11/13/2002 -- Paranoia is good! And no, I'm not referring to the old role-playing game. I'm referring to the state that most security people live in. Change another well-known saying to "Even paranoid network admins have intruders," and you'll have a good idea of where this month's column is going.
The key to strong network security is to trust the users as far as you can throw them. Many companies who make money from protecting the perimeter of your network like to talk up the threats from outside. It's true that the most costly and knowledgeable threats are on the outside, but that doesn't change the fact that most network problems are caused directly or indirectly by your users: people who are trusted by the organization.
These same users need to connect to your network. Of course, it's a lot easier to manage computers that don't leave the building than ones that do. A muscle next to the left eye starts to twitch when you consider how many executives allow their children to use their laptop.
For these potentially untrustworthy devices that need to connect to your network remotely, Cisco has given users the option of creating VPN tunnels with firewall software configured on the remote workstation. Imagine being able to filter out inappropriate packets directly at the workstation, instead of configuring a CPU-intensive access list on a router or firewall.
First, you need to be using VPN Concentrator 3.5 or better along with client software of 3.5 or better. As for firewall support, while Cisco promises to increase the size of the list, the only two popular firewalls currently supported are ZoneAlarm and BlackICE Defender. At this time, ZoneAlarm is preferred because of its support for Concentrator-configured client protection policies. This is where the admin configures the Concentrator with a security policy and then, when the user creates a tunnel, the policy is pushed down to the user, configuring the firewall.
The protection policy is configured just like any interface filter is on the Concentrator. The difference is that rather than placing the policy on a physical interface, it needs to be linked to the firewall setting of a group. Go over to Configuration, Settings and choose the group you want to configure. Modify the group and select "Client FW" for firewall configuration. Select "Policy Pushed" and choose the policy you just configured.
Another option is to have a policy from a Zone Labs Integrity server sent down to the client. This type of server is used in large environments to keep a consistent policy across many different VPN Concentrators and clients. If you start having trouble keeping the policies for the groups up to date across your many concentrators, you may wish to explore this product.
With a bit of luck, some technology and a healthy dose of paranoia, the corporate network can be a bit safer.