Posts Tagged ‘VPN’

Tips for securing your Wi-Fi Connection

July 6, 2009

By Tim Cronin

Recently, NPR’s “All Tech Considered” posted a very good and concise article on securing Wi-Fi.  I would just like to add a few key points for those who concern themselves with network security.

First, when using a VPN from an un-trusted hotspot, make sure that it is a “full tunnel” VPN.  A split tunnel sends only traffic destined for the remote network through the tunnel and lets everything else go straight out onto the local network; that works well when the local network is trusted (like your home network).  On an un-trusted hotspot, however, there is no guarantee of any security on the local network, and a PC that is reachable from the hotspot while it is also connected to the VPN becomes a bridge: an attacker who compromises it can use it to get into your internal network.  A full tunnel routes all traffic through the encrypted tunnel, so the hotspot is never used for anything but carrying the VPN itself.
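
One way to check which kind of tunnel you actually have is to read the routing table after the VPN comes up. The following is an added example, not code from the original post: it parses Linux `ip route show` output (the three tables below are constructed samples, with tun0 standing for the VPN interface and wlan0 for the hotspot) and asks, for a handful of arbitrary public addresses, whether the kernel would send them through the VPN interface. It covers both ways a full tunnel usually appears: OpenVPN's two /1 routes and a second default route with a lower metric.

```python
import ipaddress

# Constructed samples of `ip route show` output (not captured from a real
# machine). tun0 stands for the VPN interface and wlan0 for the hotspot.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# OpenVPN "redirect-gateway def1" style: two /1 routes beat the hotspot's
# default route, and only the VPN server itself is pinned to wlan0.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.5 via 192.168.1.1 dev wlan0
"""

# Full tunnel expressed as a second default route with a lower metric.
FULL_TUNNEL_METRIC = """\
default via 10.8.0.1 dev tun0 metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# Arbitrary public addresses used to probe the table.
PROBES = ("192.0.2.1", "198.51.100.1", "203.0.113.77", "8.8.8.8")


def parse_routes(text):
    """Return (network, interface, metric) tuples from `ip route` lines."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        if "/" not in dest:
            dest += "/32"  # a bare address is a host route
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((ipaddress.ip_network(dest, strict=False), dev, metric))
    return routes


def best_route(routes, addr):
    """Longest-prefix match, lowest metric breaking ties (as the kernel picks)."""
    addr = ipaddress.ip_address(addr)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))


def leaking_destinations(text, vpn_if, probes=PROBES):
    """Probe addresses whose traffic would bypass vpn_if and hit the hotspot."""
    routes = parse_routes(text)
    return [p for p in probes
            if (r := best_route(routes, p)) is None or r[1] != vpn_if]


def tunnel_mode(text, vpn_if):
    """'full' when every probe is routed through vpn_if, otherwise 'split'."""
    return "full" if not leaking_destinations(text, vpn_if) else "split"


if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("def1", FULL_TUNNEL),
                        ("metric", FULL_TUNNEL_METRIC)):
        print(f"{name:7s} -> {tunnel_mode(table, 'tun0'):5s} "
              f"leaks: {leaking_destinations(table, 'tun0')}")
```

On a real laptop, feed the output of `ip route show` into `tunnel_mode(..., "tun0")` (or whatever your VPN interface is called). A route to the VPN server itself via the hotspot is normal and expected; anything else that resolves to the hotspot interface is traffic the VPN is not protecting.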

Second, I would just like to point out that “Secure your home network” is a huge point.  Don’t stop at encryption, MAC filtering and the other ubiquitous measures.  Also, reduce the size of your network to the minimum necessary for the number of systems you expect, so there are few spare addresses for an intruder to take.  And change the default network name (SSID) to something uncommon: WPA and WPA2 derive the pre-shared key from the passphrase salted with the SSID, so a default name like the manufacturer’s lets an attacker reuse precomputed tables.  These steps may not be effective alone, but they certainly add to an overall secure environment.
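
To show why the SSID matters, here is an added example (not code from the original post) that computes the WPA/WPA2-Personal Pairwise Master Key exactly as IEEE 802.11i specifies, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256 bits, and then plays both sides: an attacker who has precomputed PMKs for a common SSID against a network that kept that name, and against one with an uncommon name. The wordlist and network names are constructed; comparing the PMK directly stands in for the real check against the MIC of a captured four-way handshake.

```python
import hashlib


def wpa_pmk(passphrase, ssid):
    """WPA/WPA2-Personal PMK (IEEE 802.11i): PBKDF2-HMAC-SHA1 over the
    passphrase, salted with the SSID, 4096 iterations, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


# Constructed stand-in for an attacker's wordlist (real ones hold millions).
WORDLIST = ["password", "12345678", "letmein1", "trustno1", "qwertyuiop"]


def build_table(ssid, wordlist=WORDLIST):
    """The expensive part, done once per *common* SSID and reused against
    every network that kept that default name."""
    return {wpa_pmk(pw, ssid): pw for pw in wordlist}


def crack(victim_ssid, victim_pmk, table, table_ssid, wordlist=WORDLIST):
    """Attacker holding a table built for table_ssid. Returns the recovered
    passphrase (or None) and the number of PBKDF2 runs done at attack time.
    victim_pmk stands in for a PMK verified against a captured handshake."""
    if victim_ssid == table_ssid:
        return table.get(victim_pmk), 0      # lookup only: precomputation paid off
    # Different salt: the table is useless and every candidate costs 4096
    # HMAC-SHA1 iterations against this one network.
    for runs, pw in enumerate(wordlist, 1):
        if wpa_pmk(pw, victim_ssid) == victim_pmk:
            return pw, runs
    return None, len(wordlist)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: "password" / "IEEE".
    print(wpa_pmk("password", "IEEE").hex())
    table = build_table("linksys")            # attacker's precomputed table
    for ssid in ("linksys", "kx7-pelican-43"):
        pmk = wpa_pmk("letmein1", ssid)       # victim kept a weak passphrase
        print(ssid, crack(ssid, pmk, table, "linksys"))
```

The second network in the demo still falls, because "letmein1" is in the wordlist; the uncommon SSID only removes the precomputation shortcut and forces the attacker to spend the 4096 iterations per candidate on your network specifically. That is exactly why the post says these steps are not effective alone: a long, random passphrase is what actually stops the dictionary attack, and the unique SSID makes sure nobody gets to skip the work.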

SIDENOTE: MAC filtering and similar features have been shown to be inadequate when a skilled attacker targets your network (a MAC address is transmitted in the clear and is trivial to spoof).  There is still no reason *not* to use them.  The key is to make your network harder to get into than the ones around you: difficult enough that the attacker loses interest, or harder than his skill level allows.  An attacker will likely take the path of least resistance, after all.  If your network proves difficult to hack, the hacker will move on.

Third, disable your wireless radio when not in use.  Most laptops have a button or switch that turns the radio off, with an indicator that makes it easy to see that it is disabled.  This is especially true on airplanes.  There are many people who find it fun to browse other passengers’ PCs while on board.

Fourth, if you connect to an access point that you don’t intend to use often, delete it from your list of automatically connected wireless networks.  Your client looks for every network it remembers, and a rogue access point can answer as any of them; HD Moore showed what a large hole this is with his “Evil eeePC”.  Instructions here: http://technet.microsoft.com/en-us/library/cc778180(WS.10).aspx
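
The mechanism behind that hole, as an added example that is not part of the original post: a simplified model of a client that probes by name for each network in its automatic-connect list (as Windows XP did for every saved network, and later versions do for profiles marked as non-broadcasting), facing a rogue access point in the style of the KARMA attack that answers every probe by claiming to be the requested network. The saved-network list, the network names and the client logic are constructed for the demo; it is not Windows' wireless service code.

```python
from dataclasses import dataclass, field


@dataclass
class SavedNetwork:
    """One entry in the client's automatic-connect list (constructed data)."""
    ssid: str
    encrypted: bool          # True = profile expects WPA/WPA2; False = open hotspot
    auto_connect: bool = True


@dataclass
class HonestAP:
    ssid: str
    encrypted: bool

    def probe_response(self, requested_ssid):
        """A normal AP only answers probes for its own SSID."""
        return (self.ssid, self.encrypted) if requested_ssid == self.ssid else None


@dataclass
class KarmaAP:
    """Rogue AP: answers every probe request by claiming to be the requested
    network, as an open network, and keeps the names it was asked for as a
    map of where the victim has been."""
    harvested: list = field(default_factory=list)

    def probe_response(self, requested_ssid):
        self.harvested.append(requested_ssid)
        return (requested_ssid, False)


def auto_join(saved, ap):
    """Simplified client: probe for each remembered network in list order and
    join the first whose response matches the saved profile's security type.
    Returns the SSID joined, or None."""
    for net in saved:
        if not net.auto_connect:
            continue
        response = ap.probe_response(net.ssid)        # probe request -> probe response
        if response == (net.ssid, net.encrypted):
            return net.ssid
    return None


def forget(saved, ssid):
    """The fix the post recommends: drop the one-off hotspot from the list."""
    return [net for net in saved if net.ssid != ssid]


# Constructed victim: an office network, a hotspot used once on a trip, and home.
VICTIM_LIST = [
    SavedNetwork("CorpWiFi", encrypted=True),
    SavedNetwork("Free Airport WiFi", encrypted=False),   # used once, never removed
    SavedNetwork("HomeNet", encrypted=True),
]

if __name__ == "__main__":
    rogue = KarmaAP()
    print("joined:", auto_join(VICTIM_LIST, rogue), "| attacker learned:", rogue.harvested)
    rogue = KarmaAP()
    print("joined:", auto_join(forget(VICTIM_LIST, "Free Airport WiFi"), rogue),
          "| attacker learned:", rogue.harvested)
```

Two things the run shows. The stale open hotspot is enough for the client to associate with the attacker's machine without the user doing anything, which is the hole the post is about. And even the encrypted profiles, which the rogue cannot satisfy, still hand the attacker the names of the networks the laptop knows; pruning the list shrinks both problems.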

Last, never assume that you aren’t compromised.  The chance always exists.  Monitor your systems regularly for irregularities.


Microsoft’s DirectAccess: Reinventing VPN

June 8, 2009

By Tim Cronin

As we know, Virtual Private Networking (VPN) is a technology that allows remote systems to connect to a private network in a secure manner.  This is what Microsoft’s DirectAccess sets out to do as well.  Microsoft is marketing the new remote access tool as something of a revolution, claiming that you can throw the VPN out with the bathwater.  This is not necessarily the case, but DirectAccess may still herald a new generation of VPN technologies.

WHAT IS DirectAccess

DirectAccess is a technology that allows Windows 7 (Enterprise and Ultimate) clients to connect seamlessly to the office LAN through a Windows Server 2008 R2 DirectAccess server, without the user starting any VPN client.  DirectAccess is also used to remotely manage PCs that have no user logged in (for instance, you can push a new update to an idle PC).  This technology comes at a time when there are a multitude of remote access technologies to choose from, so Microsoft is distinguishing itself by saying that DirectAccess is basically a hands-off technology.  The user doesn’t need to do anything except get a network connection and log into the machine as normal; the OS takes care of the rest.

HOW IT WORKS

Despite Microsoft’s marketing, DirectAccess is a VPN technology with new functionality.  For those familiar with configuring VPNs, DirectAccess uses IPsec to tunnel from the remote system to a DirectAccess server.  The DirectAccess server authenticates the computer and, once someone logs on, authenticates the user as well.  Both steps rely on certificates from your PKI (with the option of smart cards for multi-factor authentication of the user).  From here, there are differences in topology and design from which you can choose.  You can use “End to End” (IPsec protection all the way to the application server) or “End to Edge” (IPsec terminates at the DirectAccess server on the perimeter, and traffic then crosses the LAN unprotected).

One key piece of information must be taken into account: DirectAccess uses IPv6 as its preferred protocol.  Clients on the IPv4 Internet reach the server through IPv6 transition technologies (6to4, Teredo or IP-HTTPS), and an intranet that has no native IPv6 needs ISATAP or a NAT64/DNS64 gateway, so you can use IPv4, but there are extra steps you may need to take.  There are several more key points to the connection for which I will refer you to Microsoft’s documentation at http://www.Microsoft.com/servers/directaccess.mspx.

SECURITY CONCERNS

Microsoft has made security the focus of this technology and seems to have been successful.  When it is configured properly and used properly, I can see a step forward.  That being said, DirectAccess does assume some things.  The most glaring is that the first tunnel is established with the computer’s credentials alone, before any user has authenticated.  If a user’s laptop is stolen and not reported in time, it is conceivable that an attacker would have access to your internal network.  Although they may not be able to log into the domain, there is still an IPsec connection between the attacker’s machine and the LAN (at minimum to the domain controllers and management servers that computer-only tunnel is allowed to reach), and the computer certificate that authenticates it lives on the stolen disk.  This makes full disk encryption even more necessary.  Also, the number of technologies involved in getting a connection is a concern: IPsec, the IPv6 transition protocols, certificates, DNS and Group Policy all have to work together, and if any one of them has a vulnerability it can be a problem to say the least.

END OF THE VPN?

All in all, I don’t think DirectAccess will herald the end of the VPN.  I think there may be some changes, but VPN is here to stay for the moment.  The public information on DirectAccess is still a bit hazy on site-to-site connections (in fact, I am not sure it’s possible).  For this reason VPNs are still going to be in use.  Also, remote access VPN technologies, as they exist today, will adapt to new market requirements.  I foresee the major VPN vendors keeping pace with Microsoft.