Archive for the ‘VPN’ Category

A Conversation on “Health Information Technology”

July 20, 2009

By: Tim Cronin

On Sunday, the Boston Globe printed a portion of a letter to the editor I sent in regard to one of the paper’s articles. The opinion discussed the mandating of electronic health records and the importance of security for such records. Below is the complete letter.


One of the hot-button issues facing the country today is healthcare reform. President Obama has identified widespread electronic medical records as a major benchmark towards achieving the goal of affordable health coverage for all. Scott Kirsner did an excellent job describing some of the technologies Massachusetts companies are creating that will make universal electronic health records possible in his article “State helping to shape US efforts to digitize health records for all.” The article neglected to examine the network security concerns of such a system.

One may say “Moving medical records online will mean less privacy for everybody.” In reality less privacy is not an issue if proper security is in place. Therefore, moving medical records to electronic storage will increase the need to secure networks. The truth is that records are no less secure when stored electronically, as long as the network is secure. In fact, there are gains in privacy. The biggest risk involved is that making all records electronic does allow a person to attempt to gather information remotely by compromising a network. As long as medical facilities deploy network security technologies and maintain them, this should not be a widespread problem. With paper records, someone who wanted to steal medical information can be successful, but would need to get a hold of a physical copy of the record. This means that an attacker would need to take a risk and go to the location of the records storage. Paper records also pose a risk to patient privacy as medical staff bring records home with them so they can work outside of the hospital. Recently, an employee at a Boston hospital accidentally left records on the “T”. If the records were accessible electronically through a secure network connection, this wouldn’t have happened.

Electronic medical record keeping also provides for a more secure data backup process. Hospitals using electronic records will need redundant hard drives, servers, data storage and other important infrastructure to ensure medical information is never lost. With all those backups, many fear that it will be easier to gain unauthorized access to patient information. In actuality, the electronic backups will be easier to secure than the current system of paper charts. Currently paper records are sent to storage vendors and the vendor’s employees have access to the information in clear text. The best security that you can provide without destroying the information is to send the charts in a locked receptacle.  In an electronic system, data can be encrypted and stored at vendors’ facilities without fear that the vendor will be able to read the data.  This adds to the locked receptacle, because you can lock storage medium in a case, then if that case is compromised, you also have the data in an illegible form.  You can also deploy hashing functions to ensure that no data is tampered with.

To address one of the biggest fears, properly deployed medical networks will not send information in a manner that is easy for someone to simply capture. With electronic medical records, you will need to make sure that there is no path for the records to be sent over the open Internet. Instead records should be sent over secured VPN networks specifically designed to protect this information. Nobody should have access to the network that does not need access. Congress has already acted to ensure that this guideline is followed, through the HIPAA and HITECH acts. However, these acts stop short of dictating the security standards and focus on the penalty if a record is compromised. Creating an electronic medical records system will benefit the healthcare system in America in many ways, including increasing the security of medical records. However, if the country is to move towards mandating electronic medical records, then Congress should create additional acts creating security standards.


Tips for securing your Wi-Fi Connection

July 6, 2009

By Tim Cronin


Recently, NPR’s “All Tech Considered” posted a very good and concise article on securing WiFi technology.  I would just like to add a few key points for those that concern themselves with network security.


First, when using a VPN on an untrusted hotspot, make sure that it is a “full tunnel” VPN. Split tunnels work well for connecting with trusted networks (like your home network). Unfortunately, if you are on an untrusted hotspot, there is no guarantee of any security on that hotspot, and with a split tunnel an attacker can use your PC to get access to your internal network.


Second, I would just like to point out that “Secure your home network” is a huge point. Don’t just take advantage of encryption, MAC filtering and other ubiquitous measures. Also, reduce the size of your network to the minimum that is necessary for the number of expected systems. And change the default network. Choose something not common. These steps may not be effective alone, but can certainly add to an overall secure environment.


SIDENOTE: MAC filtering and other security features have been shown to be inadequate when a skilled attacker targets your network. There is still no reason *not* to use them. The key is to make your network harder to get into than the ones around you: make it difficult enough that the attacker loses interest, or make it harder to crack than his skill level allows. An attacker will likely take the path of least resistance, after all. If your network proves to be difficult to hack, the hacker will move on.


Third, disable your wireless antenna when not in use.  Most laptops have a button or switch that disables the antenna so that it’s easy to see that it is disabled.  This is especially true on airplanes.  There are many people that find it fun to browse others’ PCs while on board a plane.


Fourth, if you connect to an access point that you don’t intend to connect with often, delete it from your automatic wireless network list.  This was shown to be a very large hole by HD Moore (with his “Evil eeePC”).  Instructions here:


Last, never assume that you aren’t compromised.  The chance always exists.  Monitor your systems regularly for irregularities.

Microsoft’s DirectAccess: Reinventing VPN

June 8, 2009

By Tim Cronin

As we know, Virtual Private Networking (VPN) is a technology that allows remote systems to connect to a local system in a secure manner.  This is what Microsoft’s DirectAccess is setting out to do as well.  Microsoft is marketing the new remote access tool as somewhat of a revolution, claiming that you can throw the VPN out with the bathwater.  This is not necessarily the case, but DirectAccess may still herald a new generation of VPN technologies.

WHAT IS DirectAccess

DirectAccess is a technology that allows Vista, Server 2008 and Windows 7 to connect with the office LAN seamlessly, without having to log into any clients. DirectAccess is also being used to manage remote PCs without the PCs needing a logged-in user (for instance, you can push a new update to an idle PC). This technology comes at a time when there are a multitude of remote technologies to choose from, so Microsoft is distinguishing itself by saying that DirectAccess is basically a hands-off technology. The user doesn’t need to do anything except get a network connection and log into the machine as normal – the OS takes care of the rest.


Despite Microsoft’s marketing, DirectAccess is a VPN technology with new functionality.  For those familiar with configuring VPNs, DirectAccess uses IPSec to tunnel the remote system to a DirectAccess server.  The DirectAccess server then authenticates the system and, if configured, authenticates the user.  Both of these steps rely on certificates (and the option of smart cards for multi-factor authentication for the user).  From here, there are differences in topology and design from which you can choose.  You can use “End to End” (security to the application server) or “End to Edge” (security to the perimeter, then letting unsecured traffic on the LAN). 

One key piece of information that must be taken into account: DirectAccess uses IPv6 as the preferred protocol.  You can use IPv4, but there will be extra steps that you may need to take.  There are several more key points to the connection for which I will refer you to Microsoft’s documentation at   


Microsoft has taken steps to make sure that security is the focus of this technology and seems to have been successful. When it is configured and used properly, I can see it being a step forward. That being said, DirectAccess does assume some things. The most glaring is that user authentication is not required. If a user’s laptop is stolen and not reported in time, then it is conceivable that an attacker would have access to your internal network. Although they may not be able to log into the domain, there is still an IPSec connection between the attacker and the LAN. This will make the use of full disk encryption even more necessary. Also, the fact that so many technologies are involved in getting a connection is a concern. If any one of them has a vulnerability, it can be a problem, to say the least.


All-in-all, I don’t think DirectAccess will herald the end of the VPN.  I think that there may be some changes, but VPN is here to stay for the moment.  The public information on DirectAccess is still a bit hazy on site to site connections (in fact, I am not sure it’s possible).  For this reason VPNs are still going to be in use.  Also, remote access VPN technologies, as they exist today, will adapt to new market requirements.  I foresee the major VPN vendors keeping pace with Microsoft.