Despite all of these security precautions, you cannot truly control what happens to computers outside your network. A coworker's child may download a Trojan horse bundled with a video game demo; it connects back to a hacker, who then rides the machine's VPN tunnel straight into your network. No firewall device or personal firewall application can prevent this class of problem, because home users will circumvent the highly restrictive policies that would be required to mitigate it.
So you have to ask yourself whether allowing VPN access for home users is necessary and wise given your security posture. You may well be better off allowing controlled access to specific protocols through your firewall than providing the wide-open, unencumbered network access that a VPN grants. Hackers can still attempt to exploit the protocols you open, but securing a single, well-understood protocol is far easier than defending against the whole range of attacks that can be carried over a VPN tunnel.
If users really need only a single protocol to perform their work, that protocol has no known exploits, and it provides strong authentication, it is a good candidate for simply passing through your firewall.
An example of a protocol that can be used reliably in this manner is Windows Terminal Services. Terminal servers deliver a broad range of applications to users very efficiently and are commonly used to give low-bandwidth users access to a network's data.
Windows Terminal Services
A service of Windows that implements the Remote Desktop Protocol (RDP). RDP intercepts the display (drawing) calls that applications make to the operating system and repackages them for transmission to a remote user, while receiving keystrokes and mouse movements from that user, thus providing a low-bandwidth, remotely controlled desktop environment in which any application can be run.
As long as passwords aren't easily guessed, exposing Terminal Services to the Internet is a lot more secure than opening up VPN connections to your network. Viruses cannot automatically cross a Terminal Services connection because it carries no file-sharing connection; this holds only while RDP's drive and clipboard redirection stay disabled, since with drive redirection on, the client's disks appear inside the session. A hacker who has compromised a home user's computer has no more access to the terminal server than he would have from his own machine, because he still needs a valid account name and password for the remote network in order to log in. That is also why an account lockout policy and monitoring of failed logons matter once the service is reachable from the Internet.
Once remote users have logged in to Terminal Services, they have as much access to applications and as much ability to do their work as they would have in the building. The relative richness of the protocol is what makes it a good candidate to replace VPN access for remote users outright.
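The condition above ("as long as passwords aren't easily guessed") is only enforceable if someone is watching for guessing attempts. As an added example, not code from the original text, the following monitor reads a constructed, simplified failed-logon log (one line per failure, with a `type` field where 10 means a remote interactive session, as in Windows event 4625) and flags any source address that racks up a burst of failed RDP logons. The log format, sample lines, threshold and window are assumptions chosen for the example.

```python
"""Detect password guessing against an Internet-exposed terminal server.

Added example, not code from the original text. It assumes a constructed,
simplified log format in which each failed logon is one line:
    <ISO timestamp> FAILED_LOGON user=<account> src=<client ip> type=<logon type>
Logon type 10 marks a remote interactive (Terminal Services / RDP) session;
real Windows security logs carry the same fields in event 4625, but the
parsing here is written for the constructed format only. Lines are assumed
to be in chronological order, as a log normally is.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = "10"

# Constructed sample: 203.0.113.7 sprays several accounts within seconds,
# 198.51.100.4 mistypes a password twice over an hour, and 10.0.0.5 is a
# console logon (type 2) that never crossed the firewall.
SAMPLE_LOG = """\
2004-03-02T08:00:01 FAILED_LOGON user=administrator src=203.0.113.7 type=10
2004-03-02T08:00:03 FAILED_LOGON user=administrator src=203.0.113.7 type=10
2004-03-02T08:00:05 FAILED_LOGON user=admin src=203.0.113.7 type=10
2004-03-02T08:00:06 FAILED_LOGON user=backup src=203.0.113.7 type=10
2004-03-02T08:00:08 FAILED_LOGON user=jsmith src=203.0.113.7 type=10
2004-03-02T08:00:09 FAILED_LOGON user=jsmith src=203.0.113.7 type=10
2004-03-02T08:15:00 FAILED_LOGON user=mjones src=198.51.100.4 type=10
2004-03-02T09:30:00 FAILED_LOGON user=mjones src=198.51.100.4 type=10
2004-03-02T09:31:00 FAILED_LOGON user=svc_local src=10.0.0.5 type=2
"""


def parse_failed_logon(line):
    """Return (timestamp, user, src, logon_type), or None for any other line."""
    parts = line.split()
    if len(parts) < 2 or parts[1] != "FAILED_LOGON":
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    try:
        return (datetime.fromisoformat(parts[0]), fields["user"],
                fields["src"], fields["type"])
    except (KeyError, ValueError):
        return None  # malformed line: skip it rather than crash the monitor


def find_guessing_sources(log_text, threshold=5, window_minutes=5):
    """Sliding-window count of failed RDP logons per source address.

    Returns {src: (failures_in_window, distinct_accounts_tried)} for every
    source whose failures reach `threshold` within any `window_minutes` span.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) in the window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_failed_logon(line)
        if rec is None:
            continue
        ts, user, src, logon_type = rec
        if logon_type != RDP_LOGON_TYPE:
            continue  # console/service logons did not come through the firewall
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = (len(q), len({u for _, u in q}))
    return flagged


if __name__ == "__main__":
    for src, (count, accounts) in find_guessing_sources(SAMPLE_LOG).items():
        print(f"block {src}: {count} failed RDP logons against {accounts} accounts")
```

The distinct-account count is what separates a forgotten password from a guessing run: a legitimate user fails against one account, while a hacker walks through several. The response belongs at the firewall (drop the source address) and in the lockout policy, not in the terminal server alone.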
Other protocols that are candidates for opening to the Internet are Secure Shell (SSH), for text-based applications on Unix machines, and secure web-enabled applications (as long as proper web server security measures have been implemented).
secure shell (SSH)
A secure, encrypted replacement for the classic Telnet application. SSH uses public key cryptography to authenticate the server (and, optionally, the user), and symmetric encryption with per-session keys negotiated at connection time to protect data in transit.
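SSH only meets the "strong authentication" condition for an exposed protocol if the server is configured to demand it: with password logons still enabled, an Internet-facing SSH server is just another guessing target. As an added example, not code from the original text, the following audit parses an OpenSSH `sshd_config` and reports every directive that undercuts that condition; the weak and hardened configurations are constructed, the directive names are real OpenSSH directives, and the required values express this book's condition rather than OpenSSH's own defaults.

```python
"""Audit an sshd_config before exposing SSH through the firewall.

Added example, not code from the original text. The two configurations are
constructed; the directive names are real OpenSSH sshd_config directives,
but the required values express the condition that an exposed protocol must
provide strong authentication, not OpenSSH's own defaults (which differ
between versions, so an unset directive is reported rather than assumed safe).
"""

# Directive (lowercased) -> (required value, why it matters)
REQUIRED = {
    "protocol": ("2", "protocol 1 has known weaknesses and must not be offered"),
    "permitrootlogin": ("no", "root must not be reachable directly from the Internet"),
    "passwordauthentication": ("no", "password logons are exposed to online guessing"),
    "permitemptypasswords": ("no", "an empty password defeats authentication entirely"),
    "pubkeyauthentication": ("yes", "public-key authentication must be enabled"),
}

WEAK_CONFIG = """\
# constructed: a server that should not be exposed as-is
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
"""

HARDENED_CONFIG = """\
# constructed: key-based authentication only, every directive set explicitly
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no   # forces key-based authentication
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers jsmith mjones
"""


def parse_sshd_config(text):
    """Map lowercased directive -> lowercased value for the global section.

    Handles comments, blank lines and the optional '=' separator. Everything
    after the first Match line applies only to matching connections, so the
    global audit stops there (per-user exceptions are out of scope here).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if parts[0].lower() == "match":
            break
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip().lower()
    return settings


def audit_sshd_config(text):
    """Return [(directive, value_found, reason)]; an empty list means the
    configuration meets the strong-authentication condition."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, (wanted, reason) in REQUIRED.items():
        found = settings.get(directive, "<not set>")
        if found != wanted:
            findings.append((directive, found, reason))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{label}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for directive, found, reason in findings:
            print(f"  {directive} = {found}: {reason}")
```

The audit deliberately treats a directive that is merely absent as a finding: defaults such as `PermitRootLogin` have changed across OpenSSH releases, and a server that will sit on the Internet should state its authentication policy explicitly rather than inherit whatever the installed version assumes.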
Review Questions
1. Why are VPN connections potentially dangerous?
2. What threats are presented to network security by laptop users?
3. Why are laptops the most likely source of virus infection in a protected network?
4. What percentage of corporate crimes has the FBI traced back to stolen laptops?
5. What software should be used to protect laptops from hackers?
6. What is the best way to protect home computers from hackers?
7. How should you reduce the risk posed by lost information when a laptop is stolen?
8. What is the best way to prevent the loss of data from a damaged or stolen laptop?
9. Are VPNs always the most secure way to provide remote access to secure networks?
Answers
1. VPN connections are potentially dangerous because the VPN endpoint could be exploited, allowing the attacker to use the VPN to penetrate the firewall.
2. Laptops are easy to steal and may contain all the information necessary to connect to the company's network.
3. Laptops are the most likely source of virus infection in a protected network because they are frequently connected to other networks that may not be well protected.
4. 57% of corporate crimes have been traced back to stolen laptops.
5. Personal firewall application software should be used to protect laptops from hackers.
6. Using NAT devices or light firewall devices is the best way to protect home computers from hackers.
7. Encrypting documents stored on the laptop reduces the risk posed by lost information when the laptop is stolen.
8. Storing data in encrypted form on removable flash media that is not kept with the laptop is the best way to prevent the loss of data from a damaged or stolen laptop.
9. No. Opening a single secure protocol to direct access is usually more secure than allowing open access to VPN clients.
Terms to Know
• flash memory
• NAT routers
• personal firewall applications
• secure shell (SSH)
• VPN software client
• Windows Terminal Services
Overview
Computer viruses are self-replicating malicious programs that attach themselves to normal programs without the user's awareness or consent. They are one of the most feared causes of data loss, but as it turns out they have more of a reputation than they deserve. More than 90% of viruses are completely harmless apart from the computing resources they waste by propagating. You are much more likely to lose data to a hardware failure or to human error than to a virus infection.
self-replicating
Having the ability to create copies of itself.
Despite the fact that most viruses are harmless, some cause all sorts of unexpected behavior, such as system crashes, strange pop-up messages, and the deletion of important files. Some extremely clever worms copy themselves across the Internet and can absorb so much bandwidth that they interfere with the proper operation of your Internet connections. Even completely benign viruses with no apparent ill effects swell the size of executable files and macro-enabled documents, like barnacles encrusting a ship's hull.