Managing safe and secure remote connections
By Ed Tittel and James Michael Stewart
This column starts with the premise that companies have a strong and vested interest in securing and managing their telecommuting employees' home office connections to the Internet. In fact, our guiding assumption is that such organizations want to manage and control their remote employees' networks and connections in much the same way that they seek to protect their corporate networks and IS operations from unauthorized access and use. The remote security management problem is not unlike its on-premises equivalent, except that it is far more broadly distributed and must inevitably work with a variety of different connection types and speeds.
Although one might hope to find a whole set of products that combine all the necessary security, access control and connection management features in a single package, a search of offerings available at present is bound to be somewhat disappointing. A quick sanity check against our initial search criteria turned up only three products that met most of those criteria (these are documented in the article entitled "Hitting the Target" at the conclusion of this column).
In fact, most home office connectivity products available today appear to focus on creating and sharing LAN broadband connections such as cable modem or DSL, rather than on protecting or managing such connections. While these kinds of solutions may be desirable for individual home-based or small office users, they are not well suited when it comes to providing centralized control over distributed remote networks or computers and their Internet connections.
It's interesting to consider a "wish list" of features and functions that most savvy IT organizations would like to see in such products before they could take them seriously, and deploy them effectively:
* Secure external management access: Be it to create an initial installation, to download updates or changes, or simply to investigate the state and operating condition of a small home office/remote network access device, support for secure remote access using secure telnet (stelnet) or some encrypted remote access technology would be required. For routers and other manageable network devices, such links often occur through a special sideband dial-up connection. The devices currently available on the marketplace do not support either of these configurations terribly well.
* Centralized security policy management: By and large, the preference in most IT organizations is to define a single security policy and then to take advantage of a mechanism to distribute (and update) that policy as it manifests itself on various networked devices throughout an enterprise. Though remote/small office devices are not alone in failing to support such functionality directly (and instead require reformulation of configuration files at best and instantiation of equivalent settings through some GUI or command-line interface at worst), none of the remote devices currently available offers this capability.
* Remote IP agent capabilities: New developments in mobile IP technology permit workstations (such as laptops) to maintain the same static IP address assignment and use local and remote routers to establish a tunnel from a foreign subnet to a home subnet. This permits end-to-end services such as IPSec, voice over IP, or streaming media, that sometimes require specific IP addresses to be available to work properly. Again, as of this writing no small home office devices support this kind of functionality.
* Basic firewall/bastion host services: These are as necessary for remote users as they are for corporate networks, including packet screening and filtering, proxy services, stateful inspection of application layer protocols and services, network address translation, DHCP and so forth. The picture here is less grim; many currently available remote devices support most or all of these kinds of functions. These functions aren't as amenable to centralized setup and management as most enterprises might like, but at least they're available.
* Remote control/operation: For many IT operations it's eminently desirable that their tech support staff be able to take over and remotely manage or control remote devices, PCs and so forth. At least one currently available small home office device supports this kind of capability, and we expect to see support for this kind of capability burgeon as more service companies form "management partnerships" with equipment vendors, or as enterprises outsource management and technical support of their local and remote networks to service providers.
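The centralized policy management and packet screening items above can be made concrete with a small model. The following Python is an added example written for this column, not code from any vendor product named here: one central policy is rendered into per-device filter rules (expanding a "LAN" placeholder to the device's own subnet), packets are screened first-match with a fail-closed default, and a device's reported rule set is audited for drift from the central policy. The policy, the LAN subnet and the addresses are constructed sample values.

```python
"""Central policy rendered to per-device packet filters, with a drift check."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any destination port
    src: str                 # source CIDR; "LAN" is expanded per device


# Constructed central policy: defined once, distributed to every remote device.
CENTRAL_POLICY = [
    Rule("allow", "tcp", 22, "10.0.0.0/8"),   # management only from the corporate net
    Rule("allow", "tcp", 443, "LAN"),         # LAN clients may reach HTTPS
    Rule("allow", "udp", 53, "LAN"),          # LAN clients may resolve names
    Rule("deny", "any", None, "0.0.0.0/0"),   # default deny for everything else
]


def render(policy: List[Rule], lan_cidr: str) -> List[Rule]:
    """Reformulate the central policy for one device by expanding "LAN"."""
    return [Rule(r.action, r.proto, r.dst_port, lan_cidr if r.src == "LAN" else r.src)
            for r in policy]


def screen(rules: List[Rule], proto: str, dst_port: int, src_ip: str) -> str:
    """First-match packet screening; no matching rule (or no rules) denies."""
    ip = ip_address(src_ip)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        if ip in ip_network(r.src):
            return r.action
    return "deny"


def drift(device_rules: List[Rule], lan_cidr: str,
          policy: List[Rule] = CENTRAL_POLICY) -> Tuple[List[Rule], List[Rule]]:
    """Rules the device carries that policy does not sanction, and policy rules it lacks."""
    expected = render(policy, lan_cidr)
    extra = [r for r in device_rules if r not in expected]
    missing = [r for r in expected if r not in device_rules]
    return extra, missing
```

Running `drift` against what each device reports is the centralized check the column says current devices lack: an unexpected allow rule or a missing default deny shows up as drift rather than going unnoticed.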
I could continue with this list indefinitely, but whereas the preceding items represent core "must-have" requirements, other items tend to fall into the "nice to have" category. Nevertheless, it's plain that small home office device vendors haven't made the remote enterprise their primary sales target. As the potential of this market makes itself known in the next year or two, we expect this situation to change and for centralized management, control and operation of such devices to become commonplace and routine. Even cable companies and DSL providers could benefit from the kind of architecture that helps to protect users not only from external security threats, but also from their own blissful ignorance of basic principles of network security and management!
In the final analysis, it looks like the market for small home office/remote connectivity solutions is heading toward a centrally managed security and connectivity environment for remote locations, but is only taking its first steps in that direction. These baby steps are promising and represent a trend toward making security concerns an important part of managing connections between employers and employees, even when they're off the employers' premises. With the right solution in place, this helps end-users connect remotely with confidence that their locations are protected, while also permitting companies and organizations to rest assured that their remote data and communications are likewise safe and sound.
Hitting the Target
By Ed Tittel and James Michael Stewart
Of all the small home office devices that turned up, most of them included the following features or functions:
* Simple firewall capabilities
* Simple traffic screening on domain name, IP address, or port address
* Network Address Translation (NAT) services
* DHCP for LAN clients
Those products that came closest to meeting our original search criteria also included remote management capabilities, some of which supported centralized management from the vendor, others from a centralized, authorized IS location inside the purchasing organization.
The first product in this category is WatchGuard's Firebox SOHO. It supports DSL, cable or ISDN, but an external modem is required. It can automatically download software and security updates, and no installation or client software is required (the box handles everything from firmware). It can share a single connection with up to 10 users (and is upgradeable to a maximum of 50 users). The Firebox SOHO also acts as a hub for connected systems, and VPN services are available as a recommended, add-on feature. This device is managed remotely by the vendor through a yearly subscription contract, and some configuration control may be gained if the recommended VPN software is also installed.
The second product in this category is McAfee's FireWall ASaP. FireWall ASaP combines the functions of a managed firewall with VPN services, antivirus checks and content filtering capabilities, and it delivers a general security solution that is pre-configured by McAfee to meet your security requirements. As with the WatchGuard product, this product is also managed and monitored by McAfee as needed. Thus, if your needs change, you must contact McAfee to implement such changes and pay for support service on a yearly contract. This device requires a statically assigned IP address and is designed for use with McAfee's ASaP VPN product. Although we were unable to find exact details on the connection types supported, we'd guess that they include cable modem and DSL at a minimum, perhaps along with ISDN and/or analog telephone support, depending on the precise configuration selected.
The third and final set of products in this category comes from Cisco and includes both their 800 and 1700 Series routers. These devices support ISDN, serial connections (Frame Relay, leased lines, X.25 or asynchronous dialup), IDSL and ADSL (modem integrated). Cisco also allows service providers to deploy value-added services, such as security with integrated stateful firewalls and/or IPSec virtual private networks, third-party VPNs, integrated toll-quality voice over IP and differentiated classes of service through Quality of Service features. Cisco recommends setting up these routers using its Cisco 800 Fast Step, a Microsoft Windows-based configuration tool (or by making arrangements with a service provider to do this for you). The Cisco 800 Fast Step software ships with both types of router and is also available on Cisco Connection Online on the World Wide Web. Obviously, relationships with third-party service providers for small home office security and configuration management will involve some kind of service contract or billing relationship, but we find it extremely interesting that Cisco built third parties into this set of product offerings from the get-go. In fact, we expect to see this entire market segment migrate in that direction in the next year or two.
About the authors
Ed Tittel and Michael Stewart are both searchNetworking experts.