Hidden vulnerability dogs VPN project
- 28 October, 2003 10:18
I recently changed positions and have been trying to understand the many projects already under way here. The most vital of these is a planned virtual private network (VPN) rollout. My company has many staffers who travel, as well as those who want to work from home.
Today, these people use ISDN or dial-up lines. These have very high-price rates for calls from hotels and high fixed-cost line rental and call charges from staffers' homes. If the security team and I could let users connect using existing broadband Internet connections, the performance would be better and the costs lower.
Many users appear to be connecting company laptops directly to the Internet to get fast access, but their systems get infected with viruses or worms and then propagate the infections by connecting to internal company systems. Given that, a VPN should dramatically improve security as well as save the company money.
Unfortunately, the project has been in the works for 18 months and still hasn't delivered a workable system. I was flabbergasted, since I've always run projects on a three-month cycle.
It's now just three weeks until the go-live date, but there's one huge problem that must be resolved. The IT team has put together a software package for the laptops that includes a VPN dialer and security products. This package will sit on our standard software build and include antivirus software and a personal firewall. Although the machine will be connected to the Internet, the firewall will block all inbound and outbound connections other than the VPN link.
That sounds great, but the testing that my team did revealed that the firewall loads as a service when the operating system boots and shuts down when the user shuts down the machine. Since the networking software runs as a service on top of Windows, the machine is unprotected for at least 30 seconds during boot-up and shutdown.
In the worst case in our testing, it took more than two minutes for the firewall to load and start doing its job. Why doesn't it just load the protection before starting the network? Or start the network without configuration, then load the protection and configure the network?
I won't mention the name of the software vendor, since I want it to have a chance to fix the problem. I'm pretty sure the problem affects some other vendors' products, so if you have a personal firewall on your machine, it might be a good idea to check that you don't have the same vulnerability.
Given how far down the road the IT team members were toward using this security product, they didn't want to give it up. Instead, they've been trying to add another layer of defense. Instead of using the USB Asymmetric Digital Subscriber Line (ADSL) modem delivered with the broadband service, they intend to buy everyone an ADSL router that includes a hardware firewall. The firewall is built into the firmware of the router and starts at the same time the router connects to the Internet, so the user's machine is always protected.
My task is to sign off that the configuration of the router firewall is acceptable. But I'm not going to do that. Yes, the configuration is fine; the security staffers have turned on network address translation (NAT) so that all internal machines are hidden, and they've enabled a firewall to block all inbound connections.
The security team has even password-protected the configuration so it will be difficult for each user to modify the settings. But just because it works on a technical level, that doesn't mean the IT security group should approve it.
The routers are much more expensive than fixing the software bug in the personal firewall or ripping out the flawed software and replacing it with a better package.
Remote Access Risks
Also, I know that some users will break into the routers and change the configurations when their children want to play Internet-based games. These typically require an inbound network connection for network play, so the configuration will be reset and bypassed -- and we won't know it because we're not set up to centrally monitor remote firewall hardware or software configurations.
Most of our staffers have multiple machines at their homes, so they might not be using their work machines for gaming. But I'm certain that all of our staffers will connect their own machines into the same router we provide. The lure of that company-funded broadband connection will be irresistible.
Furthermore, the firewall and NAT on the router defend against only external threats from the Internet; any machines inside the home will have unfettered access to the corporate laptop.
Then there's the issue of remote travel. I know that our staffers who have laptops aren't going to take their router/firewall with them before they plug into the broadband connections at hotels.
To their credit, the IT team did manage to find a pocket hardware firewall that sits in line with the network cable and filters traffic. It's only about the size of a credit card and offers always-on network protection.
But during testing, the device somehow shorted out one of our network devices so badly that smoke was pouring out of it, giving a whole new meaning to the word firewall.
If we could just get the vendor to fix the start-up order so the firewall starts before the networking software, then we could save a lot of money, offer access in a wider range of environments and be more secure. The only argument against it seems to be 18 months of project inertia.
This should be an interesting test for me to understand my new employer's commitment to security. I'm meeting with the software firewall vendor next week. I'll let you know how we get on. Will we buy hundreds of expensive routers as a Band-Aid on one part of the issue, or will we fix the problem at its source? Stay tuned.
What do you think?
This week's journal is written by a real security manager, "Vince Tuesday," whose name and employer have been disguised for obvious reasons. Contact him at email@example.com.