Consider this: If you or an employee is using free Wi-Fi in some local café, in a matter of seconds a hacker can manipulate your machine into a “man-in-the-middle” scenario, where the device is now a conduit that sends data right to the bad guy. Once a device is compromised, login credentials (corporate mail server, bank accounts, LinkedIn.com, Facebook.com, etc.) can be harvested by using SSL Stripping.
Unfortunately, unless trained to detect such intrusions, end users don’t notice anything unusual happening on their devices. To prevent hackers from entering corporate networks via open access hotspots, the following cautionary steps can be taken:
* Use multifactor authentication on VPN connections. Both Google and Facebook support this.
* When working off-site, use a “no split” connection for VPN access. This configuration forces all traffic headed to the Internet to go over the VPN and out to the Internet from there. “No Split” basically means Internet traffic is not split off from the VPN traffic to the office. This strategy also reduces the possibility of a man-in-the-middle situation.
No-split, however, has an obvious downside: it increases traffic volumes on the corporate Internet connection. For this reason, it should be reserved for use in highly public areas such as airports or when working on sensitive corporate documents. At home, a regular VPN is usually fine, especially if users are engaged in a lot of personal Web browsing and not connecting to servers that host confidential information. It is a matter of balancing risk: the end user needs to consider the environment they are in before deciding to make a VPN connection.
To enforce the use of no-split VPNs, server administrators should ensure that their sensitive servers cannot reach the Internet. Generally, they are blocked at the Internet router. Scheduled access can be granted for updates then blocked again once the updates are complete.
* If public Wi-Fi access is necessary, refrain from conducting any financial activities or visiting sites where you need to enter login information. Instead use a cellular connection for bank transactions when it is absolutely necessary. Pick up a mobile hot spot device from your cellular provider if you need to access protected resources where only public Wi-Fi is available.
Beyond these infrastructure tweaks, here are some additional security tips that bear repeating:
* Use common sense – don’t stick USB keys into your computer that you find on the ground.
* Tablets and smart phones controlled by the company should have a lock code, and they should be configured to allow remote wiping.
* When lost or stolen equipment is reported, VPN appliances should be configured to send the IT department a notification if device traffic continues.
* Some VPN clients can be configured to auto-connect with “no-split” as soon as the PC is turned on. This strategy is a second level security step for users who tend to forget about best security practices.
Ongoing analysis will also help expose malicious activity. Administrators should send flows created by VPN connections to a NetFlow/IPFIX analyzer. Enterprise-level flow collection appliances scour the flows for odd behavior signatures such as:
* Host reputation lookups: Hosts communicating with other hosts with poor Internet reputations
* Observation of TCP flags to uncover various types of network scans
* Comparing current to archived baseline behaviors
* Calculating flow ratios as well as byte/packet counts to unique destinations.
Anomalies carry different weights depending on the severity of the incident. A host found to be violating one or more algorithms will likely end up with a higher index and ultimately gain the attention of a security professional. It isn’t enough to monitor for threats; we have to assume that threats are always on the corporate network. Since NetFlow can be archived, it’s the best forensic tool for investigating anomalies after the event has passed. No VPN environment should be implemented without the collection of flow data, and most major routers and firewalls export NetFlow or IPFIX.
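The weighted index described above can be sketched in a few lines. This is an added example, not code from the article or from any flow-analysis product. The flow tuple layout, addresses, reputation list, baseline counts, weights and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flows: (src, dst, dst_port, cumulative TCP flags, packets, bytes)
SYN = 0x02
FLOWS = [("10.8.0.5", f"192.0.2.{i}", 445, SYN, 1, 60) for i in range(1, 41)]
FLOWS += [
    ("10.8.0.5", "203.0.113.66", 443, 0x1B, 40, 52000),
    ("10.8.0.9", "198.51.100.10", 443, 0x1B, 120, 150000),
    ("10.8.0.9", "198.51.100.11", 993, 0x1B, 30, 20000),
    ("10.8.0.9", "192.0.2.200", 80, SYN, 1, 60),  # one failed connect, not a scan
]
BAD_REPUTATION = {"203.0.113.66"}               # constructed reputation list
BASELINE_DSTS = {"10.8.0.5": 4, "10.8.0.9": 3}  # archived unique-destination counts
WEIGHTS = {"reputation": 50, "syn_scan": 30, "fanout": 20}  # assumed severities
SCAN_MIN_TARGETS = 20  # SYN-only flows to this many distinct targets count as a scan
FANOUT_FACTOR = 5      # how far unique destinations may exceed the baseline
ALERT_THRESHOLD = 50   # index at which an analyst should look at the host

def score_hosts(flows, baseline):
    """Return {host: (index, [violated algorithms])} for each source host."""
    dsts, syn_targets, bad_hits = defaultdict(set), defaultdict(set), defaultdict(set)
    for src, dst, dport, flags, _pkts, _bytes in flows:
        dsts[src].add(dst)
        if flags == SYN:  # only SYN ever seen on the flow: handshake never completed
            syn_targets[src].add((dst, dport))
        if dst in BAD_REPUTATION:
            bad_hits[src].add(dst)
    results = {}
    for host in dsts:
        hits = []
        if bad_hits[host]:
            hits.append("reputation")
        if len(syn_targets[host]) >= SCAN_MIN_TARGETS:
            hits.append("syn_scan")
        if len(dsts[host]) > FANOUT_FACTOR * baseline.get(host, 1):
            hits.append("fanout")
        results[host] = (sum(WEIGHTS[h] for h in hits), hits)
    return results

def alerts(flows, baseline):
    """Hosts whose index reaches the alert threshold, highest index first."""
    scored = score_hosts(flows, baseline)
    return sorted((h for h, (idx, _) in scored.items() if idx >= ALERT_THRESHOLD),
                  key=lambda h: -scored[h][0])

if __name__ == "__main__":
    for host, (index, hits) in score_hosts(FLOWS, BASELINE_DSTS).items():
        print(host, index, hits)
```

A single SYN-only flow (a failed connection) does not raise a host's index; only the combination of many half-open targets, a poor-reputation peer, or a large departure from the archived baseline does.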
So next time you’re enjoying your cup of java and considering connecting to public Wi-Fi, take the cautionary steps to protect your device and data. Your personal and company assets may depend on it.
Michael Patterson, CEO, Plixer International