The Essential Elements of Secure Remote Access...without the Management Headaches

By : NCP Engineering GmbH
Published : Apr 07, 2008
Length : 12
Type : White Paper
Overview :

While IPSec VPN implementation has traditionally been viewed as expensive and time-consuming for large organizations, Quocirca has found that the next generation of IPSec VPN technologies has addressed these management headaches through automation, integrated security policy management, and centralized control.

Download this report, focusing on the essential elements of secure remote access using next-generation IPSec VPNs. 

Related Categories : Authentication, IPSec, Security Management, Security Policies, VPN

Location, location, location. Perhaps a hackneyed phrase, but location is a growing issue for organisations. Very little business today is conducted at one single office location and few businesses today serve just one isolated geographic location.
This is not the only driver behind the increased need that companies have for providing remote access to their core computer networks. Employees work remotely more often than they used to—from home, on business trips or whilst servicing customers in the field. Because most business today is conducted electronically, organisations are progressively opening up access to their networks to business partners to allow greater, more efficient collaboration, and access is also being provided, in some cases, to customers.
This can create headaches for those in charge of policing who accesses what—especially given that much of this traffic can be reliant on insecure communications channels, and the internet in particular. In today’s highly regulated world, organisations are under considerable pressure to prove that no one has tampered with their computer networks or the data that they contain. In recent research conducted by Quocirca, 82% of 250 organisations surveyed cited data protection legislation as the most important regulation that their businesses faced—over two-and-a-half times more than for any other government or industry-specific legislation in existence.
The onus is on an organisation to provide highly secure remote access to its computer networks, including knowledge of who accesses what and when, over all communications channels and from every type of device. There are a wide variety of technology choices that companies can make, but not all are easy to manage—especially when scaling up to protect extremely large, complex and decentralised networks. This paper will describe the essential elements that organisations should consider when looking to achieve highly secure remote access capabilities.
Limitations of first-generation virtual private networks
In the not so distant past, the most common method for accessing networks remotely was by use of a dial-up connection, with users authenticated by a user name and password combination, or perhaps a one-time password from a security token. Organisations looking for secure connectivity within their organisations generally built their own private networks using dedicated communications lines, but this was often a very expensive undertaking.
Over time, the use of public communications networks, including the internet, has increased and these have become essential communications tools for business. To cater to the requirements of organisations needing to securely transfer sensitive data over public and private networks, the virtual private network (VPN) was developed and is now the leading technology used for achieving remote access.
A VPN is a virtual network that is built on top of existing communications networks and provides a secure communications mechanism for transmitting data and information between networks through use of a tunnelling protocol. This means that the data being transferred is encapsulated and hidden from public view in order to provide a secure path for data to travel over a public network. This provides a much less expensive option than leasing dedicated telephone lines and provides companies with several layers of protection, including ensuring the confidentiality, integrity and authentication of communications, as well as access control.
VPNs come in many flavours. The first to come onto the market deployed PPTP (point-to-point tunnelling protocol) or L2TP (layer 2 tunnelling protocol). However, IPSec (Internet Protocol Security) emerged in the 1990s as the frontrunner owing to its superior encryption capabilities. Because it was for some time the de facto standard, there is a large installed base of IPSec implementations worldwide, with the most common use being for office-to-office connections, such as a branch office connecting to headquarters, or for a small number of trusted users accessing the corporate network.
Traditionally, IPSec deployments have required that a software agent be installed on every end point connecting to the network and that administrators configure the settings for each device by visiting each device in the network. This made it costly and complicated to manage in many cases—especially in large, complex deployments. There were also concerns about the security of IPSec VPNs because, once a device was connected to the IPSec VPN, it was able to access the entire computer network and all files contained there. Therefore, a stolen or hijacked device, where the user managed to crack the access credentials for the VPN, had full, unfettered access to the main central network. An easier way of restricting what users could access was needed, without the expense and hassle of configuring each device separately.