Virtually Insecure

Warning: remote access VPNs can let predators sneak in

In October 2000, Microsoft discovered that someone had broken into its internal network, evidently using a Trojan horse program to commandeer the PC of an employee who was working remotely.

The widely reported intrusion wasnt just bad publicity for Microsoft. It was a wake-up call to the rest of the industry with a clear message: If youre going to extend access to your network to telecommuters, youd better have the proper security measures in place.

Every time an I-manager grants remote access to the corporate network, that adds another potential point of intrusion. Increasingly, that remote access is offered through a virtual private network, which encrypts data sent over the Internet. The market for VPN software has exploded, with worldwide annual revenue expected to leap from $270 million in 2000 to more than $2 billion in 2004, according to a recent report by Infonetics Research.

Some Internet administrators expect that a healthy VPN alone would be enough to keep the riffraff out. But that could be a costly assumption, industry experts say.

John Kirby, director of enterprise protection strategy at global services company Electronic DataSystems, is determined not to make that mistake. "Weve known for quite a while that our employees who are involved in [remote access] situations into our network represent an exposure," Kirby says. "The problem was that there hadnt been sufficiently robust products on the market [to combat the exposure] that would meet our needs."

EDS, which permits 70,000 of its approximately 120,000 employees to access the network remotely, is in the early stages of rolling out Zone Labs ZoneAlarm Pro personal firewall software, which will be installed on all PCs connecting remotely to the network, in addition to the VPN and antivirus software that the company already uses. Personal firewalls are single-user versions of the traditional server firewall software, meant to manage traffic to and from the PC.

Gregor Freund, Zone Labs CEO, says that there is a misconception about the purpose of VPNs. "VPNs were meant for interoffice communications, such as a branch office communicating with headquarters," he says. "When you have one office talking to another, the end points are presumably secure."

It was soon discovered that VPN technology could be extended to the mobile work force. But a single laptop PC is a different environment from a branch office. While the corporate network is usually protected with several layers of security — firewalls, intrusion detection systems and constant network monitoring by a security professional — many client computers that connect via VPNs usually have no additional security. That could render the VPN an encrypted tunnel not just for the mobile worker, but for any hacker who could penetrate the machine.

"The big danger of [using VPNs] alone is you have no idea if the computer end point is secure at all," Freund says.

This method of attack is actually the new rage among hackers, according to Chris Rouland, director of X-Force, the internal research and development arm at Internet Security Systems. "The way we see hackers breaking in now is by specifically targeting the user of a corporations home user machine and using whats called TCP [Transmission Control Protocol] port redirection," Rouland explains.

That means a hacker only needs to break in once and set up a back door, which allows him to use the compromised PC as nothing more than a router from the Internet into the corporate network.

"Once an attacker is into that VPN connection, he usually finds the hard candy shell with the soft chewy center, and then its just easy for them to hop around," says Rouland, who believes that most broadband users are probed by hackers five to 10 times per day.

Hacker Fodder

Adding fuel to the fire is the continued growth of always-on broadband connections. According to Forrester Research, broadband access in the home will expand from 5 million households in 2000 to more than 46 million in 2005. And while its on and connected, a PC is available for hackers to attack.

"The longer people are logged on, the longer they have the same IP [Internet Protocol] address, the longer the attack window," says Leslie Stern, senior product marketing manager at Check Point Software Technologies.

Broadband providers say its the responsibility of users to take proper security measures. For example, cable broadband provider [email protected] advises its users to turn off the file and print sharing function in Microsoft Windows. For those with a home network, the provider recommends installing personal firewall software.

The problem, Stern says, is that beyond those advisories, most broadband providers wont offer security support.

Fortunately, the issue of making sure VPN-connected computers have additional security is gaining widespread attention these days. Before, it was almost unheard of for firewalls to exist anywhere other than the corporate network. The only people with personal firewalls were techies that knew how to set one up.

Now, personal firewalls are packaged with other software or sold right off the shelf. Check Points latest VPN software, for example, includes personal firewall software. Other companies selling PC firewall software include ISS, NetScreen Technologies, SonicWall and WatchGuard Technologies. Some PCs and broadband modems come with firewall software preinstalled. And 3Com has begun embedding firewalls directly on network interface cards, so even if the operating system is vulnerable, a hacker couldnt invade the computer.

In addition, theres intrusion detection software, which was designed to monitor corporate networks but has been extended to individual PCs. Intrusion detection software watches the traffic flowing through the PC to tell if any traffic seems out of the norm, which would then trigger an alert to the user and the administrator.

"People are beginning to realize that products like this are fairly cheap and easy to install, and they cut down the risk of network intrusions," says Chip Mesec, vice president of marketing at, a news and community site for security professionals.

Probably the biggest tool for preventing VPNs from becoming intrusion points is communicating with and educating employees. "Awareness is an important thing that needs to be built into the fabric of what youre doing," EDS Kirby says. EDS devotes at least one week out of each year to educating its work force on security practices.

Zone Labs Freund says that many businesses have been very bad at VPN user education. He suggests a new approach: "You can have multiple policies on the client, where it behaves in different ways depending on what youre currently connected to," he says. For example, if the company allows employees to install Napster, an administrator could set a policy that doesnt permit Napster to run while users are connected to the VPN.

Ronald Sable, vice president of public sector practice at managed security provider Guardent, says that most mobile users are conscientious and will follow security policies if they know what they are and how to apply them.

"You should trust your employees . . . because you cant watch over them all the time," he says.