprise firewall, including the newly extended edge of the network, while providing “edge network” users with the capabilities and support they need to drive company productivity. A common misperception is that virtual private networks (VPNs) are the cure-all strategy for securely deploying networks outside of the enterprise firewall. Unfortunately, VPNs have become part of the problem because too often they originate from insecure locations. The proliferation of inexpensive firewalls is a response to the VPN problem, but unfortunately, they too have become part of the problem because they are typically not easily manageable in scalable numbers. The real strategy requires the centralized management of all remote firewalls and the authentication of all users attempting to access the VPN. This includes placing locations typically not under management, such as those provisioned by DSL/cablebased broadband. 0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
157
AU1253_ch14_Frame Page 158 Saturday, October 26, 2002 4:36 PM
TECHNOLOGY Exhibit 1.
Growing Demand for Remote and Wireless Network Access
According to Cahner’s Instat, there are currently over 4 million remote branch offices (RBOs) worldwide with over 6 million by 2006. U.S.-based enterprises are 56 percent of the total and average over 200 RBOs per firm. Mid-sized businesses are only 29 percent of the total, with technology costs as a factor. Small businesses make up just under 51 percent of RBOs, often with the homes of key decisionmakers identified as an RBO. However, according to Gartner, 65 percent of all U.S. businesses will deploy wireless LANs by 2003. IDC estimates the wireless LAN market at over 2 billion today and 4.3 billion by 2006. Wireless LANs are being driven by the endless need for mobile connectivity both in and out of the enterprise.
This is a strategy needed by a large and growing number of companies. According to Cahner’s, there are currently over 4 million remote branch offices worldwide with over 6 million by 2006 (see Exhibit 1). Regarding the adoption of Wireless Fidelity (Wi-Fi), Gartner reports that 65 percent of all U.S. businesses will deploy wireless local area networks (LANs) by 2003. REMOTE NETWORK AND WIRELESS NETWORK SECURITY: CONTROLLING ACCESS As these edge networks grow (LAN by LAN, office by office, customer by customer, home user by home user), IT organizations are tasked to meet the growing demand for access to the corporate LAN from outside the firewall. Whereas increased network access increases productivity, it also increases enterprise network vulnerability. The deployment of wireless local area networks (WLAN) presents multiple security issues also relating to access control. In addition to sharing all the same access concerns as wireline remote networks, wireless LANs introduce a special security concern because they publicly transmit radio waves through the air. IT cannot physically prevent unauthorized reception of these radio waves even if access to the network itself is secure. With a range of 100 meters, it is possible for reception and eavesdropping beyond the physical walls of an access-controlled building. As a result, IT must ensure that everyone who associates with a wireless access point (whether inside or outside of a secure building) is a valid and authorized user. This means that users wirelessly accessing the enterprise network should be considered remote network users and routed as if they were outside of the enterprise firewall — even if they are physically located inside the headquarters building! VPNs Have Become Part of the Problem The common practice for securing access from remote networks is to deploy VPN tunnels. VPNs are designed to prevent interception of traffic between the remote edge and the corporate firewall. Accomplished through encryption, VPN technology assumes that both ends of the tunnel 158
AU1253_ch14_Frame Page 159 Saturday, October 26, 2002 4:36 PM
Choosing A Remote Access Strategy are located in secure networks because VPNs do not control access to the tunnels themselves. As a result, enterprise networks secured by a main enterprise firewall and vigilant IT staff are consistently cracked because their remote and wireless networks are relatively less managed and secure. Remote offices, executive suites, and employee homes lack the same level of equipment and IT support at headquarters, thereby making themselves easy targets. An enterprise network consisting of headquarters and satellite locations interconnected over the Internet with VPN tunnels is only as strong as the weakest security at the least supported remote location. When a remote or wireless network is compromised, a VPN actually aggravates the risk because it facilitates the advancement of the attack through the encrypted tunnel and vouchsafes the intrusion past the enterprise firewall at the headquarters end. Known as the “U-Turn” problem, it basically means that if an intrusion is repelled by a secured enterprise firewall, it can turn around and enter the enterprise through a less secure remote or wireless network — oftentimes with the assistance of a VPN. Firewalls Have Become Part of the Problem The industry practice for securing a network (whether at headquarters or a remote location [or wireless laptop user]) is with a firewall. Firewalls are designed to prohibit access to a network from the outside. The most secure network is the one that prevents all access. Unfortunately, business needs and productivity demands require at least some access to the network from the outside, such as electronic mail, file transfers, and Web traffic. The challenge for IT is to balance enterprise needs for access with the risks of granting access. As a result, IT must, discretionarily, open holes or ports in the enterprise firewall, accepting some traffic and denying the rest. Accepting traffic from a VPN is one such hole. The more holes an enterprise has in its enterprise firewall, the more vulnerable the entire network is to an attack. Because VPNs essentially pass along the security weaknesses of remote and wireless networks, these weaknesses have become a liability for the entire enterprise. Unfortunately, there is no consistent industry practice for securing remote and wireless networks. Firewalls designed for securing the headquarters network are complex equipment requiring expertise and management. They are too complex and expensive to deploy in most remote locations lacking onsite IT support. Personal Firewalls are Not the Solution As a result of the need for firewall alternatives at remote locations (sometimes a remote location is simply a user’s laptop with a wireless card!), a market has been created for “personal firewalls.” These are relatively 159
AU1253_ch14_Frame Page 160 Saturday, October 26, 2002 4:36 PM
TECHNOLOGY inexpensive, easy to operate software-based firewalls that run on the computers of individual remote users. A sales professional at a remote office, with little to no IT support, can configure and operate a personal firewall with the assistance of a decent user interface. While this has had the immediate benefit of adding some inexpensive protection where there was none, it has resulted in unintended costly consequences. In effect, responsibility for maintaining the security of the corporate enterprise has been shifted from IT to the desktops of remote sales professionals and other employees accessing the enterprise from a remote network. Recall that holes opened in remote firewalls are susceptible to risks that are vouchsafed by VPNs into the main enterprise firewall. As a result, with the assistance of relatively inexpensive personal firewalls, non-IT personnel have become empowered to decide which holes to open in the enterprise firewall. Not only is this a poor, inefficient, and costly redistribution of enterprise expertise, it presents serious security risks for the entire enterprise network. The bait of inexpensive personal firewalls should not lure enterprises into placing the management and control of enterprise network security into the hands of remote, non-IT personnel. There Is No Longer One Corporate Firewall—There Are Thousands Every remote network’s firewall (whether a personal, PC-based application or an enterprise-grade device) has the capability to open multiple holes into the enterprise network. Every copy of a personal firewall installed on an employee’s desktop or laptop computer is capable of opening those same holes. When it comes to enterprise firewall management, the problem has grown from managing one enterprise firewall to managing tens, hundreds, scores, or thousands of remote network firewalls running on tens, hundreds, scores, or thousands of employee machines at home, in satellite locations, customer sites, or wherever enterprise requirements take them. THE STRATEGY The correct remote access strategy should provide secure, encrypted, authentication of all users, whether wireless or wireline (including centralized Network Operations Center (NOC)-level management and control of all remote and wireless network firewalls) — or whether down the hall or around the world. In addition, the correct remote access strategy software should securely extend enterprise networks to extreme locations. Secure Access with Authentication Remote access strategy should also develop software that provides access control and security for all network “edges” — remote networks, wireless access, and unsecured walljacks within enterprise buildings. A single 160
AU1253_ch14_Frame Page 161 Saturday, October 26, 2002 4:36 PM
Choosing A Remote Access Strategy enabled appliance should be able to control access to one or more wireless access points, desktops, laptops, or other Internet-ready devices. This ensures that every user attempting network access is “hijacked” to a captive portal and forced to authenticate by identifying themselves prior to gaining access. Once the user is identified, the software should be able to route and connect the user to the desired network resources based on “level-of-service” markings placed on every packet. In effect, the software should dynamically build a custom firewall for every user or class of user on the enterprise network — whether inside or outside of the physical corporate location. Support There should also be support for multiple remote networks and locations; wired and wireless; leased line and Internet Service Provider (ISP)-provisioned digital subscriber line (DSL) and cable; static; dynamic; and Pointto-Point Protocol over Ethernet (PPPoE)-assigned Internet Protocol (IP) addresses. For wired and wireless networks at remote enterprise locations connected to each other and headquarters via the Internet, remote access strategy should provide a centrally managed firewall infrastructure that protects the remote networks and controls access to the enterprise VPN — reducing vulnerability to U-Turn attacks. A single remote access strategy should also provide Internet and wireless access for the entire remote location, ensuring a secure, centrally managed connection to the headquarters enterprise intranet. This can be done using inexpensive cable and DSL Internet services typically priced at $40 per month as opposed to costly leased-line connections that can run into the thousands of dollars per location. Centralized Management Finally, remote access strategy should also be able to provide centralized management of all remote corporate firewalls and network access to ensure global enforcement of enterprise security policies. In other words, remote access strategy management software should be able to centrally manage and coordinate all remote and wireless networks of any scale, domestic and international, connected via leased-line and public access Internet service provided by multiple ISPs using static, dynamic, or PPPoE-assigned IP addresses. It should enable single-command enforcement of new security policies and remote firewall coordination across a far ranging network. The remote access strategy enterprise software package should also be able to run inside the main enterprise firewall and provide monitoring and access to all powered appliances. CONCLUSION AND SUMMARY As enterprise workforces are increasingly distributed across the globe, connecting remote employees to the enterprise network is quickly becoming a 161
AU1253_ch14_Frame Page 162 Saturday, October 26, 2002 4:36 PM
TECHNOLOGY necessity to remain competitive. The financial and productivity benefits of traditional dial remote access solutions are well understood but far from optimal. Today, IT managers have a variety of other remote access strategies to choose from. Finally, due to the high cost of owning and maintaining traditional dial solutions, more companies are changing their capital investment strategy and are purchasing virtual private networking solutions. As a result, dial remote access server and concentrator deployments are rapidly declining, while VPN is seeing significant growth. Today, a winning remote access strategy is one that integrates VPN technology into an existing dial remote access solution. With the preceding in mind, it is hoped that the information contained in this chapter has helped the reader navigate the implementation process and choose a more appropriate remote access strategy.
162
AU1253_ch15_Frame Page 163 Saturday, October 26, 2002 4:37 PM
Unit 3
Security
AU1253_ch15_Frame Page 164 Saturday, October 26, 2002 4:37 PM
AU1253_ch15_Frame Page 165 Saturday, October 26, 2002 4:37 PM
Chapter 15
An Introduction to Secure Remote Access Christina M. Bird
In the last decade, the problem of establishing and controlling remote access to corporate networks has become one of the most difficult issues facing network administrators and information security professionals. As information-based businesses become a larger and larger fraction of the global economy, the nature of “business” itself changes. “Work” used to take place in a well-defined location — such as a factory, an office, or a store — at well-defined times, between relatively organized hierarchies of employees. But now, “work” happens everywhere: all over the world, around the clock, between employees, consultants, vendors, and customer representatives. An employee can be productive working with a personal computer and a modem in his living room, without an assembly line, a filing cabinet, or a manager in sight. The Internet’s broad acceptance as a communications tool in business and personal life has introduced the concept of remote access to a new group of computer users. They expect the speed and simplicity of Internet access to translate to their work environment as well. Traveling employees want their private network connectivity to work as seamlessly from their hotel room as if they were in their home office. This increases the demand for reliable and efficient corporate remote access systems, often within organizations for whom networking is tangential at best to the core business. The explosion of computer users within a private network — now encompassing not only corporate employees in the office, but also telecommuters, consultants, business partners, and clients — makes the design and implementation of secure remote access even tougher. In the simplest local area networks (LANs), all users have unrestricted access to all resources on the network. Sometimes, granular access control is provided at the host computer level by restricting log-in privileges. But in 0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
165
AU1253_ch15_Frame Page 166 Saturday, October 26, 2002 4:37 PM
SECURITY most real-world environments, access to different kinds of data — such as accounting, human resources, or research and development — must be restricted to limited groups of people. These restrictions may be provided by physically isolating resources on the network or through logical mechanisms (including router access control lists and stricter firewall technologies). Physical isolation, in particular, offers considerable protection to network resources, and sometimes develops without a deliberate network security strategy. Connections to remote employees, consultants, branch offices, and business par tner networks make communications between and within a company extremely efficient; but they expose corporate networks and sensitive data to a wide, potentially untrusted population of users, and a new level of vulnerability. Allowing nonemployees to use confidential information creates stringent requirements for data classification and access control. Managing a network infrastructure to enforce a corporate security policy for nonemployees is a new challenge for most network administrators and security managers. Security policy must be tailored to facilitate the organization’s reasonable business requirements for remote access. At the same time, policies and procedures help minimize the chances that improved connectivity will translate into compromise of data confidentiality, integrity, and availability on the corporate network. Similarly, branch offices and customer support groups also demand costeffective, robust, and secure network connections. This chapter discusses general design goals for a corporate remote access architecture, common remote access implementations, and the use of the Internet to provide secure remote access through the use of virtual private networks (VPNs). SECURITY GOALS FOR REMOTE ACCESS All remote access systems are designed to establish connectivity to privately maintained computer resources, subject to appropriate security policies, for legitimate users and sites located away from the main corporate campus. Many such systems exist, each with its own set of strengths and weaknesses. However, in a network environment in which the protection of confidentiality, data integrity, and availability is paramount, a secure remote access system possesses the following features: • Reliable authentication of users and systems • Easy-to-manage, granular control of access to particular computer systems, files, and other network resources • Protection of confidential data • Logging and auditing of system utilization • Transparent reproduction of the workplace environment • Connectivity to a maximum number of remote users and locations • Minimal costs for equipment, network connectivity, and support 166
AU1253_ch15_Frame Page 167 Saturday, October 26, 2002 4:37 PM
An Introduction to Secure Remote Access RELIABLE AUTHENTICATION OF REMOTE USERS/HOSTS It seems obvious, but it is worth emphasizing that the main difference between computer users in the office and remote users is that remote users are not there. Even in a small organization, with minimal security requirements, many informal authentication processes take place throughout the day. Co-workers recognize each other and have an understanding about who is supposed to be using particular systems throughout the office. Similarly, they may provide a rudimentary access control mechanism if they pay attention to who is going in and out of the company’s server room. In corporations with higher security requirements, the physical presence of an employee or a computer provides many opportunities — technological and otherwise — for identification, authentication, and access control mechanisms to be employed throughout the campus. These include security guards, photographic employee ID cards, and keyless entry to secured areas, among many other tools. When users are not physically present, the problem of accurate identification and authentication becomes paramount. The identity of network users is the basis for assignment of all system access privileges that will be granted over a remote connection. When the network user is a traveling salesman 1500 miles away from corporate headquarters, accessing internal price lists and databases — a branch office housing a company’s research and development organization — or a business partner with potential competitive interest in the company, reliable verification of identity allows a security administrator to grant access on a need-to-know basis within the network. If an attacker can present a seemingly legitimate identity, then that attacker can gain all of the access privileges that go along with it. A secure remote access system supports a variety of strong authentication mechanisms for human users and digital certificates to verify identities of machines and gateways for branch offices and business partners. Granular Access Control A good remote access system provides flexible control over the network systems and resources that may be accessed by an off-site user. Administrators must have fine-grain control to grant access for all appropriate business purposes while denying access for everything else. This allows management of a variety of access policies based on trust relationships with different types of users (employees, third-party contractors, etc.). The access control system must be flexible enough to support the organization’s security requirements and easily modified when policies or personnel change. The remote access system should scale gracefully and 167
AU1253_ch15_Frame Page 168 Saturday, October 26, 2002 4:37 PM
SECURITY enable the company to implement more complex policies as access requirements evolve. Access control systems can be composed of a variety of mechanisms, including network-based access control lists, static routes, and host system- and application-based access filters. Administrative interfaces can support templates and user groups, machines, and networks to help manage multiple access policies. These controls can be provided, to varying degrees, by firewalls, routers, remote access servers, and authentication servers. They can be deployed at the perimeter of a network as well as internally, if security policy so demands. The introduction of the remote access system should not be disruptive to the security infrastructure already in place in the corporate network. If an organization has already implemented user- or directory-based security controls (e.g., based on Novell’s Netware Directory Service or Windows NT domains), a remote access system that integrates with those controls will leverage the company’s investment and experience. Protection of Confidential Data Remote access systems that use public or semiprivate network infrastructure (including the Internet and the public telephone network) provide lots of opportunities for private data to fall into unexpected hands. The Internet is the most widely known public network, but it is hardly the only one. Even private frame relay connections and remote dial-up subscription services (offered by many telecommunications providers) transport data from a variety of locations and organizations on the same physical circuits. Frame relay sniffers are commodity network devices allowing network administrators to examine traffic over private virtual circuits, and they allow a surprising amount of eavesdropping between purportedly secure connections. Reports of packet leaks on these systems are relatively common on security mailing lists like BUGTRAQ and Firewall-Wizards. Threats that are commonly acknowledged on the Internet also apply to other large networks and network services. Thus, even on nominally private remote access systems — modem banks and telephone lines, cable modem connections, frame relay circuits — security-conscious managers will use equipment that performs strong encryption and per-packet authentication. Logging and Auditing of System Utilization Strong authentication, encryption, and access control are important mechanisms for the protection of corporate data. But sooner or later, every network experiences accidental or deliberate disruptions, from system failures (either hardware or software), human error, or attack. Keeping 168
AU1253_ch15_Frame Page 169 Saturday, October 26, 2002 4:37 PM
An Introduction to Secure Remote Access detailed logs of system utilization helps to troubleshoot system failures. If troubleshooting demonstrates that a network problem was deliberately caused, audit information is critical for tracking down the perpetrator. One’s corporate security policy is only as good as one’s ability to associate users with individual actions on the remote access system — if one cannot tell who did what, then one cannot tell who is breaking the rules. Unfortunately, most remote access equipment performs rudimentary logging, at best. In most cases, call-level auditing — storing username, start time, and duration of call — is recorded, but there is little information available about what the remote user is actually doing. If the corporate environment requires more stringent audit trails, one will probably have to design custom audit systems. Transparent Reproduction of the Workplace Environment For telecommuters and road warriors, remote access should provide the same level of connectivity and functionality that they would enjoy if they were physically in their offices. Branch offices should have the same access to corporate headquarters networks as the central campus. If the internal network is freely accessible to employees at work, then remote employees will expect the same degree of access. If the internal network is subject to physical or logical security constraints, then the remote access system should enable those constraints to be enforced. If full functionality is not available to remote systems, priority must be given to the most businesscritical resources and applications, or people will not use it. Providing transparent connectivity can be more challenging than it sounds. Even within a small organization, personal work habits differ widely from employee to employee, and predicting how those differences might affect use of remote access is problematic. For example, consider access to data files stored on a UNIX file server. Employees with UNIX workstations use the Network File Service (NFS) Protocol to access those files. NFS requires its own particular set of network connections, server configurations, and security settings in order to function properly. Employees with Windows-based workstations probably use the Server Message Bus (SMB) protocol to access the same files. SMB requires its own set of configuration files and security tuning. If the corporate remote access system fails to transport NFS and SMB traffic as expected, or does not handle them at all, remote employees will be forced to change their day-to-day work processes. Connectivity to Remote Users and Locations A robust and cost-effective remote access system supports connections over a variety of mechanisms, including telephone lines, persistent private network connections, dial-on-demand network connections, and the Internet. 169
AU1253_ch15_Frame Page 170 Saturday, October 26, 2002 4:37 PM
SECURITY This allows the remote access architecture to maintain its usefulness as network infrastructure evolves, whether or not all connectivity mechanisms are being used at any given time. Support for multiple styles of connectivity builds a framework for access into the corporate network from a variety of locations: hotels, homes, branch offices, business partners, and client sites, domestic or international. This flexibility also simplifies the task of adding redundancy and performance-tuning capabilities to the system. The majority of currently deployed remote access systems, at least for employee and client-to-server remote connectivity, utilize TCP/IP as their network protocol. A smaller fraction continues to require support for IPX, NetBIOS/NetBEUI, and other LAN protocols; even fewer support SNA, DECNet, and older services. TCP/IP offers the advantage of support within most modern computer operating systems; most corporate applications either use TCP/IP as their network protocol or allow their traffic to be encapsulated over TCP/IP networks. This chapter concentrates on TCP/IP-based remote access and its particular set of security concerns. Minimize Costs A good remote access solution will minimize the costs of hardware, network utilization, and support personnel. Note, of course, that the determination of appropriate expenditures for remote access, reasonable return on investment, and appropriate personnel budgets differs from organization to organization, and depends on factors including sensitivity to loss of resources, corporate expertise in network and security design, and possible regulatory issues depending on industry. In any remote access implementation, the single highest contribution to overall cost is incurred through payments for persistent circuits, whether telephone capacity, private network connections, or access to the Internet. Business requirements will dictate the required combination of circuit types, typically based on the expected locations of remote users, the number of LAN-to-LAN connections required, and expectations for throughput and simultaneous connections. One-time charges for equipment, software, and installation are rarely primary differentiators between remote access architectures, especially in a high-security environment. However, to fairly judge between remote access options, as well as to plan for future growth, consider the following components in any cost estimates: • • • • • 170
One-time hardware and software costs Installation charges Maintenance and upgrade costs Network and telephone circuits Personnel required for installation and day-to-day administration
AU1253_ch15_Frame Page 171 Saturday, October 26, 2002 4:37 PM
An Introduction to Secure Remote Access Not all remote access architectures will meet an organization’s business requirements with a minimum of money and effort, so planning in the initial stages is critical. At the time of this writing, Internet access for individuals is relatively inexpensive, especially compared to the cost of long-distance telephone charges. As long as home Internet access cost is based on a monthly flat fee rather than per-use calculations, use of the Internet to provide individual remote access, especially for traveling employees, will remain economically compelling. Depending on an organization’s overall Internet strategy, replacing private network connections between branch offices and headquarters with secured Internet connections may result in savings of one third to one half over the course of a couple of years. This huge drop in cost for remote access is often the primary motivation for the evaluation of secure VPNs as a corporate remote access infrastructure. But note that if an organization does not already have technical staff experienced in the deployment of Internet networks and security systems, the perceived savings in terms of ongoing circuit costs can easily be lost in the attempt to hire and train administrative personnel. It is the security architect’s responsibility to evaluate remote access infrastructures in light of these requirements. Remote access equipment and service providers will provide information on the performance of their equipment, expected administrative and maintenance requirements, and pricing. It is necessary to review pricing on telephone and network connectivity regularly; the telecommunications market changes rapidly and access costs are extremely sensitive to a variety of factors, including geography, volume of voice/data communications, and the likelihood of corporate mergers. A good remote access system is scalable, cost-effective, and easy to support. Scalability issues include increasing capacity on the remote access servers (the gateways into the private network), through hardware and software enhancements; increasing network bandwidth (data or telephone lines) into the private network; and maintaining staff to support the infrastructure and the remote users. If the system will be used to provide mission-critical connectivity, then it needs to be designed with reliable, measurable throughput and redundancy from the earliest stages of deployment. Backup methods of remote access will be required from every location at which mission-critical connections will originate. Remember that not every remote access system necessarily possesses (or requires) each of these attributes. Within any given corporate environment, security decisions are based on preexisting policies, perceived threat, potential losses, and regulatory requirements — and remote access decisions, like all else, will be specific to a particular organization and its networking requirements. An organization supporting a team of 30 to 40 traveling sales staff, with a relatively constant employee population, has 171
AU1253_ch15_Frame Page 172 Saturday, October 26, 2002 4:37 PM
SECURITY minimal requirements for flexibility and scalability, especially since the remote users are all trusted employees and only one security policy applies. A large organization with multiple locations, five or six business partners, and a sizable population of consultants probably requires different levels of remote access. Employee turnover and changing business conditions also demand increased manageability from the remote access servers, which will probably need to enforce multiple security policies and access control requirements simultaneously. REMOTE ACCESS MECHANISMS Remote access architectures fall into three general categories: 1. Remote user access via analog modems and the public telephone network 2. Access via dedicated network connections, persistent or on-demand 3. Access via public network infrastructures such as the Internet Telephones. Telephones and analog modems have been providing remote access to computer resources for the last two decades. A user, typically at home or in a hotel room, connects his or her computer to a standard telephone outlet, and establishes a point-to-point connection to a network access server (NAS) at the corporate location. The NAS is responsible for performing user authentication, access control, and accounting, as well as maintaining connectivity while the phone connection is live. This model benefits from low end-user cost (phone charges are typically very low for local calls, and usually covered by the employer for long-distance tolls) and familiarity.
Modems are generally easy to use, at least in locations with pervasive access to phone lines. Modem-based connectivity is more limiting if remote access is required from business locations which may not be willing to allow essentially unrestricted outbound access from their facilities. But disadvantages are plentiful. Not all telephone systems are created equal. In areas with older phone networks, electrical interference or loss of signal may prevent the remote computer from establishing a reliable connection to the NAS. Even after a connection is established, some network applications (particularly time-sensitive services such as multimedia packages and applications that are sensitive to network latency) may fail if the rate of data throughput is low. These issues are nearly impossible to resolve or control from corporate headquarters. Modem technology changes rapidly, requiring frequent and potentially expensive maintenance of equipment. And network access servers are popular targets for hostile action because they provide a single point of entrance to the private network — a gateway that is frequently poorly protected. 172
AU1253_ch15_Frame Page 173 Saturday, October 26, 2002 4:37 PM
An Introduction to Secure Remote Access Dedicated Network Connections. Branch office connectivity — network connections for remote corporate locations — and business partner connections are frequently met using dedicated private network circuits. Dedicated network connections are offered by most of the major telecommunications providers. They are generally deemed to be the safest way of connecting multiple locations because the only network traffic they carry “belongs” to the same organization.
Private network connections fall into two categories: dedicated circuits and frame relay circuits. Dedicated circuits are the most private, as they provide an isolated physical circuit for their subscribers (hence, the name). The only data on a dedicated link belongs to the subscribing organization. An attacker can subvert a dedicated circuit infrastructure only by attacking the telecommunications provider itself. This offers substantial protection. But remember that telco attacks are the oldest in the hacker lexicon — most mechanisms that facilitate access to voice lines work on data circuits as well because the physical infrastructure is the same. For high-security environments, such as financial institutions, strong authentication and encryption are required even over private network connections. Frame relay connections provide private bandwidth over a shared physical infrastructure by encapsulating traffic in frames. The frame header contains addressing information to get the traffic to its destination reliably. But the use of shared physical circuitry reduces the security of frame relay connections relative to dedicated circuits. Packet leak between frame circuits is well documented, and devices that eavesdrop onframe relay circuits are expensive but readily available. To mitigate these risks, many vendors provide frame relay-specific hardware that encrypts packet payload, protecting it against leaks and sniffing, but leaving the frame headers alone. The security of private network connections comes at a price, of course — subscription rates for private connections are typically two to five times higher than connections to the Internet, although discounts for high volume use can be significant. Deployment in isolated areas is challenging if telecommunications providers fail to provide the required equipment in those areas. Internet-Based Remote Access. The most cost-effective way to provide access into a corporate network is to take advantage of shared network infrastructure whenever feasible. The Internet provides ubiquitous, easyto-use, inexpensive connectivity. However, important network reliability and security issues must be addressed.
Internet-based remote user connectivity and wide area networks are much less expensive than in-house modem banks and dedicated network 173
AU1253_ch15_Frame Page 174 Saturday, October 26, 2002 4:37 PM
SECURITY circuits, both in terms of direct charges and in equipment maintenance and ongoing support. Most importantly, ISPs manage modems and dial-in servers, reducing the support load and upgrade costs on the corporate network/ telecommunications group. Of course, securing private network communications over the Internet is a paramount consideration. Most TCP/IP protocols are designed to carry data in cleartext, making communications vulnerable to eavesdropping attacks. Lack of IP authentication mechanisms facilitates session hijacking and unauthorized data modification (while data is in transit). A corporate presence on the Internet may open private computer resources to denialof-service attacks, thereby reducing system availability. Ongoing development of next-generation Internet protocols, especially IPSec, will address many of these issues. IPSec adds per-packet authentication, payload verification, and encryption mechanisms to traditional IP. Until it becomes broadly implemented, private security systems must explicitly protect sensitive traffic against these attacks. Internet connectivity may be significantly less reliable than dedicated network links. Troubleshooting Internet problems can be frustrating, especially if an organization has typically managed its wide area network (WAN) connections in-house. The lack of any centralized authority on the Internet means that resolving service issues, including packet loss, higher than expected latency, and loss of packet exchange between backbone Internet providers, can be time consuming. Recognizing this concern, many of the national ISPs are beginning to offer “business class” Internet connectivity, which provides service-level agreements and improved monitoring tools (at a greater cost) for business-critical connections. Given mechanisms to ensure some minimum level of connectivity and throughput, depending on business requirements, VPN technology can be used to improve the security of Internet-based remote access. For the purposes of this discussion, a VPN is a group of two or more privately owned and managed computer systems that communicates “securely” over a public network (see Exhibit 1). Security features differ from implementation to implementation, but most security experts agree that VPNs include encryption of data, strong authentication of remote users and hosts, and mechanisms for hiding or masking information about the private network topology from potential attackers on the public network. Data in transmission is encrypted between the remote node and the corporate server, preserving data confidentiality and integrity. Digital signatures verify that data has not been modified. Remote users and hosts are subject to strong authentication and authorization mechanisms, including one-time password generators and digital certificates. These help to guarantee that only appropriate personnel can access and modify corporate data. VPNs can prevent private 174
AU1253_ch15_Frame Page 175 Saturday, October 26, 2002 4:37 PM
An Introduction to Secure Remote Access
Exhibit 1.
Remote User VPN
network addresses from being propagated over the public network, thus hiding potential target machines from attackers attempting to disrupt service. In most cases, VPN technology is deployed over the Internet (see Exhibit 2), but there are other situations in which VPNs can greatly enhance the security of remote access. An organization may have employees working at a business partner location or a client site, with a dedicated private network circuit back to the home campus. The organization may choose to employ a VPN application to connect its own employees back into their home network — protecting sensitive data from potential eavesdropping on the business partner network. In general, whenever a connection is built between a private network and an entity over which the organization has no administrative or managerial control, VPN technology provides valuable protection against data compromise and loss of system integrity. When properly implemented, VPNs provide granular access control, accountability, predictability, and robustness at least equal to that provided by modem-based access or Frame relay circuits. In many cases, because network security has been a consideration throughout the design of VPN products, they provide a higher level of control, auditing capability, and flexibility than any other remote access technology. 175
AU1253_ch15_Frame Page 176 Saturday, October 26, 2002 4:37 PM
SECURITY
Exhibit 2.
Intranet WAN over VPN
VIRTUAL PRIVATE NETWORKS The term “virtual private network” is used to mean many different things. An assortment of different products are marketed as VPNs but offer widely varying functionality. In the most general sense, a VPN allows remote sites to communicate as if their networks were directly connected. VPNs also enable multiple independent networks to operate over a common infrastructure. The VPN is implemented as part of the system’s networking. That is, ordinary programs like Web servers and e-mail clients see no difference between connections across a physical network and connections across a VPN. VPN technologies fall into a variety of categories, each designed to address distinct sets of concerns. VPNs designed for secure remote access implement cryptographic technology to ensure the confidentiality, authenticity, and integrity of traffic carried on the VPN. These are sometimes referred to as secure VPNs or crypto VPNs. In this context, private suggests confidentiality and has specific security implications: namely, that the data will be encoded so as to be unreadable, and unmodified, by unauthorized parties. Some VPN products are aimed at network service providers. These service providers — including AT&T, UUNET, and MCI/Sprint, to name only 176
AU1253_ch15_Frame Page 177 Saturday, October 26, 2002 4:37 PM
An Introduction to Secure Remote Access a few — built and maintain large telecommunications networks, using infrastructure technologies like frame relay and ATM. The telecom providers manage large IP networks based on this private infrastructure. For them, the ability to manage multiple IP networks using a single infrastructure might be called a VPN. Some network equipment vendors offer products for this purpose and call them VPNs. When a network service provider offers this kind of service to an enterprise customer, it is marketed as equivalent to a private, leasedline network in terms of security and performance. The fact that it is implemented over an ATM or frame relay infrastructure does not matter to the customer and is rarely made apparent. These so-called VPN products are designed for maintenance of telecom infrastructure, not for encapsulating private traffic over public networks like the Internet, and are therefore addressing a different problem. In this context, the private aspect of a VPN refers only to network routing and traffic management. It does not imply the use of security mechanisms such as encryption or strong authentication. Adding further confusion to the plethora of definitions, many telecommunications providers offer subscription dial-up services to corporate customers. These services are billed as “private network access” to the enterprise computer network. They are less expensive for the organization to manage and maintain than in-house access servers because the telecom provider owns the telephone circuits and network access equipment. But let the buyer beware. Although the providers tout the security and privacy of the subscription services, the technological mechanisms provided to help guarantee privacy are often minimal. The private network points-ofpresence in metropolitan areas that provide local telephone access to the corporate network are typically co-located with the provider’s Internet access equipment, sometimes running over the same physical infrastructure. Thus, the security risks are often equivalent to using a bare-bones Internet connection for corporate access, often without much ability for customers to monitor security configurations and network utilization. Two years ago, the services did not encrypt private traffic. After much criticism, service providers are beginning to deploy cryptographic equipment to remedy this weakness. Prospective customers are well advised to question providers on the security and accounting within their service. The security considerations that apply to applications and hardware employed within an organization apply to network service providers as well and are often far more difficult to evaluate. Only someone familiar with a company’s security environment and expectations can determine whether or not they are supported by a particular service provider’s capabilities.
177
AU1253_ch15_Frame Page 178 Saturday, October 26, 2002 4:37 PM
SECURITY SELECTING A REMOTE ACCESS SYSTEM For organizations with small, relatively stable groups of remote users (whether employees or branch offices), the cost benefits of VPN deployment are probably minimal relative to the traditional remote access methods. However, for dynamic user populations, complex security policies, and expanding business partnerships, VPN technology can simplify management and reduce expenses: • VPNs enable traveling employees to access the corporate network over the Internet. By using remote sites’ existing Internet connections where available, and by dialing into a local ISP for individual access, expensive long-distance charges can be avoided. • VPNs allow employees working at customer sites, business partners, hotels, and other untrusted locations to access a corporate network safely over dedicated, private connections. • VPNs allow an organization to provide customer support to clients using the Internet while minimizing risks to the client’s computer networks. • VPNs can facilitate limited, highly controlled access to a corporate network for consultants, support technicians, and other nontraditional users. For complex security environments requiring the simultaneous support of multiple levels of access to corporate servers, VPNs are ideal. Most VPN systems interoperate with a variety of perimeter security devices such as firewalls. VPNs can utilize many different central authentication and auditing servers, simplifying management of the remote user population. Authentication, authorization, and accounting (AAA) servers can also provide granular assignment of access to internal systems. Of course, all this flexibility requires careful design and testing — but the benefits of the initial learning curve and implementation effort are enormous. Despite the flexibility and cost advantages of using VPNs, they may not be appropriate in some situations; for example: • VPNs reduce costs by leveraging existing Internet connections. If remote users, branch offices, or business partners lack adequate access to the Internet, then this advantage is lost. • If the required applications rely on non-IP traffic, such as SNA or IPX, then the VPNs are more complex. Either the VPN clients and servers must support the non-IP protocols, or IP gateways (translation devices) must be included in the design. The cost and complexity of maintaining gateways in one’s network must be weighed against alternatives like dedicated frame relay circuits, which can support a variety of non-IP communications.
178
AU1253_ch15_Frame Page 179 Saturday, October 26, 2002 4:37 PM
An Introduction to Secure Remote Access • In some industries and within some organizations, the use of the Internet for transmission of private data is forbidden. For example, the federal Health Care Finance Administration does not allow the Internet to be used for transmission of patient identifiable Medicare data (at the time of this writing). However, even within a private network, highly sensitive data in transmission may be best protected through the use of cryptographic VPN technology, especially bulk encryption of data and strong authentication/digital certificates. REMOTE ACCESS POLICY A formal security policy sets the goals and ground rules for all of the technical, financial, and logistical decisions involved in solving the remote access problem (and in the day-to-day management of all IT resources). Computer security policies generally form only a subset of an organization’s overall security framework; other areas include employee identification mechanisms, access to sensitive corporate locations and resources, hiring and termination procedures, etc. Few information security managers or auditors believe that their organizations have well-documented policies. Configurations, resources, and executive philosophy change so regularly that maintaining up-to-date documentation can be prohibitive. But the most effective security policies define expectations for the use of computing resources within the company and for the behavior of users, operations staff, and managers on those computer systems. They are built on the consensus of system administrators, executives, and legal and regulatory authorities within the organization. Most importantly, they have clear management support and are enforced fairly and evenly throughout the employee population. Although the anatomy of a security policy varies from company to company, it typically includes several components: • A concisely stated purpose defines the security issue under discussion and introduces the rest of the document. • The scope states the intended audience for the policy, as well as the chain of oversight and authority for enforcement. • The introduction provides background information for the policy, and its cultural, technical, and economic motivators. • Usage expectations include the responsibilities and privileges with regard to the resource under discussion. This section should include an explicit statement of the corporate ownership of the resource. • The final component covers system auditing and violation of policy: an explicit statement of an employee’s right to privacy on corporate systems, appropriate use of ongoing system monitoring, and disciplinary action should a violation be detected.
179
AU1253_ch15_Frame Page 180 Saturday, October 26, 2002 4:37 PM
SECURITY Within the context of remote access, the scope needs to address which employees qualify for remote access to the corporate network. It may be tempting to give access to everyone who is a “trusted” user of the local network. However, need ought to be justified on a case-by-case basis, to help minimize the risk of inappropriate access. A sample remote access policy is included in Exhibit 3. Another important issue related to security policy and enforcement is ongoing, end-user education. Remote users require specific training, dealing with the appropriate use of remote connectivity; awareness of computer security risks in homes, hotels, and customer locations, especially related to unauthorized use and disclosure of confidential information; and the consequences of security breaches within the remote access system.
180
AU1253_ch15_Frame Page 181 Saturday, October 26, 2002 4:37 PM
An Introduction to Secure Remote Access Exhibit 3.
Sample Remote Access Policy
Purpose of Policy. This policy was created to define expectations for use of the corporate remote access server (including access via the modem bank and access via the Internet); to establish policies for accounting and auditing of remote access use; and to determine the chain of responsibility for misuse of the remote access privilege. Intended Audience. This document is provided as a guideline to all employees requesting access to corporate network computing resources from noncorporate locations. Introduction. Company X provides access to its corporate computing environment for telecommuters and traveling employees. This remote connectivity provides convenient access into the business network and facilitates long-distance work. But it also introduces risk to corporate systems: risk of inappropriate access, unauthorized data modification, and loss of confidentiality if security is compromised. For this reason, Company X provides the following standards for use of the remote access system. All use of the Company X remote access system implies knowledge of and compliance with this policy. Requirements for Remote Access. An employee requesting remote access to the Company X computer network must complete the Remote Access Agreement, available on the internal Web server or from the Human Resources group. The form includes the following information: employee’s name and log-in ID; job title, organizational unit, and direct manager; justification for the remote access; and a copy of remote user responsibilities. After completing the form, and acknowledging acceptance of the usage policy, the employee must obtain the manager’s signature and send the form to the Help Desk. NO access will be granted unless all fields are complete. The Human Resources group will be responsible for annually reviewing ongoing remote access for employees. This review verifies that the person is still employed by Company X and that their role still qualifies them for use of the remote access system. Human Resources is also responsible for informing the IT/Operations group of employee terminations within one working day of the effective date of termination. IT/Operations is responsible for maintaining the modembased and Internet-based remote access systems; maintaining the user authentication and authorization servers; and auditing use of the remote access system (recording start and end times of access and user IDs for chargeback accounting to the appropriate organizational units). Remote access users are held ultimately responsible for the use of their system accounts. The user must protect the integrity of Company X resources by safeguarding modem telephone numbers, log-in processes and startup scripts; by maintaining their strong authentication tokens in their own possession at all times; and by NOT connecting their remote computers to other private networks at the same time that the Company X connection is active. [This provision does not include private networks maintained solely by the employee within their own home, so long as the home network does not contain independent connections to the Internet or other private (corporate) environments.] Use of another employee’s authentication token, or loan of a personal token to another individual, is strictly forbidden. Unspecified actions that may compromise the security of Company X computer resources are also forbidden. IT/Operations will maintain ongoing network monitoring to verify that the remote access system is being used appropriately. Any employee who suspects that the remote access system is being misused is required to report the misuse to the Help Desk immediately. Violation of this policy will result in disciplinary action, up to and including termination of employment or criminal prosecution.
181
AU1253_ch15_Frame Page 182 Saturday, October 26, 2002 4:37 PM
AU1253_ch16_Frame Page 183 Saturday, October 26, 2002 4:38 PM
Chapter 16
Centralized Authentication Services Bill Stackpole
RADIUS, TACACS, and DIAMETER are classified as authentication, authorization, and accounting (AAA) servers. The Internet Engineering Task Force (IETF) chartered an AAA Working Group in 1998 to develop the authentication, authorization, and accounting requirements for network access. The goal was to produce a base protocol that supported a number of different network access models, including traditional dial-in network access servers (NAS), Mobile-IP, and roaming operations (ROAMOPS). The group was to build upon the work of existing access providers like Livingston Enterprises. Livingston Enterprises (now part of Lucent Technologies) originally developed remote authentication dial-in user service (RADIUS) for their line of NAS to assist timeshare and Internet service providers (ISPs) with billing information consolidation and connection configuration. Livingston based RADIUS on the IETF distributed security model and actively promoted it through the IETF Network Access Server Requirements Working Group in the early 1990s. The client/server design was created to be open and extensible so it could be easily adapted to work with other third-party products. At this writing, RADIUS version 2 was a proposed IETF standard managed by the RADIUS Working Group. The origin of the Terminal Access Controller Access Control System (TACACS) daemon used in the early days of ARPANET is unknown. Cisco Systems adopted the protocol to support AAA services on its products in the early 1990s. Cisco extended the protocol to enhance security and support additional types of authentication requests and response codes. They named the new protocol TACACS+. The current version of the TACACS specification is a proposed IETF Standard (RFC 1492) managed by the Network Working Group. It was developed with the assistance of Cisco Systems. 0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
183
AU1253_ch16_Frame Page 184 Saturday, October 26, 2002 4:38 PM
SECURITY Pat Calhoun (Sun Laboratories) and Allan Rubens (Ascend Communications) proposed the DIAMETER AAA framework as a draft standard to the IETF in 1998. The name DIAMETER is not an acronym but rather a play on the RADIUS name. DIAMETER was designed from the ground up to support roaming applications and to overcoming the extension limitations of the RADIUS and TACACS protocols. It provides the base protocols required to support any number of AAA extensions, including NAS, Mobile-IP, host, application, and Web-based requirements. At the time of this writing, DIAMETER consisted of eight IETF draft proposals, authored by twelve different contributors from Sun, Microsoft, Cisco, Nortel, and others. Pat Calhoun continues to coordinate the DIAMETER effort. AAA 101: KEY FEATURES OF AN AAA SERVICE The key features of a centralized AAA service include: • • • •
A distributed (client/server) security model Authenticated transactions Flexible authentication mechanisms An extensible protocol
Distributed security separates the authentication process from the communications process, making it possible to consolidate user authentication information into a single centralized database. The network access devices (i.e., a NAS) are the clients. They pass user information to an AAA server and act upon the response(s) the server returns. The servers receive user connection requests, authenticate the user, and return to the client NAS the configuration information required to deliver services to the user. The returned information may include transport and protocol parameters, additional authentication requirements (i.e., callback, SecureID), authorization directives (i.e., services allowed, filters to apply), and accounting requirements (Exhibit 1). Transmissions between the client and server are authenticated to ensure the integrity of the transactions. Sensitive information (e.g., passwords) is encrypted using a shared secret key to ensure confidentiality and prevent passwords and other authentication information from being monitored or captured during transmission. This is particularly important when the data travels across public carrier (e.g., WAN) links. AAA servers can support a variety of authentication mechanisms. This flexibility is a key AAA feature. User access can be authenticated using PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), the standard UNIX login process, or the server can act as a proxy and forward the authentication to other mechanisms like a Microsoft domain controller, a Novell NDS server, or a SecureID ACE server. Some AAA server implementations use additional mechanisms 184
AU1253_ch16_Frame Page 185 Saturday, October 26, 2002 4:38 PM
Centralized Authentication Services
Exhibit 1.
Key Features of a Centralized AAA Service
like calling number identification (caller ID) and callback to further secure connections. Because technology changes so rapidly, AAA servers are designed with extensible protocols. RADIUS, DIAMETER, and TACACS use variable-length attribute values designed to support any number of new parameters without disturbing existing implementations of the protocol. DIAMETER’s framework approach provides additional extensibility by standardizing a transport mechanism (framework) that can support any number of customized AAA modules. From a management perspective, AAA servers provide the following significant advantages: • Reduced user setup and maintenance times because users are maintained on a single host • Fewer configuration errors because formats are similar across multiple access devices • Less security administrator training requirements because there is only one system syntax to learn • Better auditing because all login and authentication requests come through a single system • Reduced help desk calls because the user interface is consistent across all access methods • Quicker proliferation of access information because information only needs to be replicated to a limited number of AAA servers • Enhanced security support through the use of additional authentication mechanisms (i.e., SecureID) • Extensible design makes it easy to add new devices without disturbing existing configurations 185
AU1253_ch16_Frame Page 186 Saturday, October 26, 2002 4:38 PM
SECURITY RADIUS: REMOTE AUTHENTICATION DIAL-IN USER SERVICE RADIUS is by far the most popular AAA service in use today. Its popularity can be attributed to Livingston’s decision to open the distribution of the RADIUS source code. Users were quick to port the service across multiple platforms and add customized features, many of which Livingston incorporated as standard features in later releases. Today, versions of the RADIUS server are available for every major operating system from both freeware and commercial sources, and the RADIUS client comes standard on NAS products from every major vendor. A basic RADIUS server implementation references two configuration files. The client configuration file contains the address of the client and the shared secret used to authenticate transactions. The user file contains the user identification and authentication information (e.g., user ID and password) as well as connection and authorization parameters. Parameters are passed between the client and server using a simple five-field format encapsulated into a single UDP packet. The brevity of the format and the efficiency of the UDP protocol (no connection overhead) allow the server to handle large volumes of requests efficiently. However, the format and protocol also have a downside. They do not lend themselves well to some of today’s diverse access requirements (i.e., ROAMOPS), and retransmissions are a problem in heavy load or failed node scenarios. Putting the AA in RADIUS: Authentications and Authorizations RADIUS has eight standard transaction types: access–request, access–accept, access–reject, accounting–request, accounting–response, access–challenge, status–server, and status–client. Authentication is accomplished by decrypting a NAS access–request packet, authenticating the NAS source, and validating the access–request parameters against the user file. The server then returns one of three authentication responses: access–accept, access–reject, or access–challenge. The latter is a request for additional authentication information such as a one-time password from a token or a callback identifier. Authorization is not a separate function in the RADIUS protocol but simply part of an authentication reply. When a RADIUS server validates an access request, it returns to the NAS client all the connection attributes specified in the user file. These usually include the data link (i.e., PPP, SLIP) and network (i.e., TCP/IP, IPX) specifications, but may also include vendor-specific authorization parameters. One such mechanism automatically initiates a Telnet or rlogin session to a specified host. Other methods include forcing the port to a specific IP address with limited connectivity, or applying a routing filter to the access port. 186
AU1253_ch16_Frame Page 187 Saturday, October 26, 2002 4:38 PM
Centralized Authentication Services The Third A: Well, Sometimes Anyway! Accounting is a separate function in RADIUS, and not all clients implement it. If the NAS client is configured to use RADIUS accounting, it will generate an Accounting-Start packet once the user has been authenticated, and an Accounting-Stop packet when the user disconnects. The Accounting-Start packet describes the type of service the NAS is delivering, the port being used, and user being serviced. The Accounting-Stop packet duplicates the Start packet information and adds session information such as elapsed time, bytes inputs and outputs, disconnect reason, etc. Forward Thinking and Other Gee-Whiz Capabilities A RADIUS server can act as a proxy for client requests, forwarding them to servers in other authentication domains. Forwarding can be based on a number of criteria, including a named or numbered domain. This is particularly useful when a single modem pool is shared across departments or organizations. Entities are not required to share authentication data; each can maintain their own RADIUS server and service proxied requests from the server at the modem pool. RADIUS can proxy both authentication and accounting requests. The relationship between proxies can be distributed (one-to-many) or hierarchical (many-to-one), and requests can be forwarded multiple times. For example, in Exhibit 2, it is perfectly permissible for the “master” server to forward a request to the user’s regional server for processing.
Departmental RADIUS Servers
Corporate "Master" RADIUS Server
RADIUS Proxy Server
Regional RADIUS Proxy Servers
NAS Modem Pool
Regional NAS Regional NAS Regional NAS
Exhibit 2. “Master” Server Forwards a Request on to the User’s Regional Server for Processing
187
AU1253_ch16_Frame Page 188 Saturday, October 26, 2002 4:38 PM
SECURITY Most RADIUS clients have the ability to query a secondary RADIUS server for redundancy purposes, although this is not required. The advantage is continued access when the primary server is offline. The disadvantage is the increase in administration required to synchronize data between the servers. Most RADIUS servers have a built-in database connectivity component. This allows accounting records to be written directly into a database for billing and reporting purposes. This is preferable to processing a flat text accounting “detail” file. Some server implementations also include database access for authentication purposes. Novell’s implementation queries NDS, NT versions query the PDC, and several vendors are working on LDAP connectivity. It Does Not Get Any Easier than This. Or Does It? When implementing RADIUS, it is important to remember that the source code is both open and extensible. The way each AAA, proxy, and database function is implemented varies considerably from vendor to vendor. When planning a RADIUS implementation, it is best to define one’s functional requirements first and then choose NAS components and server software that support them. Here are a few factors to consider: • What accesses need to be authenticated? External accesses via modem pools and VPN servers are essential, but internal accesses to critical systems and security control devices (i.e., routers, firewalls) should also be considered. • What protocols need to be supported? RADIUS can return configuration information at the data link, network, and transport levels. Vendor documentation as well as the RADIUS RFCs and standard dictionary file are good sources of information for evaluating these parameters. • What services are required? Some RADIUS implementations require support for services like Telnet, rlogin, and third-party authentication (i.e., SecureID), which often require additional components and expertise to implement. • Is proxy or redundancy required? When NAS devices are shared across management or security domains, proxy servers are usually required and it is necessary to determine the proxy relationships in advance. Redundancy for system reliability and accessibility is also an important consideration because not all clients implement this feature. Other considerations might include: • • • • • 188
Authorization, accounting, and database access requirements Interfaces to authentication information in NDS, X.500, or PDC databases The RADIUS capabilities of existing clients Support for third-party Mobile-IP providers like iPass Secure connection support (i.e., L2TP, PPTP)
AU1253_ch16_Frame Page 189 Saturday, October 26, 2002 4:38 PM
Centralized Authentication Services Client setup for RADIUS is straightforward. The client must be configured with the IP address of the server(s), the shared secret (encryption key), and the IP port numbers of the authentication and accounting services (the defaults are 1645 and 1646, respectively). Additional settings may be required by the vendor. The RADIUS server setup consists of the server software installation and three configuration files: • The dictionary file is composed of a series of attribute/value (AV) pairs the server uses to parse requests and generate responses. The standard dictionary file supplied with most server software contains the attributes and values found in the RADIUS RFCs. One may need to add vendor-specific attributes, depending upon one’s NAS selection. If any modifications are made, double-check that none of the attribute names or values are duplicated. • The client file is a flat text file containing the information the server requires to authenticate RADIUS clients. The format is the client name or IP address, followed by the shared secret. If names are used, the server must be configured for name resolution (i.e., DNS). Requirements for the length and format of the shared secret vary, but most UNIX implementations are eight characters or less. There is no limitation on the number of clients a server can support. • The user file is also a flat text file. It stores authentication and authorization information for all RADIUS users. To be authenticated, a user must have a profile consisting of three parts: the username, a list of authentication check items, and a list of reply items. A typical entry would look like the one displayed in Exhibit 3. The first line contains the user’s name and a list of check items separated by commas. In this example, John is restricted to using one NAS device (the one at 10.100.1.1). The remaining lines contain reply items. Reply items are separated by commas at the end of each line. String values are put in quotes. The final line in this example contains an authorization parameter that applies a packet filter to this user’s access. The check and reply items contained in the user file are as diverse as the implementations, but a couple of conventions are fairly common. Username prefixes are commonly used for proxy requests. For example, usernames with the prefix CS would be forwarded to the computer science RADIUS server for authentication. Username suffixes are commonly used to designate different access types. For example, a user name with a %vpn suffix would indicate that this access was via a virtual private network (VPN). This makes it possible for a single RADIUS server to authenticate users for multiple NAS devices or provide different reply values for different types of accesses on the same NAS. 189
AU1253_ch16_Frame Page 190 Saturday, October 26, 2002 4:38 PM
SECURITY DIAMETER Forwarding Broker
DIAMETER Redirect Broker
X.509 CRL DB OCSP DB
DIAMETER Proxy Server
DIAMETER "HOME" Server
DIAMETER Proxy Server
DIAMETER "HOME" Server
Legend Proxy Request Broker Redirect Command Home Server Replies
Exhibit 3.
DIAMETER Uses a Broker Proxy Server
The DEFAULT user parameter is commonly used to pass authentication to another process. If the username is not found in the user file, the DEFAULT user parameters are used to transfer the validation to another mechanism. On UNIX, this is typically the /etc/passwd file. On NT, it can be the local user database or a domain controller. Using secondary authentication mechanisms has the advantage of expanding the check items RADIUS can use. For example, UNIX and NT groups can be checked as well as account activation and date and time restriction. Implementations that use a common NAS type or one server for each NAS type have fairly uncomplicated user files, but user file contents can quickly become quite convoluted when NAS devices and access methods are mixed. This not only adds complexity to the management of the server, but also requires more sophistication on the part of users. Stumbling Blocks, Complexities, and Other RADIUS Limitations RADIUS works well for remote access authentication but is not suitable for host or application authentication. Web servers may be the first exception. 190
AU1253_ch16_Frame Page 191 Saturday, October 26, 2002 4:38 PM
Centralized Authentication Services Adding a RADIUS client to a Web server provides a secure method for authenticating users across open networks. RADIUS provides only basic accounting facilities with no facilities for monitoring nailed-up circuits or system events. User-based rather than device-based connection parameters are another major limitation of RADIUS. When a single RADIUS server manages several different types of NAS devices, user administration is considerably more complex. Standard RADIUS authentication does not provide facilities for checking a user’s group membership, restricting access by date or time of day, or expiring a user’s account on a given date. To provide these capabilities, the RADIUS server must be associated with a secondary authentication service. Overall, RADIUS is an efficient, flexible, and well-supported AAA service that works best when associated with a secondary authentication service like NDS or NT, where additional account restrictions can be applied. The adoption of RADIUS version 2 as an IETF standard will certainly ensure its continued success and importance as a good general-purpose authentication, authorization, and accounting service. TACACS: TERMINAL ACCESS CONTROLLER ACCESS CONTROL SYSTEM What is commonly referred to today as TACACS actually represents two evolutions of the protocol. The original TACACS, developed in the early ARPANet days, had very limited functionality and used the UDP transport. In the early 1990s, the protocol was extended to include additional functionality and the transport changed to TCP. To maintain backward compatibility, the original functions were included as subsets of the extended functions. The new protocol was dubbed XTACACS (Extended TACACS). Virtually all current TACACS daemons are based on the extended protocol as described in RFC 1492. Cisco Systems adopted TACACS for its AAA architecture and further enhanced the product by separating the authentication, authorization, and accounting functions and adding encryption to all NAS-server transmissions. Cisco also improved the extensibility of TACACS by permitting arbitrary length and content parameters for authentication exchanges. Cisco called their version TACACS+, but in reality, TACACS+ bears no resemblance to the original TACACS, and packet formats are not backward compatible. Some server implementations support both formats for compatibility purposes. The remainder of this section is based on TACACS+ because it is the proposed IETF standard. TACACS+ servers use a single configuration file to control server options, define users and AV pairs, and control authentication and authorization actions. The options section specifies the settings of the service’s operation parameters, the shared secret key, and the accounting file name. The remainder of the file is a series of user and group definitions used to control 191
AU1253_ch16_Frame Page 192 Saturday, October 26, 2002 4:38 PM
SECURITY authentication and authorization actions. The format is “user = username” or “group = groupname,” followed by one or more AV pairs inside curly brackets. The client initiates a TCP session and passes a series of AV pairs to the server using a standard header format followed by a variable length parameter field. The header contains the service request type (authentication, authorization, or accounting) and is sent in the clear. The entire parameter field is encrypted for confidentiality. TACACS’ variable parameter field provides for extensibility and site-specific customization, while the TCP protocol ensures reliable delivery. However, the format and protocol also increase communications overhead, which can impact the server’s performance under heavy load. A 1: TACACS AUTHENTICATION TACACS authentication has three packet types: Start, Continue, and Reply. The client begins the authentication with a Start packet that describes the type of authentication to be performed. For simple authentication types like PAP, the packet may also contain the user ID and password. The server responds with a Reply. Additional information, if required, is passed with client Continue and server Reply packets. Transactions include login (by privilege level) and password change using various authentication protocols (i.e., CHAP, PAP, PPP, etc.). Like RADIUS, a successful TACACS authentication returns AV pairs for connection configuration. These can include authorization parameters or they can be fetched separately. A 2: TACACS Authorization Authorization functions in TACACS consist of Request and Response AV pairs used to: • • • • • •
Permit or deny certain commands, addresses, services, or protocols Set user privilege level Invoke input and output packet filters Set access control lists (ACLs) Invoke callback actions Assign a specific network address
Functions can be returned as part of an authentication transaction or an authorization-specific request. A 3: TACACS Accounting TACACS accounting functions use a format similar to authorization functions. Accounting functions include Start, Stop, More, and Watchdog. The Watchdog function is used to validate TCP sessions when data is not sent for extended periods of time. In addition to the standard accounting data supported by RADIUS, TACACS has an event logging capability that can 192
AU1253_ch16_Frame Page 193 Saturday, October 26, 2002 4:38 PM
Centralized Authentication Services record system-level changes in access rights or privileges. The reason for the event as well as the traffic totals associated with it can also be logged. Take Another Look (and Other Cool Capabilities) TACACS authentication and authorization processes are considerably enhanced by two special capabilities: recursive lookup and callout. Recursive lookup allows connection, authentication, and authorization information to be spread across multiple entries. AV pairs are first looked up in the user entry. Unresolved pairs are then looked up in the group entry (if the user is a member of a group) and finally assigned the default value (if one is specified). TACACS+ permits groups to be embedded in other groups, so recursive lookups can be configured to encompass any number of connection requirements. TACACS+ also supports a callout capability that permits the execution of user-supplied programs. Callout can be used to dynamically alter the authentication and authorization processes to accommodate any number of requirements; a considerably more versatile approach than RADIUS’ static configurations. Callout can be used to interface TACACS+ with third-party authentication mechanisms (i.e., Kerberos and SecureID), pull parameters from a directory or database, or write audit and accounting records. TACACS, like RADIUS, can be configured to use redundant servers and because TACACS uses a reliable transport (TCP), it also has the ability to detect failed nodes. Unlike RADIUS, TACACS cannot be configured to proxy NAS requests, which limits its usefulness in large-scale and crossdomain applications. Cisco, Cisco, Cisco: Implementing TACACS There are a number of TACACS server implementations available, including two freeware versions for UNIX, a Netware port, and two commercial versions for NT, but the client implementations are Cisco, Cisco, Cisco. Cisco freely distributes the TACACS and TACACS+ source code, so features and functionality vary considerably from one implementation to another. CiscoSecure is generally considered the most robust of the commercial implementations and even supports RADIUS functions. Once again, be sure to define functional requirements before selecting NAS components and server software. If your shop is Cisco-centric, TACACS is going to work well; if not, one might want to consider a server product with both RADIUS and TACACS+ capabilities. Client setup for TACACS on Cisco devices requires an understanding of Cisco’s AAA implementation. The AAA function must be enabled for any of the TACACS configuration commands to work. The client must be configured with the IP address of the server(s) and the shared secret encryption key. A typical configuration would look like this: 193
AU1253_ch16_Frame Page 194 Saturday, October 26, 2002 4:38 PM
SECURITY aaa new-model tacacs-server key
tacacs-server host tacacs-server host
followed by port-specific configurations. Different versions of Cisco IOS support different TACACS settings. Other NAS vendors support a limited subset of TACACS+ commands. TACACS server setup consists of the server software installation and editing the options, authentication, and authorization entries in the configuration files. Comments may be placed anywhere in the file using a pound sign (#) to start the line. In the following example, Jane represents a dial-in support contractor, Bill a user with multiple access methods, and Dick an IT staff member with special NAS access. # The default authentication method will use the local UNIX # password file, default authorization will be permitted for # users without explicit entries and accounting records will be # written to the/var/adm/tacacs file. default authentication = file/etc/passwd default authorization = permit accounting file = /var/adm/tacacs # Contractors, vendors, etc. user = jane { name = “Jane Smith” global = cleartext “Jane’sPassword” expires = “May 10 2000” service = ppp protocol = ip { addr = 10.200.10.64 inacl = 101 outacl = 102 } } # Employees with “special” requirements user = bill { name = “Bill Jones” arap = cleartext “Apple_ARAP_Password” 194
AU1253_ch16_Frame Page 195 Saturday, October 26, 2002 4:38 PM
Centralized Authentication Services pap = cleartext “PC_PAP_Password” default service = permit } user = dick { name = “Dick Brown” member = itstaff # Use the service parameters from the default user default service = permit # Permit Dick to access the exec command using connection access list 4 service = exec { acl = 4 } # Permit Dick to use the telnet command to everywhere but 10.101.10.1 cmd = telnet { deny 10\.101\.10\.1 permit.* } } # Standard Employees use these entries user = DEFAULT { service = ppp { # Disconnect if idle for 5 minutes idletime = 5 # Set maximum connect time to one hour timeout = 60 } protocol = ip { addr-pool = hqnas } } # Group Entries group = itstaff { # Staff uses a special password file login = file/etc/itstaff_passwds } 195
AU1253_ch16_Frame Page 196 Saturday, October 26, 2002 4:38 PM
SECURITY Jane’s entry sets her password to “Jane’sPassword” for all authentication types, requires her to use PPP, forces her to a known IP, and applies both inbound and outbound extended IP access control lists (a.k.a. IP filters). It also contains an account expiration date so the account can be easily enabled and disabled. Bill’s entry establishes different passwords for Apple and PAP logins, and assigns his connection the default service parameters. Dick’s entry grants him access to the NAS executive commands, including Telnet, but restricts their use by applying a standard IP access control list and an explicit deny to the host at 10.101.10.1. Bill’s and Dick’s entries also demonstrate TACACS’ recursive lookup feature. The server first looks at user entry for a password, then checks for a group entry. Bill is not a member of any group, so the default authentication method is applied. Dick, however, is a member of “itstaff,” so the server validates the group name and looks for a password in the group entry. It finds the log-in entry and authenticates Dick using the /etc/itstaff_passwds file. The default user entry contains AV pairs specifying the use of PPP with an idle timeout of five minutes and a maximum session time of one hour. In this example, the UNIX/etc/password and /etc/group files are used for authentication, but the use of other mechanisms is possible. Novell implementations use NDS, NT versions use the domain controller, and CiscoSecure support LDAP and several SQL compatible databases. Proxyless, Problems, and Pitfalls: TACACS Limitations The principle limitation of TACACS+ may well be its lack of use. While TACACS+ is a versatile and robust protocol, it has few server implementations and even fewer NAS implementations. Outside of Cisco, this author was unable to find any custom extensions to the protocol or any vendorspecific AV pairs. Additionally, TACACS’ scalability and performance are an issue. Unlike RADIUS’ single-packet UDP design, TACACS uses multiple queries over TCP to establish connections, thus incurring overhead that can severely impact performance. TACACS+ servers have no ability to proxy requests, so they cannot be configured in a hierarchy to support authentication across multiple domains. CiscoSecure scalability relies on regional servers and database replication to scale across multiple domains. While viable, the approach assumes a single management domain, which may not always be the case. Overall, TACACS+ is a reliable and highly extensible protocol with existing support for Cisco’s implementation of NAS-based VPNs. Its “outcalls” capability provides a fairly straightforward way to customize the AAA functions and add support for third-party products. Although TACACS+ supports more authentication parameters than RADIUS, it still works best when associated with a secondary authentication service like NDS or an NT domain. The adoption of TACACS+ as an IETF standard and its easy extensibility 196
AU1253_ch16_Frame Page 197 Saturday, October 26, 2002 4:38 PM
Centralized Authentication Services should improve its adoption by other NAS manufacturers. Until then, TACACS+ remains a solid AAA solution for Cisco-centric environments. DIAMETER: TWICE RADIUS? DIAMETER is a highly extensible AAA framework capable of supporting any number of AAA schemes and connection types. The protocol is divided into two distinct parts: the Base Protocol and the Extensions. The DIAMETER Base Protocol defines the message format, transport, error reporting, and security services used by all DIAMETER extensions. DIAMETER extensions are modules designed to conduct specific types of AAA transactions (i.e., NAS, Mobile-IP, ROAMOPS, and EAP). The current IETF draft contains definitions for NAS requests, Mobile-IP, secure proxy, strong security, and accounting, but any number of other extensions are possible. DIAMETER is built upon the RADIUS protocol but has been augmented to overcome inherent RADIUS limitations. Although the two protocols do not share a common data unit (PDU), there are sufficient similarities to make the migration from RADIUS to DIAMETER easier. DIAMETER, like RADIUS, uses a UDP transport but in a peer-to-peer rather than client/ server configuration. This allows servers to initiate requests and handle transmission errors locally. DIAMETER uses reliable transport extensions to reduce retransmissions, improve failed node detection, and reduce node congestion. These enhancements reduce latency and significantly improve server performance in high-density NAS and hierarchical proxy configurations. Additional improvements include: • • • • •
Full support for roaming Cross-domain, broker-based authentication Full support for the Extensible Authentication Protocol (EAP) Vendor-defined attributes–value pairs (AVPs) and commands Enhanced security functionality with replay attack protections and confidentiality for individual AVPs
There Is Nothing Like a Good Foundation The DIAMETER Base Protocol consists of a fixed-length (96-byte) header and two or more attribute–value pairs (AVPs). The header contains the message type, option flags, version number, and message length, followed by three transport reliability parameters (see Exhibit 4). Exhibit 4. Type
DIAMETER Base Protocol Packet Format Flags
Version Message Length Node Identifier Next Send Next Received AVPs…
197
AU1253_ch16_Frame Page 198 Saturday, October 26, 2002 4:38 PM
SECURITY AVPs are the key to DIAMETER’s extensibility. They carry all DIAMETER commands, connection parameters, and AAA and security data. AVPs consist of a fixed-length header and a variable-length data field. A single DIAMETER message can carry any number of AVPs, up to the maximum UDP packet size of 8192 bytes. Two AVPs in each DIAMETER message are mandatory. They contain the message Command Code and the sender’s IP address or host name. The message type or the Extension in use defines the remaining AVPs. DIAMETER reserves the first header byte and the first 256 AVPs for RADIUS backward compatibility. A Is for the Way You Authenticate Me The specifics of a DIAMETER authentication transaction are governed by the Extension in use, but they all follow a similar pattern. The client (i.e., a NAS) issues an authentication request to the server containing the AARequest Command, a session-ID, and the client’s address and host name followed by the user’s name and password and a state value. The session-ID uniquely identifies this connection and overcomes the problem in RADIUS with duplicate connection identifiers in high-density installations. Each connection has its own unique session with the server. The session is maintained for the duration of the connection, and all transactions related to the connection use the same session-ID. The state AVP is used to track the state of multiple transaction authentication schemes such as CHAP or SecureID. The server validates the user’s credentials and returns an AA-Answer packet containing either a Failed-AVP or the accompanying Result-Code AVP or the authorized AVPs for the service being provided (i.e., PPP parameters, IP parameters, routing parameters, etc.). If the server is not the HOME server for this user, it will forward (proxy) the request. Proxy on Steroids! DIAMETER supports multiple proxy configurations, including the two RADIUS models and two additional Broker models. In the hierarchical model, the DIAMETER server forwards the request directly to the user’s HOME server using a session-based connection. This approach provides several advantages over the standard RADIUS implementation. Because the proxy connection is managed separately from the client connection, failed node and packet retransmissions are handled more efficiently, and the hop can be secured with enhanced security like IPSec. Under RADIUS the first server in the authentication chain must know the CHAP shared secret, but DIAMETER’s proxy scheme permits the authentication to take place at the HOME server. As robust as DIAMETER’s hierarchical model is, it still is not suitable for many roaming applications. 198
AU1253_ch16_Frame Page 199 Saturday, October 26, 2002 4:38 PM
Centralized Authentication Services Exhibit 5.
A Typical Entry
User Name
Attribute = Value
John
Password = “1secret9,” NAS-IP-Address = 10.100.1.1 Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 10.200.10.1, Framed-IP-Netmask = 255.255.255.0, Filter-Id = “firewall”
DIAMETER uses a Broker proxy server to support roaming across multiple management domains. Brokers are employed to reduce the amount of configuration information that needs to be shared between ISPs within a roaming consortium. The Broker provides a simple message routing function. In DIAMETER, two routing functions are provided: either the Broker forwards the message to the HOME server or provides the keys and certificates required for the proxy server to communicate directly with the HOME server (see Exhibit 5). A Two Brute: DIAMETER Authorization Authorization transactions can be combined with authentication requests or conducted separately. The specifics of the transaction are governed by the Extension in use but follow the same pattern and use the same commands as authentications. Authorization requests must take place over an existing session; they cannot be used to initiate sessions, but they can be forwarded using a DIAMETER proxy. Accounting for Everything DIAMETER significantly improves upon the accounting capabilities of RADIUS and TACACS+ by adding event monitoring, periodic reporting, real-time record transfer, and support for the ROAMOPS Accounting Data Interchange Format (ADIF). DIAMETER accounting is authorization–server directed. Instructions regarding how the client is to generate accounting records is passed to the client as part of the authorization process. Additionally, DIAMETER accounting servers can force a client to send current accounting data. This is particularly useful for connection troubleshooting or to capture accounting data when an accounting server experiences a crash. Client writes and server polls are fully supported by both DIAMETER proxy models. For efficiency, records are normally batch transferred; but for applications like ROAMOPS, where credit limit checks or fraud detection are required, records can be generated in real-time. DIAMETER improves upon 199
AU1253_ch16_Frame Page 200 Saturday, October 26, 2002 4:38 PM
SECURITY standard connect and disconnect accounting with a periodic reporting capability that is particularly useful for monitoring usage on nailed-up circuits. DIAMETER also has an event accounting capability like TACACS+ that is useful for recording service-related events like failed nodes and server reboots. Security, Standards, and Other Sexy Stuff Support for strong security is a standard part of the DIAMETER Base Protocol. Many applications, like ROAMOPS and Mobile-IP, require sensitive connection information to be transferred across multiple domains. Hop-by-hop security is inadequate for these applications because data is subject to exposure at each interim hop. DIAMETER’s Strong Proxy Extension overcomes the problem by encrypting sensitive data in S/MIME objects and encapsulating them in standard AVPs. Got the telecommuter, mobile workforce, VPN, multiplatform, dial-in user authentication blues? One does not need to! AAA server solutions like RADIUS, TACACS, and DIAMETER can chase those blues away. With a little careful planning and a few hours of configuration, one can increase security, reduce administration time, and consolidate one’s remote access venues into a single, centralized, flexible, and scalable solution. That should put a smile on one’s face.
200
AU1253_ch17_Frame Page 201 Saturday, October 26, 2002 4:39 PM
Chapter 17
Remote Access Authentication Ellen Bonsall
The computing world has evolved from a centralized environment consisting of single mainframes and multiple dumb terminals to today’s distributed client/server networking environment. Given this global change in information systems (IS), networking industry experts around the world agree that the management of information systems — particularly network security — is an increasingly difficult task for today’s executives. IS managers live with the fear that a great financial loss due to an unforeseen network security breach will be blamed solely on the IS team. Complex distributed networks have made security a critical component of network architecture. Client/server technology is delivering sensitive data and mission-critical applications directly to the desktop. Most of today’s security products are designed to do one specific job, without regard to their roles in the larger security scheme. Without appropriate protection on both the Internet and enterprise sides of the network, an organization is vulnerable to even the simplest of attacks. To protect an organization’s information assets, IS teams must establish security policies, procedures, and systems to support these assets. USER AND CLIENT AUTHENTICATION IS security professionals must combine the task of integrating worldwide authentication services across multiple networking platforms with that of securing information in the burgeoning distributed and mobile computing environment. User and client authentication must be the foundation of any viable network security plan. To compete in today’s global economy, CEOs, CIOs, and IS professionals are seeking ways to seamlessly tie employees, business and technology partners, suppliers, and customers together for information sharing while simultaneously protecting sensitive data. The market for remote access security and authentication products boils down to one fact: people want to know with whom they are dealing. However, as advancing technology makes complex distributed networks 0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
201
AU1253_ch17_Frame Page 202 Saturday, October 26, 2002 4:39 PM
SECURITY the norm rather than the exception, it becomes increasingly difficult to guarantee that information will be protected from unauthorized users. It can be devastating for individuals and organizations when sensitive information falls into the wrong hands. IS professionals should track patterns of information crime, study the ways in which other organizations have dealt with network security breaches, and keep abreast of the latest products designed to protect information assets. The specter of unauthorized local area network (LAN) remote access has caused many IS departments to consider an authentication complement for their network security schemes. Even with added protection, however, systems are vulnerable. IS security is not just about protecting electronic communications from Internet criminals. Moreover, a new range of access points in today’s open systems has made it possible to hack into systems from sites located anywhere in the world. To establish easy-to-use, costeffective safeguards, IS security professionals must coordinate with CEOs, CIOs, IS staff, and users to address basic security fundamentals. Optimum solutions cannot be achieved without user cooperation and participation. Regardless of how fail-safe a system may appear, if users can disable it, or gain access to information without having to comply with established security standards, the safeguard is useless. Finally, many organizations put the cart before the horse by installing the latest security panacea (e.g., an internal or external firewall) without first establishing an overall security policy. It is essential to effective access and user authentication strategies to pinpoint exactly what is being protected and from whom. DEFINING THE SECURITY PROCESS If an organization does not already have an official security policy that is endorsed at all levels of management, it is essential that the IS team gather the necessary parties and create one. Some departments may already have policies; the basic elements of these may be relevant to an organizational policy. The policy should be implemented as soon as possible and should, above all, mandate an enterprisewide user authentication solution that can be scaled to differing security requirements. The IS team should develop a code of conduct for employees and should require that employees sign a compliance document once they have read and understood the code. To further ensure compliance, the team should plan to educate employees about the importance of security and the value of information to the organization. Employee awareness programs are useful for this purpose. MAKING ENTERPRISE-SPECIFIC SECURITY CHOICES Myriad solutions exist to combat today’s security problems, some of which cost more than others both in time and monetary investment. Vendors of 202
AU1253_ch17_Frame Page 203 Saturday, October 26, 2002 4:39 PM
Remote Access Authentication firewalls, routers, and communications servers are continually integrating the latest technology to make their security products more reliable. IS staff who are responsible for choosing and implementing such products should carefully compare products before purchasing and implementing them. The best security solutions for an organization are not necessarily those used by other organizations in the same industry. Primary in importance is that the IS team begins the process and establishes safeguards, with the assumption that products will require constant review and updating. Before addressing specific strategies for securing servers with either native options or third-party systems, IS staff should take special care to secure any server that can be accessed remotely or that can be accessed from other remotely accessed servers on the wide area network (WAN). When evaluating security tools, it is useful to establish the goals of the organization’s security system, including the user authentication facet of security. IS staff should establish exactly what the security and remote access authentication system will protect; who will be permitted access and, relatedly, who will be denied specific access. The more specific the outline of user access requirements is, the more comprehensive remoteaccess security will be. The success of these access objectives can be measured when the system is implemented, and the objectives can be changed as personnel, networks, and organizational goals change. IS staff should draw up written procedures that detail how and when the security systems will be audited. In addition, an independent, internal or external audit team should look over the systems at least quarterly, and the members should be fully aware of all of the security and access objectives of the organization. When the independent audit team submits a report, any noncompliance should be addressed by the IS team immediately. Establishing Basic Controls A number of fundamental controls should be implemented in any organization to secure Internet and dial-up remote access. Management Controls Technical personnel within the organization should be trained before they are permitted to cruise the Internet or to dial into the LAN through a remote connection. If the organization is connected to external networks, IS staff must understand the risks and manage these connections properly. In addition, a policy on the acceptable use of the Internet should be distributed to all employees. Internet access can negatively affect productivity, unless reasonable limits are set and enforced. IS staff should also establish and execute procedures for reporting and resolving detected breaches of remote access security. Procedures should 203
AU1253_ch17_Frame Page 204 Saturday, October 26, 2002 4:39 PM
SECURITY include reporting breaches to management or to external organizations such as CERT. Monitoring programs that scan the system regularly for Trojan Horses, sniffers, and other undesirable programs and data are also fundamental security tools. Inbound Traffic Controls Inbound traffic controls include the implementation of network and node application restrictions through a firewall to limit access by remote connection to applications. Additional application controls should be installed, such as restrictions on certain types of transactions that a remote user may process. IS staff should maintain logs of all activity originating through remote access and review the logs for anomalies. Authorization and authentication of employees must be required to view or modify internal application data. Users requesting access through an external network or remote access must also be authenticated. Proxy logins should be prohibited; allowing one user to act for another invites unauthorized access. Outbound Traffic Controls Systems security is often designed to protect an organization’s networks from those who would attempt to break in. It is just as critical, however, that outbound traffic controls be established to monitor the information that leaves the organization. Implementing such controls can be very difficult, as the legal tangle of personal privacy and e-mail versus corporate liability demonstrates. At a minimum, IS staff should maintain logs of all external network activity originated by internal users and identify and communicate to users any risks or potential threats (e.g., viruses). File Transfer Controls To ensure that records are transmitted and that data is received, IS staff should implement manual or automated controls to monitor file transfers. Executable code should be transmitted only by systems and applications designed to prevent unauthorized or inadvertent execution. It is usually difficult to protect against data-driven attacks, or attacks where something is mailed or copied to an internal host and then executed. All attempts at unsolicited distribution of executable files should be called to the attention of management. Executable files are a popular way to spread viruses. IS staff should control the use of the File Transfer Protocol (FTP) site through a proxy server. If this is not possible, another way of restricting incoming connections to the network must be explored. 204
AU1253_ch17_Frame Page 205 Saturday, October 26, 2002 4:39 PM
Remote Access Authentication DEFINING REMOTE ACCESS: ESTABLISHING A COMMON VOCABULARY Once an organizational policy has been written and fundamental controls implemented, remote access and authentication can be targeted. The security team must ensure that everyone in the organization shares a common, remote access vocabulary, so that all of the security provisions will be fully understood and complied with. In most organizations, IS departments struggle to maintain control of information in the midst of rapidly changing strategic business and communications issues. Healthcare systems are an effective example of this. Instead of having users dial into three or four different platforms and use different equipment for applications that might include claims entry, individual eligibility, and claim status verification, an IS team could purchase an integrating access server to centralize remote connections. A single dial-in access connection would allow users to access multiple hosts across diverse platforms. Authentication Authentication should not be confused with identification or authorization. The IS team must agree on the definition of remote access user authentication and the tools associated with it before they make decisions about specific technologies or products. • Identification. User identification is the process by which people identify themselves to the system as valid users. The log-on process is an example of a simple user identification. Identification is not the same process as authentication, which establishes that the person logging on to the network is indeed that user. • Authentication. The process of determining the true identity of a user or an object (e.g., a communications server) attempting to access a system. It is the confirmation of the claimed identity. • Authorization. The process of determining what types of activities are permitted. In the context of authentication, once the system has authenticated a user, he or she may be authorized for various levels of access or different activities. • Authentication token. A portable device (or software loaded directly on a PC) that is used for authentication. Authentication tokens use a variety of techniques, including challenge–response asynchronous, event–time–based synchronous, and time–only–based synchronous technologies. • Authentication tool. A software or handheld hardware “key” or “token” used during the authentication process. Remote Access The generic term “remote access” is commonly applied to terminal emulation, file transfer, and network management. Remote access software (such 205
AU1253_ch17_Frame Page 206 Saturday, October 26, 2002 4:39 PM
SECURITY as pcAnywhere) makes a PC drive or peripherals available to other computers. It can dial up another PC through a modem, query that computer’s hard drive, and give commands to print or to transfer files. Basic remote access software does not give as high a level of power as remote control products that establish the PC as a node on the LAN. In using remote access software only, the access control measures provided by it are not robust enough to protect against unauthorized intrusion. Remote Control Remote control is the taking over of a host system with a PC keyboard and mouse and viewing its screen from anywhere in the world. The user can run programs, edit and transfer files, read e-mail, or browse a distant database. The user can dial up with a modem or a node-to-node LAN connection and take complete charge of another computer’s screen, keyboard, and mouse. The simplest remote control scheme is a synchronous, one-toone dial-up connection between modems attached to two PCs. Whatever mode or combination of modes the user’s network employs, user and client authentication are vital to protecting information assets. When a remote node connection is established, the PC is actually sitting on the LAN with which it has been connected. The PC or workstation is connected to the all of the remote’s network services. The user has access to any services or information for which it has been authorized. Therefore, if the remote network does not have an authorization, identification, and authentication system in place, the user may roam at will. A limited, secure connection can be established first through the use of a remote control software package and the use of any security features native to the system’s operating system or communications hardware. If levels of security are required that are not provided by native security, third-party authentication technology should be added. SIX COMPONENTS THAT SECURE REMOTE ACCESS Authenticating LAN dial-up users is a starting point in evaluating user authentication technology. A variety of reasons for controlling access to the LAN and to office network workstations exist, but not all of them are about protecting the organization. Protecting the privacy of personal information is a top priority for many companies or users. Most users create personal information on their computers. No one wants such personal information made public. By controlling access, business plans and proposals, pricing figures, payroll information, and other sensitive information can be kept from prying eyes. Controlling access also reduces the chances of virus infection and slows the spread of an infection, should one occur. 206
AU1253_ch17_Frame Page 207 Saturday, October 26, 2002 4:39 PM
Remote Access Authentication Authenticating users preserves the integrity of information. By locking out unauthorized users, the chances that someone will make unwanted (or unintentional) changes to critical files are reduced. Six components are critical to secure remote access: 1. 2. 3. 4. 5. 6.
Authorization Authentication Confidentiality Auditing Control Nonrepudiation
Authorization The key to secure remote access is to understand and integrate the critical components without leaving anything out. Network managers must be able to authorize users (i.e., control who on the network may access which resources). Properly implemented, authorization systems prohibit the engineering department, for example, from reading the CEO’s business projections. Authorization systems should provide secure, single sign-on, which allows users to log onto a network once, to gain access to all the resources that they require (but none of the ones that they are unauthorized to have). In most cases, authorization systems are comprised of complex software packages with code that executes on specifically secured computers on the network. Some examples are IBM’s, Cygnus Support’s, and CyberSAFE’s Kerberos-based systems, and ICL Enterprises’ North America’s Sesamebased system. However, such security is limited by the specific platforms on which they work. User Authentication Authentication is the process of verifying the identity of end users (and clients). It should be considered a basic building block of secure remote access. A critical component of any network architecture, user authentication employs passwords — the most common method of authenticating users. Virtually all network operating systems offer limited password protection, as do most communications servers and other applications that allow access to a network. The reusable (i.e., static) passwords that are employed are easy to use, but offer an extremely limited degree of security. User authentication takes place after entry into the system with common IDs and reusable passwords. Security is very lax. Reusable passwords have been shown over a lengthy period of time to be the least successful way to protect networks. 207
AU1253_ch17_Frame Page 208 Saturday, October 26, 2002 4:39 PM
SECURITY Why are static, reusable passwords so easy to steal or guess? Several intrinsic weaknesses are found in reusable passwords. First, most people have a difficult time remembering passwords, especially if they must remember many different passwords that are unique to each network or application that they use. Typically, they give the passwords to co-workers or paste them in visible areas for easy reference, especially if the IS staff requires them to change the passwords on a regular basis. Second, if permitted to choose their own passwords, they often pick trivial ones that are easy to remember. These may include permutations of their names, their children’s names, or personal information, such as date of birth. Trivial passwords are common words that are subject to “dictionary attacks” or simply educated guesses, which is not a very secure form of authentication. Third, static passwords are vulnerable because it is possible to steal them electronically. This can be done either by unauthorized insiders or by outsiders (i.e., hackers) through a “password sniffer” or similar program designed to monitor and record the names and passwords of authorized users as they log onto a network. Because of these basic weaknesses, reusable passwords seriously jeopardize overall communications security. It is too easy to impersonate authorized users by logging on with passwords that actually are legitimate to access restricted information. To solve this problem, network security experts are now choosing from a variety of authentication systems that generate one-time-use-only (i.e., dynamic) passwords for a greater degree of user authentication and, therefore, information security. Handheld authentication devices (e.g., tokens) employ encryption and public or proprietary algorithms to calculate these one-time-use-only passwords (or responses) to random challenges issued by authentication servers residing on the network. More specifically, there are stand-alone devices (i.e., hardware boxes) placed in front of a communications server or router to provide authentication prior to network entry, and software security servers (i.e., software running on a dedicated machine designed to operate directly on the network), for example, on a Windows NT or UNIX box. Server-based authentication software responds to requests originating from network access control points, such as firewalls, remote access servers, or O/S security software. An Authentication Security Server. An authentication security server is not a communications server. In many cases, third-party vendors work with the manufacturers of firewalls, communications servers, and routers to integrate user authentication technology so that users may be authenticated before they pass through gateways to the LAN. Types of communications servers that integrate third-party user authentication technology include: Shiva’s LANRover; Microsoft’s NT Remote Access Service (RAS) Server; Attachmate’s Remote LAN Node Server (RLN), a Cisco router operating as a communications server; Checkpoint’s firewall; and Atlantic 208
AU1253_ch17_Frame Page 209 Saturday, October 26, 2002 4:39 PM
Remote Access Authentication Systems Group’s TurnStyle firewall. The entire authentication process is dependent on the use of tokens (either hardware or software) so that onetime-use passwords used for authentication can be generated on both ends of the authentication process and then compared before access is granted. (Passwords are generated on the user’s end by the token, and at the network server end by the authentication server.) Authentication Tokens. Some of the tokens that work with the previously mentioned authentication servers may be used to verify dial-up users, users already on LANs, or users seeking access to a LAN through the Internet. Different tokens have different capabilities. Some products even authenticate users connecting through fax machines or telephones. Tokens can be small, handheld, hardware devices, a connector-sized device that sits between a computer and a modem, or software that runs on the user’s PC. Some have more complex features and are considered more secure than others. However, all challenge–response tokens serve the same purpose. They generate passwords that a user’s PC transmits to an authentication server that resides at an access point on a network. Alternatively, they transmit them to authentication software residing on, for example, a Microsoft NT Remote Access Server.
The authentication servers (or the software residing on a PC or workstation located directly on the network) verify that the users are who they say they are when they first identify themselves. Challenge-Response Asynchronous Authentication. In a secure, challenge– response, asynchronous authentication process, network managers typically configure the tokens themselves — a definite benefit over factory-issued secret keys. No one except the network manager or administrator has access to the database of user secret keys and other pertinent user information. A LAN dial-up remote access can provide an example of how this works. A user dials up remotely, and before the network allows the user access, the call is intercepted by a master authentication device (or a software authentication server), which prompts the user for an ID. When the user is identified as one of the individuals allowed access to the network, the server issues a random, alphanumeric challenge to begin the process of authenticating (i.e., determining that the user is who he or she says he or she is).
That random challenge is used by both the token and the server to calculate a one-time-use password based on a secret key value stored in both the token and the server. The process typically involves the use of an encryption algorithm. The reliability of the algorithm used in an organization’s authentication solution should be carefully evaluated. Solutions that employ the challenge–response process, secret user keys, and encryption algorithms to generate passwords result in a very high 209
AU1253_ch17_Frame Page 210 Saturday, October 26, 2002 4:39 PM
SECURITY level of authentication security. The one-time-use passwords are issued only once, can be used only once, and even if stolen or captured can never be used again. The mathematics involved in the encryption process to calculate the passwords makes it essentially impossible to reuse them. Synchronous-Only-Based Authentication. Time-only synchronous authentication is based on time clocks and secret keys that reside in two places: on the network side (i.e., protected) and on the user side (i.e., the side to be authenticated). On the network side, a time clock and database of secret keys operate in either a dedicated, authentication hardware box or in a software authentication server. On the user side of the authentication equation, a clock, which is synchronized to the authentication server, and a secret key (corresponding to a secret key in the server) operate inside the token.
Several implementations are possible of time-only synchronous authentication. In one specific time-synchronous scheme, a proprietary algorithm continually executes in the token to generate access codes based on the time clock and the token’s secret key. In this case, the time is the “variable.” A new access code is generated by the token approximately once a minute. The token is always activated. When the user dials into the authentication server, the server issues a prompt to the user for an access code. The user simply attaches his or her secret personal identification number (PIN) to the code currently displayed on his or her token at the moment access is required, and then the user transmits the combined PIN and code (which become the “one-time password”). This code is transmitted over telephone lines to the authentication server. The server uses the PIN to identify the user to compare the transmitted access code with its own current version for that user. In a different implementation of time-synchronous authentication, the user enters his or her secret PIN to activate the token, which then generates a true, one-time-use password based on the token time clock and a secret key value stored inside the token. This system is more secure, because the password generated does not include the PIN when it is transmitted over public telephone lines or networks. PINs should always remain secret to be considered a viable part of the “two-factor” authentication process. Twofactor refers to something secret that only the user knows (i.e., his or her PIN) and something held in the user’s possession (i.e., his or her token). For secret information to remain secret, it should not be transmitted in any way that allows unauthorized individuals to hack the information and use it at a later date. If someone captures a PIN as it is being transmitted over public telephone lines, it would be relatively easy to steal the token and use it to gain unauthorized access. It does not matter if the access code is considered a one-time-use password: if a thief has the PIN and the token, he or she has what is needed for unauthorized access to confidential information. 210
AU1253_ch17_Frame Page 211 Saturday, October 26, 2002 4:39 PM
Remote Access Authentication Window of Time. Time-only synchronous authentication systems are based on making available a “window of time” within which the password match must occur. The time clocks in the server and the token must remain “in sync” because the time is the variable on which the calculation depends. If the clocks are too far off, the user is denied access.
At this point, the technologies differ. When the token becomes out of sync with the server, there must be an efficient, cost-effective, user-transparent way to resynchronize the token. The user would be frustrated if he or she had to return his or her token for reprogramming before the information being requested is accessed. Centralized and remote token resetting capabilities should be considered, as well as the conditions under which tokens must be replaced. Replacing tokens or having to return them to a system administrator for resetting can be time consuming and expensive. Authentication tokens should be “unlocked” remotely, preferably with some pre-arranged signal or code that only the user and the network administrator know. Finally, the time on the token clocks gradually drifts, resulting in a lack of synchronization. If there are no provisions for unlocking or resetting, or for automatic switching of modes of operation (e.g., from synchronous to asynchronous) to back up the synchronous token, the authentication server, by necessity, will have to provide a larger “window of time” during which a user can be authenticated. Otherwise, too many tokens would go out of sync too often. The larger the window of time, the greater the security risk that someone will intercept passwords or PINs (if they are part of the transmission). Synchronous Event–Plus–Time Authentication. In event-plus-time synchronous authentication, the token also uses an algorithm and a secret key to generate passwords. However, it is based on two dynamic variables, instead of one, which increases the level of password security. The two variables are an event counter (i.e., the primary variable), and a time clock (i.e., the secondary variable). In one particular implementation of synchronous event–plus–time authentication, there is also a third variable — a unique secret key that is calculated each time a password is generated by the token. This key becomes the secret key used to generate the succeeding password, the next time the user activates the token. The first variable, “event,” refers to the number of times a password has been generated by the token. The second variable, “time,” refers to the clock counter in the token. The third variable — the new, unique key generated each time a password is issued — makes these event–plus–time-synchronous passwords the strongest on the market.
For all synchronization authentication systems, questions should be asked about overall system management and token secret parameter 211
AU1253_ch17_Frame Page 212 Saturday, October 26, 2002 4:39 PM
SECURITY programming. For example, network administrators should be able to maintain control not only of locking-unlocking procedures, but also of the user database, the setting of security parameters, and token programming. To comply with internationally recognized computer security standards, there should always be a “barrier” between the factory, which produces the tokens, and the customer, who operates those tokens. Specifically, secret parameters should be set by the customer, not by the vendor. Tokens that are programmed at the factory (or by the vendor) should be viewed with caution. It is possible that such products may result in people outside the organization having access to secret key values, user databases, and other basic token operations. These functions form the basis of secure user authentication. Such operations should remain under the auspices of the network administrators at all times. A final point to consider with synchronous authentication systems is system management. Managing sites with a large number of users can become a daunting task under certain conditions. Questions should be asked about how the technology is going to handle distributed or centralized authentication system and token management, and how many servers will be necessary for the variety of access points or geographical locations that be must secured. The answers to these should be compared with other solutions. In the case of some technologies, cost-effective, efficient authentication system management can be impossible to achieve, and it may be necessary to purchase a larger number of authentication servers with one technology than with another. The cost of the overall user authentication system should be considered, not just the cost of the tokens, whether they are hardware or software. Finally, when considering the cost of tokens, the frequency of replacement should be considered. CONCLUSION This chapter has discussed several methods of authenticating users: time– based–only synchronous authentication; event–plus–time–based synchronous authentication; and challenge–response asynchronous authentication. Each offers a different level of security and reliability when it comes to user authentication. The choice depends on the organization’s overall security policy and the depth of user authentication required. The technology of the different types of user authentication tokens should be carefully compared. The authentication technology requirements may be quite simple if security requirements are limited. On the other hand, an organization may require more reliable technology, such as two-factor, challenge–response asynchronous, or event–plus–time–based synchronous authentication. In an Internet atmosphere headed toward universal standards, the scalability and reliability of authentication systems based on technology that is not standards based, or authentication based on a time clock only, should be considered highly suspect. 212
AU1253_ch18_Frame Page 213 Saturday, October 26, 2002 4:40 PM
Chapter 18
Security Risks in Telecommuting Pirkka Palomaki*
Although a growing number of people work outside traditional offices, telecommuting does not come without a price. The challenge of managing configurations, software versions, and security settings can easily become a burden unless it is carefully designed and implemented. The increased number of telecommuters also means that personal computers outside the office are processing more sensitive and valuable corporate data. Because of this, a growing number of notebook computers and the data stored within them are subject to outright theft. As demonstrated in the recent theft of portable computers at the U.S. State Department, the most valuable asset in a laptop system is typically its data — not the system itself. Security concerns outside the office are typically caused by traditional thieves, hackers, high-tech criminals, viruses, and other malicious users and uses of code. The targets for attacks are the files stored on hard drives and other media, data transferred between remote clients and the internal networks, or the remote system itself, when used to gain access to the corporate networks. There are many common-sense means of lowering security risks, such as never leaving the laptop alone; but this is neither practical nor an absolute deterrent. In addition, the data needs to be inaccessible by third parties when transmitted over the network or in case the hardware is stolen. When users are traveling, the most obvious protective systems include encrypting all the data that is stored as well as transferred, and checking for malicious code when a file is opened, moved, or saved. Users do not want security to make accessing data more complex, nor do they want to remember to take extra steps to be protected. That is why the security solution must enforce the corporate security policy transparently, regardless of users’ actions. Also, the systems must be updated remotely to contain the latest protective measures without any
*©2003 by Pirkka Palomaki. All rights reserved.
213
AU1253_ch18_Frame Page 214 Saturday, October 26, 2002 4:40 PM
SECURITY user intervention. By making security measures transparent, the users are not inconvenienced by them, nor can they counteract them. TELECOMMUTING IN TODAY’S DISTRIBUTED ENTERPRISE More and more companies are allowing developers, support staff, and other groups of employees to work from home. Companies see telecommuting as a way to offer more flexibility and as a tool to increase productivity with available resources. Telecommuters have a variety of needs when connecting to the corporate network. The most common needs are remote access to corporate e-mail, as well as file and intranet servers. From the telecommuter’s perspective, the goal is to connect to the corporate internal networks on the road or at home as easily as if they were at the office. As the number of telecommuters grows, the challenge of managing the configurations, software versions, and security settings can easily become a burden unless they are carefully designed. From the information technology (IT) perspective, telecommuting poses many additional challenges in creating connectivity and managing a widely distributed base of software and equipment. In addition, there are many data security risks involved with telecommuters. WHO AND WHAT POSES SECURITY RISKS Traditional Thieves The proliferation of portable computers has resulted in increasing occurrences of laptop theft. It is big business, and some have estimated that as many as 10 percent of all laptops are stolen. Although the hardware can be easily replaced, the downtime and the effort of getting a new system up and running and recovering data can be frustrating. Industrial Espionage Corporate strategies, budget figures, customer lists, and new product designs are usually many times more valuable than the loss of any hardware that is stolen. In some cases, the loss of this data can bankrupt a company. Because users cannot watch their laptops all the time, unprotected data from these machines is vulnerable. Hardware repairs and upgrades performed by third parties can give company outsiders access to disks and the information stored in them. Hackers There are many hackers who, as a hobby, try to break into corporate systems. Contrary to common belief, many of them do not have great skills and are not creative; they simply use hacking software for their exploits. 214
AU1253_ch18_Frame Page 215 Saturday, October 26, 2002 4:40 PM
Security Risks in Telecommuting Unfortunately, the Internet has made these types of software products commonplace and easily available. The motivation behind hacking could be the challenge, but once in the system, the opportunity might allure the hacker into stealing information or destroying it; either action damages the organization. And, while internal networks are still the largest place where information is stolen, proprietary information is also increasingly being stolen via hacking. High-Tech Criminals If the transactions between telecommuters and corporate networks are very valuable, the telecommuters and their access points could easily become tempting targets for high-tech criminals. Altering a transaction and impersonating a company executive are among the easy methods of attack. In any event, potential losses due to computer-based financial fraud are devastating, whether perpetrated by intruders or dishonest employees. Viruses and Other Types of Malicious Code A virus is a program that is intended to spread within hosts by, for example, infecting program files and documents. Viruses originate from various programmers who try to conceal their identities. Typically, these people are rebel teenagers or adult macro experts. Viruses are not the only harmful programs. In fact, malicious programs come in many forms. In addition to viruses, there are worms, which spread independently over the network, for example; logic bombs, which are harmful hidden features in programs; and Trojan horses, which are harmful programs that appear harmless. Viruses spread when people exchange data (e.g., programs, documents, and diskettes). They may use encryption to hide, and may lay dormant — only to restart spreading when activated. When and if a virus activates, it may show text, animations, or music; delete data; modify data; and, as of late, steal data by sending or posting it to someone somewhere. Macro viruses currently cause about 80 percent of the infections, and e-mail attachments are the source in 80 percent of cases. The most likely method to get infected is to receive an infected Word document in e-mail from a known party. Viruses and other types of malicious programs are the most common computer security threat to corporate networks. TYPES OF SECURITY RISKS IN TELECOMMUTING Computers and data stored within them face a multitude of security threats. Laptops can be stolen, unauthorized persons can access files, and the system can be contaminated by viruses from CDs, diskettes, or the 215
AU1253_ch18_Frame Page 216 Saturday, October 26, 2002 4:40 PM
SECURITY Internet. In addition, network data could be listened to, and the system could be actively attacked when connected to the network. Files Stored on Laptops A variety of data is stored on hard drives and portable media, including floppy disks, zip drives and CD-ROMs. The data ranges from corporate strategy to customer lists, and from new product ideas to personal files. Despite the greater need for PC security, Windows 95/98 does not include security features such as encryption or access control. The Windows 95 user log-on feature, often mistaken for access control, merely allows the user to invoke a predefined user profile of screen options and preferences, and to log on to workgroups and networks. This log-on feature does not provide security for that system. An unauthorized user could circumvent this feature simply by hitting the ESC key. Windows NT provides a little better protection with its access control. However, even the NT File System (NTFS) can be accessed in a matter of seconds with freely available software without any passwords. The malicious person need only have physical access to the computer, and can then boot the system from a floppy disk. In addition, access control on Windows servers and workstations is vulnerable to several types of attacks due to its implementation weakness. Data Transferred between Remote Systems and Internal Networks The data transferred between remote stations and corporate networks is in many cases the weak link for gaining unauthorized access to information. Many companies use private remote access services that the telecommuters dial in. Increasingly, these dedicated modem pools are being replaced by the Internet because telecommuters prefer to use the built-in Ethernet connections of hotels, cable TV Internet connections, and asymmetric digital subscriber lines (ADSL) for getting high-speed access to corporate resources, as compared with traditional modem lines. In either case, whether the data is transferred over traditional modem lines to corporate private modem pools, or if it is transferred over the Internet, the data is subject to eavesdropping and man-in-the-middle attacks. The thief usually tries to capture e-mail conversations, documents, and other pieces of data transferred over the network. Extremely tempting targets are, of course, the user names and passwords that many applications transfer unencrypted. Even the Windows NT user names and passwords that include built-in protective measures can be easily cracked, if one listens to the traffic from the network, with tools easily available from the Internet. If the user names and passwords are used as the authentication method and they are compromised, an unauthorized person 216
AU1253_ch18_Frame Page 217 Saturday, October 26, 2002 4:40 PM
Security Risks in Telecommuting can have easy entry to the corporate networks before the password is changed or the account is disabled. Access Control Some organizations that rely heavily on laptops for traveling employees will set up a fully automated connection so that the owner need not provide any passwords to log on to the system and to the network. While this promotes ease of use, it also allows anyone possessing the laptop — whether legitimately or through theft — to look like a legitimate user and masquerade as the laptop owner. Impersonating a company executive and sending e-mail in his or her name could cause potential havoc in the organization. Compromised Systems Laptops can also be exploited as an access point to the corporate network over the Internet. When a user logs on the corporate network, the device is then trusted as part of the internal network. The attacker could exploit a weakness in the operating system, or a network-aware virus could open a security hole in the system that allows a malicious person to use the remote system as a point of entry. A Trojan program could capture the user names and passwords and send them to someone over the Internet. A network-aware virus could also send documents to unwanted recipients over the network. In these ways, a remote system could easily be compromised if it has no anti-virus software, or the software is not frequently updated. MINIMIZING SECURITY RISKS Common-sense tips can help companies avoid security pitfalls. Thus, users should never leave their laptops unattended, nor should they carry a laptop in a bag that easily indicates that it contains a laptop. When traveling, they should always back up their data and programs both before leaving on a trip, and immediately upon their return. Even if the laptop is not stolen, its hard drive could be damaged when transferred. Even when people are trying to be careful, unwanted things can happen. Fortunately, there are many extra measures that users can take to protect the assets when telecommuting. Encrypting Stored Data Because no access control system is foolproof, all users have a primary need for powerful yet easy-to-use encryption software combined with access control options. Encrypting files improves security considerably in Windows NT 4.0 and Windows 95/98 environments, protecting against professional criminals’ stealing confidential information and hiding personal secrets from unintended eyes. 217
AU1253_ch18_Frame Page 218 Saturday, October 26, 2002 4:40 PM
SECURITY The data needs to be encrypted whenever it is stored and encrypted to memory on an as-needed basis. The encryption and decryption process should not require any additional steps from the user, but the process must be on-the-fly whenever a document is opened, saved, or moved after the valid user is authenticated. Many applications also store open documents, backup documents, and other potentially sensitive data files as temporary files. Some of these files can remain on the hard disk for a long time. On-the-fly encryption ensures that the temporary files are also protected, and nobody else can gain access to them. In addition, should the computer accidentally run out of batteries, the data remains encrypted on the hard drive because only the unencrypted copy is stored in the computer’s memory. A good solution to protect locally stored data is to authenticate the user and offer on-the-fly encryption for locally stored data on Windows 95/98 and Windows NT systems. Encrypting Data When Transferred Whenever any data is transferred between a remote computer and the corporate network, the network security software should authenticate the corporate security gateway, and the corporate security gateway should authenticate the remote user to prevent a man-in-the-middle attack. All data should also be encrypted and authenticated to prevent eavesdropping and malicious people from inserting information into the data streams. A good solution to strongly authenticate users and devices, as well as encrypt data between remote systems and corporate networks, uses X.509 certificates, IPSec, and IKE for encryption and authentication. Controlling the Types of Connections Once connected to the Internet, it is good to limit connections that can be made to the remote system. The security software should selectively filter out incoming connections and only allow authenticated and encrypted connections to the corporate networks, while maintaining connectivity to the Internet. The corporate security policy should control the connections allowed and the connection methods. Controlling these types of connections can prevent an attacker from exploiting vulnerabilities that the operating system or other installed software might have. In addition to strong encryption and authentication, policy-based control can remotely manage the types of allowed and disallowed connections. Protecting Encryption Keys The keys used to authenticate users over networks and to protect the actual encryption keying material both require locally stored secrets. The 218
AU1253_ch18_Frame Page 219 Saturday, October 26, 2002 4:40 PM
Security Risks in Telecommuting strength of the encryption relies on the unpredictability of these keys, key length (which makes it too costly and time intensive to try every key combination), and the fact that the keys are not directly accessible. Well-designed encryption software will encrypt the keys when they are stored on the hard drive. Optionally, the keys can be stored and processed in removable, media-like smart cards. However, the storage device for keys is itself an attractive target and must be carefully protected. The process of encrypting and decrypting the encryption and authentication keys should be done automatically at the session log-in and log-out times, using a key derived from a passphrase that the user supplies. It is best to use a software approach that protects the encryption and authentication keys stored on the hard drive, although there is a movement toward utilizing external authentication devices, including smart cards. Checking for Malicious Code Any time a document is received or a floppy disk or CD-ROM is inserted, malicious code can enter the system. That is why the security software must check the files any time before they are executed, moved, or copied. New viruses are created on a daily basis. Therefore, it is essential that the antivirus products be updated frequently and that virus signatures be updated daily. Integrating Security Functions Encryption and antivirus products must be aware of each other. Otherwise, the antivirus product might be inspecting encrypted files, leaving the malicious code undetected. The various aspects of data security must be integrated into one functional package. Some antivirus suites integrate network encryption, file encryption, and malicious code protection into one complete solution. Enforcing the Corporate Security Policy Security software is of no benefit if it is not used according to corporate security policy. Typical users tend not to enforce security, especially if there are additional steps to take to encrypt data, scan for viruses, or update the software. Therefore, the security solution should be as transparent to the user as possible, and the security software should automatically enforce the corporate security policy. Because system administrators might not have physical access to laptops and other remote systems, software installations, updates, and security policy changes should be carried out over the network from a central location. A centrally managed package can provide protection both in and outside the office, with low operating costs and a low total cost of ownership. 219
AU1253_ch18_Frame Page 220 Saturday, October 26, 2002 4:40 PM
SECURITY CONCLUSION With the increasing number of systems and data being used outside of offices, it is essential to protect the systems against loss of information. To cover the majority of the security risks associated with telecommuting, all data should be encrypted when it is stored or moved across the network, and all data should be checked for viruses and other types of malicious content before it is opened or saved. For a security solution to be effective, it must be transparent to users and automatically enforce the corporate security policy. With encryption and content checking automatically performed, users need not learn new features or steps. The different security solutions must be aware of each other so they can work effectively to avoid any security holes between the applications. For example, an antivirus solution should be aware of encryption solutions so that the inspection happens after the data is decrypted. Managing the remotely used system is another area of concern. Even when computers are used on the road, the software and security policy settings should be periodically updated and system status reports should be viewed. Security solutions for telecommuters should have remote management capabilities that allow systems administrators to perform their maintenance operations over the network.
220
AU1253_ch19_Frame Page 221 Saturday, October 26, 2002 4:41 PM
Chapter 19
Secure External Network Communications John R. Vacca
This chapter explores and defines issues and terms surrounding secure external network communications with regards to remote access, control, and management of the networked information and communications devices that are at the heart of virtually all enterprises today. It describes how mouse, keyboard, and video (MKV) signals have been used for remote access and control. It further identifies two critical areas of concern: physical access as well as possible electronic intrusion (hacking, theft, or corruption of data) via the remote access system. This chapter also discusses how other enterprise-class MKV and secure external network communications device management systems that are being developed uniquely address these issues and concerns. INTRODUCTION Most Windows or UNIX type servers are basically high-powered and specialized PCs that require a mouse, keyboard, and video (MKV) to operate. Although many server management functions can be performed externally or remotely through secure network management systems (NMS) tools such as TIVOLI, CA Unicenter, or HP OPENView, some specific tasks and server configurations can only be done through MKV access. An example of this is the boot process in which the basic input/output system (BIOS) and the operating system configuration and set-up take place. This process occurs before the secure external networking communications layer is operational on that system, so that network-based tools cannot be used. Some other tasks and functions that MKV access provides are: • Initial operating system configuration • Reboot server after system crash
0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
221
AU1253_ch19_Frame Page 222 Saturday, October 26, 2002 4:41 PM
SECURITY
Exhibit 1.
Simple Mouse, Keyboard, and Video Control
• Monitor system boot • Monitor server performance • Access BIOS to alter server hardware configuration Once servers are up and running, the need to utilize the system-level access, while crucial to maintaining high availability, is relatively infrequent. Therefore, allocating the facility space for a keyboard, video display, and a mouse for each server is unacceptably expensive. To solve this, the market proposes systems that allow sharing those MKV apparatus among several servers. The basic objective of an MKV system is to provide access to more than one server, reducing the real estate requirement within the data center by removing the need for individual mouse, keyboard, and video. While simple MKV switching systems (see Exhibit 1) are capable of meeting this objective for a few servers, they are not scaled to meet the needs of the data center or server farm environment. Advanced server management systems that utilize MKV switching provide additional security, scalability, and productivity capabilities beyond this basic objective. By adding true management capabilities, these advanced MKV-based tools must be considered mandatory for the implementation of a server farm. A modern MKV-based remote server management provides dramatically improved productivity and external security and remote site support. Dramatically Improved Productivity and External Security An advanced MKV-based solution enables support staff to be grouped into a standard work environment suitable for support of all contracts and for many services (e.g., help desk, server support, etc.) while enabling people to assume multiple roles. It also enables and facilitates the redeployment or consolidation of staff across multiple contracts into a centralized support location. This limited, centralized headcount obviously decreases the security risks present when larger numbers of uncontrolled users are allowed into the data center or server farm area. 222
AU1253_ch19_Frame Page 223 Saturday, October 26, 2002 4:41 PM
Secure External Network Communications
System Administrators
Exhibit 2.
Server Farm
The MKV Free-For-All: Virtual Chaos
REMOTE SITE SUPPORT An extension of this architecture facilitates complete lights-out support for remote servers, including remote power-on, power-off, and reboot capabilities. Remote server management enables secure, lights-out, and access of sites with a small number of servers. DATA CENTERS WITH MKV: A VIRTUAL CHAOS Traditional MKV switches are simple devices. They are typically located in each server rack or next to a bank of servers. Along with a switch, each rack or storage unit contains a keyboard, monitor, and mouse that will be connected to the servers in that rack. Therefore, in a traditional MKV environment, a user must get up from his or her desk, walk over to the data center, find the server to be used (see Exhibit 2), and stand while they type in front of the enclosure. Some environments eliminate the MKV from the rack, but use a “crash cart,” a cart with keyboard, video display, and mouse on it. This cart gets rolled up to a rack when a server crashes, and the technician identifies the faulting server, plugs in the cart’s MKV, and takes local control of the server. These work environments are not only uncomfortable and insecure, they also result in higher support costs from reduced productivity; higher facilities costs from storing numerous monitors, keyboards, mice, and switches in each rack; and increased risk of physical hazard due to rolling a cart through and around racks. In addition, these work environments also have the following problems: 223
AU1253_ch19_Frame Page 224 Saturday, October 26, 2002 4:41 PM
SECURITY • • • •
Security at risk just from the physical complexity Administration, audit, and management tools almost nonexistent Virtually zero flexibility in architecture (lack of scalability) Highly complex, difficult to install and maintain cabling infrastructure
An advanced MKV-based server access and control solution should allow any authorized individual to have direct access to any server with no single point of contention without having to move from his or her desk. It should also carry MKV (or serial console) signals from each server or device to a sophisticated intelligent matrix switch, which is in turn connected to system users. Users should be able to connect only to the servers that are specified in a SQL server database, and only after successful domain identification, providing outstanding external system security. A network operator should be able to have immediate access from his or her desktop and connect to any server within the data center. Any number of external network communications operations personnel should be able to have access to any number of servers without impacting and limiting the workload of others by reducing any downtime to your client’s servers. An MKV free-for-all server management system (SMS) architecture could not be simpler (see Exhibit 3). The MKV signals are delivered from a variety of active transmit devices over a single Category 5 twisted pair cable to the switch. This allows fast and easy connection of servers over
Server Management System
System Administrators
Server Farm
Exhibit 3.
224
Virtual Control
AU1253_ch19_Frame Page 225 Saturday, October 26, 2002 4:41 PM
Secure External Network Communications a simple, cost-effective and de facto standard cabling infrastructure. From the switch, the connection to each desktop receiver that connects to the MKV is again, a single Category 5 twisted pair cable connection The intelligence of an MKV free-for-all SMS is delivered by a single NT server with an SQL database that translates the key commands from the operator and switches servers to requested users. The role of the SQL database is twofold; it holds all the access rights for users and servers for external security and it logs all transactions made by the switch. The hardware and software work together to deliver a global, enterprise-class solution. Virtual Proximity An MKV free-for-all SMS puts control into the hands of specialists through MKV access of distant or external devices. The performance and quality of these external sessions is so good that no matter how distant the operator or administrator is from the target device, the look and feel and control are as if he or she is sitting at the target device. By providing this robust, high-quality connection, there are fewer reasons to physically visit the target device. Reduced visits clearly equal greater external security. THE DILEMMA: PROVIDE ACCESS, BUT PREVENT ACCESS No one argues against the need for secure external network communications device management, just as no one argues against the need for network security. A dilemma arises because access for management provides a possibility for access for mischief, vandalism or even terrorism. An effective solution must ensure that the remote device access system includes additional layers or levels of external security functionality to eliminate risk of intrusion through the system (see Exhibit 4). RISKING THE ENTERPRISE Much of the early concern for external security on network communications centered on protecting the proprietary data that flows across the network from storage to user and from user to user. The second area of concern has been to protect the data from corruption, usually by a virus. Effective encryption and ever-vigilant virus protection applications have generally done an excellent job (when vigilantly applied!) in preventing serious widespread damage. More recently, as enterprises have become increasingly dependent upon the performance, reliability, and integrity of the network, other concerns have come to the forefront. Direct attacks, such as denial of service (DoS), have temporarily, but expensively, crippled well-known Web-based enterprises. Today all external secure network communications management is in a heightened state of awareness to the vulnerabilities of their 225
AU1253_ch19_Frame Page 226 Saturday, October 26, 2002 4:41 PM
SECURITY
System Administrators
Video Wall
Server Farm Network Operations Center
Exhibit 4.
Optimum Security: Lights Out Environment
architecture and infrastructure as a result of the pervasive and incomprehensible threat of irrational terrorist behavior. According to a 2001 survey and study of 360 Fortune 1000 companies by The Standish Group, losses due to downtime average between $2000 and $38,000 per minute. Gartner/ Dataquest found that downtime in general varied between $22,000 and up to $8 million an hour. In times of tight operating profits, risking downtime for any cause, especially due to potential external security breaches, may very well be putting the entire enterprise at risk An effective external device access and management system must not provide an opportunity for breaching the network. It must, however, add to, not diminish, the overall external security of the network communications environment. SOME UNIQUE CONCERNS IN THE DATA CENTER ENVIRONMENT As mentioned, external network communications security has been a concern from the earliest days of simple print and file sharing. But, along with the many technical and enterprise benefits that are achieved by centralizing and consolidating network communications assets into a data center environment, some additional security concerns emerge. The first is the inadvertent, accidental bump or trip into a device while legitimately accessing another proximate device. While connecting a local keyboard, video, and mouse from a “crash cart” to reboot a racked server, for example, 226
AU1253_ch19_Frame Page 227 Saturday, October 26, 2002 4:41 PM
Secure External Network Communications a technician might accidentally nudge a cable on the next device in the rack. Despite the “domino effect” this has—causing another device to fault, alerts to be sent, trouble tickets to be generated, and another dispatch of a technician into the data center (not to mention service disruption and possible Service Level Agreement (SLA) implications)—that unintentional disconnect is, perhaps, the least worrisome Of greater concern is the enormous potential for damage to enterprisecritical devices concentrated in rows of racks and cages with common physical access. Once in, someone with malicious intent could wreak havoc. The common thread in both these scenarios is physical access. The ideal data center strives to achieve “lights out” security as shown in Exhibit 4. Simply defined, lights out refers to a condition not requiring lighting, because there is no staff needed in the operating data center itself, except under extraordinary circumstances. That condition requires an external system for accessing and managing the devices in the data center, eliminating, as much as possible, the need for staff to enter. The external access system has to allow “smart hands” to have any time, anywhere “global reach.” The relationship between the number of people physically accessing the data center and the risk is direct: the more people, the greater the risk. Providing an effective offsite external device management strategy can add significantly to the security of the data center site itself. An effective and secure external device management system allows the data center to be situated distant from high-risk urban areas, providing an additional barrier to physical access as a layer of protection ELECTRONIC INTRUSION Clearly not every potential risk is that of unauthorized or inadvertent physical contact with the devices on the network. The financial cost both in terms of revenue and loss of customers (and their confidence), caused by recent massive denial of service (DoS) attacks has been enormous, as well as virus and worm dissemination that has been well-documented elsewhere. Externally securing against unauthorized electronic access becomes paramount, especially as the data center itself becomes more physically secure and Internet access becomes so widely and readily available. The external secure network communications device management system must be built so that no additional access risk is incurred. EXTERNAL SECURITY IS A CORNERSTONE OF DEVELOPMENT Enhancing external security is a key goal in the ongoing development of an MKV free-for-all SMS. Acronymic protocols such as C2 and SSL and operating system and applications protocols such as log-on and password protection are among those development approaches. 227
AU1253_ch19_Frame Page 228 Saturday, October 26, 2002 4:41 PM
SECURITY NCSC Class C2 Class C2 is a rating granted by the National Computer Security Center (NCSC) for products that have been evaluated against the Department of Defense Trusted Computer System Evaluation Criteria (TCSEC). The standard TCSEC evaluation is frequently referred to as the “Orange Book. These criteria are the measurement against which products are evaluated for degrees of trust that can be placed on any given computer system to provide a level of confidence for government offices and enterprises that process classified or other secure information. The Class C2 evaluation criteria are the minimum security rating required by many government agencies and offices (branches of the military, IRS, Federal Reserve, intelligence agencies, etc.), and by many enterprises. Products achieving a Class C2 security rating have been evaluated and tested by an independent third party against a known criterion. Here, the third party is the United States federal government. This independent evaluation allows customers to make good purchasing decisions with a basis of trust established by an objective analysis, not just on claims of the vendor.* An MKV free-for-all SMS utilizes access control, consistent with C2 Classification, to ensure that users only “see” or access servers and devices for which they are authorized. Based on feedback from enterprise customers and service provider customers, Class C2 meets the needs of an enterprise’s customer base for commercial systems. OS LOG-ON/PASSWORD An MKV free-for-all SMS application should run on a client PC or workstation under Windows NT, 2000, or XP. The user workstation is protected by the operating system, requiring both a log-on and password to access the machine, even before attempting access to any of the applications on the machine. Furthermore, with regard to the application log-on/password, the MKV free-for-all SMS application itself should utilize a Windows application standard log-on/password to open the application itself. SECURE SOCKET LAYER FOR EXTERNAL IP CONNECTIONS Secure Sockets Layer (SSL) is a protocol developed by Netscape for transmitting private documents via the Internet. SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely. SSL works by using a public key to encrypt data that is transferred over the SSL connection. Both Netscape Navigator and Internet Explorer
* The NCSC grants several levels of security ratings. For additional information on these security ratings, contact the NCSC at http://www.radium.ncsc.mil/tpep/epl or by calling + 1 410-859-4458.
228
AU1253_ch19_Frame Page 229 Saturday, October 26, 2002 4:41 PM
Secure External Network Communications
HTTP
LDAP
IMAP
Secure Sockets Layer
Application Layer Network Layer
TCP/IP Layer
Exhibit 5.
SSL Runs above TCP/IP and below High-Level Application Protocols
support SSL, and many Web sites use the protocol to obtain and protect sensitive and confidential user information, such as credit card numbers. The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP as shown in Exhibit 5. It uses TCP/IP on behalf of the higher-level protocols, and in the process, allows an SSL-enabled server to authenticate itself to an SSL-enabled client; allows the client to authenticate itself to the server; and allows both machines to establish an encrypted connection. The following capabilities address fundamental concerns about communication over the Internet and other TCP/IP networks: • SSL server authentication • SSL client authentication • An encrypted SSL connection SSL Server Authentication SSL server authentication allows a user to confirm a server’s identity. SSL-enabled client software can use standard techniques of public-key cryptography to check that a server’s certificate and public ID are valid and have been issued by a certificate authority (CA) listed in the client’s list of trusted CAs. This confirmation might be important if the user, for example, is sending a credit card number over the network and wants to check the receiving server’s identity. SSL Client Authentication SSL client authentication allows a server to confirm a user’s identity. By using the same techniques as those used for server authentication, SSLenabled server software can check that a client’s certificate and public ID are valid and have been issued by a certificate authority (CA) listed in the server’s list of trusted CAs. This confirmation might be important if the server, for example, is a bank sending confidential financial information to a customer and wants to check the recipient’s identity. An Encrypted SSL Connection An encrypted SSL connection requires all information sent between a client and a server to be encrypted by the sending software and decrypted by the 229
AU1253_ch19_Frame Page 230 Saturday, October 26, 2002 4:41 PM
SECURITY receiving software, thus providing a high degree of confidentiality. In addition, all data sent over an encrypted SSL connection is protected with a mechanism for detecting tampering, that is, for automatically determining whether the data has been altered in transit. The SSL protocol includes two subprotocols: the SSL record protocol and the SSL handshake protocol. The SSL record protocol defines the format used to transmit data. The SSL handshake protocol involves using the SSL record protocol to exchange a series of messages between an SSL-enabled server and an SSL-enabled client when they first establish an SSL connection. This exchange of messages is designed to facilitate the following actions: • Authenticate the server to the client. • Allow the client and server to select the cryptographic algorithms, or ciphers, that they both support. • Optionally authenticate the client to the server. • Use public-key encryption techniques to generate shared secrets. • Establish an encrypted SSL connection (http:developer.netscape.com/ docs/manuals/security/sslin/contents.htm). SYSTEM ARCHITECTURE The MKV free-for-all SMS is engineered to deliver mouse, keyboard, video (MKV), and serial console signals over industry standard Category 5/6 unshielded twisted pair (UTP) cable. However, it operates “out-of band,” that is, off the data network. It is not connected to the hubs, the routers, or the switches that move sensitive organizational data. Therefore, only MKV or serial console display signals are traveling on the “maintenance network” — the separate CAT5 cabling dedicated to managing the external secure network communications devices. This architecture allows access to the content of each screen, but prevents access to the content of disk drives or memory. Finally, the “non-blocked” architecture previously described provides maximum flexibility in assigning server assets to users, relying on significant software techniques to secure and manage users and servers. Implementing a blocked or blocking architecture (as shown in Exhibit 6) by deploying smaller satellite feeder and blocking switches reduces flexibility, but increases external security by creating a “hardwired” connection between specific servers and users. CONCLUSION AND SUMMARY Because the network, its infrastructure, and the data that passes over it are elemental to the enterprises that deploy them, attention must be given to external security at every point on and connected to the network. Enterprise network managers are responsible for “managing” this enterprise 230
AU1253_ch19_Frame Page 231 Saturday, October 26, 2002 4:41 PM
Secure External Network Communications
Receiver Matrix Server Switch
Server Racks
Work Area
Satellite 8:2 Switch
Exhibit 6.
Simple “Blocked” Configuration
critical asset. Traditional device access tools, such as MKV switches, must be viewed in a new light. And, when put to the test, they cannot meet the rigid standards for access prevention (unauthorized access prevention), while providing a seamless management tool. Finally, given this evergreater need to ensure the continuity of the enterprise by assuring the integrity of the network, the external security standards of the remote network device access and management system can uniquely be met by the only true enterprise solution – MKV free-for-all SMS.
231
AU1253_ch19_Frame Page 232 Saturday, October 26, 2002 4:41 PM
AU1253_ch20_Frame Page 233 Saturday, October 26, 2002 4:43 PM
Chapter 20
Dial-Up Security Controls Alan Berman Jeffrey L. Ott
As the need to provide information has grown, the capacity for unauthorized users to gain access to online dial-up computer systems has increased. This threat — and the consequences inherent in such an exposure — may have devastating results, from penetrating defense department computers to incapacitating large networks or shared computer facilities. Increased reliance on local area network- (LAN)-based microcomputers not only raises the threat of unauthorized modification or deletion of company critical data, but it also adds the possibility of infecting network users. Providing dial-in access is not limited to network or system access for the general user. There is often a greater exposure hidden in modems connected to maintenance ports on servers, routers, switches, and other network infrastructure devices. Any computing device with an attached modem is a potential target for someone looking for a device to hack. The problems associated with maintenance ports are the following: • Little attention is given to these ports because only one or two people use them, including vendors. • They provide immediate access to low-level administrative authority on the device. • Often they are delivered with default user IDs and passwords that are never changed. • Vendors have a notorious habit of using the same ID and password on all their machines. Look for modems directly attached to host systems, servers, switches, routers, PCs (both in offices and on the computer room floor), PBXs, and CBXs. Check with the department providing telecommunication services. They may have a list of phone numbers assigned to modems. However, do not count on this. At the very least, they should be able to provide a list of 0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
233
AU1253_ch20_Frame Page 234 Saturday, October 26, 2002 4:43 PM
SECURITY analog lines. Most of these will be fax machines, but some will be modems. Finally, to ensure the identification of all modems, run a war dialer against the phone numbers in the company’s exchange. Although the threats are numerous and consequences great, very few organizations have complete security programs to combat this problem. This chapter describes the steps that need to be taken to ensure the security of dial-up services. TYPES OF DIAL-UP ACCESS Dial-up capability uses a standard telephone line. A modem, the interface device required to use the telephone to transmit and receive data, translates a digital stream into an analog signal. The modem at the user’s site converts computer data coded in bits into an analog signal and sends that signal over a telephone line to the computer site. The modem at the computer site translates the analog signal back to binary-coded data. The procedure is reversed to send data from the computer site to the user site. Dial-up capability is supplied through standard telephone company direct-dial service or packet-switching networks. Direct Dial With a direct-dial facility, a user dials a telephone number that connects the originating device to the host computer. The computer site maintains modems and communications ports to handle the telephone line. Standard dial-up lines can be inordinately expensive, especially if the transmission involves anything other than a local call. For example, a customer in California who needs access to a brokerage or bank service in New York would find the cost of doing business over a standard telephone company dial-up line prohibitive for daily or weekly access and two-way transmission. Packet Switching Packet-switching networks provide a solution to the prohibitive telephone costs of long-distance dial-up service. The California user, for example, need only install the same type of telephone and modem on a direct dial-up system. Instead of dialing a number with a New York area code, the user dials a local telephone number that establishes a connection to the switching node within the area. Internally, packet-switching data transmission is handled differently from direct dial-up message transmission. Rather than form a direct connection and send and receive streams of data to and from the host computer, packet-switching networks receive several messages at a node. Messages are then grouped into data packets. Each packet has a size limitation, and messages that exceed this size are segmented into several 234
AU1253_ch20_Frame Page 235 Saturday, October 26, 2002 4:43 PM
Dial-Up Security Controls packets. Packets are passed from node to node within the network until the assigned destination is reached. To indicate the destination of the message, the user enters an assigned ID code and a password. The entered codes correlate to authorization and specify the computer site addressed. For the user’s purposes, the connection to the host computer is the same as if a dial-up line had been used, but the cost of the call is drastically reduced. In both dial-up service and packet-switching networks, the host site is responsible for protecting access to data stored in the computer. Because packet-switching networks require a user ID and a password to connect to a node, they would appear to provide an extra measure of security; however, this is not always the case, and this should not be a reason to abrogate the responsibility for security to the packet-switching network vendor. For some time, users of certain vendor’s packet-switching network facilities have known that it is possible to bypass the user ID and password check. It has been discovered that with very little experimentation, anyone can gain access to various dial-up computer sites in the United States and Canada because the area codes of these computer site communications ports are prefaced with the three digits of the respective telephone network area codes. The remainder of the computer address consists of three numeric characters and one alphanumeric character. Therefore, rather than determine a ten-digit dial-up number, which includes the area code, a hacker must simply determine the proper numeric code sequence identifier. The alphabetic character search is simplified or eliminated by assuming that the first address within the numeric set uses the letter A, the second B, and so on, until the correct code is entered. Accessing a computer site requires only a local node number, and these numbers are commonly posted in packet-switching network sites. Use of the local node number also substantially reduces dial-up access line costs for the unauthorized user. Packet-switching network vendors have responded to this problem with varying degrees of success, but special precaution should be exercised when these networks are used. MINIMIZING RISKS Hackers have a myriad of ways to obtain the phone number that can provide them with access to computer systems. Attempts can be made to randomly dial phone numbers in a given area code or phone exchange using demon dialers or war dialers. These were popularized in the 1980 movie, War Games. These hacking programs can be very useful in locating all the authorized and unauthorized modems located on the premises. War dialers can be written using a scripting language, such as that provided by the 235
AU1253_ch20_Frame Page 236 Saturday, October 26, 2002 4:43 PM
SECURITY communications software package Procomm Plus, or several can be found at various sites on the Internet. Understanding these dialers is very helpful in understanding the requirements needed for securing dial-in connections. Simpler methods, such as calling a company and asking for the dial-up number, may meet with success if the caller is believable and persistent. Calling operational personnel at the busiest time of the day (e.g., end of the day, before stock market or bank closes) is more likely to get a response from a harried computer operator or clerk. Other methods consist of rummaging through trash to locate discarded phone records that may reveal the number of the dial-up computer. A hacker will try these numbers manually, hoping to find the right line. This will most likely be the one that has the longest duration telephone call. There are also less esoteric means by which phone numbers can be acquired. Online services for such applications as e-mail, ordering merchandise, bank access, stock trading, and bulletin boards often have their numbers published in the sample material that they mail. In fact, it is often possible to look over the shoulder of someone demonstrating the service and watch him or her dial the number. If the demonstration is automated, the number may appear on the screen. Although the practice of listing the number in the phone directory or having it available from telephone company information operators has been curtailed, this remains a potentially effective method. No matter how it is obtained, the phone number can be quickly spread throughout the hacker community by means of underground bulletin boards. Once the number is disseminated, the phreaker’s game begins. It is now a matter of breaking the security that allows users to log on. Despite the fact that there are physical devices (e.g., tokens, cards, PROMS) that can be used to identify users of remote computer systems, almost all of these systems rely on traditional user identification and password protection mechanisms for access control. IDENTIFICATION The primary means of identifying dial-up users is through the practice of assigning user IDs. Traditionally, the user ID is six or seven alphanumeric characters. Unfortunately, user IDs tend to be sequential (e.g., USER001, USER002), which provides an advantage to hackers. For example, hacker bulletin boards will report that company XYZ’s user ID starts at XYZ001 and runs consecutively. The hacker who posted the note will state that he is attacking ID XYZ001. The first hacker who reads the notice will leave a note saying that she will try to log on as user XYZ002, and the next hacker will take XYZ003. The net result is that multiple hackers will attack simultaneously, 236
AU1253_ch20_Frame Page 237 Saturday, October 26, 2002 4:43 PM
Dial-Up Security Controls each targeting a different user ID. This significantly increases their chances of penetrating the system. Unknowingly, some security software can actually aid in identifying valid user IDs. When a hacker attempts to enter the user ID and password, the system may respond to the entry of an invalid user ID with the message “Invalid ID, Please Reenter.” This allows the hacker to focus his efforts on finding a valid ID, without having to deal with the far more complex effort of obtaining a valid ID and password. The same type of security system will invariably tell the intruder that he has found a valid user ID by issuing the error message “Invalid Password, Please Reenter.” This in effect tells the hacker that he has found a valid ID. He may then proceed to try to find the user ID sequence pattern (to post on the bulletin board) or focus his attention on trying to break the password protection. Log-ons that request a valid user ID before requesting the password can also provide system attackers with a major advantage. The best security system requires entry of both user ID and password at the same time. The system attempts to validate the combination; if it is found invalid, it responds with “User ID/Password Invalid, Please Reenter.” This is the only error message sent, regardless of which item is not valid. PASSWORDS Use of passwords is the most widely employed method of authenticating the identity of a computer system user. Passwords are easy to design and can be implemented quickly without requiring additional hardware. When the proper methodology is used, password security provides a significant deterrent to unauthorized system access without major expenditure. Certain rules should be followed to make password identification and authentication an effective security tool: • Passwords should be of sufficient length to prevent their discovery by manual or automated system attack or pure guesswork. • Passwords should not be so long that they are difficult to remember and must therefore be written down. • Passwords should be derived by algorithm or stored on a one-way encrypted file. • Passwords are most effective when they are arbitrarily assigned. • Passwords should be distributed under tight controls, preferably online. • An audit trail of previously issued passwords should be established. • Individual passwords should be private. • The use of portable token-generated random passwords should be encouraged. The tokens are relatively inexpensive and highly reliable. 237
AU1253_ch20_Frame Page 238 Saturday, October 26, 2002 4:43 PM
SECURITY If sufficient time is not available for an in-depth study of password identification methodology, a basically sound password structure can be created using a six-character password that has been randomly selected and stored on an encrypted file. Such a procedure provides some measure of security, but should be taken to design and implement a more substantial methodology. Multiple passwords can be used for accessing various levels of secured data. This system requires that the user have a different password for each increasingly sensitive level of data. Even using different passwords for update and inquiry activities provides considerably more security than one password for all functions. Computer and network security systems have made some gains over the last decade. Former problems that resulted from accessing a dropped line and reconnecting while bypassing log-on security have been resolved. Even direct connect (i.e., addressing the node and bypassing user ID and password validation) has been corrected. Aside from obtaining telephone numbers, user IDs, and password information from other hackers through bulletin boards or other means, hackers have three basic ways of obtaining information necessary to gain access to the dial-up system: 1. Manual and computer-generated user ID and password guessing 2. Personal contact 3. Wiretaps Given a user ID, the hacker can attempt to guess the password in either of two ways: by trying commonly used passwords or programming the computer to attack the password scheme by using words in the dictionary or randomly generated character sets. The hacker can have the computer automatically dial the company system he wishes to penetrate, and attempt to find a valid user ID and password combination. If the host system disconnects him, the computer redials and continues to try until the right combination is found and access is gained. This attack can continue uninterrupted for as long as the computer system remains available. The drawback to this approach is that the call can be traced if the attempts are discovered. A simpler approach is for the hacker to personally visit the site of the computer to be attacked. Befriending an employee, he or she may be able to gain all the information needed to access the system. Even if the hacker is only allowed on the premises, he or she will often find a user ID and password taped to the side of a terminal, tacked on the user’s bulletin board, or otherwise conspicuously displayed. Basic care must be taken to protect user IDs and passwords. For example, they should never be shared or discussed with anyone. 238
AU1253_ch20_Frame Page 239 Saturday, October 26, 2002 4:43 PM
Dial-Up Security Controls Potentially the most damaging means of determining valid user IDs and passwords is the use of the wiretapping devices on phone lines to record information. Plaintext information can be recorded for later use. Wiretapping indicates serious intent by the hacker to commit a serious act. It exposes the hacker to such risk that it is often associated with theft, embezzlement, or espionage. Even encryption may not thwart the wiretapping hacker. The hacker can overcome the inability to interpret the encrypted data by using a technique called replay. This tactic involves capturing the cipher text and retransmitting it later. Eventually, the hacker captures the log-on sequence cipher and replays it. The data stream is recognized as valid, and the hacker is therefore given access to the system. The only way to combat a replay attack is for the ciphered data to be timed or sequence stamped. This ensures that the log-in can be used only once and will not be subject to replay. The best defense against wiretapping is physical security. Telephone closets and rooms should be secured by card key access. Closed-circuit cameras should monitor and record access. If the hacker cannot gain access to communications lines, he cannot wiretap and record information. Microcomputer Password Problems The use of microcomputer and communications software packages has presented another problem to those who rely on passwords for security. These packages enable the user to store and transmit such critical information as telephone numbers, user identification, and passwords. Many remote access programs, such as Microsoft Windows 95 Dial-Up Network program or Symantec’s pcAnywhere, give the user the option of saving the user ID, password, and dial-in phone number for future use. This practice should be strongly discouraged, especially on laptop computers. Laptop computers are prime targets for theft, both for the physical item and for the information contained on them. If a thief were to steal a laptop with the dial-up session information (phone number, user ID, and password) saved, they would have immediate full access to whatever system the owner had access. The discussion of laptop security is worthy of an entire section in and of itself; however, for the purposes of this discussion, suffice it to say that users should be thoroughly educated in the proper way of using and securing dial-up applications. An effective but more cumbersome way to enhance security is to obscure the visible display of destination and identification information. The user can either reduce the display intensity until it is no longer visible, or turn off the monitor until the sign-on is completed and all security 239
AU1253_ch20_Frame Page 240 Saturday, October 26, 2002 4:43 PM
SECURITY information is removed from the screen. Some software packages alert the user when the sign-on process is completed by causing the computer to issue an audible beep. Even software packages that do not issue an audible signal can be enhanced by this blackout technique. An estimation of the amount of time required to complete the sign-on process can give an idea of when to make the information visible again. A BRIEF AUTHENTICATION REQUIREMENTS REVIEW Throughout human history and lore, a person has been authenticated by demonstrating one of the following: • Something you know • Something you have • Something you are Whether it was Ali Baba saying, “Open Sesame” (something you know), Indiana Jones with the crystal on the staff (something you have), or “Rider coming in … It’s Dusty!! Open the gates! Open the gates!!” (physical recognition — something you are), one person has permitted or denied access to another based on meeting one of these “factors of identification.” Satisfying only one factor, such as knowing a password (something you know), can easily be defeated. In secure environments, it is better to meet at least two of the three factors of identification. This can best be seen in the application of a bank ATM card. To use the card — to access an account — one must have an ATM card (something you have) and know the PIN assigned to that card (something you know). Only when one can meet both factors of identification can one access the money in the account. The third factor of identification is represented today through the use of biometrics, such as retinal scans, fingerprints, and voiceprints. Secure dial-in in today’s market is the ability to meet at least two of these three factors of identification. Physical Devices Whereas passwords are a relatively inexpensive means of providing identification and authentication security in the dial-up environment, physical devices involve capital expenditure. The cost depends on the intricacy of the device. Determining which device is best suited to a particular environment requires careful analysis of the consequences of unauthorized dial-up penetration. The market is constantly changing in response to the available technology and market forces. Currently, one technology is dominant in protecting dialin resources: dynamic password generators. In its most basic form, there are two components to a dynamic password generator authentication system: (1) the host system, which could be a server executing vendor-supplied 240
AU1253_ch20_Frame Page 241 Saturday, October 26, 2002 4:43 PM
Dial-Up Security Controls remote access code, or (2) a vendor-supplied hardware/software front-end and a handheld device, often resembling a calculator or credit card. There are two variations in this field, time–synchronous and challenge–response. Time–Synchronous One vendor prevails in this market, Security Dynamics Technologies, Inc. (http://www.securid.com/). Their product line incorporates proprietary software that generates a new six-digit password every 60 seconds, based, in part, on Greenwich Mean Time (GMT). A user is issued a small credit card-sized “token” that has been registered in a central database on the remote access device. When a user dials in, he or she reaches the remote access device, which authenticates the user based on the user ID and the password displayed at that moment on the token. After authentication, the user is granted access to the target device or network. Security Dynamics has several types and implementations of their tokens (credit card-sized, key fobs, PCMCIA cards, and software based) and many different implementations of their authentication “kernel” or code. Additionally, many third-party products have licensed Security Dynamics code in their remote access authentication products. Challenge–Response Several vendors have implemented another dial-in authentication method that also utilizes handheld tokens and PC software. Whereas the time–synchronous tokens rely on a password generated based on the current GMT, challenge–response tokens utilize a shared algorithm and a unique “seed” value or key. When a dial-in user accesses a remote access device using a challenge–response token, he or she is authenticated based on the expected “response” to a given “challenge” generated by the user’s token. Challenge–response technology also comes in different types and implementations of tokens, software, and hardware. Major vendors of challenge–response technology include AssureNet Pathways, Inc. (http://www.assurenetpathways.com/) and LeeMah Datacom Security Corporation (http://www.leemah.com/). Dial-Up/Callback Systems To protect against the kind of system penetration possible when only precoded identifiers are used, manufacturers have developed dial-up/callback systems. With this technique, two telephone calls must be completed before access is granted. After dialing the host computer, the user must enter a valid password. On receipt of the password, the host computer terminates the connection and automatically places a call to the telephone number associated with the password. If an authorized terminal is being used, the connection is established and the user can proceed. Some 241
AU1253_ch20_Frame Page 242 Saturday, October 26, 2002 4:43 PM
SECURITY dial-up/callback systems place the return call through least-cost routing on local lines, WATS lines, and other common carrier facilities, thereby reducing the cost of the callback procedure. One problem associated with dial-up/callback systems is that the authorized caller is restricted to a single predetermined location. This restriction prohibits the use of portable terminals for travel assignments. It also requires multiple IDs for use at different sites. Other Technologies This field is changing. An organization may wish to investigate newer or less popular technologies, depending on their organizational requirements. Included are devices that attach to a serial or parallel port of a PC or laptop, PCMCIA cards, and biometrics. If dynamic password generators are the authentication of choice today, biometrics will be the authentication of choice tomorrow. Recent developments have increased reliability considerably and lowered costs. Expect to see more product offerings in biometric authentication in the next few years. The decision to purchase any of these devices depends on such factors as cost of installation and cost of labor to monitor the hardware. Encryption. If an unauthorized dial-up user penetrates the identification and authentication defenses of a computer system, encryption can forestall if not prevent data modification and theft. Encryption is technically a privacy measure, as opposed to a pure security precaution. It is intended to make the information unintelligible to anyone who does not have the proper decryption capability (key, algorithm, or decryption device). This prevents unauthorized personnel who do access a system from being able to read the data that they may want to alter, destroy, or circulate.
For data communications, messages are encrypted at the point of transmission and can only be decrypted at a terminal supplied with the key used in the encryption process. Various encryption algorithms are available, and the complexity of the algorithm should depend on the value of the data being protected. The National Institute of Standards and Technology’s Data Encryption Standard (DES), which is the only encryption method to be used by civilian agencies of the federal government, is widely used and highly resistant to automated attack. Encryption should be considered for microcomputer transmissions, especially when it is likely that cellular communications will be used. This eliminates sending cleartext over open airwaves. Although the encryption and decryption process is primarily used in data transmission, it can also protect critical files and programs from external threats. Encryption data and program source code make it very 242
AU1253_ch20_Frame Page 243 Saturday, October 26, 2002 4:43 PM
Dial-Up Security Controls difficult for an unauthorized user to determine what information or code is contained in a file. Encrypting files also protects file relationships that can be determined by reading the source code of programs that use such files. For the intruder unfamiliar with an organization’s data components and flow, such an obstacle can discourage any further unauthorized activity. Even for authorized users, encrypted files bear no relationship to the information the users are accustomed to seeing. In addition, if used only for key files and programs, encryption does not involve significant use of storage. THE FINAL DEFENSE Hackers are becoming more and more proficient in accessing computer systems, despite the best efforts to stop them. There is a good chance that any system’s security may be breached. If this happens, it is imperative that effective security measures be in place to identify the hacker and either trace the call or disconnect. After the unauthorized access is halted, the security administrator needs to determine how access was gained and the nature and extent of the damage. This is necessary for repairing damage and strengthening defenses from further attack. One of the ways to identify an unauthorized user is to monitor users’ attempts to access transactions, files, and data that are not in their security profile. If there are repeated violations (e.g., five consecutive denied accesses), some security action should be taken. This could be in the form of disconnecting the line, invalidating the user ID, or at a minimum logging the violations for further discussion with the user. A major credit reference firm uses postintrusion monitoring software equipped with artificial intelligence to establish a normal pattern of activity for how a user accesses information. For example, user XYZ001 may usually access customer information through searching by social security number. User XYZ002 may access information using a person’s name and address. When a user logs on, that person’s activity pattern is monitored and compared to the user’s normal activity profile. Should major discrepancies arise, the company attempts to contact the customer to ensure the validity of his or her requests. Such activity monitoring has thwarted many unauthorized users. Ultimately, it is every user’s responsibility to help protect systems from unauthorized access. The best way to help is to be wary. End users should check the last log-on time and date displayed during a successful log-on. If the user has any doubts that this was a valid log-on, he or she should contact the appropriate authority. This not only protects the system, it also relieves the authorized user of the liability created when an intruder uses another person’s ID. 243
AU1253_ch20_Frame Page 244 Saturday, October 26, 2002 4:43 PM
SECURITY SUMMARY The security method chosen to protect central data sources has great impact on the organization’s resources and procedures. Initial costs, implementation time, client reaction, and related factors can be addressed only by performing a thorough risk analysis that examines current as well as future needs. The measures described in this chapter should be interpreted not as an isolated set of precautions, but as components of an overall security umbrella designed to protect the organization from all internal and external threats. The data security administrator must ensure that the first step provides a basis for establishing an organizational awareness that will lead to a more secure environment for dealing with all dial-up users. Specifically, the administrator should ensure that: • A complete list of valid dial-up users and their current status is maintained, eliminating all employees who are no longer with the company or whose position no longer requires access. • Protection is provided for all password schemas and files. • A minimum of two factors of identification are provided. • A test machine (not connected to any network) is used to validate newly downloaded software. • All users are regularly reminded of security policies, and current versions of such policies are distributed to employees. These steps, combined with a thorough set of policies and an educated user community, can significantly enhance the security of a dial-up environment.
244
AU1253_ch21_Frame Page 245 Saturday, October 26, 2002 4:44 PM
Chapter 21
Top 10 Dial-In Security Mistakes Heather Smartt
A constant barrage of information about hackers bombards companies. There are hundreds if not thousands of books about computer security, network security, and operating system security. There are a number of security products on the market — some keep people out, some keep people in, some track people down. All of the Big Five accounting firms and many small, boutique firms are offering security consulting services. It is fair to say that computer security is a hot topic in society. As an information security consultant for one of the Big Five accounting firms, the author has participated in many penetration projects. Although every client is different, certain findings are uncovered in nearly all dial-in reviews. If an organization would take some time to fix the most common mistakes, it would go a long way toward preventing hackers. Here are the most common security risks that are found during a dial-in review. TOP TEN 1. 2. 3. 4. 5. 6. 7. 8. 9. 10.
Data lines in same prefix as voice lines Enticement information — “Welcome to…” Direct dial-in systems (i.e., no authentication at all) Lack of controls on default accounts Accounts with easily guessed passwords Help files pcAnywhere Lack of monitoring Trust Unlimited access attempts
TOP TEN EXPLAINED 1. Data Lines In Same Prefix as Voice Lines In a dial-in attack, the first thing the hacker has to do is find the modem lines. How does a hacker decide which numbers to dial? First, the hacker 0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
245
AU1253_ch21_Frame Page 246 Saturday, October 26, 2002 4:44 PM
SECURITY looks up the company’s main number in the Yellow Pages (on the Internet, of course), along with information on the company’s other main locations. Next, a hacker may call the various branches to get the voice numbers. The final step is to set up a war dialer, such as Toneloc and to dial these numbers. If the company’s data lines are in the same prefix as the voice lines, the hacker has hit paydirt. After all the numbers in the range are dialed, the hacker has a list of every number that responded with a carrier tone (i.e., modem lines) and a whole list of targets to attack. Recommendation. Modem lines should not share the same prefix as voice or fax lines. In addition, these numbers should be unpublished and distributed only as necessary.
2. Enticement Information — “Welcome to…” What could be more reassuring to a hacker (or industrial spy) than a banner that says, “Welcome to the Company under Attack!” This banner not only assures the hacker that the system just dialed actually belongs to the targeted company, but also it says, “Welcome.” Legally, this could be interpreted as an invitation to enter and use the system, and the company under attack could be held liable for any further damages a hacker causes to interconnected networks. Recommendation. System banners should never include enticement information, such as company name, operating system type, and version. Instead, banners should prominently display a warning such as “Unauthorized use strictly prohibited and will be prosecuted to the fullest extent of the law.”
3. Direct Dial-In Systems (i.e., No Authentication at All) One of the most serious security mistakes encountered is that of systems that allow one to access the system directly, with no authentication whatsoever. The author has accessed numerous pcAnywhere connections, DEC terminal servers, Cisco routers, PBX systems, environmental control systems, and a Tandem mainframe in this manner. This access has allowed her to run applications, steal password files, map out the network, perform denial-of-service attacks, launch additional attacks, and actually physically damage heat-sensitive systems. Although she did not actually turn up the heat, she could have which would have caused great physical damage to these systems as several of these environmental control systems controlled the heating and cooling of the mainframes. By accessing many of these direct dial-in systems, the outside hacker becomes an insider. Recommendation. Ensure that systems are password protected and that controls are in place to terminate the connection when a user hangs up the modem line. For additional insurance, regularly scan the network with a 246
AU1253_ch21_Frame Page 247 Saturday, October 26, 2002 4:44 PM
Top 10 Dial-In Security Mistakes war dialer and perform a mock penetration on each modem line dialed to test password controls. 4. Lack Of Controls on Default Accounts With all the publicity surrounding hacking and hackers, an alarming number of default accounts still have no passwords or only default passwords. There are sites all over the Internet that contain lists of well-known accounts and the corresponding default password. When conducting a penetration study, the author dials each number once to look for direct dial-in systems and to obtain system identification information. This allows her to identify and hack into the most vulnerable systems first and to classify the modem lines by their underlying operating systems. Next she attempts to break into well-known operating systems (i.e., UNIX, NT, VAX/VMS, Cisco routers) with a list of default user IDs and passwords. She has been able to break into at least one system in this manner at least 90 percent of the time. With the exception of the direct dial-in systems, this is the fastest way into a company’s network. Recommendation. Remove, rename, or lock all unused default accounts. If the account must be used, change the password. Periodically review the systems to ensure that these defaults are still secure, especially after operating system upgrades and application installations.
5. Accounts with Easily Guessed Passwords After trying the list of all known default accounts, the author starts doing some educated guessing. If lucky enough to obtain a password file, she runs it through a password cracker. Normally, once she has the password file, she has access to systems across the entire network. Even without the password file, there is still a pretty strong chance of getting in. A hacker can use the enticement information that he has gathered along the way. He tries the account name as the password and the account name with no password. If he has a list of system names, he tries each of these as an ID and password. A list of potential passwords is compiled based on the company and location. For example, the hacker tries the company’s name, the company’s nickname, the month, major sports teams, and so forth. He also tries common accounts and passwords such as training/training and demo/demo. Invariably, he guesses correctly and obtains access to the internal network. With the need for so many passwords today, users generally have passwords that are easy for them to compose and remember. This makes the hacker’s job an easy one. Recommendation. Users need to be educated on what is and is not a good password and why it is important to be creative. In addition, system administrators should routinely run password crackers. They should notify and counsel any user whose password was cracked. 247
AU1253_ch21_Frame Page 248 Saturday, October 26, 2002 4:44 PM
SECURITY 6. Help Files Online help is a wonderful thing — especially on unfamiliar systems. For a hacker, it is even better when the system helps one gain access before authenticating. VAX/VMS systems generally provide a help feature for users when they reach the LOCAL> prompt. Generally, a user does not have to authenticate to reach this level. That means the user may have full access to the help function and can discover all sorts of interesting commands to try. Because of this user-friendly help feature, the LOCAL> prompt often provides an excellent jump-off point for further penetration. Targets can be obtained from the Show node and Show hosts commands, and connections can be attempted through the connect command. Recommendation. Restrict help files to authenticated users only. If users are fairly proficient in the use of the system, completely disable the help feature. In this case, ignorance may be bliss.
7. pcAnywhere pcAnywhere is a nice application that can be fairly secure. In the author’s experience though, it is often unprotected. She has nicknamed it pcEverywhere and estimates that three out of five pcAnywhere prompts are unprotected (i.e., no user ID and no password). Often, users do not even ask permission to use remote access software — they just buy it and load it. They reason that no one would ever find their modem number. If it is an unlisted number, why should they use a password? Fortunately for the hackers, Toneloc (a freely available war dialer) finds the number quite easily in the range of telephone numbers it dials. When accessing an unprotected pcAnywhere host, the hacker becomes an internal user. Screen savers with passwords that might stop or slow down the hacker rarely are used. So when dialed in, he or she has full access to the user’s desktop. Even worse are the users who do not log out of the network before going home and leave the applications they have been working on totally accessible. The hacker has been able to send and read e-mail, copy confidential data, obtain passwords, download corporate phone directories, and launch further network attacks from these users’ desktops. Recommendation. Implement strict policy on and enforcement of remote access software use, such as pcAnywhere. Ensure that users are aware of the potential security risks and ensure that IDs and strong passwords protect all accounts.
8. Lack of Monitoring Monitoring is an important part of information security, yet it often is overlooked. Many administrators say they are just too busy to review stacks of logs that probably contain nothing extraordinary. However, regular review 248
AU1253_ch21_Frame Page 249 Saturday, October 26, 2002 4:44 PM
Top 10 Dial-In Security Mistakes of the logs could alert a system administrator that an attack is in progress or that a penetration has occurred. During a dial-in audit, the auditor is generally quite noticeable because he or she normally does not try to hide tracks. The auditor will make repeated attempts to guess passwords and trigger several auditable events. The purpose is to test the administrator to find out if he or she is being watched. The auditor rarely gets caught! Imagine what could happen if a hacker did take care to hide their tracks — they could have unauthorized access for years before being caught accidentally. Recommendation. Review logs regularly — at least once a week and preferably every day. Commercially available security auditing tools help make the logs more manageable. A security auditing tool will log high-risk events such as failed log-in attempts and generate reports listing all questionable activities. Finally, be certain to log all superuser log-ins and log-outs.
9. Trust Several operating systems, most notably UNIX, have an inherent remote trust feature. This feature allows an authenticated user to log on remotely, without further authentication, to any system that trusts their current system. The ramifications of this feature are staggering. Once a consultant broke into a UNIX system through the use of a default user ID and password. Due to the trust relationships between the UNIX systems on the network, he was able to access remotely 936 UNIX hosts! To make matters worse, his initial account was a superuser-equivalent account, so he had, in effect, root access to 936 hosts. Recommendation. Trust relationships generally are configured for convenience. It is best to remove all trust relationships and force users to authenticate themselves each time they log into a host. There are justifiable business needs for trust. If this is the case, security controls should be tightened wherever possible. In UNIX, for example, .rhost files should be readable only to the user, and the hosts.equiv file should be readable only by root.
10. Unlimited Access Attempts Allowing unlimited access attempts on a system is begging for an automated password guesser to be set up. There are many programs that will dial a number and then guess passwords until the remote system hangs up the connection. The program then will redial the number and continue guessing. By not limiting the number of access attempts per account, the chances of guessing the correct password are increased greatly. Recommendation. Limit the number of chances users have to correctly input their passwords. After this number has been exceeded, lock the account until the system administrator can intervene. 249
AU1253_ch21_Frame Page 250 Saturday, October 26, 2002 4:44 PM
SECURITY SUMMARY A security program is like a dam. Once there is a leak, the hole just gets bigger and bigger. Each security administrator must do his or her best to ensure that there are no leaks. It is a daunting job. These recommendations may not stop a dedicated hacker from breaking into a network, but they will deter the casual hacker.
250
AU1253_ch22_Frame Page 251 Saturday, October 26, 2002 4:45 PM
Chapter 22
Virtual Private Network Security John R. Vacca
With the explosive growth of the Internet, enterprises are beginning to ask, “How can we best exploit the Internet for our enterprise?” Initially, enterprises were using the Internet to promote their image, products, and services by providing World Wide Web access to enterprise Web sites. Today, however, to improve overall efficiency and gain a competitive advantage, enterprises are moving toward Internet-enabled enterprise processes. As a result, enterprises are considering virtual private network (VPN) solutions that take advantage of the Internet’s extensive, cost-effective access, while ensuring data security. In this chapter, one will learn how to help enterprises transition to this Internet-enabled enterprise model, and how to obtain standards-based secure access to enterprise computing resources. One will also learn how to securely and cost-effectively extend the reach of applications and data across the world through the implementation of VPN solutions. Finally, this chapter will cover public key encryption and public keybased certificates (since these will play a role in the new EAP and IPSec security features now in development by Microsoft, IBM, Cisco, and other software suppliers). Security for VPNs must go beyond simply controlling secure access to network resources. It must also provide mechanisms for managing the implementation and enforcement of the policies that define partitioning between VPNs. Most VPN-aware networks extend traditional VPN concepts of intranet and extranet service to enable valuable services based on sophisticated policies of separation and designated intercommunication; security policy management becomes a valuable component to the success of VPN deployment. New standards are being set by tools that enable easy specification, implementation, management, and enforcement of security policies. While initially focused on intra-VPN separation and intercommunication, network management functionality will be enhanced to support other value-added services such as encryption, data sharing, and broadcast distribution between customers and secure remote access. 0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
251
AU1253_ch22_Frame Page 252 Saturday, October 26, 2002 4:45 PM
SECURITY Generally, provider operators need to control access and visibility into network elements, control points, management systems, and data so that their networks cannot be sabotaged and sensitive information compromised. VPN services that support network management add a new twist to security management functional requirements in that visibility and control of a VPN subset of the provider network can now extend beyond the provider to the subscriber. Traditionally, only service provider operators required authorization to their own network management systems and data. However, regular network management subscribers need access to information that provides insight into how they use VPN services. Customers want to know the performance of the transport over the provider backbone and receive indicators when, or before, there are problems with the service. As network management applications mature, customers will control how they use the service (e.g., how service responds to data classification), and they will be able to change or procure new services. To ensure correct partitioning of management data such that visibility, delivery, control, and access of the appropriate information are given only to authorized customers or owners of the data, and because the Internet facilitates the creation of VPNs from anywhere, networks need strong security features to prevent unwelcome access to private networks and to protect private data as it traverses the public network. User authentication and data encryption are strong security features, but there are stronger authentication and encryption capabilities that will be available with Extensible Authentication Protocol (EAP) and Internet protocol security (IPSec). WHY VPN SECURITY? A VPN is an extension of an enterprise’s private intranet across a public network such as the Internet, creating a secure private connection, essentially through a private tunnel. VPNs securely convey information across the Internet, connecting remote users, branch offices, and enterprise partners/suppliers into an extended enterprise network, as shown in Exhibit 1. Internet service providers (ISPs) offer cost-effective access to the Internet (via direct lines or local telephone numbers), enabling enterprises to eliminate their current, expensive leased lines, long-distance calls, and toll-free telephone numbers. A 1997 VPN Research Report by Infonetics Research, Inc. (based in San Jose, California), estimates savings from 20 to 47 percent of wide area network (WAN) costs by replacing leased lines to remote sites with VPNs. And, for remote access VPNs, savings can be 60 to 80 percent of enterprise remote access dial-up costs. Additionally, Internet access is available worldwide, where other connectivity alternatives may not be available. The technology to implement these VPNs, however, is 252
AU1253_ch22_Frame Page 253 Saturday, October 26, 2002 4:45 PM
Virtual Private Network Security
Exhibit 1.
Virtual Private Network
just becoming standardized. Some networking vendors today are offering non-standards-based VPN security solutions that make it difficult for an enterprise to incorporate all its employees or enterprise partners and suppliers into an extended enterprise network. However, VPN security solutions based on Internet Engineering Task Force (IETF) standards will provide support for the full range of VPN security scenarios, with more interoperability and expansion capabilities. The key to maximizing the value of VPN security is the ability of enterprises to evolve their VPNs as their enterprise needs change and to easily upgrade to future TCP/IP technology. Vendors that support a broad range of hardware and software VPN security products provide the flexibility to meet these requirements. VPN security solutions today run mainly in the IPv4 environment, but it is important that they have the capability of being upgraded to IPv6 to remain interoperable with an enterprise partner’s or supplier’s VPN security solutions. Perhaps equally critical is the ability to work with a vendor that understands the issues of deploying VPN security. The implementation of a successful VPN security solution involves more than technology. The vendor’s networking experience plays heavily into this equation. Now consider the role that software suppliers like IBM and Microsoft are playing with regard to the VPN security solution. Public key encryption and public key-based certificates will also be considered because they play a role in the new EAP and IPSec security features now in development by Microsoft, IBM, Cisco, and other software suppliers. 253
AU1253_ch22_Frame Page 254 Saturday, October 26, 2002 4:45 PM
SECURITY UNDERSTANDING IBM VPN SECURITY IBM uses IPSec (an open, IETF-standard security technology) as an integral element in its eNetwork VPN security solutions. IPSec provides cryptographybased protection of all data at the IP layer of the communications stack. It provides secure communications transparently, with no changes required to existing applications. IPSec is the IETF-chosen, industry-standard network security framework for use in both the IPv4 and IPv6 environments. It is also currently the technology of choice for more than a dozen networking vendors, such as Sun, Attachmate, and Bay Networks. IPSec protects data traffic in three ways, using robust cryptographic techniques: 1. Authentication: the process by which the identity of a host or endpoint is verified 2. Encryption: the process of hiding information while in transit across the network in order to ensure privacy 3. Integrity checking: the process of ensuring that no modifications were made to the data while in transit across the network In addition, as described next, IPSec can address the security requirements of all key VPN enterprise security scenarios and provide a growth path covering VPN expansion and security requirement changes. In 1997, the IETF Security Working Group completed the initial work on IPSec extensions that provide automated Internet Security Association and Key Management Protocol (ISAKMP) capabilities combined with a key distribution protocol (Oakley). This solution includes both a mechanism for negotiating security associations to achieve the degree of protection needed (enabling automated tunnel setup) and a mechanism for automated secure distribution and refresh of strong cryptographic keys. According to IBM, by supporting IPSec with ISAKMP/Oakley, IBM eNetwork VPN security offerings will minimize manual configuration and thus provide a more robust, user-friendly, maintenance-free solution. At the April 1998 IETF meeting, the IPSec Working Group agreed to advance all of the base IPSec documents to proposed standards. Having completed work on the base IPSec functions (authentication, encryption, integrity, key management, and security association management), the IPSec Working Group will now turn its attention to developing new protocols to complement the base set. For example, it will consider ease-of-use issues such as VPN policy databases, extended authentication methods for use with ISAKMP/ Oakley, and interoperability across several certificate authorities. IPSec can also be used in conjunction with security protocols that may already exist in other layers of the communications stack. According to IBM, they also support the Secure Electronic Transaction (SET) protocol, Secure Sockets Layer (SSL), and a variety of other security technologies that can be incorporated into an IPSec-based VPN security solution. 254
AU1253_ch22_Frame Page 255 Saturday, October 26, 2002 4:45 PM
Virtual Private Network Security Object-layer security such as SET can be used to secure electronic payment transactions over the Internet, and SSL technology can be used to secure specific applications. However, independent of whether any application-level security such as SSL has been implemented, IPSec can provide an authenticated and encrypted tunnel that protects all IP traffic. IPSec can also provide robust security in conjunction with other tunneling protocols, such as the Layer 2 Tunneling Protocol (L2TP) used in remote access dial-up configurations. L2TP, which is also an IETF standard, has the capability of establishing dial-up connections from clients using the Pointto-Point Protocol (PPP). In addition, L2TP can be used to carry multiprotocol traffic, such as NetBIOS. However, L2TP lacks strong security properties. When IPSec is used in conjunction with L2TP, cryptographically strong access control is provided. IPSec will provide authentication, integrity checking, and encryption for each packet transmitted. It also provides automated key management functions and can protect data all the way to the target server. According to IBM, its VPN customer security scenarios (IBM eNetwork VPN offerings) are designed to allow enterprises to easily construct solutions that meet its enterprise needs. Consider three enterprise scenarios well suited to the implementation of a VPN security solution: 1. Enterprise partner/supplier network 2. Branch office connection network 3. Remote access network ENTERPRISE PARTNER/SUPPLIER NETWORK Industry-leading enterprises will be those that can communicate inexpensively and securely with their enterprise partners, subsidiaries, and vendors. Many enterprises have chosen to implement frame relay or purchase leased lines to achieve this interaction. But this is often expensive, and geographic reach may be limited. VPN security technology offers an alternative for enterprises to build a private and cost-effective extended enterprise network with worldwide coverage, exploiting the Internet or other public network. Suppose one is a major parts supplier to a manufacturer. Because it is critical to have the specific parts and quantities at the exact time required by the manufacturing firm, one always needs to be aware of the manufacturer’s inventory status and production schedules. If one handles this interaction manually, and finds it to be time consuming, expensive, and maybe even inaccurate, perhaps there is an easier, faster, and more effective way of communicating. However, given the confidentiality and timesensitive nature of this information, the manufacturer does not want to publish this data on its enterprise Web page or distribute this information monthly via an external report. 255
AU1253_ch22_Frame Page 256 Saturday, October 26, 2002 4:45 PM
SECURITY
Exhibit 2.
Enterprise Partner/Supplier Network
To solve these problems, the parts supplier and manufacturer can implement an eNetwork secured VPN, as shown in Exhibit 2. A secured VPN can be built directly between a client workstation (in the parts supplier’s intranet) and the server residing in the manufacturer’s intranet. The clients can authenticate themselves either to the firewall protecting the manufacturer’s intranet, directly to the manufacturer’s server (validating that they are who they say they are), or to both, depending on the supplier’s security policy. Then a tunnel could be established, encrypting all data packets from the client, through the Internet, to the required server. With the establishment of this secured VPN, the parts supplier can have global, online access to the manufacturer’s inventory plans and production schedule at all times during the day or night, minimizing manual errors and eliminating the need for additional resources for this communication. In addition, the manufacturer can be assured that the data is securely and readily available to only the intended parts supplier(s). According to IBM, one way to implement this scenario is for the enterprises to purchase Internet access from an ISP (such as IBM Global Services, etc.). Then, given the lack of security of the Internet, either an IPSec-enabled firewall or a server with firewall functionality can be deployed as required to protect the intranets from intruders. If end-to-end protection is desired, then both the client and server machines need to be IPSec enabled as well. Through the implementation of this VPN security technology, the manufacturer would easily be able to extend the reach of its existing enterprise intranet to include one or more parts suppliers — essentially building an extended enterprise network — while enjoying the cost-effective benefits of using the Internet as its backbone. And, with the flexibility of open IPSec technology, the ability for this manufacturer to incorporate more external suppliers is limitless. 256
AU1253_ch22_Frame Page 257 Saturday, October 26, 2002 4:45 PM
Virtual Private Network Security Yet, inherent in network expansion are concerns of manageability. Tools should be implemented to ensure that one’s network remains easy to maintain. Management functions to be included in eNetwork VPN security solutions are policy management, automated ISAKMP/Oakley key management capabilities (previously mentioned), certificate management, secure domain name server (DNS), and lightweight directory access protocol (LDAP) support. When implementing a VPN, a set of security configuration criteria must be established. Decisions such as which security algorithms are to be used by each IPSec-enabled box and when the keys are to be refreshed are all aspects of policy management. And, with respect to key technology, almost all of today’s currently popular security protocols begin by using public key cryptography. Each user is assigned a unique public key. Certificates, in the form of digital signatures, validate the authenticity of one’s identity and one’s encryption key. These certificates can be stored in a public key database, such as a secure DNS, that can be accessible via a simple protocol, such as LDAP. An automated IP address management system is especially important for secured VPNs in order to assign and manage one’s network’s IP addresses. Also, along the lines of managing IP addresses is the network address translation (NAT) (available today in IBM AIX firewall). It allows one to use a globally unique (public) address on the Internet, while enabling the use of private IP addresses within one’s own intranet. BRANCH OFFICE CONNECTION NETWORK The branch office scenario, unlike the enterprise partner/supplier network scenario, securely connects two trusted intranets within an enterprise. This is a key difference, because the security focus is on both protecting the enterprise’s intranet against external intruders and securing the enterprise’s data while it flows over the public Internet. This differs from the enterprise partner/supplier network, where the focus is on enabling the enterprise partners/suppliers access to data in the enterprise intranet. For example, suppose an enterprise headquarters wants to minimize the costs incurred from communicating to and among its own branches. Today, the enterprise might use frame relay or leased lines, but it wants to explore other options for transmitting its internal confidential data that will be less expensive, more secure, and globally accessible. By exploiting the Internet, branch office connection secured VPNs can easily be established to meet the enterprise’s needs. As shown in Exhibit 3, one way to implement this VPN security connection between the enterprise headquarters and one of its branch offices is for the enterprise to purchase Internet access from an ISP (such as IBM Global Services). According to IBM, eNetwork firewalls, or routers with 257
AU1253_ch22_Frame Page 258 Saturday, October 26, 2002 4:45 PM
SECURITY
Exhibit 3.
Branch Office Connection Network
integrated firewall functionality, would be placed at the boundary of each of the intranets to protect the enterprise traffic from Internet hackers. With this scenario, the clients and servers need not support IPSec technology because the IPSec-enabled firewalls (or routers) would be providing the necessary data packet authentication and encryption. With this approach, the inventory and pricing information would be hidden from untrusted Internet users, with the firewall denying access to potential attackers. And, as previously described in the secured VPN enterprise partner/supplier network scenario, eNetwork secured VPN management functions can also be used to manage the VPN branch office connection network. With the establishment of branch office connection secured VPNs, the enterprise headquarters will be able to communicate securely and cost effectively with its branches, whether located locally or miles away. Through VPN security technology, each branch can also extend the reach of its existing intranet to incorporate the other branch intranets, building an extended, enterprise-wide network. And, as in the enterprise partner/supplier network scenario, this enterprise can easily expand this newly created environment to include its enterprise partners, suppliers, and remote users — through the use of open IPSec technology. REMOTE ACCESS NETWORK A remote user, whether at home or on the road, wants to be able to communicate securely and cost effectively back to his or her enterprise intranet. Although many still use expensive long-distance and toll-free telephone numbers, this cost can be greatly minimized by exploiting the Internet. For example, the user is at home or on the road but needs a confidential file on a server within the intranet. By obtaining Internet access in the form of a dial-in connection to an ISP, the user can communicate with the server in the intranet and access the required file. 258
AU1253_ch22_Frame Page 259 Saturday, October 26, 2002 4:45 PM
Virtual Private Network Security
Exhibit 4.
Remote Access
One way to implement this scenario is to use an eNetwork VPN IPSecenabled remote client and firewall, as shown in Exhibit 4. The client accesses the Internet via dial-up to an ISP, and then establishes an authenticated and encrypted tunnel between itself and the firewall at the intranet boundary. By applying IPSec authentication between the remote client and the firewall, one can protect the intranet from unwanted and possibly malicious IP packets. And by encrypting traffic that flows between the remote host and the firewall, one can prevent outsiders from eavesdropping on the information. Once again, the previously described eNetwork VPN security management capabilities can also be utilized. UNDERSTANDING MICROSOFT VPN SECURITY Microsoft VPN uses proven Windows NT RAS security. Enterprises can ensure secure communication between remote users and the private network using Windows NT RAS encryption and authentication protocols. Windows NT RAS supports password authentication protection (PAP), the more sophisticated Challenge Handshake Authentication Protocol (CHAP), and a special Microsoft adaptation called MS-CHAP, as well as RSA RC4 and DES encryption technologies. Authentication and Encryption Client accounts are validated against the Windows NT 4.0 and Windows 2000 (formerly Windows NT 5.0) user database, and only those with valid permissions are allowed to connect. The keys used to encrypt data are derived from user credentials and are not transferred on the wire. When authentication is completed, the user’s identity is verified, and the authentication key is used for encryption. Windows 2000 uses 40-bit RC4 encryption. For the United 259
AU1253_ch22_Frame Page 260 Saturday, October 26, 2002 4:45 PM
SECURITY States and Canada, Microsoft will provide an optional add-on pack for 128-bit encryption, which provides security so tight that exporting it elsewhere is prohibited today by U.S. law. Understanding PPTP Security Point-to-Point Tunneling Protocol (PPTP) extends the strict authentication and encryption security available to computers running RAS under Windows 2000 Server and Windows 2000 Workstation to PPTP clients on the Internet. PPTP can also protect the PPTP server and the VPN by ignoring all but PPTP traffic. Despite the strict security, it is very simple to use PPTP with existing firewalls. This section will help understand and plan the following: • • • •
Authentication and access control Data encryption PPTP packet filtering Using third-party firewalls
Authentication Initial dial-in authentication may be required by an ISP network access server. If this authentication is required, it is strictly to log on to the ISP network access server. It is not related to Windows 2000-based authentication. Check with the ISP for its authentication requirements. One applies these requirements in the Dial-Up Networking entry for that ISP. On the other hand, if the Windows 2000 Server is configured as a PPTP server, it controls all access to the VPN. That is, the PPTP server is a gateway to the VPN. The PPTP server requires a standard Windows 2000-based log-on. All PPTP clients must supply a user name and password. Therefore, remote access log-on using a computer running under Windows 2000 Server or Windows 2000 Workstation is as secure as logging on from a Windows 2000-based computer connected to the local LAN. Authentication of remote PPTP clients is accomplished using the same PPP authentication methods used for any RAS client dialing directly to a Remote Access Service (RAS) server. Microsoft’s implementation of the RAS supports CHAP, Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), and PAP authentication schemes. As with all user accounts, the accounts of remote users reside in the Windows 2000 Server directory service and are administered through User Manager for Domains. This provides centralized administration that is integrated with the existing user accounts on the VPN. Only accounts that have been granted specific access to the network through a trusted domain are permitted. Careful user accounts management is necessary to reduce security risks. Having a secure password model in place is critical to the successful deployment of PPTP because Internet connections are more susceptible to 260
AU1253_ch22_Frame Page 261 Saturday, October 26, 2002 4:45 PM
Virtual Private Network Security speed or demon dialer programs, which can literally crunch through thousands of password and username combinations. The only way to minimize this type of attack is to implement secure password policies. Passwords should be difficult to guess. For example, one can require passwords to contain upper case letters, lower case letters, numbers, and special characters. It is recommended that at least three different types of characters be required in order to ensure password uniqueness. Access Control After authentication, all access to a private LAN continues to use the Windows 2000-based security model. Access to resources on NTFS drives, or to other network resources, requires the proper permissions. It is recommended that the NTFS file system be used for file resources that are accessed by PPTP clients. Data Encryption For data encryption, PPTP uses the RAS shared-secret encryption process. It is referred to as a shared secret because both ends of the connection share the encryption key. In the Microsoft implementation of RAS, the shared secret is the user password. Other encryption methods base the encryption on some key available in public. This second method of encryption is known as public key encryption. PPTP uses the PPP encryption and PPP compression schemes. The Compression Control Protocol (CCP) used by PPP is used to negotiate encryption. The user name and password of the PPTP client is available to the PPTP server and supplied by the PPTP client. An encryption key is derived from the hashed password stored on both the client and server. The RSA RC4 standard is used to create this 40-b session key, based on the client password. This key is used to encrypt all data that is passed over the Internet, keeping the remote connection private and secure. The data in PPP packets is encrypted. The PPP packet containing a block of encrypted data is then encapsulated into a larger IP datagram for routing over the Internet to the PPTP server. If an Internet hacker intercepted your IP datagram, he or she would find only media headers, IP headers, and then the PPP packet containing a block of encrypted data. It would be indecipherable. PPTP Packet Filtering PPTP filtering is an important security feature. An administrator can decide to only allow PPTP-enabled users to connect to the enterprise network from the Internet. Filtering out non-PPTP packets avoids the risk of somebody attacking the enterprise network through the PPTP gateway server. Network security from malicious activity can be enhanced by enabling PPTP filtering on the PPTP server. When PPTP filtering is enabled, the 261
AU1253_ch22_Frame Page 262 Saturday, October 26, 2002 4:45 PM
SECURITY PPTP server on the VPN accepts and routes only PPTP packets from authenticated users. This prevents all other packets from entering the PPTP server and the VPN. In conjunction with PPP encryption, this ensures that only authorized encrypted data enters or leaves the private LAN. PPTP filtering is enabled on the PPTP server using the Protocols tab in the Network option of Control Panel. Using PPTP with Firewalls and Routers PPTP traffic uses TCP port 1723, and IP protocol uses ID 47, as assigned by the Internet Assigned Numbers Authority (IANA). PPTP can be used with most firewalls and routers by enabling traffic destined for port 1723 to be routed through the firewall or router. Firewalls ensure enterprise network security by strictly regulating data that comes into the VPN from the Internet. An enterprise can deploy a PPTP server running Windows 2000 Server behind its firewall. The PPTP server accepts PPTP packets passed to the VPN from the firewall and extracts the PPP packet from the IP datagram, decrypts the packet, and forwards the packet to the computer on the VPN. FRONT-END PROCESSORS PPTP is designed to allow front-end processors (FEPs) to be connected with Windows 2000 servers, so clients that call into the FEP have transparent access to the server’s network. This means the client will not notice whether it is going straight to the server, or to an FEP that is tunneling through the server. According to Microsoft, because its secure VPN provides transparent access to a PPP client, it can work with UNIX, Win 16, MS-DOS®, Macintosh, and other clients. FEPs can be operated by telephone companies because FEPs do not allow access to the data exchange between the client and the server. The FEP is just a pass-through that lacks the intelligence to evaluate the information passing through it. From a security standpoint, this means an enterprise will not lose control of who gets access to its network. Data privacy is maintained. This is very important for enterprises that outsource dial-up access because they need their data to be secure. Another important point is to keep control of who has access to the server on the server itself, rather than on the FEP. The server authenticates the clients calling in; the FEP only looks at the caller’s identity and establishes the tunnel to the server. Because the FEP has a passive role, security is tight. ADVANCED VPN SECURITY FEATURES Because the Internet facilitates the creation of VPNs from anywhere, networks need strong security features to prevent unwelcome access to 262
AU1253_ch22_Frame Page 263 Saturday, October 26, 2002 4:45 PM
Virtual Private Network Security private networks and to protect private data as it traverses the public network. User authentication and data encryption have already been discussed. This final part of the chapter provides a brief look ahead to the stronger authentication and encryption capabilities that will be available with EAP and IPSec. One can begin with an overview of public key encryption and public key-based certificates because these will play a role in the new EAP and IPSec security features now in development by Microsoft and other software suppliers. Symmetric Encryption versus Asymmetric Encryption (Private Key versus Public Key) Symmetric, or private key, encryption (also known as conventional encryption) is based on a secret key that is shared by both communicating parties. The sending party uses the secret key as part of the mathematical operation to encrypt (or encipher) plaintext to ciphertext. The receiving party uses the same secret key to decrypt (or decipher) the ciphertext to plaintext. Examples of symmetric encryption schemes are the RSA RC4 algorithm (which provides the basis for Microsoft point-to-point encryption (MPPE), Data Encryption Standard (DES), the International Data Encryption Algorithm (IDEA), and the Skipjack encryption technology proposed by the U.S. government (and implemented in the Clipper chip)). Asymmetric or public key encryption uses two different keys for each user: one is a private key known only to one user; the other is a corresponding public key, which is accessible to anyone. The private and public keys are mathematically related by the encryption algorithm. One key is used for encryption and the other for decryption, depending on the nature of the communication service being implemented. In addition, public key encryption technologies allow digital signatures to be placed on messages. A digital signature uses the sender’s private key to encrypt some portion of the message. When the message is received, the receiver uses the sender’s public key to decipher the digital signature as a way to verify the sender’s identity. Certificates With symmetric encryption, both sender and receiver have a shared secret key. The distribution of the secret key must occur (with adequate protection) prior to any encrypted communication. However, with asymmetric encryption, the sender uses a private key to encrypt or digitally sign messages, while the receiver uses a public key to decipher these messages. The public key can be freely distributed to anyone who needs to receive the encrypted or digitally signed messages. The sender needs to carefully protect the private key only. To secure the integrity of the public key, the public key is published with a certificate. A certificate (or public key certificate) is a data structure that 263
AU1253_ch22_Frame Page 264 Saturday, October 26, 2002 4:45 PM
SECURITY is digitally signed by a certificate authority (CA) — an authority that users of the certificate can trust. The certificate contains a series of values, such as the certificate name and usage, information identifying the owner of the public key, the public key itself, an expiration date, and the name of the CA. The CA uses its private key to sign the certificate. If the receiver knows the public key of the CA, the receiver can verify that the certificate is indeed from the trusted CA, and, therefore, contains reliable information and a valid public key. Certificates can be distributed electronically (via Web access or e-mail), on smart cards, or on floppy disks. Therefore, public key certificates provide a convenient, reliable method for verifying the identity of a sender. IPSec can optionally use this method for end-to-end authentication. Remote access servers can use public key certificates for user authentication, as described next. Extensible Authentication Protocol (EAP) As stated previously, most implementations of PPP provide very limited authentication methods. EAP is an IETF-proposed extension to PPP that allows for arbitrary authentication mechanisms to be employed for the validation of a PPP connection. EAP was designed to allow the dynamic addition of authentication plug-in modules at both the client and server ends of a connection. This allows vendors to supply a new authentication scheme at any time. EAP provides the highest flexibility in authentication uniqueness and variation. EAP is also implemented in Windows 2000. Transaction-Level Security (EAP-TLS) EAP-TLS has been submitted to the IETF as a draft proposal for a strong authentication method based on public key certificates. With EAP-TLS, a client presents a user certificate to the dial-in server, while at the same time, the server presents a server certificate to the client. The first provides strong user authentication to the server; the second provides assurance that the user has reached the intended server. Both systems rely on a chain of trusted authorities to verify the validity of the offered certificate. The user’s certificate could be stored on the dial-up client PC, or stored in an external smart card. In either case, the certificate cannot be accessed without some form of user identification (PIN or name/password exchange) between the user and the client PC. This approach meets the somethingyou-know-plus-something-you-have criteria recommended by most security experts. EAP-TLS is the specific EAP method that will be implemented in Windows 2000. Like MS-CHAP, EAP-TLS will return an encryption key to enable subsequent data encryption by MPPE.
264
AU1253_ch22_Frame Page 265 Saturday, October 26, 2002 4:45 PM
Virtual Private Network Security IP Security (IPSec) IPSec was designed by the IETF as an end-to-end mechanism for ensuring data security in IP-based communications. IPSec has been defined in a series of RFCs, notably RFCs 1825, 1826, and 1827, which define the overall architecture, an authentication header for verifying data integrity, and an encapsulation security payload (ESP) for both data integrity and data encryption. IPSec defines two functions that ensure confidentiality: data encryption and data integrity. As defined by the Internet Engineering Task Force, IPSec uses an authentication header (AH) to provide source authentication and integrity without encryption, and the ESP to provide authentication and integrity along with encryption. With IPSec, only the sender and recipient know the security key. If the authentication data is valid, the recipient knows that the communication came from the sender and that it was not changed in transit. IPSec can be envisioned as a layer below the TCP/IP stack. This layer is controlled by a security policy on each machine and a negotiated security association between the sender and receiver. The policy consists of a set of filters and associated security behaviors. If a packet’s IP address, protocol, and port number matches a filter, then the packet is subject to the associated security behavior. Negotiated Security Association The first such packet triggers a negotiation of a security association between the sender and receiver. ISAKMP/Oakley is the standard protocol for this negotiation. During an ISAKMP/Oakley exchange, the two machines agree on authentication and data security methods, perform mutual authentication, and then generate a shared key for subsequent data encryption. After the security association has been established, data transmission can proceed for each machine applying data security treatment to the packets that it transmits to the remote receiver. The treatment can simply ensure the integrity of the transmitted data, or it can encrypt it as well. These options are discussed next. Authentication Header Data integrity and data authentication for IP payloads can be provided by an authentication header located between the IP header and the transport header. The authentication header includes authentication data and a sequence number, which together are used to verify the sender, ensure that the message has not been modified in transit, and prevent a replay attack. The IPSec authentication header provides no data encryption. Clear text messages can be sent, and the authentication header ensures that they originated from a specific user and were not modified in transit.
265
AU1253_ch22_Frame Page 266 Saturday, October 26, 2002 4:45 PM
SECURITY Encapsulation Security Header For both data confidentiality and protection from third-party capture, the ESP provides a mechanism to encrypt the IP payload. ESP also provides data authentication and data integrity services. Therefore, ESP headers are an alternative to AH headers in IPSec packets. SUMMARY A primary concern must be whether the public Internet can possibly be secure enough to carry enterprise-sensitive information. The answer lies not in the network itself, but in the measures taken to secure information both at the boundaries of the enterprise and in transit across the Internet. There is a wide range of affordable security technologies that can protect the enterprise’s need for privacy and access control — while exploiting all the benefits of speed and global reach each offered by the worldwide network. Encryption products ensure privacy; authentication devices and techniques can prove user identities; and, there is a vast array of firewall products to give the customer detailed access control. With a wide range of affordable security technologies on the market, an Internet VPN is certainly an attainable goal. Encryption products ensure privacy. Authentication devices and techniques can prove user identities. And there is a vast array of firewall products to give the customer detailed access control. Suppliers know that to get the enterprise community onto the Internet, security is an absolute priority. Conventional private WANs have attracted much less scrutiny than Internet-based solutions — and still tend to use insecure address-based authentication and access control for restricting user activity. With carefully designed architecture, Internet VPNs can be made as secure as traditional WAN implementations. One must not forget that most security breaches come from inside an enterprise’s own perimeters. This section has covered, in depth, the concepts behind the definition and the implementation of a secure VPN and described the value of IBM eNetwork VPN security solutions based on IPSec. However, given the multitude of network environments and enterprise needs, all scenarios are beyond the scope of this chapter. It is quite possible, for example, that an enterprise may require elements of all three VPN security scenarios described. For instance, what if one needs to run multiple VPNs — one for the enterprise’s internal communications (the branch office connection scenario) and another for the external enterprise communications (the enterprise partner/supplier network scenario)? Or, what if one wants to incorporate remote users into the supplier network? Or, what if one is a smaller enterprise and needs only a small firewall to protect employees 266
AU1253_ch22_Frame Page 267 Saturday, October 26, 2002 4:45 PM
Virtual Private Network Security from Internet hackers? Or, when might one require secure VPN-enabled routers in the network? These are all complex questions that should be discussed with experienced networking and security experts. According to IBM, the eNetwork VPN security solutions provide capabilities that can link IT assets with Web technology to build secure E-enterprise solutions. With the implementation of an eNetwork VPN security solution, one should be able to cost-effectively extend the reach of the network, the applications, and the data. One can easily incorporate enterprise partners and suppliers, remote branch offices, and remote users — enabling improved communication and enhanced enterprise processes. One can reduce enterprise expenses, both by exploiting the Internet or other public networks (instead of expensive private leased lines, dial-up lines, or toll-free telephone numbers) and by using VPN security management capabilities to minimize VPN maintenance costs. On the other hand, Microsoft’s VPN security technology is based on the industry-standard PPTP. It allows users to achieve secure connectivity between remote clients and the VPN via the Internet or other public carriers. According to Microsoft, their VPN security provides enterprises with an economical and easy-to-implement strategy for securely using the Internet as an extension of their private network. The security, reliability, ease of use, and speed of PPTP-enabled Windows 2000 Servers, combined with the DNS infrastructure, provides significantly enhanced enterprise-to-enterprise communications across the Internet. The movement to the open PPTP protocol standard signals an opportunity for remote access system vendors, ISPs, and firewall vendors to provide great value-added benefits for their customers. PPTP-enabled systems can be deployed now with the confidence that they will ensure compatibility with the PPTP standard as it evolves through the IETF and into the future. Clearly, the future of VPN security activity must take account of these exciting developments. As Internet technology emerges, so does the compelling case for Internet-based VPN security.
267
AU1253_ch22_Frame Page 268 Saturday, October 26, 2002 4:45 PM
AU1253_ch23_Frame Page 269 Saturday, October 26, 2002 4:46 PM
Chapter 23
VPNs: Secure Remote Access over the Internet John R. Vacca
The components and resources of one network over another network are connected via a Virtual Private Network (VPN). As shown in Exhibit 1, VPNs accomplish this by allowing the user to tunnel through the Internet or another public network in a manner that lets the tunnel participants enjoy the same security and features formerly available only in private networks. Using the routing infrastructure provided by a public internetwork (such as the Internet), VPNs allow telecommuters, remote employees like salespeople, or even branch offices to connect in a secure fashion to an enterprise server located at the edge of the enterprise local area network (LAN). The VPN is a point-to-point connection between the user’s computer and an enterprise server from the user’s perspective. It also appears as if the data is being sent over a dedicated private link because the nature of the intermediate internetwork is irrelevant to the user. As previously mentioned, while maintaining secure communications, VPN technology also allows an enterprise to connect to branch offices or to other enterprises (extranets) over a public internetwork (such as the Internet). The VPN connection across the Internet logically operates as a wide area network (WAN) link between the sites. In both cases, the secure connection across the internetwork appears to the user as a private network communication (despite the fact that this communication occurs over a public internetwork), hence the name virtual private network. VPN technology is designed to address issues surrounding the current enterprise trend toward increased telecommuting, widely distributed global operations, and highly interdependent partner operations. Here, workers must be able to connect to central resources and communicate with each other, and enterprises need to efficiently manage inventories for just-in-time production. 0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
269
AU1253_ch23_Frame Page 270 Saturday, October 26, 2002 4:46 PM
SECURITY
Exhibit 1.
Virtual Private Network
An enterprise must deploy a reliable and scalable remote access solution to provide employees with the ability to connect to enterprise computing resources regardless of their location. Enterprises typically choose one of the following: • An IT department-driven solution, where an internal information systems department is charged with buying, installing, and maintaining enterprise modem pools and a private network infrastructure • Value-added network (VAN) solutions, where an enterprise pays an outsourced enterprise to buy, install, and maintain modem pools and a telco infrastructure The optimum solution in terms of cost, reliability, scalability, flexible administration and management, and demand for connections is provided by neither of these traditional solutions. Therefore, it makes sense to find a middle ground where the enterprise either supplements or replaces its current investments in modem pools and its private network infrastructure with a less-expensive solution based on Internet technology. In this manner, the enterprise can focus on its core competencies with the assurance that accessibility will never be compromised and that the most economical 270
AU1253_ch23_Frame Page 271 Saturday, October 26, 2002 4:46 PM
VPNs: Secure Remote Access over the Internet
Exhibit 2.
Using a VPN to Connect a Remote Client to a Private LAN
solution will be deployed. The availability of an Internet solution enables a few Internet connections (via Internet service providers, or ISPs) and deployment of several edge-of-network VPN server computers to serve the remote networking needs of thousands or even tens of thousands of remote clients and branch offices, as described below. VPN COMMON USES The next few subsections of this chapter describe in more detail common VPN situations. Secure Remote User Access over the Internet While maintaining privacy of information, VPNs provide remote access to enterprise resources over the public Internet. A VPN that is used to connect a remote user to an enterprise intranet is shown in Exhibit 2. The user first calls a local ISP Network Access Server (NAS) phone number, rather than making a leased-line, long-distance (or 1–800) call to an enterprise or outsourced NAS. The VPN software creates a virtual private network between the dial-up user and the enterprise VPN server across the Internet using the local connection to the ISP. Connecting Networks over the Internet To connect LANs at remote sites, there exist two methods for using VPNs: using dedicated lines to connect a branch office to an enterprise LAN, or a dial-up line to connect a branch office to an enterprise LAN. Using Dedicated Lines to Connect a Branch Office to an Enterprise LAN. Both the branch office and the enterprise hub routers can use a local dedicated circuit and local ISP to connect to the Internet, rather than using an expensive long-haul dedicated circuit between the branch office and the enterprise hub. The local ISP connections and the public Internet are used by 271
AU1253_ch23_Frame Page 272 Saturday, October 26, 2002 4:46 PM
SECURITY
Exhibit 3.
Using a VPN to Connect Two Remote Sites
the VPN software to create a virtual private network between the branch office router and the enterprise hub router. Using a Dial-Up Line to Connect a Branch Office to an Enterprise LAN. The router at the branch office can call the local ISP, rather than having a router at the branch office make a leased-line, long-distance or (1–800) call to an enterprise or outsourced NAS. Also, in order to create a VPN between the branch office router and the enterprise hub router across the Internet, the VPN software uses the connection to the local ISP as shown in Exhibit 3.
The facilities that connect the branch office and enterprise offices to the Internet are local in both cases. To make a connection, both client/server and server/server VPN cost savings are largely predicated on the use of a local access phone number. It is recommended that the enterprise hub router that acts as a VPN server be connected to a local ISP with a dedicated line. This VPN server must be listening 24 hours per day for incoming VPN traffic. Connecting Computers over an Intranet. Departmental data is so sensitive that the department’s LAN is physically disconnected from the rest of the enterprise internetwork in some enterprise internetworks. All of this creates information accessibility problems for those users not physically connected to the separate LAN, although the department’s confidential information is protected.
VPNs allow the department’s LAN to be separated by a VPN server (see Exhibit 4) but physically connected to the enterprise internetwork. One should note that the VPN server is not acting as a router between the enterprise internetwork and the department LAN. A router would interconnect the two networks, thus allowing everyone access to the sensitive LAN. The network administrator can ensure that only those users on the enterprise internetwork who have appropriate credentials (based on a need-to-know policy within the enterprise) can establish a VPN with the 272
AU1253_ch23_Frame Page 273 Saturday, October 26, 2002 4:46 PM
VPNs: Secure Remote Access over the Internet
Exhibit 4.
Using a VPN to Connect to Two Computers on the Same LAN
VPN server and gain access to the protected resources of the department by using a VPN. Additionally, all communication across the VPN can be encrypted for data confidentiality. Thus, the department LAN cannot be viewed by those users who do not have the proper credentials. Basic VPN Requirements Normally, an enterprise desires to facilitate controlled access to enterprise resources and information when deploying a remote networking solution. In order to easily connect to enterprise LAN resources, the solution must allow freedom for authorized remote clients. And, in order to share resources and information (LAN-to-LAN connections), the solution must also allow remote offices to connect to each other. Finally, as the data traverses the public Internet, the solution must ensure the privacy and integrity of data. Also, in the case of sensitive data traversing an enterprise internetwork, the same concerns apply. A VPN solution should therefore provide all of the following at a minimum: • Address management: the solution must assign a client’s address on the private net and must ensure that private addresses are kept private. • Data encryption:data carried on the public network must be rendered unreadable to unauthorized clients on the network. • Key management: the solution must generate and refresh encryption keys for the client and server. • Multiprotocol support: the solution must be able to handle common protocols used in the public network; these include Internet Protocol (IP), Internet Packet Exchange (IPX), etc. • User authentication: the solution must verify a user’s identity and restrict VPN access to authorized users; in addition, the solution must provide audit and accounting records to show who accessed what information and when. 273
AU1253_ch23_Frame Page 274 Saturday, October 26, 2002 4:46 PM
SECURITY Furthermore, all of these basic requirements are met by an Internet VPN solution based on the Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP). The solution also takes advantage of the broad availability of the worldwide Internet. Other solutions meet some of these requirements but remain useful for specific situations, including the new IP Security Protocol (IPSec). Point-to-Point Tunneling Protocol (PPTP). PPTP is a Layer 2 protocol that encapsulates PPP frames in IP datagrams for transmission over an IP internetwork, such as the Internet. PPTP can also be used in private LAN-to-LAN networking. PPTP is documented in the draft RFC, “Point-to-Point Tunneling Protocol.”
This draft was submitted to the IETF in June 1996 by the member enterprises of the PPTP Forum, including Microsoft Corporation, Ascend Communications, 3Com/Primary Access, ECI Telematics, and U.S. Robotics (now 3Com). PPTP uses generic routing encapsulation (GRE)-encapsulated Point-toPoint Protocol (PPP) frames for tunneled data and a TCP connection for tunnel maintenance. The payloads of the encapsulated PPP frames can be compressed as well as encrypted. How a PPTP packet is assembled prior to transmission is shown in Exhibit 5. The illustration shows a dial-up client creating a tunnel across an internetwork. The encapsulation for a dial-up client (PPP device driver) is shown in the final frame layout. Layer 2 Forwarding (L2F). L2F (a technology proposed by Cisco Systems, Inc.) is a transmission protocol that allows dial-up access servers to frame dial-up traffic in PPP and transmit it over WAN links to an L2F server (a router). The L2F server then unwraps the packets and injects them into the network. Unlike PPTP and L2TP, L2F has no defined client. Layer 2 Tunneling Protocol (L2TP). A combination of PPTP and L2F makes up L2TP. In other words, the best features of PPTP and L2F are incorporated into L2TP. L2TP is a network protocol that encapsulates PPP frames to be sent over asynchronous transfer mode (ATM), IP, X.25, or frame relay networks. L2TP can be used as a tunneling protocol over the Internet when configured to use IP as its datagram transport. Without an IP transport layer, L2TP can also be used directly over various WAN media (such as frame relay). L2TP is documented in the draft RFC, Layer 2 Tunneling Protocol “L2TP” (draft-ietf-pppext-l2tp-09.txt). This document was submitted to the IETF in January 1998.
For tunnel maintenance, L2TP over IP internetworks uses UDP and a series of L2TP messages. As the tunneled data, L2TP also uses UDP to send L2TP-encapsulated PPP frames. The payloads of encapsulated PPP frames 274
AU1253_ch23_Frame Page 275 Saturday, October 26, 2002 4:46 PM
VPNs: Secure Remote Access over the Internet
Exhibit 5.
Construction of a PPTP Packet
can be compressed as well as encrypted. Assembly of an L2TP packet prior to transmission is shown in Exhibit 6. A dial-up client creating a tunnel across an internetwork is shown in the exhibit. The encapsulation for a dial-up client (PPP device driver) is shown in the final frame layout. L2TP over IP is assumed in the encapsulation. L2TP Compared to PPTP. PPP is used to provide an initial envelope for the data for both PPTP and L2TP. Then, it appends additional headers for transport through the internetwork. The two protocols are very similar.
There are differences between PPTP and L2TP, however. For example, • L2TP provides for header compression. When header compression is enabled, L2TP operates with four bytes of overhead, as compared to six bytes for PPTP. • L2TP provides for tunnel authentication, while PPTP does not. However, when either protocol is used over IPSec, tunnel authentication is provided by IPSec so that Layer 2 tunnel authentication is not necessary. 275
AU1253_ch23_Frame Page 276 Saturday, October 26, 2002 4:46 PM
SECURITY
Exhibit 6.
Construction of an L2TP Packet
• PPTP can only support a single tunnel between endpoints. L2TP allows for the use of multiple tunnels between endpoints. With L2TP, one can create different tunnels for different qualities of service. • PPTP requires that the internetwork be an IP internetwork. L2TP requires only that the tunnel media provide packet-oriented pointto-point connectivity. L2TP can be used over IP (using UDP), frame relay permanent virtual circuits (PVCs), X.25 virtual circuits (VCs), or ATM VCs. Internet Protocol Security (IPSec) Tunnel Mode. The secured transfer of information across an IP internetwork is supported by IPSec (a Layer 3 protocol standard). Nevertheless, in the context of tunneling protocols, one aspect of IPSec is discussed here. IPSec defines the packet format for an IP over an IP tunnel mode (generally referred to as IPSec tunnel mode), in addition to its definition of encryption mechanisms for IP traffic. An IPSec tunnel consists of a tunnel server and tunnel client. These are both configured to use a negotiated encryption mechanism and IPSec tunneling. 276
AU1253_ch23_Frame Page 277 Saturday, October 26, 2002 4:46 PM
VPNs: Secure Remote Access over the Internet For secure transfer across a private or public IP internetwork, IPSec tunnel mode uses the negotiated security method (if any) to encapsulate and encrypt entire IP packets. The encrypted payload is then encapsulated again with a plaintext IP header. It is then sent on the internetwork for delivery to the tunnel server. The tunnel server processes and discards the plaintext IP header and then decrypts its contents to retrieve the original payload IP packet. Upon receipt of this datagram, the payload IP packet is then processed normally and routed to its destination on the target network. The following features and limitations are contained within the IPSec tunnel mode: • It is controlled by a security policy — a set of filter-matching rules. This security policy establishes the encryption and tunneling mechanisms available in order of preference and the authentication methods available, also in order of preference. As soon as there is traffic, the two machines perform mutual authentication and then negotiate the encryption methods to be used. Thereafter, all traffic is encrypted using the negotiated encryption mechanism and then wrapped in a tunnel header. • It functions at the bottom of the IP stack; therefore, applications and higher level protocols inherit its behavior. • It supports IP traffic only. The remainder of this chapter discusses VPNs and the use of these technologies by enterprises to do secure remote access (e.g., by traveling employees and sales reps) over the Internet in greater detail. EASY TO MANAGE AND USE While squeezing the maximum possible from budget and support staffs, today’s enterprises are asking their Information Technology groups (ITGs) to deliver an increasing array of communication and networking services. It appears that the situation is no different at Microsoft Corporation (Redmond, Washington). The Microsoft ITG needed to provide secure, Internet-based remote access for its more than 35,000 mobile sales personnel, telecommuters, and consultants around the world. Microsoft’s ITG is currently using and deploying a custom Windows-based remote dial-up and virtual private networking (VPN) solution by using Windows-based clients and enhanced Windows 2000 RAS (remote access server) technology available in the Windows 2000 Option Pack (formerly named Windows NT 5.0). Users are given quick, easy, and low-cost network access. Additional user services are provided with new Windows-based network services from UUnet Technologies, Inc. Integrated RAS-VPN Clients. According to Microsoft, its ITG has learned that the widespread adoption and use of technology largely depends on how easy and transparent the experience is for the end user. Likewise, 277
AU1253_ch23_Frame Page 278 Saturday, October 26, 2002 4:46 PM
SECURITY Microsoft’s ITG has learned not to deploy technologies for which complexity results in an increased support burden on its limited support staff. Microsoft’s ITG provided a single client interface with central management to simultaneously make the remote access solution easy to use and manage. Single Client. A single client is used for both the direct dial-up and VPN
connections. Users utilize the same client interface for secure transparent access, whether dialing directly to the enterprise network or connecting via a VPN, by using Windows integrated dial-up networking technology (DUN) and Microsoft Connection Manager. In fact, users do not need to concern themselves with which method is employed. Central Management. Central management is used for remote dial-up and VPN access phone numbers. According to Microsoft, its ITG has found that one of the most common support problems traveling users face is determining and managing local access phone numbers. This problem translates into one of the principal reasons for support calls to Microsoft’s user support centers. Using the Connection Manager Administration Kit (CMAK) wizard (which is part of Microsoft’s remote access solution), Microsoft’s ITG preloads each client PC with an electronic phone book that includes every dial-up remote access phone number for Microsoft’s network. The Windows solution also allows phone books to be centrally integrated and managed from a single remote location and allows clients to be updated automatically.
Windows Communication Platform In order to provide a flexible and comprehensive network solution, the open extensibility of the Windows 2000 allows Microsoft’s ITG to preserve its current hardware network investments while partnering with UUnet Technologies, Inc. According to Microsoft, the Windows platform enabled its ITG to integrate the best-of-breed network services and applications to best meet its client and network administration needs. High-Speed Internet Access on the Road. Microsoft employees can also connect to high-speed Internet access by plugging into public IPORT jacks in hotels, airports, cafes, and remote locations. The Microsoft ITG integrates the IPORT pay-per-use Internet access features into its custom remote access solution. According to Microsoft, this high-bandwidth, easily available connection helps Microsoft employees be more productive and have a better online experience while on the road. Secure Internet Access and VPN. Microsoft’s ITG, like its counterparts at every enterprise, must ensure that the edge of its network is secure while still providing all employees with the freedom needed to access information worldwide. Microsoft’s ITG has also deployed Microsoft Proxy Server to securely separate the LAN from the Internet to meet this need. 278
AU1253_ch23_Frame Page 279 Saturday, October 26, 2002 4:46 PM
VPNs: Secure Remote Access over the Internet To ensure that no intruders compromise the edge of network, the Microsoft Proxy Server firewall capabilities protect Microsoft’s network from unauthorized access from the Internet by providing network address translation and dynamic IP-level filtering. Microsoft’s ITG uses the powerful caching services in Microsoft Proxy Server to expedite the delivery of information at the same time. The Proxy Server is able to service subsequent user requests of alreadyrequested information without having to generate additional network traffic by reusing relevant cached information. In addition, in order to operate at peak efficiency with the utmost security, ITG uses Microsoft Proxy Server to enable the Microsoft intranet and remote employees. RAS Reporting and Internal Usage Chargeback (Billing). Microsoft pays a sub-
stantial amount for remote access fees due to the need to maintain private leased lines and dedicated 800 numbers like many large enterprises with a multitude of branch offices and remote employees. In addition, according to Microsoft, the sheer number of LAN entry points and autonomy afforded its international divisions made centralized accounting and retail reporting for remote access use and roaming users important. Microsoft’s ITG is deploying a VPN solution — bolstered with centralized accounting and reporting of enterprisewide remote access and VPN use — by using Windows 2000, integrated user domain directory, and RADIUS services. As part of this solution, Microsoft is also deploying TRU RADIUS Accountant for Windows 2000 from Telco Research. Furthermore, Microsoft’s ITG is also able to generate detailed reporting of remote access and VPN network use for internal cost-accounting purposes while using familiar Windows 2000 management tools by using Telco Research’s product. In addition, Microsoft’s ITG is able to quickly and easily deploy a turnkey reporting solution built on the intrinsic communication services of Windows 2000 in this manner. According to Microsoft, while maintaining the flexibility to accommodate future change, they receive better security as a result, reduced implementation costs, and enhanced reporting to improve remote access management and chargeback service. VIP Services: Economical Internet Access and VPN. By working with UUnet Technologies, Inc. (the largest ISP in the world), the Microsoft ITG supplemented its private data network infrastructure and RAS with VPN services. Microsoft’s VPN solution is integrated with the UUnet Radius Proxy servers through the Windows 2000 native support for RADIUS under this relationship.
Through the Windows 2000 Remote Access Service integrated RADIUS support, Microsoft’s ITG made reliable and secure local access to UUnet Technologies IP network available to all Microsoft mobile employees. This 279
AU1253_ch23_Frame Page 280 Saturday, October 26, 2002 4:46 PM
SECURITY resulted in the delivery of high-quality VPN services over the UUnet Technologies, Inc. infrastructure at a reduced cost. The ITG conservatively estimates that this use of VPN service as an alternative to traditional remote access will save Microsoft more than $7 million per year in remote access fees alone. Additional savings are expected from the elimination of call requests for RAS phone numbers and greatly reduced remote access configuration support. The ITG utilized the integrated support for RADIUS-based authentication available from the Windows Directory in Windows 2000. This allowed them to retain all existing authentication rights for both Internet and LAN access, avoiding change or redundant replication of directory, and provided for enhanced network security. According to Microsoft, their ITG was able to instantly extend network access to its more than 50,000 employees in more than 100 countries through its relationship with UUnet Technologies, Inc. To ensure that Microsoft employees can access information locally anywhere with reliability guarantees and the support of UUnet, UUnet Technologies’ transcontinental backbone provides access throughout North America, Europe, and the Asia–Pacific region. Planning for the Future Finally, Microsoft’s ITG wanted to ensure that its current investment in the remote access infrastructure would not only be able to meet today’s needs, but also enable it to make the most of opportunities provided by the digital convergence of network-aware applications in the near future. Evidence of an increased need or higher degrees of client/server network application integration is found in the momentum of Windows 2000 as a platform for IP telephony, media-streaming technologies, and the migration to PBX systems based on Windows 2000. The flexibility needed to economically address current and future needs of Microsoft’s ITG is provided through the use of Windows 2000 as the backbone of the remote access solution. Through partnerships with multiple service providers such as UUnet Technologies, the selection of a Windows-based solution allows ITG the freedom to both centrally manage and incrementally extend the Microsoft direct-dial and VPN infrastructure at a controlled pace and in an open manner. In order to connect Microsoft subsidiaries, branch offices, and extranet partners securely to the enterprise network over private and public networks, Windows 2000 Routing, RAS, and VPN services — along with tight integration with Microsoft Proxy Server — are already enabling Microsoft’s ITG to seamlessly extend its RAS–VPN infrastructure. Furthermore, to meet Microsoft’s enterprise needs into the future, the broad application support 280
AU1253_ch23_Frame Page 281 Saturday, October 26, 2002 4:46 PM
VPNs: Secure Remote Access over the Internet enjoyed by the Windows communication platform ensures that ITG will continue to have access to a host of rich application services made available by developers and service providers, such as ATCOM, Inc., Telco-Research, and UUnet Technologies, Inc. SUMMARY As explained in this chapter, Windows 2000 native VPN services allow users or enterprises to reliably and securely connect to remote servers, branch offices, or other enterprises over public and private networks. Despite the fact that this communication occurs over a public internetwork in all of these cases, the secure connection appears to the user as a private network communication. Windows VPN technology is designed to address issues surrounding the current enterprise trend toward increased telecommuting and widely distributed global operations, where workers must be able to connect to central resources and where enterprises must be able to efficiently communicate with each other. This chapter provided an in-depth discussion of virtual private networking and described the basic requirements of useful VPN technologies — user authentication, address management, data encryption, key management, and multiprotocol support. It discussed how Layer 2 protocols, specifically PPTP and L2TP, meet these requirements, and how IPSec (a Layer 3 protocol) will meet these requirements in the future. Every VPN solution needs to address the technological issues cited in the preceding text and provide the flexibility to address enterprise issues like network interoperability, rich application integration, and infrastructure transparency. Enterprise infrastructure decisions need to be made in a manner that empowers client access to local connections and client utilization of the network in a transparent manner to bolster economy and productivity. Furthermore, escalating remote access and telecommuting needs and an increase in the use of distributed enterprise models like extranets require pragmatic remote access solutions that are easy to use, economical, and flexible enough to meet the changing needs of every enterprise. To support its 50,000+ employees worldwide with best-of-breed remote access and virtual private networking (VPN) services, Microsoft capitalizes on the built-in communication services included in Windows, integrated VPN firewall and caching support from Microsoft Proxy Server, and complementary services from partners such as UUnet Technologies, Inc., Telco Research, and ATCOM, Inc. The remote access infrastructure that Microsoft’s Redmond, Washington headquarters uses for its 15,000 HQ employees consists of four dedicated VPN server computers running the Windows 2000 network operating 281
AU1253_ch23_Frame Page 282 Saturday, October 26, 2002 4:46 PM
SECURITY system. Each machine runs three 400-MHz new Pentium III processors, with 204 Mb of RAM, 3×3 Gb of local storage, and three 200-Mbps network interface cards. The UUnet Technologies, Inc. network that supports Microsoft’s wholesale remote access and VPN services provides access to one of the largest IP networks in the world. UUnet’s backbone infrastructure features a fully meshed network that extends across both the Atlantic and Pacific and includes direct fiber optic connections between Europe, North America, and Asia. UUnet also provides satellite access services for remote areas that lack Internet connections. Telco Research’s TRU RADIUS Accountant™ for Windows 2000 provides Microsoft’s ITG with a single source for reporting internal usage and chargeback (billing) information required to control remote access costs. TRU RADIUS’ easy-to-use applications provide a turnkey analysis of remote access usage and the data needed to proactively manage Microsoft’s remote employee costs across its enterprise. Microsoft’s use of UUnet infrastructure to provision its VPN services to its sales force and mobile users is a testament to the quality and reliability of UUnet’s multinational IP network. Using Windows 2000 integrated communication services, both UUnet and Microsoft ITG can centrally update Microsoft remote users with the latest local points of presence (POPs) and RAS connection points as soon they become available around the world.
282
AU1253_ch24_Frame Page 283 Saturday, October 26, 2002 4:49 PM
Chapter 24
Wireless Internet Security Dennis Seymour Lee
Recalling the early days of the Internet, we can recount several reasons why the Internet came about. Some of these include: • Providing a vast communication medium to share electronic information • Creating a multiple-path network that could survive localized outages • Providing a means for computers from different manufacturers and different networks to talk to one another Commerce and security, at that time, were not high on the agenda (with the exception of preserving network availability). The thought of commercializing the Internet in the early days was almost unheard of. In fact, it was considered improper etiquette to use the Internet to sell products and services. Commercial activities and their security needs are a more recent development on the Internet, having come about strongly in the last few years. Today, in contrast, the Wireless Internet is being designed from the very beginning with commerce as its main driving force. Nations and organizations around the globe are spending millions, even billions of dollars, to buy infrastructure, transmission frequencies, technology, and applications in the hopes of drawing business. In some ways, this has become the “land rush” of the new millennium. It stands to reason, then, that security must play a critical role early on as well — where money changes hands, security will need to accompany this activity. Although the wireless industry is still in its infancy, the devices, the infrastructure, and the application development for the Wireless Internet are rapidly growing on a worldwide scale. Those with foresight will know that security must fit in early into these designs. The aim of this chapter is to highlight some of the significant security issues in this emerging industry that need addressing. These are concerns that any business wishing to deploy a Wireless Internet service or application will need to consider to protect their own businesses and their customers and to safeguard their investments in this new frontier. 0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
283
AU1253_ch24_Frame Page 284 Saturday, October 26, 2002 4:49 PM
SECURITY Incidentally, the focus of this chapter is not about accessing the Internet using laptops and wireless modems. That technology, which has been around for many years, is in many cases an extension of traditional wired Internet access. Neither will this chapter focus on wireless LANs and Bluetooth, which are not necessarily Internet-based but deserve chapters on their own. Rather, the concentration will be on portable Internet devices, which inherently have far less computing resources than regular PCs, such as cell phones and PDAs (personal digital assistants). Therefore, these devices require different programming languages, protocols, encryption methods, and security perspectives to cope with the different technology. It is important to note, however, that despite their smaller sizes and limitations, these devices have a significant impact on information security mainly because of the electronic commerce and Intranet-related applications that are being designed for them. WHO IS USING THE WIRELESS INTERNET? Many studies and estimates are available today that suggest the number of wireless Internet users will soon surpass the millions of “wired” Internet users. The assumption is based on the many more millions of worldwide cell phone users that are already out there, a population that grows by the thousands every day. If every one of these mobile users chose to access the Internet through cell phones, indeed that population could easily exceed the number of wired Internet users by several times. It is this very enormous potential that has many businesses devoting substantial resources and investments in the hopes of capitalizing on this growing industry. The wireless Internet is still very young, though. Many mobile phone users do not have access to the Internet through their cell phones yet. Many are taking a “wait and see” attitude to see what services will be available. Most who do have wireless Internet access are early adopters who are experimenting with the potential of what this service could provide. Because of the severe limitations in the wireless devices — the tiny screens, the extremely limited bandwidth, as well as other issues — most users who have both wired and wireless Internet access will admit that, for today, the wireless devices will not replace their desktop computers and notebooks anytime soon as their primary means of accessing the Internet. Many admit that “surfing the Net” using a wireless device today could become a disappointing exercise. Most of these wireless Internet users have expressed the following frustrations: • It is too slow to connect to the Internet. • Mobile users can be disconnected in the middle of a session when they are on the move. • It is cumbersome to type out sentences using a numeric keypad. • It is expensive using the wireless Internet, especially when billed on a “per minute” basis. 284
AU1253_ch24_Frame Page 285 Saturday, October 26, 2002 4:49 PM
Wireless Internet Security • There are very little or no graphics display capabilities on the wireless devices. • The screens are too small and users have to scroll constantly to read a long message. • There are frequent errors when surfing Web sites (mainly because most Web sites today are not wireless Internet-compatible yet). At the time of this writing, the one notable exception to these disappointments is found in Japan. The telecommunications provider, NTT DoCoMo, has experienced phenomenal growth in the number of wireless Internet subscribers, using a wireless application environment called i-mode (as opposed to Wireless Application Protocol, or WAP). For many in Japan, connection using a wireless phone is their only means of accessing the Internet. In many cases, wireless access to the Internet is far cheaper than wired access, especially in areas where the wired infrastructure is expensive to set up. i-mode users have the benefit of “always online” wireless connections to the Internet, color displays on their cell phones, and even graphics, musical tones, and animation. Perhaps Japan’s success with the wireless Internet will offer an example of what can be achieved in the wireless arena, given the right elements. WHAT TYPES OF APPLICATIONS ARE AVAILABLE? Recognizing the frustrations and limitations of today’s wireless technology, many businesses are designing their wireless devices and services not necessarily as replacements for wired Internet access, but as specialized services that extend what the wired Internet could offer. Most of these services highlight the attractive convenience of portable informational access, anytime and anywhere, without having to sit in front of a computer — essentially, Internet services you can carry in your pocket. Clearly, the information would have to be concise, portable, useful, and easy to access. Examples of mobile services available or being designed today include: • Shopping online using a mobile phone by comparing online prices with store prices while inside an actual store • Getting current stock prices, trading price alerts, trade confirmations, and portfolio information anywhere • Performing bank transactions and obtaining account information • Obtaining travel schedules and booking reservations • Obtaining personalized news stories and weather forecasts • Receiving the latest lottery numbers • Obtaining the current delivery status for express packages • Reading and writing e-mail “on the go” • Accessing internal corporate databases such as inventory, client lists, and so on • Getting map directions 285
AU1253_ch24_Frame Page 286 Saturday, October 26, 2002 4:49 PM
SECURITY • Finding the nearest ATM machines, restaurants, theaters, and stores, based on the user’s present location • Dialing 911 and having emergency services quickly triangulate the caller’s location • Browsing a Web site and speaking live with the site’s representative, all within the same session Newer and more innovative services are in the works. As any new and emerging technology, wireless services and applications are often surrounded by much hope and hype, as well as by some healthy skepticism. But as the technology and services mature over time, yesterday’s experiments can become tomorrow’s standards. The Internet is a grand example of this evolving progress. Development of the Wireless Internet will probably go through the same evolutionary cycle, although probably at an even faster pace. Like any new technology, however, security and safety issues can damage its reputation and benefits if they are not included intelligently into the design from the very beginning. It is with this purpose in mind that this chapter is written. Because the wireless Internet covers a lot of territory, the same goes for its security as well. We will cover security issues as they relate to the wireless Internet in a few select categories here, starting from the transmission methods to the wireless devices, and ending with some of the infrastructure components themselves. HOW SECURE ARE THE TRANSMISSION METHODS? For many years, it was public knowledge that analog cell phone transmissions are fairly easy to intercept. It has been a known problem for as long as analog cell phones have been available. They are easily intercepted using special radio scanning equipment. For this reason, as well as many others, many cell phone service providers have been promoting digital services to their subscribers and reducing analog to a legacy service. Digital cell phone transmissions, on the other hand, are typically more difficult to intercept. It is on these very same digital transmissions that most of the new wireless Internet services are based. However, there is no single method for digital cellular transmission. In fact, there are several different methods for wireless transmission available today. For example, in the United States, providers such as Verizon and Sprint use largely code division multiple access (CMDA)), whereas AT&T uses largely time division multiple access (TMDA), and Voicestream uses Global Systems for Mobile (GSM) communications. Other providers like Cingular offer more than one method (TDMA and GSM), depending on the geographic location. All these methods differ in the way they use the 286
AU1253_ch24_Frame Page 287 Saturday, October 26, 2002 4:49 PM
Wireless Internet Security radio frequencies and the way they allocate users on those frequencies. We will cover each of these in more detail. Cell phone users are generally not concerned with choosing a particular transmission method if they want wireless Internet access, nor do they really care to. Instead, most users select their favorite wireless service provider when they sign up for service. It is generally transparent to the user which transmission method their provider has implemented. It is an entirely different matter for the service provider, however. Whichever method they implement has significant bearing on its infrastructure. For example, the type of radio equipment they use, the location and number of transmission towers to deploy, the amount of traffic they can handle, and the type of cell phones to sell to their subscribers, are all directly related to the digital transmission method chosen. FDMA All cellular communications, analog or digital, are transmitted using radio frequencies that are purchased by, or allocated to, the wireless service provider. Each service provider typically purchases licenses from the respective government to operate a spectrum of radio frequencies. Analog cellular communications typically operate on what is called frequency division multiple access (FDMA) technology. With FDMA, each service provider divides its spectrum of radio frequencies into individual frequency channels. Each channel is a specific frequency that supports a one-way communication session; and each channel has a width of 10 to 30 kHz. For a regular two-way phone conversation, every cell phone caller would be assigned two frequency channels, one to send and one to receive. Because each phone conversation occupies two channels (two frequencies), it is not too difficult for specialized radio scanning equipment to tap into a live analog phone conversation once the equipment has tuned into the right frequency channel. There is very little privacy protection in analog cellular communications if no encryption is added. TDMA Digital cellular signals, on the other hand, can operate on a variety of encoding techniques, most of which are resistant to analog radio frequency scanning. (Please note that the word “encoding” in wireless communications does not mean encryption. “Encoding” here usually refers to converting a signal from one format to another, for example, from a wired signal to a wireless signal.) One such technique is called time division multiple access, (TDMA). Like FDMA, TDMA divides the radio spectrum typically into multiple 30-kHz frequency channels (sometimes called frequency carriers). Every two-way 287
AU1253_ch24_Frame Page 288 Saturday, October 26, 2002 4:49 PM
SECURITY communication requires two of these frequency channels, one to send and one to receive. But, in addition, TDMA subdivides each frequency channel further into three to six time slots called voice/data channels, so that now up to six digital voice or data sessions can take place using the same frequency. With TDMA, a service provider can handle more calls at the same time, compared to FDMA. This is accomplished by assigning each of the six sessions a specific time slot within the same frequency. Each time slot (or voice/data channel) is about 7 ms in duration. The time slots are arranged and transmitted over and over again in rapid rotation. Voice or data for each caller is placed into the time slot assigned to that caller and then transmitted. Information from the corresponding time slot is quickly extracted and reassembled at the receiving cellular base station to piece together the conversation or session. Once that time slot, or voice/data channel, is assigned to a caller, it is dedicated to that caller for the duration of the session until it terminates. In TDMA, a user is not assigned an entire frequency but shares the frequency with other users, each with an assigned time slot. As of the writing of this chapter, there have not been many publicized cases of eavesdropping of TDMA phone conversations and data streams as they travel across the wireless space. Access to special types of equipment or test equipment would probably be required to perform such a feat. It is possible that an illegally modified TDMA cell phone could also do the job. However, this does not mean that eavesdropping is unfeasible. If we are talking about a wireless Internet session, consider the full path that such a session takes. For a mobile user to communicate with an Internet Web site, a wireless data signal from the cell phone will eventually be converted into a wired signal before traversing the Internet itself. As a wired signal, the information can travel across the Internet in clear-text until it reaches the Web site. Although the wireless signal itself may be difficult to intercept, once it becomes a wired signal, it is subject to the same interception vulnerabilities as all unencrypted communications traversing the Internet. As a precaution, if there is confidential information being transmitted over the Internet, regardless of the method, it is always necessary to encrypt that session from end to end. We will discuss encryption in a later section. GSM Another method of digital transmission is Global Systems for Mobile communications (GSM). GSM is actually a term that covers more than just the transmission method alone. It covers the entire cellular system, from the assortment of GSM services to the actual GSM devices themselves. GSM is used largely in the European nations. As a digital transmission method, GSM uses a variation of TDMA. Like FDMA and TDMA, the GSM service provider divides the allotted radio frequency spectrum into multiple frequency channels. This time, each 288
AU1253_ch24_Frame Page 289 Saturday, October 26, 2002 4:49 PM
Wireless Internet Security frequency channel has a much larger width of 200 kHz. Again like FDMA and TDMA, each GSM cellular phone uses two frequency channels, one to send and one to receive. Like TDMA, GSM further subdivides each frequency channel into time slots called voice/data channels. However, with GSM, there are eight time slots, so that now up to eight digital voice or data sessions can take place using the same frequency. Again, as with TDMA, once that time slot (or voice/data channel) is assigned to a caller, it is dedicated to that caller for the duration of the session. GSM has additional features that enhance security. Each GSM phone uses a subscriber identity module (SIM). A SIM can look like a credit card–sized smart card or a postage-stamp sized chip. This removable SIM is inserted into the GSM phone during usage. The smart card or chip contains information pertaining to the subscriber, such as the cell phone number belonging to the subscriber, authentication information, encryption keys, directory of phone numbers, and short saved messages belonging to that subscriber. Because the SIM is removable, the subscriber can take this SIM out of one phone and insert it into another GSM phone. The new phone with the SIM will then take on the identity of the subscriber. The user’s identity is not tied to a particular phone but to the removable SIM itself. This makes it possible for a subscriber to use or upgrade to different GSM phones without changing phone numbers. It is also possible to rent a GSM phone in another country, even if that country uses phones that transmit on different GSM frequencies. This arrangement works, of course, only if the GSM service providers from the different countries have compatible arrangements with each other. The SIM functions as an authentication tool because the GSM phones are useless without it. Once the SIM is inserted into a phone, the user is prompted to put in the personal identification number (PIN) associated with that SIM (if the SIM is PIN enabled). Without the correct PIN number, the phone will not work. Besides authenticating the user to the phone, the SIM is also used to authenticate the phone to the phone network itself during connection. By using the authentication (or Ki) key in the SIM, the phone authenticates to the service provider’s Authentication Center during each call. The process employs a challenge–response technique, similar in some respects to using a token card to log a PC remotely onto a network. The keys in the SIM have another purpose besides authentication. The encryption (or Kc) key generated by the SIM can be used to encrypt communications between the mobile phone and the service provider’s transmission equipment for confidentiality. This encryption prevents eavesdropping, at least between these two points. 289
AU1253_ch24_Frame Page 290 Saturday, October 26, 2002 4:49 PM
SECURITY GSM transmissions, like TDMA, are difficult but not impossible to intercept using radio frequency scanning equipment. A frequency can have up to eight users on it, making the digital signals difficult to extract. By adding encryption using the SIM card, GSM can add yet another layer of security against interception. However, when it comes to wireless Internet sessions, this form of encryption does not provide end-to-end protection. Only part of the path is actually protected. This is similar to the problem we mentioned earlier with TDMA Internet sessions. A typical wireless Internet session takes both a wireless and a wired path. GSM encryption protects only the path between the cell phone and the service provider’s transmission site — the wireless portion. The rest of the session through the wired Internet — from the service provider’s site to the Internet Web site — can still travel in the clear. You would need to add end-to-end encryption if you need to keep the entire Internet session confidential. CDMA Another digital transmission method is called Code Division Multiple Access (CDMA). CDMA is based on spread spectrum, a transmission technology that has been used by the U.S. military for many years to make radio communications more difficult to intercept and jam. QUALCOMM is one of the main pioneers incorporating CDMA spread spectrum technology into the area of cellular phones. Instead of dividing a spectrum of radio frequencies into narrow frequency bands or time slots, as described earlier, CDMA uses a very large portion of that radio spectrum — a frequency channel. The frequency channel has a wide width of 1.25 MHz. For duplex communication, each cell phone uses two of these wide CDMA frequency channels, one to send and one to receive. During communication, each voice or data session is first converted into a series of data signals. Next, the signals are marked with a unique code to indicate that they belong to a particular caller. This code is called a pseudorandom noise (PN) code. Each mobile phone is assigned a new PN code by the base station at the beginning of each session. These coded signals are then transmitted by spreading them out across a very wide radio frequency spectrum. As the channel width is very large, it has the capacity to handle many other user sessions at the same time; each session is again tagged by unique PN codes to associate them to the appropriate caller. A CDMA phone receives transmissions by using the appropriate pseudorandom noise code to pick out the data signals that are destined for it and ignores all the other encoded signals. With CDMA, cell phones communicating with the base stations all share the same wide frequency channels. What distinguishes each caller is not 290
AU1253_ch24_Frame Page 291 Saturday, October 26, 2002 4:49 PM
Wireless Internet Security the frequency used (as in FDMA), nor the time slot within a particular frequency (as in TDMA or GSM), but the pseudo-random noise code assigned to that caller. With CDMA, a voice/data channel is a data signal marked with a unique PN code. Intercepting a single CDMA conversation would be difficult because its digital signals are spread out across a very large spectrum of radio frequencies. The conversation does not reside on just one frequency alone, making it hard to scan. Also, without knowledge of the pseudo-random noise code, an eavesdropper would not be able to extract the relevant session from the many frequencies used. To complicate interception even more, the entire channel width is populated by many other callers at the same time, creating a vast amount of noise for anyone trying to intercept the call. However, as we saw earlier with the other digital transmission methods, Internet sessions using CDMA cell phones are not impossible to intercept. As before, although the CDMA digital signals themselves can be difficult to intercept, once these wireless signals are converted into wired signals, the latter signals can be intercepted as they travel across the Internet. Without using end-to-end encryption, wireless Internet sessions are as vulnerable as other unencrypted communications traveling over the Internet. Other Methods There are additional digital transmission methods, many of which are derivatives of the types we have already mentioned, and some of which are still under development. Some of these that are under development are called “third generation” or “3G” transmission methods. Second generation, or 2G technologies, like TDMA, GSM, and CDMA, offer transmission speeds of 9.6 to 14.4 kbps, which is slower than today’s typical modem speeds. 3G technologies, on the other hand, are designed to transmit much faster and carry larger amounts of data. Some will be capable of providing high-speed Internet access as well as video transmission. Below is a partial listing of other digital transmission methods, including those in the third 3G category: • iDEN (Integrated Digital Enhanced Network) — This is based on TDMA and is a 2G transmission method. Besides sending voice and data, it can also be used for two-way radio communications between two iDEN phones, much like “walkie-talkies”. • PDC (personal digital communications) — This is based on TDMA and is a 2G transmission method used largely in Japan. • GPRS (General Packet Radio Service) — This is a 2.5G (not quite 3G) technology based on GSM. It is a packet-switched data technology which provides “always online” connections, which means the subscriber can stay logged on to the phone network all day but uses it only if there is actual data to send or receive. Maximum data rates are estimated to be 115 kbps. 291
AU1253_ch24_Frame Page 292 Saturday, October 26, 2002 4:49 PM
SECURITY • EDGE (Enhanced Data rates for Global Evolution) — This is a 3G technology based on TDMA and GSM. Like GPRS, it features “always online” connections using packet-switched data technologies. Maximum data rates are estimated to be 384 kbps. • UMTS (Universal Mobile Telecommunications System) — This is a 3G technology based on GSM. Maximum data rates are estimated at 2 Mbps. • CDMA2000 and W-CDMA (wideband CDMA) — These are two 3G technologies based on CDMA. CDMA2000 is a predominantly North American design, whereas W-CDMA is more European and Japanese oriented. Both provide maximum data rates estimated at 384 kbps for slow-moving mobile units, and at 2 Mbps for stationary units. Regardless of the methods or the speeds, as we mentioned earlier, the need for end-to-end encryption will still be a requirement if confidentiality is needed between the mobile device and the Internet or intranet site. Since wireless Internet communications encompass both wireless and wiredbased transmissions, encryption features covering just the wireless portion of the communication is clearly not enough. For end-to-end privacy protection, the applications and the protocols have a role to play, as we will see later in this chapter. HOW SECURE ARE THE WIRELESS DEVICES? Internet security, as many of us have seen it applied to corporate networks today, can be difficult to implement on wireless phones and PDAs for a variety of reasons. Most of these devices have limited CPU, memory, bandwidth, and storage abilities. As a result, many have disappointingly slow and limited computing power. Robust security features that can take less than a second to process on a typical workstation can take potentially many minutes on a wireless device, making them impractical or inconvenient for the mobile user. Because many of these devices have merely a fraction of the hardware capabilities found on typical workstations, the security features on portable devices are often lightweight or even nonexistent, from an Internet security perspective. Yet these same devices are now being used to log into sensitive corporate intranets or to conduct mobile commerce and banking. Although these wireless devices are smaller in every way, their security needs are just as significant as before. It would be a mistake for corporate IT and information security departments to ignore these devices as they start to populate the corporate network. After all, these devices do not discriminate; they can be designed to tap into the same corporate assets as any other node on a network. We will examine some of the security aspects as they relate to these devices. Authentication The process of authenticating wireless phone users has gone through many years of implementation and evolution. It is probably one of the most 292
AU1253_ch24_Frame Page 293 Saturday, October 26, 2002 4:49 PM
Wireless Internet Security reliable security features digital cell phones have today, given the many years of experience service providers have had in trying to reduce the theft of wireless services. Since the service providers have a vested interest in knowing who to charge for the use of their services, authenticating the mobile user is of utmost importance. As we had mentioned earlier, GSM phones use SIM cards or chips, which contain authentication information about the user. SIMs typically carry authentication and encryption keys, authentication algorithms, identification information, phone numbers belonging to the subscriber, and so on. They allow the users to authenticate to their own phones and to the phone network that they subscribe to. In North America, TDMA and CDMA phones use a similarly complex method of authentication as in GSM. Like GSM, the process incorporates keys, Authentication Centers, and challenge–response techniques. However, since TDMA and CDMA phones do not generally use removable SIM cards or chips, these phones rely on the authentication information embedded into the handset. The user’s identity is therefore tied to the single mobile phone itself. The obvious drawback is that, for authentication purposes, TDMA and CDMA phones offer less flexibility when compared to GSM phones. To deploy a new authentication feature with a GSM phone, in many cases, all that is needed is to update the SIM card or chip. On the other hand, with TDMA and CDMA, deploying new authentication features would probably require users to buy new cell phones — a more expensive way to go. Because it is easier to update a removable chip than an entire cell phone, it is likely that you will find more security features and innovations being offered for GSM as a result. One important note, however, is that this form of authentication does not necessarily apply to Internet-related transactions. It merely authenticates the mobile user to the service provider’s phone network, which is only one part of the transmission if we are speaking about Internet transactions. For securing end-to-end Internet transactions, mobile users still need to authenticate the Internet Web servers to which they are connecting, to verify that the servers are indeed legitimate. Likewise, the Internet Web servers need to authenticate the mobile users that are connecting to it, to verify that they are legitimate users and not impostors. The wireless service providers, however, are seldom involved in providing full end-to-end authentication service, from mobile phone to Internet Web site. That responsibility usually falls to the owners of the Internet Web servers and applications. Several methods for providing end-to-end authentication are being tried today at the application level. Most secure mobile commerce applications are using IDs and passwords, an old standby, which of course has 293
AU1253_ch24_Frame Page 294 Saturday, October 26, 2002 4:49 PM
SECURITY its limitations because it provides only single-factor authentication. Other organizations are experimenting with GSM SIMs by adding additional security ingredients such as public/private key pairs, digital certificates, and other public key infrastructure (PKI) components into the SIMs. However, because the use of digital certificates can be process intensive, cell phones and handheld devices typically use lightweight versions of these security components. To accommodate the smaller processors in wireless devices, the digital certificates and their associated public keys may be smaller or weaker than those typically deployed on desktop Web browsers, depending on the resources available on the wireless device. Still other organizations are experimenting with elliptic curve cryptography (ECC) for authentication, digital certificates, and public key encryption on the wireless devices. ECC is an ideal tool for mobile devices because it can offer strong encryption capabilities, but it requires less computing resources than other popular forms of public key encryption. Certicom is one of the main pioneers incorporating ECC for use on wireless devices. As more and more developments take place with wireless Internet authentication, it becomes clear that, in time, these Internet mobile devices will become full-fledged authentication devices, much like tokens, smart cards, and bank ATM cards. If users begin conducting Internet commerce using these enhanced mobile devices, securing those devices themselves from loss or theft now becomes a priority. With identity information embedded into the devices or the removable SIMs, losing these could mean that an impostor can now conduct electronic commerce transactions using that stolen identity. With a mobile device, the user, of course, plays the biggest role in maintaining its overall security. Losing a cell phone that has Internet access and an embedded public/private key pair can be potentially as disastrous as losing a bank ATM card with its associated PIN written on it, or worse. If a user loses such a device, it is a must to contact the service provider immediately about the loss and suspending its use. Confidentiality Preserving confidentiality on wireless devices poses several interesting challenges. Typically when one accesses a Web site with a browser and enters a password to gain entry, the password typed is masked with asterisks or some other placeholder to prevent others from seeing the actual password on the screen. With cell phones and handheld devices, masking the password could create problems during typing. With cell phones, letters are often entered using the numeric keypad — a method that is cumbersome and tedious for many users. For example, to type the letter “R,” you need to press the number 7 key three times to get to the right letter. If the result is masked, it is not clear to the user what letter was actually submitted. Because of this inconvenience, some mobile Internet applications do away 294
AU1253_ch24_Frame Page 295 Saturday, October 26, 2002 4:49 PM
Wireless Internet Security with masking so that the entire password is displayed on the screen in the original letters. Other applications display each letter of the password for a few seconds first as they are being entered, before masking each with a placeholder afterwards. This gives the user some positive indication that the correct letters were indeed entered, while still preserving the need to mask the password on the device’s screen for privacy. The latter approach is probably the more sensible of the two, and should be the one the application designers adopt. Another challenge to preserving confidentiality is making sure confidential information such as passwords and credit card numbers are purged from the mobile device’s memory after they are used. Many times, such sensitive information is stored as variables by the wireless Internet application and subsequently cached in the memory of the device. There have been documented cases where credit card numbers left in the memory of cell phones were reusable by other people who borrowed the same phones to access the same sites. Once again, the application designers are the chief architects to preserving the confidentiality here. It is important that programmers design an application to clear the mobile device’s memory of sensitive information when the user finishes using that application. Although leaving such information in the memory of the device may spare the user of having to re-enter it the next time, it is as risky as writing the associated PIN or password on a bank ATM card itself. Still another challenge in preserving confidentiality is making sure that sensitive information is kept private as it travels from the wireless device to its destination on the Internet and back. Traditionally, for the wired Internet, most Web sites use secure sockets layer (SSL) or its successor, transport layer security (TLS), to encrypt the entire path end to end, from the client to the Web server. However, many wireless devices, particularly cell phones, lack the computing power and bandwidth to run SSL efficiently. One of the main components of SSL is RSA public key encryption. Depending on the encryption strength applied at the Web site, this form of public key encryption can be processor- and bandwidth-intensive and can tax the mobile device to the point at which the communication session itself becomes too slow to be practical. Instead, wireless Internet applications that are developed using the Wireless Application Protocol (WAP) use a combination of security protocols. Secure WAP applications use both SSL and wireless transport layer security (WTLS) to protect different segments of a secure transmission. Typically, SSL protects the wired portion of the connection and WTLS protects largely the wireless portion. Both are needed to provide the equivalent of end-to-end encryption. WTLS is similar to SSL in operation. However, although WTLS can support either RSA or elliptic curve encryption, elliptic curve is probably preferred 295
AU1253_ch24_Frame Page 296 Saturday, October 26, 2002 4:49 PM
SECURITY because the latter provides strong encryption capabilities but is more compact and faster than RSA. WTLS has other differences from SSL as well. WTLS is built to provide encryption services for a slower and less resource-intensive environment, whereas SSL could tax such an environment. This is because SSL encryption requires a reliable transport protocol, particularly Transmission Control Protocol (TCP), a part of TCP/IP. TCP provides error detection, communication acknowledgments, and re-transmission features to ensure reliable network connections back and forth. However, because of these features, TCP requires more bandwidth and resources than that which typical wireless connections and devices can provide. Most mobile connections today are low bandwidth, slow, and not designed to handle the constant, back-and-forth error-detection traffic that TCP creates. Realizing these limitations, the WAP Forum, the group responsible for putting together the standards for WAP, designed a supplementary protocol stack that is more suitable for the wireless environment. Because this environment typically has low connection speeds, low reliability, and low bandwidth, in order to compensate, the protocol stack uses compressed binary data sessions and is more tolerant of intermittent coverage. The WAP stack resides in layers 4, 5, 6, and 7 of the OSI reference model. The WAP protocol stack works with UDP (User Datagram Protocol) for IP-based networks and WDP (Wireless Datagram Protocol) for non-IP networks. WTLS, the security protocol from the WAP stack, can be used to protect UDP or WDP traffic in the wireless environment. Because of these differences between WTLS and SSL, as well as the different underlying environments within which they work, an intermediary device such as a gateway is needed to translate the traffic going from one environment into the next. This gateway is typically called a WAP gateway. We will discuss the WAP gateway in more detail in the infrastructure section below. Malicious Code and Viruses The number of security attacks on wireless devices has been small when compared to the many attacks against workstations and servers. Part of this is due to the very simple fact that most mobile devices, particularly cell phones, lack sufficient processors, memory, or storage for malicious code and viruses to exploit. For example, a popular method for spreading viruses today is hide them in file attachments to e-mail. However, many mobile devices, particularly cell phones, lack the ability to store or open e-mail attachments. This makes mobile devices relatively unattractive as targets because the damage potential is relatively small. However, mobile devices are still vulnerable to attack and will become increasingly more so as they evolve with greater computing, memory, and 296
AU1253_ch24_Frame Page 297 Saturday, October 26, 2002 4:49 PM
Wireless Internet Security storage capabilities. With greater speeds, faster downloading abilities, and better processing, mobile devices can soon become the equivalent of today’s workstations, with all their exploitable vulnerabilities. As of the writing of this chapter, cell phone manufacturers were already announcing that the next generation of mobile phones will support languages such as Java so that users can download software programs such as organizers, calculators, and games onto their Web-enabled phones. However, on the negative side, this also opens up more opportunities for users to unwittingly download malicious programs (or “malware”) onto their own devices. The following adage applies to mobile devices: “The more brains they have, the more attractive they become as targets.” HOW SECURE ARE THE NETWORK INFRASTRUCTURE COMPONENTS? As many of us who have worked in the information security field know, security is usually assembled using many components, but its overall strength is only as good as its weakest link. Sometimes it does not matter if you are using the strongest encryption available over the network and the strongest authentication at the devices. If there is a weak link anywhere along the chain, attackers will focus on this vulnerability and may eventually exploit it, choosing a path that requires the least effort and the least amount of resources. The wireless Internet world is still relatively young and a work in progress, and vulnerabilities abound depending on the technology you have implemented. We will focus in this section on some infrastructure vulnerabilities for those who are using WAP. The “Gap in WAP” Encryption has been an invaluable tool in the world of E-commerce. Many online businesses use TLS to provide end-to-end encryption to protect Internet transactions between the client and the Web server. When using WAP, however, if encryption is activated for the session, there are usually two zones of encryption applied, each protecting the two different halves of the transmission. SSL or TLS is generally used to protect the first path between the Web server and an important network device called the WAP gateway that we had mentioned earlier. WTLS is used to protect the second path between the WAP gateway and the wireless mobile device. The WAP gateway is an infrastructure component needed to convert wired signals into a less bandwidth-intensive and compressed binary format, compatible for wireless transmissions. If encryption such as SSL is used during a session, the WAP gateway will need to translate the SSL-protected transmission by decrypting this SSL traffic and re-encrypting it with WTLS, and 297
AU1253_ch24_Frame Page 298 Saturday, October 26, 2002 4:49 PM
SECURITY vice versa in the other direction. This translation can take just a few seconds, but during this brief period, the data sits in the memory of the WAP gateway decrypted and in the clear, before it is re-encrypted using the second protocol. This brief period in the WAP gateway — some have called it the “gap in WAP” — is an exploitable vulnerability. It depends on where the WAP gateway is located, how well it is secured, and who is in charge of protecting it. Clearly, the WAP gateway should be placed in a secure environment. Otherwise, an intruder attempting to access the gateway can steal sensitive data while it transitions in cleartext. The intruder can also sabotage the encryption at the gateway, or even initiate a denial-of-service or other malicious attack on this critical network component. Besides securing the WAP gateway from unauthorized access, proper operating procedures should also be applied to enhance its security. For example, it is wise not to save any of the cleartext data onto disk storage during the decryption and re-encryption process. Saving this data onto log files, for example, could create an unnecessarily tempting target for intruders. In addition, the decryption and re-encryption should operate in memory only and proceed as quickly as possible. Furthermore, to prevent accidental disclosure, the memory should be properly overwritten, thereby purging any sensitive data before that memory is reused. WAP Gateway Architectures. Depending on the sensitivity of the data and
the liability for its unauthorized disclosure, businesses offering secure wireless applications (as well as their customers) may have concerns about where the WAP gateway is situated, how it is protected, and who is protecting it. We will examine three possible architectures and discuss the security implications behind each. WAP Gateway at the Service Provider. In most cases, the WAP gateways are owned and operated by the wireless service providers. Many businesses that deploy secure wireless applications today rely on the service provider’s WAP gateway to perform the SSL-to-WTLS encryption translation. This implies that the business owners of the sensitive wireless applications, as well as their users, are entrusting the wireless service providers to keep the WAP gateway and the sensitive data that passes through it safe and secure. Exhibit 1 shows an example of such a setup, where the WAP gateway resides within the service provider’s secure environment. If encryption is applied in a session between the user’s cell phone and the application server behind the business’ firewall, the path between the cell phone to the service provider’s WAP gateway is typically encrypted using WTLS. The path between the WAP gateway to the business host’s application server is encrypted using SSL or TLS.
A business deploying secure WAP applications using this setup should realize, however, that they cannot guarantee end-to-end security for the 298
AU1253_ch24_Frame Page 299 Saturday, October 26, 2002 4:49 PM
Wireless Internet Security
Service Provider's Secure Environment Modem Business Host's Secure Environment
Base Station Mobile User
Internet Remote Access Server
WAP Gateway Application Server
ISP Network
Host Network Firewall
Firewall
Host's DMZ Host Network
Service Provider's Router
Host Router
Web Server
Web Server
Exhibit 1.
WAP Gateway at the Service Provider
data because it is decrypted, exposed in cleartext for a brief moment, and then re-encrypted, all at an outside gateway that is away from their control. The WAP gateway is generally housed in the wireless service provider’s data center and attended by those who are not directly accountable to the businesses. Of course, it is in the best interest of the service provider to keep the WAP gateway in a secure manner and location. Sometimes, to help reinforce that trust, the businesses may wish to conduct periodic security audits on the service provider’s operation of the WAP gateways to ensure that the risks are minimized. Bear in mind, however, that by choosing this path, the business may need to inspect many WAP gateways from many different service providers. A service provider sets up the WAP gateway primarily to provide Internet access to its own wireless phone subscribers. If users are dialing into a business’ secure Web site, for example, from twenty different wireless service providers around the world, then the business may need to audit the WAP gateways belonging to these twenty. This, unfortunately, is a formidable task and an impractical method of ensuring security. Each service provider may apply a different method for protecting their own WAP gateway, if they protect it at all. Furthermore, in 299
AU1253_ch24_Frame Page 300 Saturday, October 26, 2002 4:49 PM
SECURITY many cases, the wireless service providers are accountable to their own cell phone subscribers, not necessarily to the countless businesses that are hosting secure Internet applications, unless there is a contractual arrangement to do so. WAP Gateway at the Host. Some businesses and organizations, particularly in the financial, healthcare, or government sectors, may have legal requirements to keep their customers’ sensitive data protected. Having such sensitive data exposed outside of the organization’s internal control may pose an unnecessary risk and liability. To some, the “gap in WAP” presents a broken pipeline, an obvious breach of confidentiality that is just waiting to be exploited. For those who find such a breach unacceptable, one possible solution is to place the WAP gateway at the business host’s own protected network, bypassing the wireless service provider’s WAP gateway entirely. Exhibit 2 shows an example of such a setup. Nokia, Ericsson, and Ariel Communications are just a few of the vendors offering such a solution.
This approach has the benefit of keeping the WAP gateway and its WTLS–SSL translation process in a trusted location, within the confines of the same organization that is providing the secure Web applications. Using
Service Provider's Secure Environment
Business Host's Secure Environment Modem
PSTN/ISDN
Base Station Remote Access Server
Mobile User
Application Server
ISP Network Firewall
Internet
Exhibit 2. 300
WAP Gateway
WAP Gateway at the Host
Web Server
AU1253_ch24_Frame Page 301 Saturday, October 26, 2002 4:49 PM
Wireless Internet Security this setup, users are typically dialing directly from their wireless devices, through their service provider’s Public Switched Telephone Network (PSTN), and into the business’ own remote access servers (RAS). Once they reach the RAS, the transmission continues onto the WAP gateway, and then onward to the application or Web server — all of these devices within the business host’s own secure environment. Although it provides better end-to-end security, the drawback to this approach, however, is that the business host will need to set up banks of modems and RAS so users have enough access points to dial in. The business will also need to reconfigure the users’ cell phones and PDAs to point directly to the business’ own WAP gateway instead of typically to the service provider’s. However, not all cell phones allow this reconfiguration by the user. Furthermore, some cell phones can point to only one WAP gateway, while others are fortunate enough to point to more than one. In either case, reconfiguring all those wireless devices individually to point to the business’ own WAP gateway may take significant time and effort. For users whose cell phones can point to only a single WAP gateway, this reconfiguration introduces yet another issue. If these users now want to access other WAP sites across the Internet, they still must go through the business host’s WAP gateway first. If the host allows outgoing traffic to the Internet, the host then becomes an Internet service provider (ISP) to these users that are newly configured to point to the host’s own WAP gateway. Acting as a makeshift ISP, the host will inevitably need to attend to serviceand user-related issues, which to many businesses can be an unwanted burden because of the significant resources required. Pass-Through from Service Provider’s WAP Gateway to Host’s WAP Proxy. For those businesses who want to provide secure end-to-end encrypted transactions, yet want to avoid the administrative headaches of setting up their own WAP gateways, there are still other approaches. One such approach, as shown in Exhibit 3, is to keep the WTLS-encrypted data unchanged as it goes from the user’s mobile device and through the service provider’s WAP gateway. The WTLS–SSL encryption translation will not occur until the encrypted data reaches a second WAP gateway-like device residing within the business host’s own secure network. One vendor developing such a solution is Openwave Systems (a combination of Phone.com and Software.com). Openwave calls this second WAP gateway-like device the Secure Enterprise Proxy. During an encrypted session, the service provider’s WAP gateway and the business’ Secure Enterprise Proxy negotiate with each other, so that the service provider essentially passes the encrypted data unchanged onto the business that is using this proxy. This solution utilizes the service provider’s WAP gateway because it is still needed to provide proper Internet access for the mobile users, but it does not perform the WTLS–SSL encryption translation there, so it is not exposing confidential data. The decryption is passed 301
AU1253_ch24_Frame Page 302 Saturday, October 26, 2002 4:49 PM
SECURITY
Service Provider's Secure Environment Modem Business Host's Secure Environment
Base Station Mobile User
Internet Remote Access Server
WAP Gateway
Secure Enterprise Proxy
ISP Network
Host Network Firewall
Service Provider's Router Web Server
Firewall
Host Router Application Server
Exhibit 3. Pass-Through from Service Provider’s WAP Gateway to Host’s WAP Proxy
on and occurs instead within the confines of the business’ own secure network, either at the Secure Enterprise Proxy or at the application server. One drawback to this approach, however, is its proprietary nature. At the time of this writing, to make the Openwave solution work, three parties would need to implement components exclusively from Openwave. The wireless service providers would need to use Openwave’s latest WAP gateway. Likewise, the business hosting the secure applications would need to use Openwave’s Secure Enterprise Proxy to negotiate the encryption passthrough with that gateway. In addition, the mobile devices themselves would need to use Openwave’s latest Web browser, at least Micro-browser version 5. Although about 70 percent of WAP-enabled phones throughout the world are using some version of Openwave Micro-browser, most of these phones are using either version 3 or 4. Unfortunately, most of these existing browsers are not upgradable by the user, so most users would need to buy new cell phones to incorporate this solution. It may take some time before this solution comes to fruition and becomes popular. These are not the only solutions for providing end-to-end encryption for wireless Internet devices. Other methods in the works include applying encryption at the applications, adding encryption keys and algorithms to 302
AU1253_ch24_Frame Page 303 Saturday, October 26, 2002 4:49 PM
Wireless Internet Security cell phone SIM cards, and adding stronger encryption techniques to the next revisions of the WAP specifications, perhaps eliminating the “gap in WAP” entirely. SUMMARY Two sound recommendations for the many practitioners in the information security profession are: 1. Stay abreast of the wireless security issues and solutions. 2. Do not ignore the wireless devices. Many in the IT and information security professions regard the new wireless Internet devices diminutively as personal gadgets or executive toys. Many are so busy grappling with the issues of protecting their corporate PCs, servers, and networks, that they could not imagine worrying about yet another class of devices. Many corporate security policies make no mention about securing mobile handheld devices and cell phones, even though some of these same corporations are already using these devices to access their own internal e-mail. Because these devices are so small, the common fallacy heard is, “What harm can such a tiny device create?” Security departments have had to wrestle with the migration of information assets from the mainframe world to distributed PC computing. Many corporate attitudes have had to change during that evolution regarding where to apply security. In no exaggeration, corporate computing is undergoing yet another significant phase of migration. It is not so much that corporate information assets can be accessed through wireless means, as wireless notebook computers have been doing that for years. Rather, the means of access will become ever cheaper and hence, greater in volume. Instead of using a $3000 notebook computer, users (or intruders) may now tap into a sensitive corporate network from anywhere, using just a $40 Internet-enabled cell phone. Over time, these mobile devices will have increasing processing power, memory, bandwidth, storage, ease of use, and finally, popularity. It is this last item that will inevitably draw upon the corporate resources. Small as these devices may be, once they access the sensitive assets of an organization, they can do as much good or harm as any other computer. Ignoring or disallowing these devices from an information security perspective can have two probable consequences. First, the business units or executives within the organization will push, often successfully, to deploy wireless devices and services anyway, shutting out any involvement or guidance from the information security department. Inevitably, information security will be involved at a much later date, but reactively, and often too late to have any significant impact on proper design and planning. 303
AU1253_ch24_Frame Page 304 Saturday, October 26, 2002 4:49 PM
SECURITY Secondly, by ignoring the wireless devices and their capabilities, the information security department will give attackers just what they need — a neglected and unprotected window into an otherwise fortified environment. Such an organization will be caught unprepared when an attack using wireless devices surfaces. Wireless devices should not be treated as mere gadgets or annoyances. Once they tap into the valued assets of an organization, they are indiscriminate and equal to any other node on the network. To stay truly informed and prepared, information security practitioners should stay abreast of the news developments and security issues regarding wireless technology. In addition, they need to work with the application designers as an alliance to ensure that applications designed for wireless take into consideration the many points covered in this chapter. And finally, organizations need to expand the categories of devices protected under their information security policies to include wireless devices, since they are, effectively, yet another infrastructure component to the organization.
304
AU1253_ch25_Frame Page 305 Saturday, October 26, 2002 4:50 PM
Unit 4
Management
AU1253_ch25_Frame Page 306 Saturday, October 26, 2002 4:50 PM
AU1253_ch25_Frame Page 307 Tuesday, November 5, 2002 8:55 AM
Chapter 25
Telecommuting: Issues for the IS Manager Sheila M. Jacobs Mary Van Sell
Telecommuting — a term coined in the early 1970s— enables office employees to work effectively in nontraditional settings. Telecommuters work in remote locations, such as their homes or neighborhood satellite offices, one or more days a week. Using personal computers, these employees can link to their companies’ computer systems via telecommunications lines. The IS manager may be involved with telecommuting in the organization in three major ways: 1. Helping functional area managers establish and manage telecommuting in their departments 2. Deciding which products or technology the organization should use for telecommuting arrangements 3. Establishing and managing telecommuting in the IS department SOCIETAL BENEFITS OF TELECOMMUTING For millions of people in America and other high-technology nations, the work day is bracketed by stressful rush-hour commutes over clogged and often decaying highways or railways to congested urban centers where the costs of parking and office space rise continually. Mass transportation systems, where they are available, are overcrowded and often unpleasant. Recently, the efforts of many nations to ease traffic congestion and air pollution, or to curb spending on public roadways, have included the promotion of telecommuting programs. In 1989, for example, four southern California counties began requiring companies with more than 100 employees at one location to develop plans for cutting commuter traffic. Similar laws exist in other states, including Arizona, Hawaii, Texas, and Washington. 0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
307
AU1253_ch25_Frame Page 308 Saturday, October 26, 2002 4:50 PM
MANAGEMENT If telecommuting could replace 10 to 20 percent of U.S. road trips, it could save as much as $23 billion per year in energy, transportation, and environmental costs. A telecommuting program can also help a company lower real estate costs in urban areas by allowing employees to share a smaller office space by spending different days in the main office. Telecommuting also facilitates employment for workers who have physical difficulty getting to an office, including employees who are disabled, recovering from illness or injury, or are on maternity leave. WHY EMPLOYEES WANT TO TELECOMMUTE Most telecommuters are successful professionals who want more from life than traditional corporate mobility. Employees who ask to telecommute often do so because telecommuting enables them to combine work with another valued goal. This goal may be related to personal enrichment, such as travel or enrollment in a graduate degree program, or balancing work and family commitments more effectively. Telecommuters value the flexibility to attend their children’s special needs (e.g., medical appointments, school visits) during normal work hours. Telecommuting gives employees the freedom to spend more time with their families. THE BENEFITS OF AUTONOMY Most telecommuters feel that working at home, rather than in the office, enhances their ability to concentrate on their work because there are fewer distractions. Other motivations for telecommuters are autonomy and control over their time. For example, telecommuters in IBM’s ninemonth telecommuting pilot program said that telecommuting had given them time to experiment, as well as the ability to increase job turnaround time, by scheduling their work at faster, off-shift times. Many telecommuters report that their primary motivation for working at home is that they can get more work done. The reason for this is not apparent. It may be that successful telecommuters are individuals with “night owl” circadian rhythms, who work after normal office hours when they are most energetic. ORGANIZATIONAL BENEFITS OF TELECOMMUTING Organizations, whether or not they allow telecommuting, want to minimize their labor and operating costs. At the same time, they want to increase levels of productivity. Having a telecommuting program makes it easier for an organization to attract top-quality employees who may not wish to move or commute. Telecommuting also helps reduce labor costs by lowering the rates of absenteeism and employee turnover.
308
AU1253_ch25_Frame Page 309 Saturday, October 26, 2002 4:50 PM
Telecommuting: Issues for the IS Manager Increased Productivity Telecommuters are not only more productive at home than they are in the office; they are also more productive than their in-office counterparts — by approximately 30 percent. Telecommuters are generally more effective because they: • • • • •
Work at times of day when they are most productive Are more likely to finish projects ahead of schedule Work for longer periods of time without interruptions Experience improved communication with the work group Are more available for consultation with clients and supervisors at home by phone than when in the office • Are more creative because they concentrate better at home
Reduced Costs Although 30 percent of cost savings attributed to telecommuting is due to decreased labor costs, 70 percent of cost savings result from reduced overhead expenses. Organizations save between $1500 and $6000 per telecommuting employee on reduced office space and related overhead expenses. Telecommuting also lowers the costs of using and maintaining equipment, such as mainframe computers that can be used by telecommuters at off-peak hours. Telecommuter Job Satisfaction Several studies have found that the majority of telecommuters are satisfied with their arrangements and prefer telecommuting to working full time in the office. Satisfied telecommuters also report: • • • • •
Higher self-rated productivity Satisfaction with the performance appraisal system for telecommuters Technical and emotional support from managers A lack of family disruptions Greater loyalty to the organization as a result of being trusted by managers
Predictions that telecommuting employees would become isolated from the organization and overlooked for promotions have not been supported. Telecommuters are usually more visible in their companies because they are almost always more productive than office workers. Some telecommuting employees report a feeling of missing daily social and professional interaction. The establishment of a neighborhood shared workspace, referred to as a “telecenter” or a satellite work center, can alleviate this problem.
309
AU1253_ch25_Frame Page 310 Saturday, October 26, 2002 4:50 PM
MANAGEMENT PREPARING THE ORGANIZATION FOR A TELECOMMUTING PROGRAM Not all companies are good candidates for telecommuting programs. The structure of the organization must be considered. Companies with little work autonomy that use time-based methods of work supervision, and whose decision-making processes are centralized and hierarchical, would find it virtually impossible to supervise the work of telecommuters without changing all these aspects of organizational structure. If the company is flexible and results oriented, then the organizational structure of the company is suitable for telecommuting. However, although most companies have more volunteers for telecommuting than they can use in a pilot program, there may still be resistance to telecommuting from managers who fear losing control of their employees or who do not trust employees. Telecommuting presupposes supervisors managing employees by results, communicating expected outcomes clearly, and controlling output and quality rather than time spent and processes used. JOBS SUITABLE FOR TELECOMMUTING Job tasks that are suitable for telecommuting have been classified as output tasks. Output tasks typically produce discrete pieces of work, such as project reports produced by one person working alone. Jobs that consist of information processing, that result in measurable output, and that do not involve physical contact are candidates for telecommuting programs. Telecommuting enhances productivity in jobs requiring creativity and analysis, where the need to interact with others is not critical. Many categories of jobs are suitable for telecommuting programs. Several of these jobs are in the information systems field, such as: • • • • • • • •
Computer programmer Software engineer Computer systems analyst Technical writer Data-entry clerk Consultant Technical supporter Word processor
Outside the IS department, the range of jobs that lend themselves to telecommuting includes: • • • • • • 310
Translator Sales representative News reporter Public relations professional Stockbroker Lawyer
AU1253_ch25_Frame Page 311 Saturday, October 26, 2002 4:50 PM
Telecommuting: Issues for the IS Manager • • • • • • • • • • •
Accountant Engineer Architect Real estate agent Travel agent Writer Insurance agent Purchasing agent Claims processor Marketing manager Customer service representative
Successful telecommuters tend to be technically skilled and often have substantial professional experience. Telecommuters often have to perform tasks that would be done for them by others in the office (e.g., quality testing, job completion time estimation), so they need a variety and depth of skills. Because telecommuters will have limited face-to-face contact with their supervisors and co-workers, good communication and organization skills are important. Telecommuters should also be adept at scheduling, preparing, and documenting their work. TECHNOLOGY REQUIREMENTS An organization does not need a large capital investment in equipment to initiate and support a telecommuting program. An employee can telecommute with a personal computer, a modem, and the appropriate software. Many prospective telecommuters already own these products. Computer Equipment Personal computers are the foundation of telecommuting. Laptop computers, portable computers that can send faxes, and client/server computing equipment are critical. Modems and printers are important, and fax/ modems are desirable for additional flexibility. LANs Remote access to the company’s local area network (LAN) is important. Some telecommuters need remote access to a LAN only for short time periods (e.g., for e-mail); others need their home computers to behave as nodes on the network. Remote software packages facilitate this arrangement. Telecommunications technology and services make it possible to network home computers to office computers. Sophisticated Phone Systems A customer or a co-worker should be able to reach a telecommuter at home or at the office by dialing the same phone number. Today’s phone systems can make the physical location of the telecommuter irrelevant. The phone 311
AU1253_ch25_Frame Page 312 Saturday, October 26, 2002 4:50 PM
MANAGEMENT technology in the telecommuter’s home (or satellite office) should include the same features found at the office, such as speed dialing, redialing, return dialing, caller ID, priority call, and select forward. Interactive voice services, which provide telephone recordings such as, “If calling for billing information, press 1,” may also be important. Voice Mail Voice mail, like e-mail, enables a telecommuter to remain informed about office activities and to communicate with the office effectively. Voice mail messages can be recorded and retrieved at any time of day, so telecommuters on flexible schedules are not disadvantaged. Videoconferencing Videoconferencing allows people at geographically separate locations to have face-to-face meetings. As the cost of videoconferencing drops, remote conferences will increase. A telecommuter may be able to participate in a videoconference with the company office by going to a telecenter or satellite office that has video equipment or by going to a videoconferencing facility at another location, such as a phone company office that provides this service. Desktop videophones, with small screens, are also available and may be placed in the homes of telecommuters. Other Products Other products, such as fax machines and cellular phones, can facilitate telecommuting programs. An electronic imaging system is another useful product. With this equipment, an employee at the office can scan a document onto the main computer. The telecommuter can then access this document using a home computer and a modem. FUTURE NEEDS Some of the future needs for products and services to support telecommuting include: • Equipment that is light, compact, and easily portable, such as portable fax machines and printers weighing less than 5 lb. • Better paging and remote access technologies • Client/server operating environments that use applications programming interfaces to better support remote access technologies • Remote access technologies with built-in security controls IMPLEMENTING A TELECOMMUTING PROGRAM A company’s first telecommuting program should be a pilot program, lasting six to eighteen months. The pilot program will help the company determine 312
AU1253_ch25_Frame Page 313 Saturday, October 26, 2002 4:50 PM
Telecommuting: Issues for the IS Manager needed training and equipment, program costs and benefits, and program management. At the beginning and end of the pilot program, levels of productivity and other outcomes, such as morale and overhead expenses, should be formally measured. When the actual program is launched, mandatory core times should be established. These are times when the telecommuter is to be available by phone or e-mail to customers or supervisors. Usually, telecommuting employees have scheduled days in the office to keep them in touch with their co-workers, managers, and the day-to-day affairs of the company, and to prevent feelings of isolation. TELECENTERS There is a growing trend to establish neighborhood telecenters as alternatives to employees working at home. A telecenter is somewhat like a branch office, except that its location is convenient for employees rather than for customers. Employees from a variety of departments, or even from a variety of companies, may work together in one telecenter. The telecenter may be set up by the company or by an independent organization that rents space to several companies. Telecenters can give a telecommuting employee a structured work environment while still saving on transportation, real estate, and overhead costs. A telecommuting employee can work at a convenient location without feeling isolated and without missing social interaction. Employees who do not have room at home to set up office equipment can still telecommute. A telecenter is advantageous economically because telecommuting employees share equipment. The telecenter may also serve as a pilot program before the company fully invests in telecommuting. MANAGING TELECOMMUTERS Although careful preparation for a telecommuting program is essential, the ultimate success of the program depends on the way it is carried out by both the telecommuting employees and their managers. Managers and telecommuting employees should agree on what work is expected, how it should look, and when it should be completed. A written agreement, signed by both parties, may be helpful. The most common reason for failure of a telecommuting program is inadequate communication between managers and employees. Managers of telecommuting employees need training in techniques of results-based management, job analysis, work specification, and performance appraisal. They may also need training in communications skills. IS managers must know how to prepare organizations for the changes induced by telecommuting. They should help functional managers establish 313
AU1253_ch25_Frame Page 314 Saturday, October 26, 2002 4:50 PM
MANAGEMENT telecommuting in their departments, and determine the technology requirements for telecommuting. Finally, IS managers should know how to implement telecommuting programs, meeting the information and communications needs of the telecommuters while monitoring and controlling telecommunications costs for the company. SUGGESTIONS FOR SUCCESSFUL IMPLEMENTATION Tips for implementing a successful telecommuting program include the following: • Start with a pilot program. • Decide in advance what the desired outcomes are (e.g., increased productivity, reduced turnover) and how to formally measure them. • Select employees who are motivated and qualified to work independently. • Consider both the personality of the employee and the needs of the company when deciding how many days per week the employee can telecommute. Decide each case on an individual basis. • Make sure the telecommuters can be reached by those working in the main office. • Schedule regular office visits for the telecommuters. • Be sure the supervisors of telecommuters have (or learn) management skills that focus on results and communication. • Give telecommuters regular feedback on quality control. • Try to avoid impromptu office meetings; telecommuters may feel excluded. • Do not assign telecommuters tasks that could cause delays or backlogs for in-office workers.
314
AU1253_ch26_Frame Page 315 Tuesday, November 5, 2002 8:42 AM
Chapter 26
Evaluating Organizational Readiness for Telecommuting Nancy Blumenstalk Mingus
People have been working from home for centuries, but during modern times, the return from the office to the home has been slowly gaining acceptance. The term “telecommuting” was coined by a scientist named Jack Nilles in the early 1970s. Nilles has written several books on the topic since then, and he continues to help businesses develop telecommuting programs. Throughout the last three decades, more and more organizations have acknowledged the benefits of telecommuting. As nations and companies continue to find more efficient means of linking workers to corporate computer systems, as more nontraditional workers join the workforce, and as smog and other pollution continue to threaten the environment, organizations without telecommuting policies are becoming the exceptions. BENEFITS OF TELECOMMUTING FOR THE WORKER There are several benefits of telecommuting to both the worker and the company. For the worker, these benefits include: • • • • • •
Lower commuting time Lower commuting expense Lower food expense Lower clothing costs Higher job satisfaction Higher productivity
Depending on the type of work involved and corporate locations, the benefits can also include: 0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
315
AU1253_ch26_Frame Page 316 Saturday, October 26, 2002 4:51 PM
MANAGEMENT • More flexible work schedule • Less distractions • No need to relocate This chapter takes a look at each of these benefits in more detail. Lower Commuting Time People working traditional telecommuting jobs from their homes can cut their commute time significantly. With an average commute of one-half hour to and from work, workers can save one hour per day. This hour may be spent working, or it may be additional personal time. It is up to the worker. Lower Commuting Expense Commuting to work has several associated costs. If one drives, one needs gas, at the least; the commute may also require parking and tolls. If one takes public transportation, the commute requires fares. That half-hour drive may cover 10 to 30 miles, depending on the roads traveled. Saving 20 city-driving miles per day would save an average of one gallon of gas per day, which, at average U.S. rates, is more than $1.00 per gallon. Saving 60 highway-driving miles per day would save approximately two gallons per day; so in gas alone, one could save from $5 to $10 per week, or $20 to $40 per month. Add in parking at $5 per day and tolls of $2 per day, and the savings rise to $50 to $70 per month. Lower Food Expense Face it: lunches out are not cheap. Even lunches at the fast-food chains cost an average of $5 per day. Lunches at fancier places can run $10 to $15 per day. If one eats out every day, one could save $25 to $75 per week, or $100 to $300 per month. Even if one only eats out twice a week, one could save $10 to $30 per week, equating to $40 to $120 per month. Lower Clothing Costs If one works at an organization that still requires business suits for work attire, one needs at least five suits averaging $100 to $300 each. Suits last for one to three years with regular use, so telecommuting can save $500 to $1500 over a three-year period. Even if one works at an organization that has gone to business casual or casual, clothing costs can be high. Business casual shirts and pants or skirts average $20 to $50 per piece, and they also last for one to three years with regular use. Not replacing these could save $200 to $500 over a three-year period. Higher Job Satisfaction Most people who telecommute feel more in control of their work and they enjoy it more. This keeps them happier in their work, with less burn-out. 316
AU1253_ch26_Frame Page 317 Saturday, October 26, 2002 4:51 PM
Evaluating Organizational Readiness for Telecommuting Higher Productivity Because there are generally fewer distractions and interruptions, people who telecommute have higher productivity. They may actually be able to work fewer hours and get more accomplished. More Flexible Work Schedule Depending on the type of telework, one may have a more flexible work schedule. One may be able to work for three hours in the early morning, then five hours late at night, scheduling work around family commitments. The only teleworkers who generally must stick to a schedule are those in customer-oriented roles who must be near phones for specific times of the day. Less Distractions Also depending on the type of work, telecommuting may provide fewer distractions. Generally, these include fewer phone calls, fewer drop-bys by co-workers, etc. No Need to Relocate Not too long ago, corporate promotions meant moving to headquarters. Today, however, it is not uncommon to live in Portland, Oregon, and work for a company with corporate headquarters in Omaha, Nebraska. This allows teleworkers to stay in their homes while still improving their positions in organizations. This increases job satisfaction and productivity. BENEFITS OF TELECOMMUTING FOR THE COMPANY The company can also reap tremendous benefits from telecommuting. These benefits include: • • • • • •
Less office space requirements Less time wasted with “office chat” Fewer attendance problems Capability to employ disabled or distant workers who cannot commute Higher job satisfaction Higher productivity
Depending on the type of work involved, the company benefits may also include: • Less employee turnover • Lower relocation expenses Now take a look at these corporate benefits in more detail. Less Office Space Requirements This is the major corporate benefit to telecommuting. Depending on the location, businesses pay anywhere from $6 per square foot of office space 317
AU1253_ch26_Frame Page 318 Saturday, October 26, 2002 4:51 PM
MANAGEMENT to $15 or more per square foot. With small cubicles averaging ten by ten, or 100 square feet, each worker costs $600 to $1500 per year in office space. For every ten workers, the company also needs approximately 200 square feet of meeting space and space for copiers, etc. Having ten people telecommute can save $7,200 to $18,000 per year. Having 200 people telecommute can save $144,000 to $360,000 per year. Less Time Wasted with “Office Chat” Hanging out by the water cooler does not happen often anymore; but whenever people share office space, they will find a place to congregate. Sometimes this congregation is work related, but all too often workers are simply gossiping or discussing past or future sports events. Estimates on this type of lost time vary from 1 to 2.5 hours per day. Workers earning $20 per hour cost the company $100 to $250 per week in “office chat” time, which equates to $400 to $1000 per month. Fewer Attendance Problems Childcare problems, sick children, and personal health often keep employees from work. Other attendance-type problems include perpetual tardiness, extended lunches, and the like. These problems are eliminated or significantly decreased when employees telecommute. Teleworkers can still work when their children are sick, and many can often work when they themselves are sick, but could not have come to an office. How does telecommuting prevent or avoid the problems of perpetual tardiness or extended lunches? It is doubtful that managers would be willing to have employees with these problems become telecommuters, but the issue should be addressed because the topic has been raised. Capability to Employ Disabled or Distant Workers Who Cannot Commute When employees telecommute, it opens up the potential labor pool. People who would require special adaptive equipment at work or who would have to move to a corporate location can easily telecommute. This lets the company hire the best workers for each position. Higher Job Satisfaction and Higher Productivity Higher job satisfaction and higher productivity have the same advantages to employers as they do to employees. Employees are happier and can generally get more work done in less time. Less Employee Turnover Because employees are happier, they stay longer on their jobs. Because hiring and training new workers can cost from $2000 to over $10,000 318
AU1253_ch26_Frame Page 319 Saturday, October 26, 2002 4:51 PM
Evaluating Organizational Readiness for Telecommuting per worker, the longer employees stay, the more money the company can save. Lower Relocation Expenses Technology has now reached the point at which workers do not have to move to corporate headquarters to work. This not only saves on office space, but conceivably saves $2000 to $10,000+ per worker for relocation as well. Note: The relocation number looks very low. An organization likely spends well over $50,000 on a relocation by the time housing differential, moving, etc. costs are paid. DRAWBACKS OF TELECOMMUTING There are also drawbacks to telecommuting for both the worker and the employer. For the worker, these drawbacks include: • Lack of physical contact • Potential to be “left out of the loop” • Potential to overwork While there are more benefits than there are drawbacks, these drawbacks are significant and need to be carefully evaluated. Take a look at each of these in more detail. Lack of Physical Contact Because humans are social animals, many people feel isolated without the daily contact with co-workers. Potential to be “Left out of the Loop” Without being on site on a daily basis, the old adage “out of sight, out of mind” tends to come true. Telecommuting workers must make sure they are included in group decisions and information distribution networks, as they would be when on site. Potential to Overwork Believe it or not, people are often so happy with their work that they work all the time. Telecommuters need to establish relatively regular work hours or they will burn themselves out by working 12 to 14 hours per day. For the employer, the drawbacks include: • • • •
More need for strong communications infrastructure More need for well-defined job duties, tasks, and requirements Jealousy on the part on nontelecommuting workers Managers feeling “lack of control” 319
AU1253_ch26_Frame Page 320 Saturday, October 26, 2002 4:51 PM
MANAGEMENT These drawbacks can be minimized as follows: • Need for strong communications infrastructure. Because telecommuters often feel left out, companies must make sure that the communications infrastructure includes them. If not, they will miss out, or feel like they are missing out, which has the same negative effects. Examples of tools for a strong infrastructure are dialing in for staff meetings and ensuring that all memos are distributed via e-mail. • Need for well-defined job duties, tasks, and requirements. Managers can no longer “manage by walking around” when workers telecommute, so workers need well-defined job duties and measurable tasks and deliverables. This is often difficult to set up initially, but it is key. • Jealousy on the part on nontelecommuting workers. If only selected people can telecommute, co-workers may envy those who do so. This means that managers must make it clear as to why certain individuals are allowed to telecommute. It is important to have clearly defined criteria for which jobs (and people) are eligible for telecommuting. Employees with performance or attendance problems would not normally be considered for telecommuting. • Managers feeling “lack of control.” Many managers have a hands-on management style and have a difficult time letting go of their employees. This may mean that organizations need to re-train managers who have telecommuters, or they may need to hire managers with different styles for these telecommuters. TELECOMMUTING ORGANIZATIONS Hundreds of organizations now have formal or informal telecommuting policies. These include banks, manufacturing companies, government agencies, educational institutions, and insurance companies. Some of the better-known organizations include the state of California, the city of Los Angeles, Pacific Bell, Travelers, Aetna, New York Life, and Key Bank. One of the largest telecommuting organizations is IBM. While IBM prefers to use the term “mobile workers,” it has one of the largest telecommuting staffs in the world. According to Bob Egan, Project Executive for Global Mobility and Productivity at IBM, the company has equipped 75,000 to 100,000 employees with their mobility tools. Of these 75,000 to 100,000 employees, about 60,000 use the tools on a regular basis, 27,000 in the United States and the rest worldwide. IBM had 10,000 mobile representatives in place by the end of 1995, and the program went worldwide in 1995. IBM is a prime example of the success of this type of working. IBM spent $41 million equipping these workers and has saved $75 million per year in real estate expenses alone; but the success has not been solely financial. 320
AU1253_ch26_Frame Page 321 Saturday, October 26, 2002 4:51 PM
Evaluating Organizational Readiness for Telecommuting Exhibit 1.
Readiness Checklist
Organization Checklist • • • • • •
Does management believe in telecommuting? Do the workers have clearly defined and measurable job duties/objectives? Do you have a strong company/team communication network in place? If not, are you willing to implement one? Do you have the technological infrastructure capable of supporting telecommuting? If not, are you willing to implement one?
Individual Checklist • • • •
Do you have a physically separated spot in your home to work? Do you have enough discipline to work when you would rather be doing something else? Do you have clearly defined and measurable job duties/objectives? Can you work in relative isolation from colleagues?
In in-house surveys, IBM has found that 87 percent of the teleworkers reported that they were more or much more productive than they were prior to telecommuting. Critical Success Factors While the benefits and drawbacks above and the readiness checklist (Exhibit 1) both allude to factors for success, Bob Egan (IBM) and most telecommuting organizations and employees agree that there are three critical success factors for implementing a telecommuting program. These are • Clearly defined, measurable objectives • Strong communication system • Belief in telecommuting Take a look at why these factors are critical. Clearly Defined, Measurable Objectives Because of all the drawback factors mentioned above, judging the success of telecommuting can be highly subjective. To make sure it is as objective as possible, the telecommuting policy and job descriptions must be clearly defined and measurable. It also helps to have a series of objectives for both the short and long terms. Strong Communication System Because telecommuters are not on site as frequently as other workers, there is a high potential for forgetting about them, leaving them out of the decision-making process and the results of those decisions. For these reasons, the organization needs a strong communication system. Internal and external documents need to be circulated to teleworkers; meeting dates and times need to be passed on to teleworkers; even office parties, 321
AU1253_ch26_Frame Page 322 Saturday, October 26, 2002 4:51 PM
MANAGEMENT birthdays, and other special occasions should be communicated to teleworkers. They may not need to be involved in the activities, but it is comforting to know about them. This information flow must also go both ways. When this type of information flow does not exist, both the organization and the workers suffer. The hardware and software tools of today allow for this — IBM even sells its secrets of success — but it is up to organizations to implement them correctly. Belief in Telecommuting It has been proven in countless ways that expectations influence final outcomes. If managers and employees expect telecommuting to fail, it most likely will. Both the managers and employees have to believe that telecommuting will produce the needed benefits. If not, then the success will be consciously or unconsciously undermined. Unfortunately, this lack of belief is also ingrained in most people. Touting the benefits will not convince skeptics. They may pretend to play along, but they will be pleased to say, “I told you so” in the end. Exhibit 1 allows one to judge whether an organization is ready for telecommuting. Answer the questions as things are now, not as one hopes they will be. When organizations implement telecommuting sooner than they are ready, they run the risk of failing.
322
AU1253_ch27_Frame Page 323 Saturday, October 26, 2002 4:51 PM
Chapter 27
Supporting Telework Heikki Topi
Since the industrial revolution, most organizations have been built around the model of bringing employees to centralized locations to perform work with a group of peers under the immediate supervision and control of management. For almost three centuries, the general assumption among managers and their employees has been that the employer assigns a place where the employee performs his or her work. Today, advances in telecommunications technology and transportation have freed many workers from the traditional model of a fixed place of work. Telework has become a widely implemented practice for two reasons. First, increasingly, many Americans have become telecommuters — spending at least a part of their regular business hours in home offices, satellite offices, or neighborhood work centers close to their homes. Current estimates of the percentage of Americans telecommuting either full- or part-time vary between 10 and 20 percent. Second, it has become increasingly common for work to be performed by virtual teams — where the membership of the team is not limited by the physical location of an employee’s primary workplace or a team member’s functional unit within the organization. Both of these kinds of telework require virtual work arrangements. Research and practical experiences from a large number of organizations have shown that various types of virtual work arrangements are advantageous for both organizations and their employees. When applied correctly, they provide the flexibility that allows companies to put together the best possible teams for various projects. They enable their employees to enjoy freedom from the restrictions set by a strictly defined place and time of work. Also, virtual work arrangements can provide significant cost reductions to both the employer and the employees. The purpose of this chapter is to identify the obstacles that organizations face in implementing virtual work arrangements and to offer some practical solutions to alleviate these problems. The intention is to present a balanced view that includes both technological and managerial solutions.
0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
323
AU1253_ch27_Frame Page 324 Saturday, October 26, 2002 4:51 PM
MANAGEMENT OBSTACLES OF VIRTUAL WORK ARRANGEMENTS The discussion that follows covers several categories of reasons why traditional work arrangements still are dominant. Some of these reasons are still valid but can be alleviated by advances in technology and management techniques. Other reasons are simply no longer valid. The extent to which obstacles exist naturally depends partially on the industry and the way the organization operates. Task- and Resource-Related Obstacles On many occasions, work has to be performed at a specific location because the physical objects being processed are there. Most manufacturing and construction jobs fall into this category; in most cases, it is either practically impossible or economically unjustifiable to spread the work among a large number of sites. Thus, the location of work is determined by the need to bring a team of workers together to a place that is suitable for the manufacturing operation or happens to be the site under construction. In many service jobs, the work has to be performed where customers are if face-to-face contact is valued. The traditional model for retail sales, banking, repair services, hotels, and restaurants is based on the idea of attracting a customer to a specific physical location, and in most cases it is essential that employees are available in these locations, too. Not only customers but also suppliers, financial institutions, government agencies, and other stakeholders assume that most organizations have a stable physical location where at least some of the employees can be found (naturally, this can be a location of a parent or custodian organization). This assumption will probably not be radically changed in the near future. Also, in many cases the physical presence of an organization is a status symbol, and both buildings and the number of employees working in them are still used as indicators of success. In other situations, however, a mobile sales force is assumed; sales personnel are expected to interface with their customers at their places of business. The location of work is also often constrained by the need for specialized equipment or other resources. This is obvious in manufacturing; often the work is where the machinery is. Also, in many industries, research and development work requires specialized laboratory equipment. For office workers, the location of work is often determined by the location of the documents that employees manipulate in their jobs. Much of office work still involves processing data on paper forms. Many times work takes place where access to physical archives of either organization-specific data or general knowledge is possible. Reasons related to the nature of tasks and the availability of resources still anchor employees strongly to a specific physical location, even if technology 324
AU1253_ch27_Frame Page 325 Saturday, October 26, 2002 4:51 PM
Supporting Telework significantly reduces these dependencies. For example, information technology can connect customers to virtual retail outlets or product experts and can make formerly location-specific resources (such as information sources and paper forms) available through networks. Management-Related Obstacles Many organizations require their employees to perform their jobs in a specific location even if they are not manipulating tangible objects in their jobs and they need no tangible resources to get their jobs done. This section will explore the reasons underlying these requirements. Perceived Performance Advantages. Often managers perceive that the aggregated performance of all the employees working together in a specific location is higher than the sum of individual performances if employees worked separately in different locations (i.e., that co-location per se will create clearly beneficial synergies). People are brought together to work in the same location because management assumes that the support that employees give to each other improves their joint performance. The assumption is that co-location enables unplanned informal meetings, quick answers to unanticipated questions, idea generation, and problem-solving sessions.
It is important, however, to note that with advantages come disadvantages. Disruptions and interruptions are all too typical in office environments and can result in a lack of concentration; these include background noise, events unrelated to work being performed, and unnecessary and unproductive planned and unplanned meetings. Whether or not continuous co-location of a team is truly beneficial depends on a large number of factors such as the nature of the project and tasks, the stage of the project, the number of people involved, the cohesiveness of the project team and its ability to work together in different environments, the nature of the facilities allocated to the team, and the alternative communication mechanisms that are available. No organization should assume automatically that one arrangement is always better than the other; flexibility and freedom to look for the best possible alternative for a particular project organization at a particular project stage is the key. Organizations’ Need to Manage. Many organizations and individual managers still feel that they need their employees in a location where “management by walking around” or “management by example” philosophies can be applied literally, and where work behavior can be directly observed. Many managers are still uncomfortable with the idea of being responsible for a team if they are not able to be in face-to-face contact with team members regularly. Unfortunately, the problem is often the lack of trust between team members; many managers still have an expectation that they should be able to control an employee’s contributions toward the goals of the team or the organization by observing his or her behavior. This is true 325
AU1253_ch27_Frame Page 326 Saturday, October 26, 2002 4:51 PM
MANAGEMENT specifically in cases in which the evaluation of results is difficult or the risk of failure is high. Workers’ Need to Be Managed. On the other hand, employees often feel the need to be managed, either because they want to show with their behavior that they are loyal and useful contributors to the organization’s goals (and thus, for example, worth a promotion or a place among those who keep their jobs if employees are laid off) or because they simply need somebody to organize their work for them to get it done. Some employees also feel safer if they have the option of moving the responsibility for the most demanding decisions to somebody else.
Therefore, the needs to manage and be managed are strong reasons underlying the tenacity of the traditional work arrangements. Naturally, an important question is the validity and relevance of these needs and our ability to overcome these concerns with technology. On one hand, at least in some cases, it is possible to use modern communication technologies to implement mechanisms that would effectively produce the same results as traditional management techniques that require physical vicinity. On the other hand, it is possible (and increasingly often essential) that employees can feel that their performance is not (only) evaluated based on their behavior but based on their contributions to the organization’s goals (i.e., their results). Social Contacts and Support. Organizations also bring their employees together into one or several locations because often this is what their employees want. The physical workplace is for many an important social environment; many simply do not want to work outside the workplace (e.g., at home). Fears of social isolation and life without the variety of human contacts offered by traditional work arrangements are true and serious factors affecting the models of work that organizations are able to use.
This is linked, in part, to the need to be accepted as a valuable member of an organization by managers and co-workers, and partially it is linked to how social relations at the workplace often become a natural social network in addition to the extended family and close friends. For many, it is essential to be able to leave the home regularly and enter a different social and physical sphere. Many employees also feel that the support given by co-workers in the immediate physical proximity is valuable and helps them perform their tasks better. A question or other request for help is at least interpreted to be less intrusive and more effective if presented in person than if presented using a communication technology such as phone, videoconferencing, or e-mail. Also, in an environment in which employees work in close physical proximity, it is easier to find support with complex or in other ways difficult decision making. 326
AU1253_ch27_Frame Page 327 Saturday, October 26, 2002 4:51 PM
Supporting Telework REMOVING OBSTACLES WITH TECHNOLOGY This section discusses a variety of technological tools and arrangements that can be used to enable virtual work arrangements and improve their utilization in organizations. Both tools and support of their usage are included because it is not sufficient to make technological resources available to employees; effective work arrangements require high-quality technology support. Later in the chapter we continue our discussion by emphasizing the importance of a variety of managerial actions. Even well-supported technology is not enough if it is not applied effectively. Technology Resources Virtual work arrangements are made possible by communication and computing technology. A well-functioning, efficient telecommunications infrastructure for voice, video, and data is one of the first requirements for a technology environment to support telework, whether telecommuting or virtual teams. In voice communication, the key characteristic of a support system for virtual workers is flexibility. The phone system of an enterprise should be able to connect a phone call to an employee with one number independent of his or her location, whether it is within company facilities, in the home office, or on the road with a wireless phone. Increasingly, wireless technologies form a natural basis for voice communication because they enable independence from location. In data communication, it is important that virtual workers have access to all the same services that are available to employees with a permanent office, although often not at the same speeds. Virtual private networking (VPN) and other remote access technologies have made possible a versatile way to access corporate data resources. The importance of sufficient bandwidth cannot be overemphasized; for any connection that is made regularly from the same location (as, for example, in telecommuting), Integrated Service Digital Network (ISDN) at 128 kbps is the minimum speed, and broadband options (asymmetrical digital subscriber line [ADSL], cable modems, satellite-based systems) should be used whenever possible. The additional cost compared to analog modem connections is small compared to the advantages. It does not make sense to lower the productivity of a highly paid professional because of low bandwidth and an unreliable connection if a faster and more reliable option is available at a marginal monthly cost of only $50 to $100. The promise of videoconferencing has not yet been fulfilled by widely available technologies except in large organizations, mostly because of the lack of sufficient bandwidth. Useful videoconferencing requires a circuitswitched or dedicated connection; the 128-kbps bandwidth provided by an ISDN connection is the absolute minimum but, in practice, only 384 kbps or 327
AU1253_ch27_Frame Page 328 Saturday, October 26, 2002 4:51 PM
MANAGEMENT higher bandwidth offers a connection that is sufficient for high-quality videoconferencing. Existing and future telecommunications technologies such as increasingly fast Internet connections using ADSL and cable modems, the promise of ATM-based broadband ISDN, and coming third-generation wireless devices all mean significantly higher access speeds than those currently available. An organization that wants to seriously use the opportunities offered by virtual work arrangements should build a state-of-the-art telecommunications infrastructure and make it available for the employees who are applying the new model of work. Technology Support Providing the best of technology to employees who are doing their work outside the traditional work environment will not be sufficient if they are not trained or able and willing to learn to use the technology. Virtual workers are often far away from the traditional organizational support system and therefore need to have stronger technical problem-solving skills than do peers who are closer to the reach of the organized support. This area was often ignored earlier when employees interested in virtual work arrangements often were technology experts themselves. In the current situation, the need for technological survival skills is high enough to warrant a special training course for employees who are starting to telecommute or become members of virtual teams. The content should not only include standard software but also issues related to the telecommunications solutions used. The more dependent a teleworker is on the resources available on the network, the more important it is that the training enables the employee to troubleshoot and independently solve at least the most typical simple network problems. However good the training, the importance of an excellent support structure cannot be overemphasized. Both telecommuters and virtual team members have their own special computing and telecommunications needs, and sufficient support should be available to address the relevant issues. For members of virtual teams, the most essential issue is the creation and maintenance of a proper environment for sharing information, an environment that allows efficient and effective file sharing and electronic conferencing among team members, wherever they are located. For telecommuters, it is vitally important that support personnel are easily accessible by phone (and videoconferencing, if used by the organization), and that they are able to provide help both with traditional software problems and telecommunications issues specific to telecommuters. The support organization should have the necessary expertise to help telecommuters choose the best telecommunications solution suitable for each individual from the set of available solutions. 328
AU1253_ch27_Frame Page 329 Saturday, October 26, 2002 4:51 PM
Supporting Telework REMOVING OBSTACLES WITH MANAGERIAL ACTIONS The technology-based solutions reviewed previously are not all that is needed. It is easy for managers and knowledge workers focusing on technology-related projects to understand the technical solutions and to attempt to apply them to all problems. Technical solutions alone will, however, fail to bring the results that can be achieved by choosing a balanced approach that integrates appropriate technologies with carefully selected managerial tools. Task Support One of the problems with telework is the real or perceived lack of support for a variety of work-related tasks. Many employees find it problematic if they are not able to turn to their immediate co-workers or supervisors to ask for help with difficult decisions or problems requiring specialized knowledge that only few in the organization possess. It appears that the problem is gaining somebody’s immediate attention. Any teleworker has a variety of telecommunications media (e.g., phone, videoconferencing, electronic conferencing, and e-mail) for contacting the same coworkers they would be approaching to ask for help in a face-to-face setting, but every one of these media is easier to ignore than a direct person-to-person contact attempt in an office setting. To alleviate the concerns regarding the lack of task support in a virtual work environment, clear organizational task support mechanisms should be available. First, either messaging and groupware tools such as Lotus Notes or other intranet technologies should be used appropriately to maintain organizational memory in the form of questions and answers or problems and their solutions. Second, teams and departments where at least some of the employees are working virtually should explicitly acknowledge the task support needs of the employees outside the permanent location and give them a priority when appropriate; this requires conscious effort, especially from those working on the company premises. Third, whenever possible, regular face-to-face meetings with virtual employees present should be a part of the organization of work for all project teams and work groups; among other benefits, these meetings offer excellent opportunities for mutual learning and support. Fourth, in many situations it is good if the entire group or department learns to use asynchronous media (such as e-mail or electronic conferencing) for questions and answers that do not require an immediate answer; an additional benefit is that these media provide an opportunity to store the questions and answers as part of the organizational memory. Whatever the technical implementation chosen, it is important that the task support needs of the employees working in the virtual environment 329
AU1253_ch27_Frame Page 330 Saturday, October 26, 2002 4:51 PM
MANAGEMENT are taken into account and acknowledged in a way that reduces at least the perceived lack of task support. Modified Reward Mechanisms Successful telework requires organizational reward mechanisms that are adapted to suit the new models. If work behavior cannot be directly observed, it should not be a basis for evaluation either. This is, however, a tradition that is difficult to change; when direct results of an employee’s work do not warrant a positive evaluation, managers often tend to rely on their impressions based on observations of work behavior. If an employee has successfully created the impression of hard work and strong dedication, it is much easier for a manager to attribute the unsatisfactory results to external causes that were not under control of the employee. It is still much easier to create these impressions when colocated with the manager who performs the evaluation. (This is not to say that employees do not try to create similar impressions of dedication and diligence in virtual environments, too, for example, by creating work-related e-mail or electronic conferencing postings in the middle of the night.) To a certain extent, visibility in the communication channels of the virtual world is also used as a behavioral criterion, and, thus, individual actions intended to create a positive image might be effective in some cases. Organizations should, however, find ways to move toward an evaluation model that values, in a fair and equitable way, contributions toward the organization’s goals, not the number of hours spent or other similar activitybased measures. In many organizations, this is a clear cultural change, which is never an easy process, and it requires conscious effort by the management. Extra effort is needed to make sure that promotion decisions are fair and perceived to be fair. Virtual workers can aid this process by making sure that the results of their work are not hidden and that their supervisors understand what they are achieving. Moreover, the external signs of rewards should also be available and visible in the virtual world if there are corresponding signs in the real world: For example, “Employee of the month” type of recognitions should be visible not only on the wall in company headquarters but also on the corporate intranet. If privileges that are only useful at the company premises (e.g., special parking or access to special facilities) are used as reward mechanisms, some corresponding rewards should be developed for those operating in the virtual world. If the top management of an organization wants to support and encourage virtual work models, managers should express and communicate this explicitly to all employees using channels that are available also to those 330
AU1253_ch27_Frame Page 331 Saturday, October 26, 2002 4:51 PM
Supporting Telework who are not physically present at the company locations. The best support is support by example, which requires that the top management is also able and willing to use the communication channels typically used by virtual workers. Also, it is important that the top management expresses the commitment to create and maintain a reward system that is fair for everybody because virtual work arrangements may create concerns regarding fairness among both those who participate in them and those who do not; the success of these arrangements requires that these concerns are addressed. Maintaining and Enhancing Organizational Identity Employees want to identify with the organization for which they are working, and it is important that teleworkers have enough opportunities to strengthen their organizational identities. Partially, this requires that organizational networks, particularly intranets, include information and symbolism that aids all employees with identification (e.g., statements regarding corporate values, mission, basic objectives, history, and future, consistent use of corporate colors and logos, or examples of achievements by the company and its employees). On the other hand, it is important that all employees without a strong permanent home within the organization are regularly brought together to social meetings in which they can learn to know their co-workers better, in a relaxed face-to-face setting, and to identify better with the entire organization. One of the best ways to create and maintain a strong identification with an organization is to create an atmosphere of trust in which every employee can feel that he or she is trusted to contribute fully to the organization’s goals without continuous observation and control by management. These feelings can be nurtured by explicit statements and other visible signs of trust, but it is even more important that employees can feel that management appreciates and accepts their decisions regarding their own work. Responding to Other Social Needs Organizations willing to use virtual work arrangements successfully should find mechanisms to respond to employees’ social needs. For many employees, work is a justification to leave home regularly and meet other adults. Virtual teams, work at customer sites, and satellite offices fulfill this need, but for many teleworkers who work at home, the advantages of freedom and flexibility are significantly challenged by the long hours alone without the opportunity to stop by at a colleague’s office or have a lunch break together. Also, lack of face-to-face social contacts supports the feeling of being out of the loop and out of the core circle of employees. One solution to this problem that also makes sense for other reasons is to make sure that all employees, however virtual their existence normally is, regularly attend face-to-face meetings with both their supervisors and 331
AU1253_ch27_Frame Page 332 Saturday, October 26, 2002 4:51 PM
MANAGEMENT their co-workers. If possible and mutually agreeable, one option is to implement part-time telework arrangements so that even telecommuters spend one or two days a week at central or satellite office locations. Naturally, if this option is chosen, logistical arrangements are necessary to make sure that cost savings related to the reduction of office and parking space are not entirely lost. The developments in telecommunications technologies — especially relatively inexpensive high-bandwidth solutions such as ADSL and cable modems with a flat fee pricing structure — make it possible to use a rich variety of communication options (including videoconferencing over IP networks) for business-related purposes. It is probable that active utilization of modern telecommunications technologies alleviates — at least to a certain extent, but not fully — the feelings of being alone and far away from the center of action. CONCLUSION Many organizations have identified good reasons to make telework possible for their employees; the benefits include increased flexibility and cost reductions for both individuals and organizations. Yet many organizations are struggling to make these arrangements successful and widely available. The lessons learned from this chapter can be summarized with two key points. First, advances in technology have dramatically expanded the possibilities for telework, but virtual work arrangements do not fit with all industries and all employee groups. Managers have to carefully evaluate the feasibility of telework for a given organization and given type of work. Second, the success of virtual work arrangements cannot be guaranteed with technological solutions only. In most cases, strong and clear managerial interventions are necessary. The technical opportunities for virtual work arrangements continue to evolve; advances in wireless communication technologies, for example, are expected to have a strong impact. Yet even with future technologies, the benefits of telework may be elusive if due attention is not given to the careful design of work arrangements that fulfill the fundamental needs of both organizations and their employees.
332
AU1253_ch28_Frame Page 333 Sunday, October 27, 2002 5:56 AM
Chapter 28
Assuming Command of Your Network David A. Zimmer Andres Llana, Jr.
Many companies looking to implement remote access are more concerned with the extra management burden than they are with the cost of the actual hardware and software. While many vendors concentrate heavily on the price of remote-access products, network administrators have to look beyond price alone and consider the products’ manageability. Otherwise, these products could turn out to be more expensive in the long run. Fortunately, many vendors of remote access servers support the Simple Network Management Protocol (SNMP). SNMP support facilitates ongoing management and integrates the remote access server into the management environment commonly used by network administrators. Support for SNMP allows the server to trap several meaningful events. Special drivers pass these traps to a SNMP-based network management platform, such as Hewlett-Packard’s OpenView, IBM’s NetView/6000, or Sun’s SunNet Manager. The management station, in conjunction with the vendor-supplied Management Information Base, can then display alerts relative to the operation of the server. The network administrator is notified when, for example, an application processor has been automatically reset because of a time-out, or when there is a hardware failure on a processor that triggers an antilocking mechanism (ALM) reset, a type of reset that ensures that the entire system and all other users are not locked by the failing processor. Management utilities allow for status monitoring of individual ports, the collection of service statistics, and the viewing of audit trails on port access and usage. Networks have required close attention ever since workstations relocated out of the mainframe computer room and began communicating over a telecommunications line. As workstations gained more intelligence, legacy networks were soon replaced with local area networks, greatly 0-8493-1253-1/03/$0.00+$1.50 © 2003 by CRC Press LLC
333
AU1253_ch28_Frame Page 334 Sunday, October 27, 2002 5:56 AM
MANAGEMENT intensifying the management process. At that point, managing evolved beyond simplistic element monitoring, taking on greater importance as companies relied more heavily on their networks. Today, networks are a major asset for many companies, requiring large investments in hardware, software, and communications equipment. While capital equipment costs can be considerable, the major expense for most companies is the annual recurring cost of operating the network. Of this expense, the majority (84 percent by some estimates) is devoted to operational expenses for personnel, leased facilities, and system maintenance. Because of this phenomenon, network management has experienced a shift in emphasis to encompass “enterprisewide management.” In this scenario, there is a requirement to monitor and control all network systems and applications. This has caused a shift in the level of support staff required to manage the corporate network. As client/server local area network (LAN) segments continue to grow across the corporate landscape, managing a comprehensive wide area network (WAN) has become more complex and critical to the success of the business enterprise. Network management platforms have since evolved from a collection of device-oriented tools to a more integrated management process. Earlier UNIX network management platforms such as HP OpenView and SunNet Manager are now being asked to support a host of new functions and applications. Fortunately for many end users, proprietary management platforms became available based on the industry standard: SNMP. The adoption of this standard minimized the number and complexity of management functions, which allowed developers to enhance the operation of their management tools. Several SNMP-based platform vendors have developed an enterprise network management tool, the architecture of which can deliver scalable functionality well into the future. THE COST OF MANAGEMENT Managing networks in the past has always been a labor-intensive, timeconsuming process requiring skilled people to administer the network and provide hands-on troubleshooting, physical management, and device and asset management. Faults or network errors required the analysis and localization of a problem before a fix could be established. Next, personnel had to be dispatched to a distant wiring closet, remote network hub, or another building across an office park to fix the problem. Problems on a WAN are even more troublesome when they occur on the public network. With the RBOC downsizing, network problems on the public network are taking longer to resolve, further adding to the cost of network downtime. 334
AU1253_ch28_Frame Page 335 Sunday, October 27, 2002 5:56 AM
Assuming Command of Your Network As a distributed network evolves, expanding its population of remote nodes, support staff can easily double or triple. A recent Infonetics study on the real cost for network management showed that a network comprising 1000 nodes could easily incur an annual cost of over $1.4 million for trained staff. Obviously, a network that is based on a legacy communications platform rather than state-of-the-art facilities can only exacerbate the staffing situation. For example, where multiple legacy network management platforms are involved, diverse event reporting can become very confusing, drowning the network administrators in their own data. Obviously, a large distributed network can produce reports for thousands of events, which may be forwarded to the network administration team. In this scenario, interpreting which reports are more critical than others presents a very daunting task for the network management staff without automated support. MANAGING FOR THE FUTURE However, as a company’s network architecture evolves, choosing the right management strategy allows the network administrator to bridge the gap between expanding requirements and limited financial resources. As more company networks migrate toward more sophisticated switched networks, the right management strategy should be in place to accommodate a more sophisticated level of network management. For this reason, it is important to base a management strategy on a careful analysis of the network’s longterm projections. This analysis should establish a criteria for those elements to be measured that provides the greatest impact on the network and the company’s stated goals. The Right Tools Having the right tools can greatly improve the cost of managing the network while allowing the operator to maintain the highest levels of reliability. For this reason, it is necessary to recognize the essential elements critical to the establishment of a network management strategy. While the early forms of network management focused on network element management, the emerging network management platforms focus on entirely different criteria. For example, in expanding the population of an already busy network, the key requirement exists for scalability. Scalability. Earlier SNMP platforms were based on a UNIX hardware/ software platform and were designed to support smaller networks (less than 1500 nodes). However, it is not impossible for a small network to double in size through a corporate merger or acquisition. The resulting larger network would likely generate much more traffic than could be handled by a single UNIX platform. Some network managers faced with such a circumstance have had to carve up their networks into more manageable 335
AU1253_ch28_Frame Page 336 Sunday, October 27, 2002 5:56 AM
MANAGEMENT subnets so that they could be managed by a single UNIX platform. For this reason, the network planner should consider a network strategy that will support shared information among several management platforms so that it may be possible to view the network as a whole. Enhanced Traffic Management Techniques. When SNMP managers were
first deployed in the early 1980s as element managers, they produced the bare essentials. Today, these same managers have been expanded to provide a prodigious amount of information. The level of information can be so great as to inundate the management staff; hence, the requirement for sensible management and presentation of information. Filtering. Filters are used to examine single resource information streams that may be coming from a router, switch, or applications agent. The filter will be used to check for thresholds, amounts of change, and other similar functions. Reports that exceed their threshold can then be forwarded to another control point or to an appropriate manager for action.
While filtering may reduce the redundancy in event reporting, it will still fall on the administrator to determine the cause of the network error. Further, this filtering may reduce noise level traffic, but it will not enable the network manager to determine the prime effects that may be causing the problem. In a similar manner, a router or switch could fail, sending a large stream of message events out onto the network. This would only confuse the operator; thus, it is imperative that there be a mechanism for automated event correlation. Another issue to address is the reallocation of management among several platforms to reduce workload. For example, Novell and Microsoft provide a direct interface between their local management systems and an SNMP-based platform. Other systems like Aprisma, IBM, and Sun offer “intelligent agents” or other means to handle local data that does some management and filtering tasks without involving the SNMP platform. Correlation. Correlation is the process by which reports from multiple sources can be handled in parallel and evaluated in terms of an established priority. In this way, critical events can be surfaced to the operator for immediate attention. Other events of lower priority can be lowered down in a prioritized list. For example, a failing switch or router can generate a series of events. A correlation process sorts them out and identifies the most likely cause. Parallel actions may include enabling an alternate routing table. Larger networks will require a multidomain solution with multiple servers and the ability to correlate events from different domains.
THE HUMAN ELEMENT Early SNMP platforms provided a convenient means for managing specific proprietary devices or elements. However, as these multiply across a network, 336
AU1253_ch28_Frame Page 337 Sunday, October 27, 2002 5:56 AM
Assuming Command of Your Network operator time can be consumed in a number of ways. Older UNIX platforms may require more highly skilled personnel with institutional knowledge to interpret system events. For this reason, a key requirement for an enterprise management platform is in the amount of information automation that is present. Such a system should be easy to use by personnel with less skill. The ability of a platform to support a form of institutional memory that allows it to remember solutions to problems is a prime requisite for a large network. Most systems use Remedy’s trouble ticketing application, which supports a form of institutional memory. However, very few of the early network management platforms supported any sort of rules-based or expert system functionality. Aprisma’s Spectrum system has a rules-based expert system functionality built in. Thus, it is incumbent upon the network owner to plan the deployment of high-level productivity tools as a strategy if they are to contain staffing costs. TELECOMMUTER SKILL SET A telecommuter must possess certain skills to be successful. Managers can usually determine which employees might be best suited to telecommuting. Typically, these same people are already performing well within the company. The same traits that make them successful inside the company make them successful as telecommuters. These traits are: • • • • • • •
Self-starter Motivated Organized Goal oriented Disciplined Knowledgeable Trustworthy
Who would not make an effective telecommuter? Studies have shown that employees new to the company or who are younger shy away from telecommuting. They reason that they need to “establish” themselves in the minds of others, especially management. They are very sensitive to career management issues and want to ensure they do not miss an opportunity because they were working from home. Also, the younger employees do not have the pressure of family life and do not relish the idea of working in an environment in which there are no people. They get enough “time by themselves,” as they may live alone. As a result, they typically turn down the opportunity of telecommuting. TELECOMMUTER TRAINING Regardless of their skill sets, telecommuters need to be trained. Areas to consider in the training sessions would be organization skills, time management, 337
AU1253_ch28_Frame Page 338 Sunday, October 27, 2002 5:56 AM
MANAGEMENT care and troubleshooting of office equipment, including upgrading software, reloading paper, and attaching wires, company policies, zoning laws, and insurance considerations. Some of the items to be covered are general to the telecommuting program; others are specific to the telecommuter, such as zoning laws and insurance concerns. Sociological and psychological areas should be addressed as well. The telecommuter going from the social environment of the office to the isolated arena of working from home needs to know the signs of isolationrelated stresses, the workaholic conditions, and other maladies. These concerns hinder the telecommuter’s effectiveness and productivity, as well as the physical and psychological well-being. Periodic reviews of these areas are highly recommended. The telecommuter should be trained in basic hardware and software troubleshooting. More important, the telecommuter should be trained to communicate most effectively by telephone and electronic mail. Phones, faxes, and e-mail are the telecommuter’s life blood for working effectively. Without proper skills, the telecommuter will suffer from information deprivation leading to isolation, which lowers the person’s productivity. MANAGER SKILL SET The manager of telecommuting employees must possess certain skills as well. Unlike when supervising people they can see, managers must facilitate the telecommuter’s continued involvement within the organization. The manager must set an example for commuting employees in interacting with telecommuters. The manager must determine that no special allowances are shown toward the telecommuter because they are telecommuting. In short, the manager must have the following attributes: • Leadership. The manager knows how to extract the most from each employee regardless of the employee’s commuting status. • Trust. The manager believes the best of people and that the people will meet the deadlines imposed. • Respect. The manager does not require the telecommuter to work 24 hours per day just because the work is always nearby and respects the timetable established with the telecommuter. • Communication skills. The manager keeps everyone in the group informed regardless of their location. MANAGER TRAINING The manager must be trained in managing telecommuters. The skills listed above may be freshened with techniques to facilitate proper support of the telecommuter. Also, the manager must be trained to manage by objectives and tasks rather than the time-based manner of managing. It forces the 338
AU1253_ch28_Frame Page 339 Sunday, October 27, 2002 5:56 AM
Assuming Command of Your Network manager to think differently and to see the value of being less concerned over the amount of time spent on the project and see that meeting the milestones are more important. Just as the telecommuter needs to be trained in effective communications by telephone, fax, and e-mail, the manager should receive similar training. Keeping people informed and coordinating projects encompass most of a manager’s time. Effective use of the communication infrastructure is vital, especially in a virtual group situation involving telecommuters. OFFICE TECHNOLOGY FOR THE TELECOMMUTER Telecommuting may be implemented by a company in several different formats: employees work from home or employees report to community sites, among others. If the company chooses to implement community sites or locations near a group of employees’ homes, the company typically outfits the office with equipment equivalent to that at the main office. This chapter focuses on the equipment and concerns necessary to outfit a productive home office. Unfortunately, many employers do not consider the home office a serious environment to perform work. Therefore, the equipment “donated” for use in the home is antiquated by computer standards. This ought not to be. Whereas an employee can be productive while using older equipment, faster machines with up-to-date functionality can make the employee more productive at a relatively small cost. With that in mind, outfitting the home office should be the same as outfitting the employee for the office. The most efficient way to outfit the home office for productive use is to consider the equipment the employee uses in the office on a day-to-day basis. If the employee uses a computer in the office for generating reports, processing e-mail, programming spreadsheets, or entering data, the employee needs a computer at home. Similarly, the employee needs other equipment, such as fax machines, copiers, and modems. While planning the home office equipment needs, the employee should consider three main areas: • Communications • Computing resources • Support services Communications Communications is the lifeblood of telecommuters. Without the proper information flow, the telecommuter becomes isolated from the real world. Someone once said, “Home office plus communications to the main office equals telecommuting.” Communications come in three primary forms 339
AU1253_ch28_Frame Page 340 Sunday, October 27, 2002 5:56 AM
MANAGEMENT today, with several others emerging very quickly. The primary communication methods are voice, fax, and e-mail. The emerging mediums that should be considered are video conferencing and online connections. Voice Communications. Voice communications accounts for the majority of interactions with others. As a result, the telephone has become a ubiquitous tool, available to all. The adoption of voice mail inside companies almost rivals the adoption of the telephone. Because the telephone has become such an important business tool, the employee should have an extra telephone line installed at home specifically intended for business use, especially if the employee’s job or personality requires extensive use of the telephone.
The type of phone equipment can be left to the discretion of the employee. Many home office workers prefer speaker phones if they spend hours tuned into audio conferences. The hands-free mode speaker phones let the employee move paper, take notes, and even do other work while a conference call is in progress. If a speaker phone is used, the employee is wise to buy a high-quality phone that provides clarity in speaker mode. If the person relies heavily on the phone, voice mail purchased from the local phone company is another must. Voice mail provides coverage while the phone line is busy, unlike a simple answering machine, and presents a more professional image. Answering machines are a good substitute to voice mail if the added expense of the voice mail is not justifiable. Answering machines come in two formats today: digital and analog, cassette-tape based. The digital records the announcement message and incoming messages in computer memory, so the recordings are clear. The machines permit random saving and deleting of messages as opposed to the sequential nature of tapebased machines. If purchasing a digital answering machine, the employee should be aware of the maximum message time the machine will store. If more time is needed, the employee must purchase a machine that supports the additional time. The tape-based machines are the least costly and most trouble prone. Tapes have a tendency to stretch and wear from usage causing messages, announcements, or incoming messages to sound muffled or distorted. Messages cannot be randomly eliminated. Either all the messages are saved or they are all deleted. If the employee requires extensive phone usage, call waiting is another feature that should be considered. Call waiting is a service purchased from the local phone company. It “announces” another call on the same line that is currently in use by the employee. Call waiting permits the employee to “flash” the telephone hook to put one call on hold while answering the 340
AU1253_ch28_Frame Page 341 Sunday, October 27, 2002 5:56 AM
Assuming Command of Your Network other. This feature is useful, especially when the employee is expecting important calls that should not be routed to the voice mail or terminate in a busy signal. Three-way calling is another feature that is useful to the telecommuter. A service purchased from the local phone company, three-way calling permits the telecommuter to hold a phone conversation with two other parties in separate locations. If the telecommuter coordinates activities of others, three-way calling is a must. Others may find locating a telecommuter by phone frustrating if they are not used to the telecommuter’s schedule. The caller may have to dial a second number to reach the telecommuter. To eliminate the need to call additional numbers, a telecommuter can employ call forwarding, which directs all calls placed to one location to be automatically forwarded to another location. By using this service, a telecommuter need only provide one number and the caller need not know the telecommuter’s location. This service is particularly handy for telemarketing and customer service positions, in which reaching the person is important even though the person’s location is not. Call forwarding permits forwarding to only one number or one “hop.” New services permit calls to travel along several hops in order to locate a person. These services are called Follow-Me Services. The telecommuter programs the telephone network to direct calls through a series of numbers (e.g., office phone, home-office phone, and cellular phone) until either the telecommuter answers or returns the caller to a voice mail system. These services are beneficial to mobile telecommuters who are constantly moving from one location to another and who find maintaining a pre-set schedule difficult. Regardless of how simple or how fancy the telecommuter makes the call routing, a very important feature needed is the message-waiting indicator (MWI). If a message is left but never retrieved, the systems become useless. MWI can take several forms to accommodate the telecommuter’s work patterns: stutter dial tone (an intermittent tone when first lifting the phone handset), LEDs on the phone or answering machine, and pages sent to pagers. Fax. The fax machine has become quite pervasive within businesses. Even the smallest businesses have fax machines, and many are starting to penetrate the home or home-office space. Fax machines are very important tools. Even with all the electronic advances made, much business is conducted with pen and paper. The fax machine lets employees move information from one place to another quickly and cheaply. The home office requires fax capabilities. 341
AU1253_ch28_Frame Page 342 Sunday, October 27, 2002 5:56 AM
MANAGEMENT Faxing can be done in two ways: through fax machines and directly from a PC. The fax machine is great for the times the information resides on a piece of paper and cannot be easily transcribed electronically. Additionally, receiving and printing faxes do not require the employee to leave the PC running. The PC fax does not run out of paper while receiving a large fax. The fax can be viewed, rotated, and cleaned before printing. In some cases, the employee can use optical character recognition (OCR) to translate the fax image into text that can be imported into a word processor. Regardless of which fax receptacle is chosen, an additional telephone line should be considered. The extra line permits sending and receiving faxes while the employee is on the other line. If the extra line is not installed, the employee should use a line detector that automatically routes calls to the proper receiving device, such as telephone, answering machine, or fax machine. Fax mailboxes permit retrieval of faxes from anywhere. The fax mailbox acts like a receiving fax machine from the perspective of the fax sender. The fax images are stored on computer disk until the recipient decides to retrieve them. Using voice prompts (i.e., interactive voice response, or IVR), the fax mailbox reports the number of received faxes and directs the recipient in downloading the faxes to a fax machine. Fax mailboxes come in two forms: one-call systems and two-call systems. One-call fax mailboxes require the person retrieving faxes to place the call to the mailbox from a fax machine. When instructed, the person presses the Start or Send button on the fax machine, and the fax mailbox downloads all the faxes, or selected faxes if the mailbox provides select functions. One-call fax machines benefits are simple call charge processing and security. For example, the person retrieving the faxes pays for the call to check for messages and for downloading. If an 800 number is used to retrieve the faxes, all call charges are billed to that number for easy tracking by the company. This is especially nice if the fax mailbox service is outsourced to an outside service bureau where additional costs might be charged if they were required to dial a number, as in the case of the two-call systems. Retrieving sensitive information faxes is more secure, as the recipient is present when the faxes are downloaded. Two-call systems overcome the major disadvantage of one-call systems: accessibility to a fax machine. While staying at a hotel, a guest may not have immediate access to the hotel’s fax machine. A two-call system will permit the guest to call the fax mailbox from the room, arrange to have the faxes sent to the hotel’s fax machine, and pick them up at a later time. Secondly, accessing a one-call fax mailbox and downloading faxes to a notebook computer is very difficult because of the combination of IVR prompts and receiving modem commands. The two-call system permits 342
AU1253_ch28_Frame Page 343 Sunday, October 27, 2002 5:56 AM
Assuming Command of Your Network the person to handle all the voice prompts, hang up, and let the computer answer the incoming call. Electronic Mail. Electronic mail (e-mail) has become a mission-critical tool in business today. Because of demands on people’s time, harried travel schedules, and desires to improve family life, coordinating schedules is very difficult. E-mail lets the originator communicate his or her message at a time most convenient and the recipient respond at a different time. Additionally, e-mail has become a transport agent for all types of information, such as word processing documents, spreadsheets, or calendar requests. Video Conferencing. Video conferencing is gaining acceptance by businesses today as a way of meeting with someone without having to be physically present in the same location. Video conferencing provides the ability not only to speak to another person over a telephone line but also to see the person, or a drawing, picture, or sketch, if necessary. Video conferencing equipment comes in a variety of sizes ranging from a personal desktop version to large, auditorium setups.
Video conferencing, because of its emerging state, still requires some professional help in establishing a working system. Until recently, most systems were based on proprietary technology that precluded combining equipment and conferencing networks of different vendors. Standards have been established to eliminate this barrier. H.320 is an industry standard that describes video transmission. T.120 describes computer desktop information transmission. Any new installation of video equipment should support those standards. To have a satisfactory video conferencing experience, the conferencing network must support enough bandwidth to provide smooth picture motion. The industry has standardized on 384 kbps transmission speed between large sites. For home office use, 128 kbps is acceptable and not too costly. To reach that speed, the telecommuter must install an ISDN line in the home. ISDN lines are broken into a voice channel and two data channels. The two data channels, transmitting at 64 kbps each, are combined to provide the 128 kbps. In most areas, ISDN is still charged at the higher business rate tariffs, but in many cases, the lower residential rate tariffs are being offered. Personal desktop video equipment costs from $2000 to $5000 depending on the manufacturer, phone company rebates or subsidies, and needed equipment. Several manufacturers, such as PictureTel and Intel, offer equipment for the desktop computer. Video conferencing is an exciting new technology. But, because of the expense, many employers may balk at implementing it in every telecommuter’s 343
AU1253_ch28_Frame Page 344 Sunday, October 27, 2002 5:56 AM
MANAGEMENT home. For those applications or situations in which visual contact is necessary, video conferencing could be cost justifiable. In the other cases, the benefits of telecommuting are just as real without it. Online Connections. Online services, such as CompuServe, Prodigy, and America Online, have been around for some time. These services, outgrowths of simpler bulletin board systems, provide a wealth of information, services, and value. Simply by signing on to a service, a subscriber gains an e-mail account. For companies that cannot afford to run an internal system and support remote users, online services provide excellent means to support remote workers. Most services provide either 800-number access or a local telephone number. Whether the telecommuter is stationary at home or travels, processing e-mail and gathering information is inexpensive.
As time passes, these online services continue to enhance their service offerings, providing a one-stop shopping experience for all communications. A subscriber may be able to receive not just e-mail, but faxes and voice messages. Instead of having to access several locations and services to retrieve all communication types, the subscriber can access a universal inbox, where all types of messages are stored. Computing Resources The computer in the home office should be equipped to mirror the office computer. If the telecommuter is expected to produce at least as much at home as at the office, the computer must be up to the task. In addition, the peripheral equipment must be present. CD-ROMs, large memory banks, large hard disks, and sound cards all come standard on today’s computers. The same should hold true for the home office. The telecommuter should avoid the “hand-me-down” situation. By using the less adequate machines, the telecommuter does not realize the desired productivity gains. Subtle but costly changes to the equipment, such as smaller monitors or less memory, may affect the work of a layout artist or a CAD/CAM specialist. Simply requiring the telecommuter to switch from one screen format to another may cause frustration and lower productivity. Many telecommuters expect the company to supply the equipment for the home office, which is not always the practice. Telecommuters required to purchase their own equipment should not be tempted into buying equipment less capable than the office equipment. As software evolves, it requires more computing power to run effectively. To maximize the investment, the telecommuter should buy the most powerful equipment possible. The employer may be willing to finance the cost with a low interest rate and easy payment plans. It is cheaper to buy the better quality and more powerful equipment than to have to replace it in a year or two. 344
AU1253_ch28_Frame Page 345 Sunday, October 27, 2002 5:56 AM
Assuming Command of Your Network Multifunctional Equipment. Several companies have produced products specifically designed for the limited space in home offices. Manufacturers have performed studies that show some of the most-often-required equipment are fax machines, copiers, scanners, and printers. If all those devices are bought separately, making room in a confined home office makes for a challenging afternoon. Some manufacturers have combined these products into one unit that takes up about the same space as just one of the devices mentioned. The cost of the multifunctional may be close to the price of one device. They range in price from $700 to more than $1500. The concept of the single device that does all is compelling to the home office worker.
When choosing the multifunctional device, the telecommuter must consider several issues. If the fax portion of the machine is receiving a fax, can the printer print? If the printer is printing, can the fax receive a fax? If the printer is printing and the device cannot receive a fax, does the sender receive a busy signal so he or she can try again later? Is the quality of the individual functions equal to the quality of the stand-alone device? Is the laser printer of the same quality and speed as a stand-alone laser printer? What functions are blocked while other functions are working? Understanding those types of issues helps the telecommuter determine any effects on productivity, increased waiting times, and frustration levels. Power Concerns. Telecommuters rarely consider the electrical power needs when choosing their home office location or the equipment they will place in it. Whereas no single device overloads circuits placed in homes today, the combination of the office equipment may put a strain on house circuits. Providing the office location with enough electrical service lowers fire hazard risks, circuit breaker trips, and loss of data. The telecommuter is wise to contact a professional electrician to help determine the power needs for the office space. If necessary, the electrician will recommend running separate circuits to handle the load of the equipment.
If a telecommuter has already supplied the chosen office location with a bevy of equipment, he or she can perform a quick check to determine load on the circuitry. The first step is to start all the equipment and have it perform the functions it was designed to do. For example, the computer is computing, the monitor is being updated, the printer is printing, the fax is faxing, the lights are lit, and the answering machine is answering. The circuit box and breakers should be checked carefully for any humming noises or excess warmth. Exhibit 1 lists common office equipment and power requirements. Equipment from different manufacturers vary, so the telecommuter’s values may vary. Most circuits in today’s homes support from 15 to 20 amperes. As shown in the table, power consumption is a major concern. 345
AU1253_ch28_Frame Page 346 Sunday, October 27, 2002 5:56 AM
MANAGEMENT Exhibit 1. Common Office Equipment and Power Requirements Answering machine Computer processor Copier Cordless phone External modem Fax machine Laser printer Lights (500 watts) Office radio Postage meter Small color TV Video display Total
0.20 amps 2.00 amps 12.00 amps 0.06 amps 0.20 amps 1.50 amps 7.50 amps 4.50 amps 0.15 amps 1.60 amps 0.70 amps 0.50 amps 30.91 amps
Lighting. Lighting is another important area to consider. Improper lighting causes eye strain, headaches, and other maladies that are counter-productive and lowers the enjoyment of working from home. Glare on computer monitors, shadows while writing, and insufficient light while reading may be subtle but can cause large physical and mental stresses. The person should position the computer monitor and lights so that there is no glare, paying particular attention to light coming from windows, overhead skylights, and room lights. Fluorescent lights flicker at a similar rate to the computer monitor. Although not detectable directly by the eyes, the flickering causes severe eyestrain and headaches very quickly. Other forms of lighting should be considered. Alternative Office Strategies. Alternative office strategies provide flexibility to accommodate the many forms of telecommuting and the needs of the telecommuter. Exhibit 2 describes the various forms and the advantages and disadvantages.
In some cases, the employer has determined that the employee will be saving enough in commuting expenses to more than offset the additional costs of the above items. In other cases, the employers have split the expenses or will pay for “business only” expenses. Other companies have a more liberal policy that pays for all additional expenses. SETTLING ON A NETWORK STRATEGY In selecting a network management strategy, one should first consider the criteria for management and the minimal requirements for control without which the network could not proceed. Given these criteria, additional requirements can be added until all management needs have been met. Consider, too, whether or not the installation is a candidate for a Windows NTor UNIX-based package. Windows-based packages start out in the $4000 to 346
AU1253_ch28_Frame Page 347 Sunday, October 27, 2002 5:56 AM
Assuming Command of Your Network Exhibit 2.
Alternative Office Strategies
Strategy
Benefits and Advantages
Disadvantages and Pitfalls
On-premise options Flexible schedules
Maximizes labor-pool segment interested in part-time work
Work is accomplished when worker is most productive; problems may arise that require attention when employee is not in office
Modified offices with refined standards to improve productivity and efficiency
Reduces space required
Less hierarchical space distribution; increased flexibility for employee moves; organization cannot use office/workstation size to indicate seniority
Shared space, with two or more employees sharing single, assigned space
Better use of space
Increases headcount without increasing space required; employees may be reluctant to give up own space
Group address, designated Team orientation of users Encourages interaction among group or team space for ensures high, ongoing team members; team size may specified period of time use rate create space shortage Activity settings, with a Provides users with variety of work settings choice of setting that to fit diverse activities best responds to tasks
Fosters team interaction; requires advanced technological equipment
Free address, with work space shared on a firstcome, first-serve basis
Maximizes use of unassigned space.
Minimizes real estate overhead; suitable for sales and consultant practices; access to files can be problematic
Hoteling, with reserved work space
Accommodates staff increases without increase in facility and leasing costs
Can result in upgraded office amenities; storage can be problematic
Off-premise options Satellite office, with office Lowers rentable cost per Remote management a challenge centers used full-time square foot by employees closest to them Telecommuting, a combination of home-based and office work space
Transportation and real estate costs reduced
Improved quality of personal life. Potential increases in productivity; home office equipment may be inadequate
347
AU1253_ch28_Frame Page 348 Sunday, October 27, 2002 5:56 AM
MANAGEMENT Exhibit 2.
Alternative Office Strategies (continued)
Remote telecenter, an office center located away from main office, closer to clients
Achieves Clean- Air Act mandates
Fosters productivity and employee loyalty through improved family life; clear guidelines for and support of supervisory staff are required
Virtual office, the freedom to office anywhere, supported by technology
Increases employee productivity
Potential increase of time with clients due to reduced commute time; reduced space and occupancy costs; may affect employee connection to the organization
Compiled by consulting firm Hellmuth, Obata & Kassabaum, Inc.
$5000 range, while a UNIX-based package starts out in the $20,000 to $30,000 range for software. Added to these base prices may be application modules and node licensing fees. Not every network faces the same set of circumstances; however, network management system requirements can be affected by a number of issues that may be peculiar to a specific network. These issues can influence the choice of a network management strategy and ultimately the acquisition of a system. For example, network administrators should consider whether they will have to: • • • • •
Manage multiple domains Integrate existing disparate network management systems Manage specific items of legacy non-SNMP communications equipment Provide database support Acquire performance management tools
FUNCTIONAL REQUIREMENTS Configuration and Presentation While documentation products are not new, it is important that the network manager provide the tools to create, organize, and build organizational network views. At the basic level, there should be the ability to display topology maps with all device connections and status. As a rule, most of the vendor offerings provide support for automatic map generation, data collection, and methodologies to configure display devices. Gateways to database managers (i.e., Oracle and Sybase) with the ability to share data are also important considerations. Some networks will have different databases across multiple copies of the network management platform that are not shareable. Herein lies a 348
AU1253_ch28_Frame Page 349 Sunday, October 27, 2002 5:56 AM
Assuming Command of Your Network major problem, because event data must be shareable to be useful in tracking problems and trends. Network configuration and event data that reside in different locations, systems, or applications lead to redundant multiple databases, making consistent data and fault management difficult at best. This situation leads to repetitious polling and wasted resources. Ideally, there should be a single data repository utilizing a distributed database technology. Many vendors now provide APIs for access to their database as well as import and export tools for SQL. Aprisma supports a dual capacity in their internal database and allows distributed access as well as support for database synchronization techniques supported by HP, Sun, and Tivoli. APPLICATIONS All of the network management system (NMS) vendor products rely upon a large partner base to support their product. HP OpenView leads with the most varied applications support. Aprisma (Spectrum) also has very large numbers of applications that have been integrated into their NMS product line. The integration of partner applications has allowed HP to support the early introduction of a comprehensive network management system for the Windows NT operating environment. Aprisma also has a Windows NT version of the SPECTRUM system. Fault Management Fault management has always been the primary focus of legacy network management systems. A strong network management system will automate the entire process from first alert to resolution, as well as successful closure. This an important requirement for very large networks because there are many more pieces that can malfunction; therefore, there is the need to locate in real-time all event-driven activities. All of the vendor packages provide some form of notification, tracking, and alarm management. Products such as Aprisma have more advanced features to filter repetitive alarms and correlate alarms, eliminating the need for the user to customize this process. Tivoli, HP, and Sun provide either for user-defined filtering and correlation or access to a third-party application that provides the same facility. Performance Management Early forms of element management were handled by proprietary network management systems. In many smaller networks, these network management systems support communications devices, routers, and switches. In some network management packages, agents (hardware or software) will be deployed rather than deploying separate applications or conducting 349
AU1253_ch28_Frame Page 350 Sunday, October 27, 2002 5:56 AM
MANAGEMENT redundant polling. This strategy conserves resources and does not place an overhead burden on the basic network management operating system. However, as a minimum, there should be the capability for flexible data sampling based on established criteria. Coupled with this should be some form of easy-to-use, online graphical and text reporting of exception conditions. At present, Aprisma offers such a capability as part of its core systems; others provide this through plug-in modules from thirdparty developers. Poorly designed systems can cost in terms of resources and overhead in processing time. The application of intelligent agents and submanagers allows the localization of such functions as polling, event collection, and correlation. This technique reduces bandwidth and transmission costs while improving processing throughput and increasing the number of elements that can be effectively managed. Protocols and Standards A system that supports multiple protocols permits maximum flexibility in deployment. A management protocol permits communication and data transfer between managers and agents. While SNMP is the dominant protocol, SNMPv2, CMIP, and DMI are all contenders to some form of information exchange. Common Object Request Broker Architecture (CORBA) is the standard protocol for compliant objects that intercommunicate. With SNMP well established, there is little chance that other management protocols will rise above the subnet level. Network Managers There are many versions of network manager applications on the market. Some of these are proprietary element managers that are available from the hardware vendors. A growing number of hardware vendors also offer proprietary enterprise network management packages that support monitoring and collection of SNMP MIB information packets from any SNMP-compliant device on the network. There are a number of Windows NT network management systems on the market that also show a great deal of promise since they provide lowcost entry into enterprise network management. These systems start out in the $2000 range, with various optional application modules available at additional cost. There are also many more comprehensive network managers that have been designed to run on a UNIX platform. These generally start out in the $20,000 range for the software, and when configured with a UNIX platform, start out in the $30,000 to $40,000 range. Some of these systems have been designed as manager-of-manager systems and can integrate a number of popular network managers. 350
AU1253_ch28_Frame Page 351 Sunday, October 27, 2002 5:56 AM
Assuming Command of Your Network SUMMARY During the early 1990s, proprietary element managers allowed the operator to manage selected elements of the network. In this setting, multiple platforms provided access to topology and device databases, as well as access to devices to change ports, routing, and other operational parameters. While networks remained fairly local in nature, a dedicated operations staff was able to keep track of troublesome events as they were reported and make appropriate fixes. Network management for the enterprisewide network has changed over the past few years as network nodes have multiplied into the thousands. With large networks, there are more things that can go wrong, and event reporting on multiple platforms can easily drown even the largest and most dedicated staff. Going back a few years, the mood seemed to focus on implementing the manager-of-manager systems to integrate otherwise incompatible network managers. This was an important issue because the establishment of geographically complex WANs with multiple domains and distributed management platforms could not be managed effectively. Obviously, not all networks have the same management needs. Even more sophisticated network managers that have an array of plug-in modules to solve any specialized requirement are now emerging. In spite of the emergence of new products, it is still necessary for the administrator to carefully weigh all enterprise management needs before settling on a network management package.
351
AU1253_ch28_Frame Page 356 Sunday, October 27, 2002 5:56 AM
AU1253_Index_Frame Page 353 Wednesday, November 6, 2002 7:03 AM
Index A AAA, see Authentication, authorization, and accounting Access codes, assignment of, 97 control granular, 167 lists (ACLs), 192 systems, mechanisms, 168 VPN-based, 56 prevention, 231 Accounting Data Interchange Format (ADIF), 199 Accounting-Stop packet, 187 ACLs, see Access control lists Address management, 273 ADIF, see Accounting Data Interchange Format ADSL, see Asymmetric digital subscriber line Aether Systems, 149 AH, see Authentication header ALM, see Antilocking mechanism Alta Vista Tunnel, 88 Amazon, 155 America Online, 69, 344 ANI, see Automatic number identification Answering machine, 345, 346 Antilocking mechanism (ALM), 333 Antivirus software, 150 ANX, see Automotive Network Exchange Anywhere, anytime technology, 144 Apple Microsoft vs., 143 PowerBooks, 35
AppleTalk, 19, 35 Application(s) avoiding security holes between, 220 development, Wireless Internet, 283 gateway firewalls, 50, 51 GUI-based, 34 imaging, 33 -level firewalls, 27 licensing fees, 348 service provider (ASP), 145 trouble ticketing, 337 virus protection, 225 Aprisma intelligent agents, 336 internal database, 349 Ardis, 69 ASP, see Application service provider AssureNet Pathways, Inc., 241 Asymmetric digital subscriber line (ADSL), 14, 15, 122, 216, 327 Asynchronous transfer mode (ATM), 124, 133, 274 ATCOM, Inc., 281 Atlantic Systems Group TurnStyle firewall, 208–209 ATM, see Asynchronous transfer mode ATM machines, 286 AT&T, 95, 128 EasyLink Services, 100 EDIView, 98 Mail, 70 SDDN, 102 SDN Billing Advantage, 98 TMDA used by, 286 Attachmate Remote LAN Node Server (RLN), 208 353
AU1253_Index_Frame Page 354 Wednesday, November 6, 2002 7:03 AM
Index Attack(s) denial of service, 225, 227, 246 detection software, 91 man-in-the-middle, 216, 218 organization caught unprepared for, 304 telco, 173 uninterrupted, 238 U-Turn, 161 Attribute/value (AV), 189 Attribute–value pairs (AVPs), 197 Audit dial-in, 249 trails, 27 Authentication authorization, and accounting (AAA), 178, 183, 184 biometric, 26 Center, 289 challenge-response asynchronous authentication, 209 check items, 189 DIAMETER, 198 event-plus-time synchronous, 211 header (AH), 265 process, two-factor, 210 RADIUS-based, 280 services, token-based, 51 SSL client, 229 SSL server, 229 strong, 16 systems, time-only synchronous, 211 TACACS, 192 third-party, 21 tokens, 205, 209 user, 207 Authentication, remote access, 201–212 components securing remote access, 206–212 authorization, 207 user authentication, 207–212 enterprise-specific security choices, 202–204 basic controls, 203 file transfer controls, 204 inbound traffic controls, 204 management controls, 203–204 outbound traffic controls, 204 establishment of common 354
vocabulary, 205–206 authentication, 205 remote access, 205–206 remote control, 206 security process, 202 user and client authentication, 201–202 Authentication services, centralized, 183–200 DIAMETER, 197–200 accounting, 199–200 authentication, 198 authorization, 199 foundation, 197–198 proxy configurations, 198–199 security, 200 key features of AAA service, 184–185 RADIUS, 186–191 accounting, 187 authentications and authorizations, 186 ease of implementation, 188–190 forward thinking, 187–188 limitations, 190–191 TACACS, 191–197 accounting, 192–193 authentication, 192 authorization, 192 implementation of, 193–196 limitations, 196–197 other capabilities, 193 Automatic number identification (ANI), 96 Automotive Network Exchange (ANX), 55 Auto-reboot, 38 AV, see Attribute/value Avon Products, Inc., 135 AVPs, see Attribute–value pairs
B Bandwidth-on-demand pricing, 101 Basic input/output system (BIOS), 221 Basic Rate Interface (BRI), 15 Basic trading area (BTA), 133 Bay Networks, OEM agreement with, 87 BellSouth, 69, 153 Beta tests, 83
AU1253_Index_Frame Page 355 Wednesday, November 6, 2002 7:03 AM
Index Big Five accounting firms, 245 Binary transaction, 140 Biometrics, 26, 240 BIOS, see Basic input/output system Borderless networking, see Extranets BorderManager, 45 Border security, 42 Branch office connection network, 257, 258 Break-in attempts, 45 BRI, see Basic Rate Interface Broadband ISDN, ATM-based, 328 lines, 4 BroadVision Mobile Solution, 145 Browsers, VPN software embedded in, 126 BTA, see Basic trading area BT Tymnet, 60 BUGTRAQ, 168 Business-to-business VPNs, 91
C CA, see Certificate authority Cable modem, 15, 20, 123 TV Internet connections, 216 Calendar requests, e-mail as transport agent for, 343 Call blocking, 102 detail records (CDRs), 152 forwarding, 341 screening, 96 Callback, 25 Caller ID, 25, 185 Carnegie Mellon University Computer Emergency Response Team (CERT), 41 CCP, see Compression Control Protocol CDMA, see Code division multiple access CDPD, see Cellular Digital Packet Data CD-ROM reader cost, 62, 64 Novell NetWare-compliant, 63 CDRs, see Call detail records Celesta, 146
Cell-Loc, 142 Cellmania, 145 Cellular Digital Packet Data (CDPD), 130 Cellular One, 130 Cellular phone(s), 312 CDMA, 291 Internet-enabled, 303 lost, 294 Nokia 9000, 146 TDMA, 288 Central office (CO), 136 Centrex services, VPNS service compatible with, 103 CERT, see Carnegie Mellon University Computer Emergency Response Team Certificate authority (CA), 104, 229, 264 validation, 153 Challenge Handshake Authentication Protocol (CHAP), 25, 71, 184, 259, 260 Challenge-response asynchronous authentication, 209 CHAP, see Challenge Handshake Authentication Protocol Checkpoint firewall, 208 Check Point Software, 87 Cingular, 286 CIR, see Committed information rate Circadian rhythm, 8, 308 Cisco Systems, 155 devices, client setup for TACACS on, 193 routers, 208, 246 security features now in development by, 253 technology proposed by, 274 Citrix, 78, 145 Clean Air Act, 5 Client file, 189 Clipper chip, 263 CMAK, see Connection Manager Administration Kit CO, see Central office Code division multiple access (CDMA), 144, 286, 290 cell phones, 291 wideband, 292 355
AU1253_Index_Frame Page 356 Wednesday, November 6, 2002 7:03 AM
Index Committed information rate (CIR), 123 Common Object Request Broker Architecture (CORBA), 350 Communication servers, 75–83, 205 adherence to remote access communication policy, 82 administration costs, 82 combining connections, 81 creating and enforcing remote access communication policies, 81 methods of connecting, 76 remote control, 76–78 remote node, 79–81 types of network users, 75–76 roving executives, 76 telecommuters, 75 traveling sales force, 75–76 Company LAN, remote access to, 311 Compression Control Protocol (CCP), 261 CompuServe, 69, 344 Computer-aided design/computeraided engineering (CAD/CAE), 101 Confidentiality, challenge to preserving, 295 Connection Manager Administration Kit (CMAK), 278 Connection mediums, 12 CORBA, see Common Object Request Broker Architecture Corporate firewall, 160 Corporate relocation expenses, 319 CPE, see Customer premises equipment Crash cart, 223, 226 Crypto servers, 26 Customer premises equipment (CPE), 101, 103 CyberSAFE Kerberos-based system, 207 Cygnus Support Kerberos-based system, 207
D Dan Farmer SATAN, 91 DAs, see Distributed antennas Data communication, 327 356
encryption, 273 Encryption Standard (DES), 71, 242, 263 needs, definition of, 59 services high-speed, 100 low-speed, 100 Database access methods, 61 information cost of accessing external, 63 strategy for accessing external, 60 network management, 99 SQL, 224, 225 Databases, providing access to external, 59–64 database access cost, 62 defining data needs, 59 economizing on multiple access requirements, 62 information access methods, 60–61 LAN access to modem pool, 62–64 selecting external sources, 59–60 update frequency, 61 Dataphone digital service (DDS), 101 DDS, see Dataphone digital service DEC, 16 DECnet, 35 DECT system, see Digital enhanced cordless telecommunications system Dedicated circuits, 173 Default accounts, lack of controls on, 247 Dell, 143 Demilitarized LAN (DMZ LAN), 113 Demon dialer programs, 261 Denial of service (DoS) attack, 225, 227, 246 DES, see Data Encryption Standard Desktop operating systems, 45 Dial-back, 71 Dial-in security mistakes, 245–250 accounts with easily guessed passwords, 247 data lines in same prefix as voice lines, 245–246 direct dial-in systems, 246–247 enticement information, 246
AU1253_Index_Frame Page 357 Wednesday, November 6, 2002 7:03 AM
Index help files, 248 lack of controls on default accounts, 247 lack of monitoring, 248–249 pcAnywhere, 248 trust, 249 unlimited access attempts, 249 Dial solutions, high cost of owning, 162 Dial-up access, types of, 234 /callback systems, problem associated with, 242 computer systems, capacity for unauthorized users to gain access to, 233 modems, 101 networking technology (DUN), 278 routers, 36 scenario, advantages and disadvantages of, 81 Dial-up security controls, 233–244 authentication requirements, 240–243 challenge–response, 241 dial-up/callback systems, 241–242 encryption, 242–243 physical devices, 240–241 time–synchronous, 241 final defense, 243 identification, 236–237 minimizing risks, 235–236 passwords, 237–240 types of dial-up access, 234–235 direct dial, 234 packet switching, 234–235 DIAMETER, 183 authentication transaction, 198 broker proxy server, 190 proxy configurations, 198 Strong Proxy Extension, 200 Dictionary file, 189 Digital certificates, client-side, 56 Digital enhanced cordless telecommunications (DECT) system, 129 Digital Equipment Alta Vista Tunnel, 88 Digital service units (DSUs), 101 Digital transmission methods, 291 Direct-dial facility, 234
Directory server, stand-alone, 54 Disk access sharing, 63 Disk Operating System–based notebooks, 35 Distributed antennas (DAs), 130 Distributed radio system (DRS), 130 DMZ LAN, see Demilitarized LAN DNS, see Domain name server Domain name server (DNS), 257 DoS attack, see Denial of service attack Dow Jones, 59, 60 DRS, see Distributed radio system DS-1 connection, 86 DSL Internet services, 161 DSUs, see Digital service units Dumb terminals, 3 DUN, see Dial-up networking technology Dynamic passwords, 26 Dynamic rekeying, 88
E Eagle Remote firewall, 87 EAP, see Extensible Authentication Protocol Eavesdropping, 216 E-business type applications, wireless, 139 E-commerce transactions, 139 EDGE, see Enhanced Data rates for Global Evolution Edge network users, 157 Educational institutions, telecommuting policies of, 320 EFS, see Error-free seconds EFT, see Electronic funds transfers Electronic dictionary, 115 Electronic funds transfers (EFT), 40 Electronic intrusion, 227 Electronic mail, see E-mail Electronic payment transactions, securing of, 255 E-mail (electronic mail), 11, 67, 326 access, 68 attachments, 9, 296 connections, 67 conversation, captured, 216 expectations with advent of, 5 Internet, 75 357
AU1253_Index_Frame Page 358 Wednesday, November 6, 2002 7:03 AM
Index remote access to, 35 remote users exchanging, 6 server, remote, 67 systems, LAN-based, 9 Employee(s) disabled, 318 hacker befriending, 238 ID cards, 167 recruiting, 10 retention, 4, 10 telecommuting, 313, 314 turnover, 172, 318 userIDs, 111 Encapsulation security header, 266 security payload (ESP), 265 Encryption algorithms, 56, 150 client-to-firewall, 23 data, 273 end-to-end, 26, 297 file, 219 GSM, see GSM encryption hardware-based, 87, 104 implications, 49 keys, 189, 218 methods, PDA, 284 Microsoft point-to-point, 263 network, 219 on-the-fly, 218 password, 71 public-key, 230 Skipjack, 263 software, 217 SSL-to-WTLS, 298 symmetric, 263 End-to-end encryption, 26, 43, 297 End-user education, 180 Enhanced Data rates for Global Evolution (EDGE), 292 Enterprise -critical devices, potential for damage to, 227 expenses, ways to reduce, 267 networks, 159 partner/supplier network, 256 Enticement information, 246 EPOC, WAP built on, 147, 149 Ericsson, 128, 137 358
Error-free seconds (EFS), 102 Error recovery software, 38 ESP, see Encapsulation security payload Event-plus-time synchronous authentication, 211 Everypath, 151 Excite, 155 Extensible Authentication Protocol (EAP), 197, 252, 264 External network communications, secure, 221–231 data centers with MKV, 223–225 dilemma, 225 dramatically improved productivity and external security, 222 electronic intrusion, 227 enterprise risk, 225–226 external security as cornerstone of development, 227–228 OS log-on/password, 228 remote site support, 223 Secure Sockets Layer for external IP connections, 228–230 encrypted SSL connection, 229–230 SSL client authentication, 229 SSL server authentication, 229 system architecture, 230 unique concerns in data center environment, 226–227 Extranets, 39–46, 269 access, 123 analyzing solutions, 42–45 accelerating performance, 44 facilitating network management and increasing user productivity, 43–44 maintaining security, 42–43 virtual private networks, 44–45 architecture, reverse proxy, 52 benefits of borderless networks, 39–42 Internet business model, 42 management, 41 performance, 41 potential problems of integrated networks, 40 security, 40–41 challenge of, 46
AU1253_Index_Frame Page 359 Wednesday, November 6, 2002 7:03 AM
Index growth of, 48 implementations, earliest, 49 implementing and supporting of, 47–57 application gateway firewalls, 50–57 router-based extranet architecture, 49–50 major network vendor provides borderless solution, 45 partner connectivity, 121
F Failed solution, most common cause of, 12 Family Leave Act, 5 Fax, 11 machine(s), 4, 312 hotel, 342 pervasiveness of, 341 power requirement, 346 telecommuter access to, 75 online, 127 FDMA, see Frequency division multiple access Feel better reasoning, 7 FEPs, see Front-end processors Field force automation, 68 File encryption, 219 servers, 19 Transfer Protocol (FTP), 61, 204 Filters, 336, 277 Fingerprints, 240 Fire fighting, 10 Firewall(s), 111 age-old, 48 application gateway, 50, 51 Atlantic Systems Group TurnStyle, 208–209 Checkpoint, 208 corporate, 160 Eagle Remote, 87 holes opened in remote, 160 IBM AIX, 257 IPSec-enabled, 258 personal, 159 placement of, 115
private enterprise network, 49 proxy service capability of, 116 third-party, 260 using PPTP with, 262 vendors, 26 VPN-capable, 92 -Wizards, 168 FLEXOS, WAP built on, 147 Forrester Research Inc., 69 Frame relay, 15, 37 circuits, 173, 175 connection, 123 Frame slippage, 99 Fraud detection, 199 Free services, 154 Frequency division multiple access (FDMA), 287 shift keying (FSK), 131 Front-end processors (FEPs), 262 FSK, see Frequency shift keying FTP, see File Transfer Protocol Functions, remote access, 29–38 remote access servers, 35–38 dial-up bridges and routers, 36–37 faster connections, 36 hybrid solutions for resource pooling, 37–38 remote dial-up bridges and routers, 37 remote node versus remote control, 30–35 client/server approach, 34–35 remote node, 32–33 software solution, 33–34 variations of remote control, 30–32 Fundamentals, remote access, 3–12 benefits of remote access, 6–7 employee benefits, 7–9 manager and employee benefits, 10–11 overview, 4–5 users of remote access, 4–5 why organizations need remote access, 5
G Gap in WAP, 298, 300, 303 359
AU1253_Index_Frame Page 360 Wednesday, November 6, 2002 7:03 AM
Index Gateway -to-gateway VPN, 54 management of centralized, 21 General Motors Cadillac, OnStar system offered with, 133 General Packet Radio Service (GPRS), 130, 152, 291 Generic routing encapsulation (GRE), 274 Geoworks, 142 Global positioning system (GPS), 133, 134, 146 Global System for Mobile (GSM), 144 communications, 144, 286 encryption, 290 networks, 127 phones, SIM cards used by, 293 use of in European nations, 288 GMT, see Greenwich Mean Time Government agencies, telecommuting policies of, 320 directives, 3 GPRS, see General Packet Radio Service GPS, see Global positioning system Graphic user interface (GUI), 17, 33 -based applications, 34 utility, Ping as, 117 GRE, see Generic routing encapsulation Greenwich Mean Time (GMT), 241 Groupware, 9, 329 GSM, see Global System for Mobile GUI, see Graphic user interface
programs, 235 HandMail, 131 Hand-me-down situation, telecommuter, 344 Handset microbrowser, 153 HandWeb software, 131 Hardware-based encryption, 87, 104 Health care service providers, wireless technology used by, 134 Help desk, 82, 222 Hewlett-Packard OpenView, 333, 334, 349 High-speed circuit-switched data (HSCSD), 151 High-speed data services, 100 High-speed Internet access, 15 High-tech criminals, security concerns caused by, 213, 215 Home office computer, 344 Host as ISP, 301 WAP gateway at, 300 Hoteling, 6, 11 HSCSD, see High-speed circuit-switched data HTML, 138, 140, 147 HTTP, see HyperText Transport Protocol Hull Trading, 135 Human error, 168 HyperText Transport Protocol (HTTP), 114, 138, 147, 229
I H Hacker(s), 111 bulletin boards, 236 casual, 250 dedicated, 250 employee befriended by, 238 first thing done by, 245 proficiency of in accessing computer systems, 243 remote access and, 24 security concerns caused by, 213 skills of, 214 Hacking motivation behind, 215 360
IANA, see Internet Assigned Numbers Authority IBM, 69, 155 AIX firewall, 257 eNetwork VPN offerings, 255 Global Services, 256 intelligent agents, 336 Kerberos-based system, 207 mobile workers for, 320 NetView/6000, 333 security features now in development by, 253 telecommuting pilot program, 308 teleworkers for, 321
AU1253_Index_Frame Page 361 Wednesday, November 6, 2002 7:03 AM
Index ICA, see Intelligent Console Architecture ICMP, see Internet Control Message Protocol IDC, see International Data Corporation IDDD numbers, see International direct distance dialed numbers IDEA, see International Data Encryption Algorithm IEEE standard, wireless networking, 132 IETF, see Internet Engineering Task Force Imaging applications, 33 Industrial espionage, 214 Industrial Revolution, 3, 323 Information access provider, 59 systems (IS), 201 technology (IT), 214 Technology groups (ITGs), 277 Information Age, growth of, 3 Insurance companies, telecommuting policies of, 320 Integrated Services Digital Networks (ISDN), 3, 20, 37, 69, 123 Basic Rate Interface, 37 broadband, 328 dial-up lines to, 12 equipment, suppliers of, 69 lines, 4 Intel desktop computer equipment offered by, 343 LANRover, 81 Intelligent agents, 336 Intelligent Console Architecture (ICA), 78 International Data Corporation (IDC), 41, 68, 144 International Data Encryption Algorithm (IDEA), 263 International direct distance dialed (IDDD) numbers, 97 International Telecommunications Union (ITU), 127, 152 International Traffic in Arms Regulation (ITAR), 125 Internet access
cost, home, 171 high-speed, 15 wireless, 132 as business medium, 39 business model, 42 connection bare-bones, 177 cable TV, 216 connectivity cost, 123 Control Message Protocol (ICMP), 117 e-mail, 75 expectations with advent of, 5 growth less-desirable effect of, 44 opportunities offered by, 46 problems, troubleshooting, 174 Protocol (IP), 161, 273 address, 27 gateways, 178 telephony, platform for, 280 Protocol Security (IPSec), 23, 132, 174, 252 -enabled firewalls, 258 interoperability, 57 purpose of, 265 standard, industry adoption of, 57 tunnel mode, 276 vendor implementations, 105 VPNs, 103, 104 routing infrastructure provided by, 269 Security Association and Key Management Protocol (ISAKMP), 104, 254, 265 Security System SafeSuite, 91 service provider (ISP), 22, 42, 70, 107, 252 cost, 123 host as, 301 Internet hub, 132 Network Access Server, 271 router, 108 world’s largest, 279 service vendors (ISVs), 145 transactions, end-to-end encryption to protect, 297 use of as virtual network, 107, 111 VIP technology deployed over, 175 361
AU1253_Index_Frame Page 362 Wednesday, November 6, 2002 7:03 AM
Index wireless, 284 adoption of, 141 application development for, 283 Internet Assigned Numbers Authority (IANA), 262 Internet Engineering Task Force (IETF), 183, 253 design of IPSec by, 265 standard, 191 Internet Packet Exchange (IPX), 19, 273 send and wait characteristic of, 36 /SPX, 45 Intranet connecting computers over, 272 expectations with advent of, 5 /Internet connections, importance of to organization, 39 Invalid password, 237 IP, see Internet Protocol IPSec, see Internet Protocol Security IPX, see Internet Packet Exchange IS, see Information systems ISAKMP, see Internet Security Association and Key Management Protocol ISDN, see Integrated Services Digital Networks ISP, see Internet service provider ISVs, see Internet service vendors IT, see Information technology ITAR, see International Traffic in Arms Regulation ITGs, see Information Technology groups ITU, see International Telecommunications Union
J JavaOS, WAP built on, 147, 149 Job completion time estimation, 311 satisfaction, 316 Jupiter Communications, 155
K Kerberos, 71, 207 Key management, 273 362
L LAN, see Local area network LAN access technology, remote, 65–72 applications, 67–68 field force automation, 68–71 dial-in transportation, 69 dial-out connections, 69–71 remote access methods, 65–66 remote node access, 66 security options, 71 audit logs and authentication, 71 encryption and dial-back, 71 Laptop(s) computers, saving password on, 239 files stored on, 216 theft, 214, 215 UNIX-based, 35 Layer 2 forwarding (L2F), 27, 274 Layer 2 Tunneling Protocol (L2TP), 255, 274, 276 LDAP, see Lightweight directory access protocol LeeMah Datacom Security Corporation, 241 L2F, see Layer 2 forwarding Lights-out environment, 226 Lightweight directory access protocol (LDAP), 257 Livingston Enterprises, 183 LMCS, see Local multipoint communications systems LMDS, see Local multipoint distribution services Local area network (LAN), 14, 29, 108 access Ethernet-based, 63 major modes of remote, 65 -attached workstations, 33 -based e-mail systems, 9 client/server, 334 configuration of for remote access, 33 demilitarized, 113 design of for corporate environment, 41 dial-up users, authenticating, 206 Ethernet bus-based, 62 print servers linked to, 135
AU1253_Index_Frame Page 363 Wednesday, November 6, 2002 7:03 AM
Index -to-LAN connections, 170, 273 mainframe connected to distant, 110 multiple PCs attached to remote workgroup, 36 new type of, 85 PBX systems integrated directly to corporate, 129 print servers, 66 remote access company, 311 unauthorized, 202 rerouter, 79 users in simplest, 165 virtual, 85 Windows 2000-based computer connected to, 260 wireless, 131, 158 Local multipoint communications systems (LMCS), 133 Local multipoint distribution services (LMDS), 133 Logical link control (LLC), 110 Login(s) Apple, 196 attempts, failed, 27 privileges, restriction of, 165 proxy, 204 Long-distance charges, 122 Lotus Notes, 329 Low-speed data services, 100 L2TP, see Layer 2 Tunneling Protocol Lucent Technologies, 128, 146, 183
M Macintosh OsX, 45 Macro viruses, 215 MailFAX, 100 Mainframes, 16, 65 Maintenance network, 230 Malicious code protection, 219 Malicious programs, users unwittingly downloading, 297 Malware, users unwittingly downloading, 297 Management by example, 325 Management by walking around, 325 Man-in-the-middle attacks, 216, 218 Manufacturing companies,
telecommuting policies of, 320 MBS, see Mini base stations MCI, 95 Mail, 70 Virtual Private Data Service (VPDS), 100 M-commerce, see Mobile commerce Medical imaging, 101 Messaging tools, 329 Microbrowser, 153 Microsoft, 155 Apple vs., 143 domain controller, 184 Internet Explorer, 45, 228 ITG, 277, 278, 279 original mobile phone browser, 141 point-to-point encryption (MPPE), 263 Proxy Server, 281 RAS, 81 security features now in development by, 253 Windows, 33, 221 Windows 3.1, 31 Windows 3.11, 31 Windows 95, 31 Dial-Up Network, 239 lack of security features, 216 Windows 2000 Remote Access Service, 279 user database, client accounts validated against, 259 Windows CE, 137 handheld devices, 143 software, 131, 136 WAP built on, 147, 149 Windows NT, 105 4.0, 29, 31, 259 Access Server, 30 domains, 168 Ping command, 117, 118 Remote Access Service, 208 Workstation, 45 Word, 79 Mini base stations (MBS), 130 Mischief, possible access for, 225 Mitsubishi, Mondo, 143 MKV, see Mouse, keyboard, and video Mobile commerce (M-commerce), 144 363
AU1253_Index_Frame Page 364 Wednesday, November 6, 2002 7:03 AM
Index critical success factors for, 151 high-speed connectivity for, 154 WAP and, 150 Mobile telephone(s), 127 adoption rate, 141 health issues, 149 next generation of, 297 radiation, 150 shopping online using, 285 Mobile workers, 320 Model, Minstrel, 131 Modem(s), 35 -based connectivity, 172 cable, 15, 20, 123 computing device with attached, 233 dial-up, 101 pool, 70 LAN access to, 62 maintaining of, 270 ratio of employees to modems in, 63 technology advancement of, 69 changing, 172 characteristics of, 66 wireless, 135 Motorola, 69, 129, 130, 137, 156 Mouse, keyboard, and video (MKV), 221, 230 data centers with, 223 free-for-all, 223, 227 switching systems, 222 MPPE, see Microsoft point-to-point encryption MS-DOS Command Prompt window, 117
N NAS, see Network access server NAT, see Network address translation National Computer Security Center (NCSC), 228 National Institute for Standards and Technology (NIST), 125 NCP, see Network control point NCSC, see National Computer Security Center NDS, see Novell Directory Services NEC, 128, 142
Neighborhood shared workspace, 309 NetBEUI, 35 NetBIOS, 35, 170 Netscape, 45, 155, 228 NetWare NDS, 105 Network(s) access server (NAS), 172, 183, 271 address translation (NAT), 257 alarms, 99 architecture, critical component of, 201 attacker with access to protected, 124 -aware virus, 217 bandwidth, 171 branch office connection, 257, 258 carrier-provided, see Virtual private networks, traditional carrier connections, private, 173 control point (NCP), 100 disruptions, 168 encryption, 219 enterprise, 159, 256 equipment vendors, 177 file server, 67 File Service (NFS) Protocol, 169 flexibility, 97 infrastructure, design of, 121 job entry (NJE), 101 LAN-to-LAN, 47 latency, applications sensitive to, 172 logon prompt, 72 maintenance, 230 management database, 99 needs of, 351 platforms, UNIX, 334 system (NMS), 221, 349 operating systems, 45 Operations Center (NOC), 160 packet-switching, 234, 235 performance, monitoring of, 97 predictability, 110, 121 RAM Mobile Data, 69 remote access, 258 resources, protection of, 166 security, 121 service(s) 364
AU1253_Index_Frame Page 365 Wednesday, November 6, 2002 7:03 AM
Index best-of-breed, 278 providers, VPN products aimed at, 176 topology, WAP, 140 transport protocols, 45 users, types of, 75 value-added, 270 violations, 92 VPN-aware, 251 Network, assuming command of, 333–351 applications, 349–350 fault management, 349 network managers, 350 performance management, 349–350 protocols and standards, 350 cost of management, 334–335 functional requirements, 348–349 human element, 336–337 long-term projections, 335–336 manager skill set, 338 training, 338–339 office technology for telecommuter, 339–346 communications, 339–344 computing resources, 344–346 settling on network strategy, 346–348 telecommuter skill set, 337 training, 337–338 Network Associates WebXRay, 117 Network Computing Devices, Inc., 78 Networking flexibility, 101 virtual, 85 NFS Protocol, see Network File Service Protocol Nilles, Jack, 315 NIST, see National Institute for Standards and Technology NJE, see Network job entry NMS, see Network management system NOC, see Network Operations Center Nokia, 130, 137, 142, 143 9000 cellular telephones, 146 Communicator, 142 Nortel Companion system, 129
Notebooks, Disk Operating System–based, 35 Novatel, Minstrel modem, 131 Novell Directory Services (NDS), 45 IPX, 36 NDS server, 184 NetWare-compliant CD-ROM reader, 63 Netware Directory Service, 168 NTT DoCoMo, 141, 151, 285
O OCR, see Optical character recognition Office chat, 318 equipment, common, 346 space reduction, 11 strategies, alternative, 347–348 One-time password, 210 Online fax, 127 Online help, 248 Online ticket purchasing, 139 OnStar system, 133, 134 Openwave Secure Enterprise Proxy, 301, 302 Optical character recognition (OCR), 342 Oracle, 145, 348 ORDENT, 14 Organization identity of, 331 reward mechanisms, 330 OS/9, WAP built on, 147
P Pacific Exchange, 135 Packet filtering PPTP, 261 router, 114 leaks, 168 -switching networks, 234, 235 Pagers, 11 Palm OS, 137, 147, 149 PAP, see Password Authentication Protocol 365
AU1253_Index_Frame Page 366 Wednesday, November 6, 2002 7:03 AM
Index Password(s) accounts with easily guessed, 247 audit trail of previously issued, 237 Authentication Protocol (PAP), 25, 71, 184 breaking into UNIX system through use of, 249 deployment of, 24 design of, 237 distribution of employee, 111 dynamic, 26 encryption, 71 establishment of for Apple logins, 196 files, stealing of, 246 generators, dynamic, 240 guesser, automated, 249 invalid, 237 multiple, 238 obvious, 25 one-time, 210 protection, 25 reusable, 207, 208 sniffer, 208 uniqueness, ensuring, 261 PBX, see Private branch exchange pcAnywhere, 248 PDAs, see Personal digital assistants PDC, see Personal digital communications PDD, see Post dialing delay Pentium processor, 78, 282 Perceived threat, 171 PERL, 45 Permanent virtual circuits (PVCs), 123, 276 Personal digital assistants (PDAs), 137, 150, 284 Personal digital communications (PDC), 291 Personal identification number (PIN), 26, 210 Phone.com, 137, 142 PictureTel, desktop computer equipment offered by, 343 PIN, see Personal identification number Ping utility, 117, 118, 121 PKI, see Public key infrastructure
PLCs, see Programmable logic controllers PN code, see Pseudorandom noise code Point-to-Point Protocol (PPP), 25, 70, 255 Point-to-Point-Tunneling Protocol (PPTP), 26, 43, 260, 274 packet construction of, 275 filtering, 261 protocol standard, movement to, 267 use of with firewalls, 262 Point of presence (POP), 97, 282 POP, see Point of presence Post dialing delay (PDD), 102 Postintrusion monitoring software, 243 PPP, see Point-to-Point Protocol PPTP, see Point-to-Point-Tunneling Protocol Print servers, 66, 135 Private branch exchange (PBX), 97, 101, 128 VPNS service compatible with, 103 wireless, 129 Private network access, services billed as, 177 connections, 173 Private tunnels, 24 Private Virtual Circuits (PVCs), 86 Prodigy, 70, 344 Programmable logic controllers (PLCs), 135 Program source code, 242 Project-based work schedule, 8 Proxy(ies), 42 architecture, outbound, 52 caching, 44 functions, 51 logins, 204 requests, username prefixes used for, 189 servers, 55 types of, 51 Pseudorandom noise (PN) code, 290 PSTN, see Public Switched Telephone Network Public key encryption, 230 infrastructure (PKI), 153, 294 366
AU1253_Index_Frame Page 367 Wednesday, November 6, 2002 7:03 AM
Index Public Switched Telephone Network (PSTN), 301 PVCs, see Permanent virtual circuits
Q QoS, see Quality of service Qualcomm, 130, 134 Quality of service (QoS), 124 QWRTY keypad, 142
R RADIUS, see Remote Authentication Dial-In User Service RAM Mobile Data network, 69 Raptor Systems, 87 RAS, see Remote access server REA, see Rural Electrification Administration RedCreek, 87 Reflective access lists, 111, 113 Remedy’s trouble ticketing application, 337 Remote access backup methods of, 171 definition of, 4 fees, 279 Internet-based, 22, 23 methods, 15–18, 66 dedicated application, 17 integrated solution, 21 remote control over remote node, 20 terminal servers, 16 network, 258 number one user of, 4 policy sample, 181 simplest type of, 81 security products, market for, 201 server(s) (RAS), 35, 260, 301 options, 72 variety of, 79 software, 206 Remote Authentication Dial-In User Service (RADIUS), 27, 71, 105, 183
-based authentication, 280 client setup for, 189 server, 186, 187 transaction types, 186 Remote control disadvantages, 33 scenario, 77 software, 33 Remote job entry (RJE), 101 Remote node connection, 206 products, 30 scenario, 80 server, 67, 81 Remote office connectivity, 121 Remote servers, lights-out support for, 223 Research In Motion, Verisign plan endorsed by, 153 Reservation Protocol (RSVP), 110 Resource pooling, hybrid solutions for, 37 Retinal scans, 240 Reusable passwords, 207, 208 Reverse proxy extranet architecture, 52 Risk analysis, 28 RJE, see Remote job entry RLN, see Attachmate Remote LAN Node Server Road warrior(s) new-age, 127 remote access for, 169 Rolm, 128 Router(s) access lists, 112 basic extranet, 50 Cisco, 208, 246 dial-up, 36 ISP, 108 original intention of, 50 packet filtering, 111, 114 port requirements, comparing private network, 109 using PPTP with, 262 Roving executives, 76 RSA Security, Verisign plan endorsed by, 153 RSVP, see Reservation Protocol 367
AU1253_Index_Frame Page 368 Wednesday, November 6, 2002 7:03 AM
Index Rural Electrification Administration (REA), 128 Rush-hour commutes, 307
S SAFER, see Split Access Flexible Egress Routing Satellite work center, 309 SDN, see Software Defined Network SDS, see Switched digital services Secure Electronic Transaction (SET) protocol, 254 Secure Enterprise Proxy, 301 SecureID, 185, 188 Secure remote access, 165–181 reliable authentication of remote users/hosts, 167–172 connectivity to remote users and locations, 169–170 granular access control, 167–168 logging and auditing of system utilization, 168–169 minimizing costs, 170–172 protection of confidential data, 168 transparent reproduction of workplace environment, 169 remote access mechanisms, 172–176 remote access policy, 179–181 security goals for remote access, 166 selection of remote access system, 178–179 virtual private networks, 176–177 Secure Sockets Layer (SSL), 54, 152, 228, 254 certificates, 153 client authentication, 229 connection, encrypted, 229 handshake protocol, 230 server authentication, 229 -to-WTLS encryption, 298 Security controls, dial-up, see Dial-up security controls holes, 45 lax, 207 mailing lists, 168
mistakes, dial-in, see Dial-in security mistakes network, 121 object-layer, 255 panacea, 202 pitfalls, avoiding, 217 policies, most effective, 179 risk(s) assessment, 48 means of lowering, 213 software, 219 tools, evaluation of, 203 transaction-level, 264 virtual private network, see Virtual private network security Security Dynamics Secure ID card, 115 types and implementation of tokens, 241 Serial Line Internet Protocol (SLIP), 27 Server AAA, 183, 184 communications, see Communication servers crypto, 26 directory, stand-alone, 54 domain name, 257 e-mail, 67, 68 features, 27 file, 19, 169 management system, 224 Message Bus (SMB), 169 Microsoft Windows, requirement of, 221 network access, 172, 183 file, 67 Novell NDS, 184 ORDENT, 14 print, 66, 135 proxy, 55 RADIUS, 186, 187 remote access, 35, 301 options, 72 variety of, 79 Remote Access Service, 260 remote node, 67, 81 support, 222 TACACS, 193, 194 368
AU1253_Index_Frame Page 369 Wednesday, November 6, 2002 7:03 AM
Index terminal, 16 tunnel, 120 UNIX type, requirement of, 221 VPN, vendor, 57 Web, extranet with authenticating, 53 Windows NT Access, 30 Yale University, 117, 119 Service Level Agreement (SLA), 227 Service provider, WAP gateway at, 299 SES, see Severe errored seconds SET protocol, see Secure Electronic Transaction protocol Severe errored seconds (SES), 102 Shared wiring, philosophy of, 32 Shiva, 81 Short Message Service (SMS), 146, 149 Siemens, 128 Signal loss, 99 SIM, see Subscriber identity module Simple Network Management Protocol (SNMP), 333, 350 Skipjack encryption technology, 263 SLA, see Service Level Agreement SLIP, see Serial Line Internet Protocol Smart card(s), 56, 289 interfaces, 142 media-like, 219 SmartCode software, 131 SMB, see Server Message Bus SMS, see Short Message Service SNMP, see Simple Network Management Protocol Software antivirus, 150 attack detection, 91 Defined Network (SDN), 95 encryption, 217 error recovery, 38 HandWeb, 131 hangs, 38 Microsoft Windows CE, 131 newly downloaded, 244 postintrusion monitoring, 243 remote access, 206 remote control, 33 remote node server, 81 security, 219 server-based authentication, 208
SmartCode, 131 suppliers, security features now in development by, 253 tunnel, establishment of, 54 Solution, design of remote access, 13–28 administration systems, 27 connectivity options, 14–15 defining requirements, 13–14 integrated solution, 21–22 Internet-based remote access, 22–27 issues/solutions, 23–24 protection of network resources, 27 protection of transmitted data, 26–27 security, 24 basic approaches, 24–25 goals, 24 user authentication, 25–26 remote access methods, 15–18 dedicated application, 17–18 terminal servers, 16–17 remote access policy, 28 remote control, 18–19, 20–21 remote node, 19–20 server features, 27 Sonera SmartTrust, Verisign plan endorsed by, 153 Split Access Flexible Egress Routing (SAFER), 103 Spoofing/masquerading, 50 Spreadsheet(s) e-mail as transport agent for, 343 packages, 33 Sprint, 95 SprintNet, 60 Sprint PCS smart phones, 130 SQL database, 224, 225 SSL, see Secure Sockets Layer Strategy, choosing of remote access, 157–162 remote network access and wireless network security, 158–160 corporate firewall, 160 firewalls as part of problem, 159 personal firewalls, 159–160 VPNs as part of problem, 158–159 strategy, 160–161 centralized management, 161 369
AU1253_Index_Frame Page 370 Wednesday, November 6, 2002 7:03 AM
Index secure access with authentication, 160–161 support, 161 Subnetworks, 40 Subscriber identity module (SIM), 289 Sun, 336, 349 SunNet Manager, 334 Switched digital services (SDS), 101 Sybase, 348 Symantec, 150 pcAnywhere, 76, 239 Procomm, 70 System auditing, 179 failures, 168
T TACACS, see Terminal Access Concentrator Access Control Server TCP, see Transmission Control Protocol TCP/IP, 19, 35, 45, 170 application utility, Ping utility program included as, 117 network, concerns about communication over, 229 security protocol, 55 use of over V.90 connection, 36 vendors, 36 TCSEC, see Trusted Computer System Evaluation Criteria TDMA, see Time division multiple access Technology choices, incorrect, 82 Tekelec, 146 Tektronix, Inc., 78 Telco attacks, 173 infrastructure, maintaining of, 270 Telco-Research, 281 Telecenters, 309, 313 Telecommuter(s), 323 hand-me-down situation, 344 productivity, 8, 309 skills of, 338 Telecommuting, 3 benefits, 7 coining of term, 315
definition of, 4 expectations with advent of, 5 organizations, 320 programs, jobs suitable for, 310 Telecommuting, evaluating organizational readiness for, 315–322 benefits of telecommuting for company, 317–319 capability to employ disabled or distant workers who cannot commute, 318 fewer attendance problems, 318 higher job satisfaction and higher productivity, 318 less employee turnover, 318–319 less office space requirements, 317–318 less time wasted with office chat, 318 lower relocation expenses, 319 benefits of telecommuting for worker, 315–317 higher job satisfaction, 316 higher productivity, 317 less distractions, 317 lower clothing costs, 316 lower commuting expense, 316 lower commuting time, 316 lower food expense, 316 more flexible work schedule, 317 no need to relocate, 317 drawbacks of telecommuting, 319–320 lack of physical contact, 319 potential to be left out of loop, 319 potential to overwork, 319–320 telecommuting organizations, 320–322 belief in telecommuting, 322 clearly defined, measurable objectives, 321 critical success factors, 321 strong communication system, 321–322 Telecommuting, management issues, 307–314 benefits of autonomy, 308 future needs, 312 370
AU1253_Index_Frame Page 371 Wednesday, November 6, 2002 7:03 AM
Index implementation of telecommuting program, 312–313 jobs suitable for telecommuting, 310–311 managing telecommuters, 313–314 organizational benefits of telecommuting, 308–309 increased productivity, 309 job satisfaction, 309 reduced costs, 309 preparation of organization for telecommuting program, 310 societal benefits of telecommuting, 307–308 suggestions for successful implementation, 314 technology requirements, 311–312 computer equipment, 311 LANs, 311 other products, 312 sophisticated phone systems, 311–312 videoconferencing, 312 voice mail, 312 telecenters, 313 why employees want to telecommute, 308 Telecommuting, security risks in, 213–220 minimizing security risks, 217–219 checking for malicious code, 219 controlling types of connections, 218 encrypting data when transferred, 218 encrypting stored data, 217–218 enforcing corporate security policy, 219 integrating security functions, 219 protecting encryption keys, 218–219 telecommuting in today’s distributed enterprise, 214 types of security risks, 215–217 access control, 217 compromised systems, 217 data transferred between remote systems and internal networks, 216–217
files stored on laptops, 216 who and what pose security risks, 214–215 hackers, 214–215 high-tech criminals, 215 industrial espionage, 214 traditional thieves, 214 viruses and other types of malicious code, 215 Telecom providers, IP networks managed by, 177 Telephone(s) cellular, 146, 312 CDMA, 291 Internet-enabled, 303 lost, 294 TDMA, 288 GSM, SIM cards used by, 293 mobile, 127 health issues, 149 next generation of, 297 radiation, 150 shopping online using, 285 WAP-enabled, 145, 155, 302 Telework, supporting, 323–332 obstacles of virtual work arrangements, 324–326 management-related obstacles, 325–326 task- and resource-related obstacles, 324–325 removing obstacles with managerial actions, 329–332 maintaining and enhancing organizational identity, 331 modified reward mechanisms, 330–331 responding to other social needs, 331–332 task support, 329–330 removing obstacles with technology, 327–328 technology resources, 327–328 technology support, 328 Terminal Access Concentrator Access Control Server (TACACS), 27, 183 authentication, 192 event logging capability, 192 371
AU1253_Index_Frame Page 372 Wednesday, November 6, 2002 7:03 AM
Index limitations, 196 original, 191 server implementation, 193 Terminal servers, 16 Terrorism, possible access for, 225 Terrorist behavior, threat of, 226 Thieves, security concerns caused by, 213, 214 Third-party authentication, 21 Third-party firewalls, 260 Three-way calling, 341 Time division multiple access (TMDA), 144, 286 cell phone, 288 radio spectrum of, 287 Time-only synchronous authentication systems, 211 Tivoli, 349 T1 line connection, 107, 108 TLS, see Transport layer security TMDA, see Time division multiple access Token-based authentication services, 51 Token programming, control of, 212 Toneloc, 246, 248 ToS, see Type of service Traffic controls inbound, 204 outbound, 204 management techniques, 336 Transmission Control Protocol (TCP), 296 Transport layer security (TLS), 147 Traveling sales people, 75 TRITON Invisible Fiber, 133 Trojan program, 217 Trouble ticketing application, 337 Trusted Computer System Evaluation Criteria (TCSEC), 228 Tunnel servers, 120 Type of service (ToS), 124
U UMTS, see Universal Mobile Telecommunications System Unauthorized user, ways to identify, 243
U-NII, see Unlicensed National Information Infrastructure Universal Mobile Telecommunications System (UMTS), 142, 152, 292 Universal resource locators (URLs), 140, 152 UNIX, 16 -based laptops, 35 file server, 169 hardware/software platform, 335 network management platforms, 334 platform, network managers designed to run on, 350 system(s) consultant broken into, 249 Internet core technology based on, 41 type servers, 221 workstations, 45 Unlicensed National Information Infrastructure (U-NII), 132 Unwired Planet, 137 URLs, see Universal resource locators User authentication, 56, 207 file, 189 ID(s) breaking into UNIX system through use of, 249 distribution of employee, 111 identifying valid, 237 U.S. Patent Office, 142 U-Turn attacks, 161 problem, 159 UUnet Technologies, Inc., 279, 281
V Value-added network (VAN), 270 VAN, see Value-added network Vandalism, possible access for, 225 Verizon All@once Virtual Private Network Solutions (VPNS), 103 Videoconferencing, 312, 326, 340, 342 Virtual chaos, 223 Virtual Local Area Networks (VLANs), 85, 124 372
AU1253_Index_Frame Page 373 Wednesday, November 6, 2002 7:03 AM
Index Virtual network, use of Internet as, 107, 111 Virtual office, 85 Virtual private network (VPN), 26, 40, 269–282, 327 architectures, 54 -based access control, 56 billing, 98 business-to-business, 91 common misperception of, 157 common uses, 271–277 basic VPN requirements, 273–277 connecting networks over Internet, 271–273 secure remote user access over Internet, 271 connectivity, candidate for, 93 cost justification of, 90 crypto, 176 data networking over, 100 deployment, pilot tests prior to, 93 ease of management and use, 277–281 planning for near future, 280–281 Windows communication platform, 278–280 establishment of via public network, 111 gateway-to-gateway, 54 implementation of, 44, 87 intelligence inherent in, 96 IPSec, 103, 104 locations, traffic status alerts for, 99 market for, 121 NAS-based, 196 prevalence of, 126 products, evaluation of, 89 remote user, 175 secure remote access provided through use of, 166 security scenarios, 266 technology, 255 server, vendor, 57 trunk groups, 99 tunnels, 158 use of to connect remote sites, 272 Virtual private network design approaches, 107–126
market for VPN, 121–126 extranet access, 123–124 future of IPSec VPNs, 124–126 internal protection, 124 use of Internet as virtual network, 107–121 equipment cost, 109 network predictability, 110–111 other factors in VPN operation, 120–121 performance considerations, 116–120 reliability issues, 109–110 security considerations, 111–115 using firewalls, 115–116 Virtual private networking, 85–93 application performance, 93 benefits, 85–87 bigger security picture, 91–92 consideration for VPN implementation, 92 implementations, 87–89 pitfalls during deployment, 90–91 risk versus reward, 89–90 security policy, 92 system requirements, 92 training, 93 Virtual private networks, traditional carrier, 95–106 access arrangements, 99–100 billing options, 98 business case for VPNs, 96–98 carrier-based VPN concept, 95–96 data networking over VPN, 100–106 high-speed data services, 100–102 IPSec VPNs, 103–106 low-speed data services, 100 performance objectives, 102–103 network management, 98–99 Virtual private network security, 251–267 advanced VPN security features, 262–266 authentication header, 265 certificates, 263–264 encapsulation security header, 266 Extensible Authentication Protocol, 264 373
AU1253_Index_Frame Page 374 Wednesday, November 6, 2002 7:03 AM
Index IP security, 265 negotiated security association, 265 symmetric encryption versus asymmetric encryption, 263 transaction-level security, 264 branch office connection network, 257–258 enterprise partner/supplier network, 255–257 front-end processors, 262 reason for, 252–253 remote access network, 258–259 understanding IBM VPN security, 254–255 understanding Microsoft VPN security, 259–262 access control, 261 authentication, 259–260, 260–261 data encryption, 261 PPTP packet filtering, 261–262 understanding PPTP security, 260 using PPTP with firewalls and routers, 262 Virtual teams, 323 Virtual work arrangements, 323, 324, 331 Virus(es), 204 creation of new, 219 definition of, 215 network-aware, 217 protection applications, 225 security concerns caused by, 213 vulnerability of PDAs to, 150 Visual Basic, 45 VLANs, see Virtual Local Area Networks Voice communications, 327, 340 mail, 5, 9, 11, 312 messaging, 127 Voiceprints, 240 Voicestream, GSM communications used by, 286 VPDS, see MCI Virtual Private Data Service VPN, see Virtual private network VPNS, see Verizon All@once Virtual Private Network Solutions
W WAN, see Wide area network WAP, see Wireless Application Protocol War dialers, 235, 246, 248 War Games, 235 Web -based enterprises, 225 browsing, 45, 121 server, extranet with authenticating, 53 WECA, see Wireless Ethernet Compatibility Alliance Wide area network (WAN), 14, 129, 203 costs, 252 establishment of with multiple domains, 351 Internet problems and in-house managed, 174 management, complexity of, 334 PBX systems integrated directly to corporate, 129 VPN connection operating as, 269 Wi-Fi, see Wireless Fidelity WinSock, 45 Wireless Application Protocol (WAP), 137–156, 285 applications for, 139–140 arguments against WAP, 149–156 critical success factors for WAP and M-commerce, 151–153 future impact, 154–156 mobile phones and health issues, 149–150 security, 150 WAP and M-commerce, 150–151 arguments for WAP, 148–149 criticism of, 141 Forum, 137, 141, 142, 146, 148, 296 gap in, 298, 300, 303 gateway at host, 300 securing of, 298 at service provider, 299 predictions, 140–143 reason for, 137–139 technology for M-commerce, 148 374
AU1253_Index_Frame Page 375 Wednesday, November 6, 2002 7:03 AM
Index global standard, 146–147 operating system for WAP, 147–148 WAP-enabled phones, 145–146 WAP Forum, 148 topology, 140 WAP-enabled phones, 302 wireless Internet applications developed using, 295 Wireless connections, types of remote, 69 Wireless device(s) graphics display capabilities of, 285 Net surfing using, 284 Wireless Ethernet Compatibility Alliance (WECA), 132 Wireless Fidelity (Wi-Fi), 158 Wireless Internet security, 283–304 security of network infrastructure components, 297–303 security of transmission methods, 286–292 CDMA, 290–291 FDMA, 287 GSM, 288–290 other methods, 291–292 TDMA, 287–288 security of wireless devices, 292–297 authentication, 292–294 confidentiality, 294–296 malicious code and viruses, 296–297 types of applications available, 285–286 users of wireless Internet, 284–285 Wireless local area network (WLAN), 131, 158 Wireless local loop (WLL) systems, 127 Wireless Markup Language (WML), 138 Wireless modems, 135 Wireless office services (WOS), 129, 130 Wireless payment applications, 153 Wireless technology, 127–136 cellular digital packet data, 130–131
searching for wireless solution, 135–136 uses for wireless technology, 133–135 consumer applications, 133–134 financial, 135 health care, 134 manufacturing, 135 transportation, 134 wireless broadband Internet access, 133 wireless communications, 128–129 wireless Internet access, 132–133 wireless local area networks, 131–132 wireless office services, 129–130 Wireless Technology Research LLC, 150 Wireless transmission, 49 Wireless transport layer security (WTLS), 152, 295 WLAN, see Wireless local area network WLL systems, see Wireless local loop systems WML, see Wireless Markup Language Word processing documents, e-mail as transport agent for, 343 Workstations LAN-attached, 33 remote, 31 World Wide Web, exploding popularity of, 44 WOS, see Wireless office services WRQ Reflections, 70 WTLS, see Wireless transport layer security Wyse Technology, Inc., 78
X Xerox Network System, 35
Y Yahoo mobile, survey taken on, 143 Yale University server, 117, 119
375
AU1253_Index_Frame Page 376 Wednesday, November 6, 2002 7:03 AM