Location, location, location. Perhaps a hackneyed phrase, but location is a growing issue for organizations. Very little business today is conducted at a single office location, and few businesses serve just one isolated geographic area. Nor is this the only driver behind the growing need for companies to provide remote access to their core computer networks. Employees work remotely more often than they used to: from home, on business trips or while servicing customers in the field. Because most business today is conducted electronically, organizations are progressively opening up their networks to business partners to allow closer, more efficient collaboration, and in some cases access is also being provided to customers. This creates headaches for those in charge of policing who accesses what, especially since much of this traffic travels over communications channels that offer no protection of their own, the internet in particular. In today's highly regulated world, organizations are also under considerable pressure to prove that no one has tampered with their computer networks or the data they contain. In recent research conducted by Quocirca, 82% of the 250 organizations surveyed cited data protection legislation as the most important regulation their businesses faced, over two-and-a-half times the figure for any other government or industry-specific legislation. The onus is on an organization to provide highly secure remote access to its computer networks, including knowledge of who accesses what and when, over all communications channels and from every type of device. There is a wide variety of technology choices that companies can make, but not all are easy to manage, especially when scaling up to protect extremely large, complex and decentralized networks. This paper describes the essential elements that organizations should consider when looking to achieve highly secure remote access.
Limitations of first-generation virtual private networks
In the not so distant past, the most common method of accessing networks remotely was a dial-up connection, with users authenticated by a user name and password combination, or perhaps a one-time password from a security token. Organizations looking for secure connectivity between their own sites generally built private networks from dedicated leased lines, but this was often a very expensive undertaking. Over time the use of public communications networks, including the internet, has increased, and these have become essential communications tools for business. To cater to organizations that need to transfer sensitive data securely over public and private networks, the virtual private network (VPN) was developed, and it is now the leading technology for remote access. A VPN is a virtual network built on top of existing communications networks; it provides a secure channel for transmitting data between networks by means of a tunnelling protocol. The packets being transferred are encapsulated inside the tunnel's own packets and, in a properly configured VPN, encrypted, so that anyone observing the public network sees only the tunnel endpoints and ciphertext, not the inner addresses or payload. This is far less expensive than leasing dedicated lines and gives companies several layers of protection: confidentiality and integrity of the data in transit, authentication of the communicating parties, and a single point at which access control can be enforced. VPNs come in many flavours. The first to come onto the market used PPTP (Point-to-Point Tunnelling Protocol) or L2TP (Layer 2 Tunnelling Protocol). Neither is strong on its own: PPTP's MPPE encryption and MS-CHAP authentication have well-known weaknesses, and L2TP by itself only tunnels, providing no encryption at all, which is why it is normally run over IPsec (L2TP/IPsec). IPsec (Internet Protocol Security) therefore emerged in the 1990s as the frontrunner, owing to its stronger encryption and per-packet integrity protection at the network layer.
Because it was for some time the de facto standard, there is a large installed base of IPsec implementations worldwide. The most common uses are office-to-office connections, such as a branch office connecting to headquarters, and a small number of trusted users accessing the corporate network. Traditionally, IPsec deployments have required a software agent on every endpoint connecting to the network, with administrators configuring the settings for each device by visiting it in person. This made it costly and complicated to manage in many cases, especially in large, complex deployments. There were also concerns about the security of IPsec VPNs as they were typically deployed: once a device was connected, it was placed on the internal network and could reach every host and file there. The protocol itself does not require this (IPsec traffic selectors and a firewall behind the gateway can restrict what a tunnel may reach), but maintaining such rules for each device added to the configuration burden, so in practice it was rarely done. Consequently a stolen or hijacked device, or an attacker who had obtained the user's VPN credentials, had full, unfettered access to the central network. An easier way was needed of restricting what users could access without the expense and hassle of configuring each device separately.
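The two points above, what a tunnel hides from the public network and why authenticating to the VPN should not by itself grant access to the whole network, can be made concrete in a short program. The following Go code is an added example and is not part of this paper; it models a simplified ESP-style security association (SPI and sequence number sent in clear but authenticated, inner packet encrypted with AES-256-GCM, nonce built from a per-SA salt and the sequence number as RFC 4106 does) together with a gateway that forwards a decapsulated packet only if the identity behind the tunnel is permitted to reach the inner destination. The packet layout, the fixed key and salt, the identities "alice" and "bob", and the 10.0.0.0/8 addresses are all assumptions made for the illustration; the format is not interoperable with real IPsec, and replay protection is shown as a strictly increasing counter rather than the sliding window real ESP uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

const hdrLen = 12 // SPI (4 bytes) + sequence number (8 bytes): sent in clear but authenticated

// SA is one direction of a simplified ESP-style security association (not wire-compatible IPsec).
type SA struct {
	spi     uint32
	salt    [4]byte     // per-SA salt; salt||seq forms the 96-bit GCM nonce, as in RFC 4106
	aead    cipher.AEAD // AES-256-GCM gives confidentiality and integrity from one primitive
	seq     uint64      // sender: last sequence number used
	highest uint64      // receiver: highest sequence number accepted so far
}

func NewSA(spi uint32, key []byte, salt [4]byte) (*SA, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &SA{spi: spi, salt: salt, aead: aead}, err
}

func (s *SA) nonce(seq uint64) []byte {
	n := make([]byte, 12)
	copy(n, s.salt[:])
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Encapsulate wraps a whole inner IP packet; the public network sees only SPI, sequence and ciphertext.
func (s *SA) Encapsulate(inner []byte) []byte {
	s.seq++
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(hdr[0:4], s.spi)
	binary.BigEndian.PutUint64(hdr[4:12], s.seq)
	// hdr is additional authenticated data, so tampering with it also fails verification.
	return s.aead.Seal(append([]byte{}, hdr...), s.nonce(s.seq), inner, hdr)
}

// Decapsulate authenticates, decrypts and replay-checks one tunnel packet. Replay state moves only
// after the tag verifies. Real ESP uses a sliding window (RFC 4303 3.4.3); a strict counter suffices here.
func (s *SA) Decapsulate(pkt []byte) ([]byte, error) {
	if len(pkt) < hdrLen+s.aead.Overhead() || binary.BigEndian.Uint32(pkt) != s.spi {
		return nil, errors.New("malformed packet or unknown SPI")
	}
	hdr, seq := pkt[:hdrLen], binary.BigEndian.Uint64(pkt[4:12])
	inner, err := s.aead.Open(nil, s.nonce(seq), pkt[hdrLen:], hdr)
	if err != nil {
		return nil, errors.New("authentication failed, packet dropped")
	}
	if seq <= s.highest {
		return nil, errors.New("replayed sequence number, packet dropped")
	}
	s.highest = seq
	return inner, nil
}

// Gateway is the corporate endpoint's policy: the destination prefixes each identity may reach.
// Authenticating to the VPN therefore does not by itself grant access to the whole network.
type Gateway map[string][]*net.IPNet

func (g Gateway) Allow(identity, cidr string) error {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil {
		return err
	}
	g[identity] = append(g[identity], n)
	return nil
}

// Forward returns nil when the decapsulated IPv4 packet may be delivered on behalf of identity.
func (g Gateway) Forward(identity string, inner []byte) error {
	if len(inner) < 20 || inner[0]>>4 != 4 {
		return errors.New("not an IPv4 packet")
	}
	dst := net.IP(inner[16:20])
	for _, n := range g[identity] {
		if n.Contains(dst) {
			return nil
		}
	}
	return fmt.Errorf("policy: %q may not reach %s", identity, dst)
}

// BuildIPv4 makes a minimal IPv4 packet (no checksum) to stand in for real traffic.
func BuildIPv4(src, dst net.IP, payload []byte) []byte {
	p := make([]byte, 20+len(payload))
	p[0], p[8], p[9] = 0x45, 64, 17 // IPv4 with 20-byte header, TTL 64, protocol UDP
	copy(p[12:16], src.To4())
	copy(p[16:20], dst.To4())
	copy(p[20:], payload)
	return p
}
```

Feeding a constructed packet through `Encapsulate` and inspecting the bytes shows that the inner addresses and payload are absent from the wire; replaying a packet, or modifying either its ciphertext or its cleartext header, is rejected before any policy is consulted; and the very same decapsulated packet is forwarded for an identity with a matching rule and refused for one without, which is the per-user restriction that first-generation deployments lacked. In a real deployment the key and salt would come from IKE, the policy from a central store rather than per-device configuration, and the sequence check would be the RFC 4303 sliding window so that reordered packets are not dropped.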