Wednesday, September 24, 2008

Your WAN diagram better include Starbucks...

When performing a network architecture review (security focused), we always ask for LAN/WAN diagrams. Some LAN diagrams are detailed to an OCDegree, but other times we get some pretty lame ones (or none at all - even in HUGE organizations).

I often wonder - why aren't all the extensions of the WAN documented in the diagrams as well? When a remote worker with a laptop connects to your corporate network via VPN, isn't that truly an extension of your WAN?

Yes, yes it is.

Shouldn't laptops that are, in effect, extending your WAN to Starbucks and Panera be treated as assets with a higher rate of compromise associated with them? Let us go on record: the days of solely relying on the Windows Firewall and anti-virus software for laptop protection in the volatile network soup known as the Internet are LONG GONE. When a laptop connects to an open wireless network at (name your coffee shop of choice), your organization is inherently ACCEPTING all of the network vulnerabilities of that hotspot. You can't control the hosts that reside on the same network as your laptop, and you can't verify that there isn't already malicious activity taking place on that network.

What you can do:

  • Use laptop images as a source of creating a Minimum Security Baseline, not just an administrative Easy Button.
  • When deplying VPN to remote employees, don't enable Split Tunneling. Seriously, just don't do it. Full tunneling or bust. And to top it off, a web proxy would be great.
  • HIPS or be square. That's right, Host Intrusion Prevention System. As more of the big guys implement HIPS into their anti-everything agents, the time has come to really look at implementing the technology. Steer clear of HIPS technology that is signature-based; it will never be as strong as something behavior-based. I've got my favorite, but we won't talk about that here.
  • Network Admission Control is a good idea, just depends on how you deploy it. Enforcing security posture will always be better than what most are doing, which is nothing.
  • Don't allow employees to install full VPN clients on their home PC's for connecting back to your corporate network. Since when was "Barbie Horse Adventures" part of your trusted app list?

All I'm asking is that you're realistic. Include everything that extends your WAN beyond your border router - which is anyONE or anyTHING connecting to your network from the outside, to name a few:

  • Site-to-site VPN connections
  • Remote-access VPN connections
  • PDA's with sync'ing capabilities

This might be stating the obvious, but asking the question, "Does this extend the boundaries of my WAN?" is part of a good exercise while designing the management, technical, and operational controls associated with devices that are "ridin' dirty".

Read more!