<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:media="http://search.yahoo.com/mrss/" version="2.0">

<channel>
	<title>VPN Haus</title>
	
	<link>http://vpnhaus.wordpress.com</link>
	<description />
	<lastBuildDate>Tue, 10 Nov 2009 15:53:48 +0000</lastBuildDate>
	<generator>http://wordpress.com/</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<cloud domain="vpnhaus.wordpress.com" port="80" path="/?rsscloud=notify" registerProcedure="" protocol="http-post" />
<image>
		<url>http://www.gravatar.com/blavatar/e33cdc29c0f8b9506f2c669079e8e2d9?s=96&amp;d=http://s.wordpress.com/i/buttonw-com.png</url>
		<title>VPN Haus</title>
		<link>http://vpnhaus.wordpress.com</link>
	</image>
			<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/VPNHaus" type="application/rss+xml" /><feedburner:emailServiceId xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">VPNHaus</feedburner:emailServiceId><feedburner:feedburnerHostname xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">http://feedburner.google.com</feedburner:feedburnerHostname><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
		<title>Options for 64-bit Windows 7 VPN</title>
		<link>http://vpnhaus.wordpress.com/2009/11/10/options-for-64-bit-windows-7-vpn/</link>
		<comments>http://vpnhaus.wordpress.com/2009/11/10/options-for-64-bit-windows-7-vpn/#comments</comments>
		<pubDate>Tue, 10 Nov 2009 15:53:48 +0000</pubDate>
		<dc:creator>vpnhaus</dc:creator>
				<category><![CDATA[64-Bit]]></category>
		<category><![CDATA[Posts]]></category>

		<guid isPermaLink="false">http://vpnhaus.wordpress.com/?p=733</guid>
		<description><![CDATA[Big news today from Cisco as reported by Network World:
&#160;
“Cisco (NASDAQ: CSCO) is warning customers of its unified communications products that support for Windows 7 won’t be forthcoming until the product’s 8.0 release scheduled for the first quarter of 2010. About a dozen more UC products will not support Windows 7 [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Big news today from Cisco as reported by <em><a href="http://www.networkworld.com/news/2009/110909-windows-7-not-supported-by-cisco-uc-reese.html#comments">Network World</a></em>:</p>
<p>&nbsp;</p>
<p style="padding-left:30px;"><em>“<a href="http://www.networkworld.com/subnets/cisco/">Cisco</a> (NASDAQ: CSCO) is warning customers of its <a href="http://www.networkworld.com/community/hartmann">unified communications</a> products that support for Windows 7 won’t be forthcoming until the product’s 8.0 release scheduled for the first quarter of 2010. About a dozen more UC products will not support Windows 7 until version 8.5, in the third quarter of 2010 and at that time, only the 32-bit version of <a href="http://www.networkworld.com/community/taxonomy/term/7678">Windows 7</a> will be supported.&#8221;</em></p>
<p>&nbsp;</p>
<p>For customers <a href="http://vpnhaus.wordpress.com/windows_7_beta/">who need IPsec 64-bit support</a>, NCP engineering can help you out. The “beta” version of the client is scheduled to go release candidate any day now too.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://vpnhaus.wordpress.com/2009/11/10/options-for-64-bit-windows-7-vpn/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/7eff8d930f6dc55b3def97cce9807151?s=96&amp;d=identicon&amp;r=G" medium="image">
			<media:title type="html">vpnhaus</media:title>
		</media:content>
	</item>
		<item>
		<title>Rethink Remote Access Planning: Joerg Gerscheutz’s Advice</title>
		<link>http://vpnhaus.wordpress.com/2009/11/09/rethink-remote-access-planning-joerg-gerscheutz%e2%80%99s-advice/</link>
		<comments>http://vpnhaus.wordpress.com/2009/11/09/rethink-remote-access-planning-joerg-gerscheutz%e2%80%99s-advice/#comments</comments>
		<pubDate>Mon, 09 Nov 2009 16:49:10 +0000</pubDate>
		<dc:creator>vpnhaus</dc:creator>
				<category><![CDATA[Rethink Remote Access]]></category>

		<guid isPermaLink="false">http://vpnhaus.wordpress.com/?p=726</guid>
		<description><![CDATA[We are now starting with the next installment of our how to rethink remote access series, focusing on planning. We spoke with networking, security and remote access specialist, Joerg Gerscheutz. Joerg is a Senior Systems Architect at Siemens IT Solutions and Services.
I believe the human factor can never be removed from any technology, not only [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>We are now starting with the next installment of our <a href="http://en.wordpress.com/tag/rethink-remote-access/">how to rethink remote access series</a>, focusing on planning. We spoke with networking, security and remote access specialist, <a href="http://www.linkedin.com/in/joerggerschuetz">Joerg Gerscheutz</a>. Joerg is a Senior Systems Architect at <a href="http://www.it-solutions.siemens.com/b2b/it/en/global/Pages/home.aspx">Siemens IT Solutions and Services</a>.</p>
<blockquote><p>I believe the human factor can never be removed from any technology, not only remote access! Working in the remote access business for more than 10 years now, I always encounter users who are:<br />
- wittingly or unwittingly able to overcome all the implemented measures<br />
- incapable of finding that single button they were presented in the UI and trained a dozen times to hit</p>
<p>And I want to stress another very important aspect: we are only thinking about the remote access user being the &#8220;biggest pain.&#8221; But what about the other side of the fence? There is the human factor, too&#8230; and I think the pain here is as big as on the simple user's side!</p>
<p>Just a few examples:</p>
<p>1) The best user interface, the best physical firewall, the best remote access protocols &#8211; they are all designed and coded by humans, and therefore prone to errors! There is no error-free source code, there is no error-free hardware. With all these solutions we always have possible security issues due to these intrinsic errors!</p>
<p>2) The best remote access overall environment is always designed and implemented by humans, and therefore prone to errors! There is no error-free implementation, because of different interpretations/understandings of the same topic, not reading/understanding documentation or using technology not the way it was intended/designed to just to achieve cheap or fast solutions! &#8230; or simply because of its complexity: Nobody can be a specialist with all jigsaw pieces necessary to get the picture complete, and even if we team up, there are still the interfaces and connections between the single pieces!</p>
<p>3) And as a final thought &#8211; there are always administrative errors, again wittingly or unwittingly. With the best firewall in place and a well settled documentation of its rule-set&#8230; I suppose there is nearly always a discrepancy between this documentation and the implemented rule-set. With the best processes in place you will always find &#8220;cadavers&#8221; in your remote access user's database.</p>
<p>From my perspective there is an apprehensive tendency in absolute belief in technology and neglect of the fact that this technology is man-made and in some (most?) cases so complex that it is not possible any more to overlook all its attributes, features and interfaces and their interaction!</p></blockquote>
</div>]]></content:encoded>
			<wfw:commentRss>http://vpnhaus.wordpress.com/2009/11/09/rethink-remote-access-planning-joerg-gerscheutz%e2%80%99s-advice/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/7eff8d930f6dc55b3def97cce9807151?s=96&amp;d=identicon&amp;r=G" medium="image">
			<media:title type="html">vpnhaus</media:title>
		</media:content>
	</item>
		<item>
		<title>What We’re Reading, Week of 11/2</title>
		<link>http://vpnhaus.wordpress.com/2009/11/06/what-were-reading-week-of-112/</link>
		<comments>http://vpnhaus.wordpress.com/2009/11/06/what-were-reading-week-of-112/#comments</comments>
		<pubDate>Fri, 06 Nov 2009 16:45:25 +0000</pubDate>
		<dc:creator>vpnhaus</dc:creator>
				<category><![CDATA[Highlights]]></category>

		<guid isPermaLink="false">http://vpnhaus.wordpress.com/?p=715</guid>
		<description><![CDATA[The Globe and Mail&#8230;
Businesses Big and Small Weigh Windows 7 Potential
Lynn Greiner discusses some of the features that Microsoft has incorporated in Windows 7 for businesses. One of those features is DirectAccess, which not only allows VPN-free access to the corporate network, it lets the administrator manage those client systems remotely any time they are [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>The Globe and Mail&#8230;<br />
<a href="http://www.theglobeandmail.com/news/technology/windows/businesses-big-and-small-weigh-windows-7-potential/article1325174/">Businesses Big and Small Weigh Windows 7 Potential</a><br />
Lynn Greiner discusses some of the features that Microsoft has incorporated in <a href="http://vpnhaus.wordpress.com/category/windows-7/">Windows 7</a> for businesses. One of those features is DirectAccess, which not only allows VPN-free access to the corporate network, it lets the administrator manage those client systems remotely any time they are connected to the Internet. Administrators should know that since DirectAccess requires IPv6, there needs to be a DNS server that supports AAAA records (which is likely a Windows Server 2008). If users want to connect to older servers on the network that can only cope with IPv4, a device supporting NAT-PT is required to bridge the gap. If you use a standard VPN, it will be enhanced by VPN Reconnect. It automatically and transparently restores a VPN connection after its Internet connection briefly drops. </p>
<p>Information Week&#8230;<br />
<a href="http://www.informationweek.com/news/software/operatingsystems/showArticle.jhtml;jsessionid=CZBJQRA5KTGTXQE1GHPSKH4ATMY32JVN?articleID=221400212&amp;pgno=2&amp;queryText=&amp;isPrev=">Wolfe&#8217;s Den Podcast: Windows 7 Virtually Speaking </a><br />
In this post, Alexander Wolfe looks at some of the ways <a href="http://vpnhaus.wordpress.com/category/windows-7/">Windows 7</a> affects virtual private networks. Alexander feels DirectAccess has a strong usability angle in that it makes administration much easier on a lot of levels, in terms of making sure users are properly audited and are running what they&#8217;re supposed to. He also notes that many people do not believe DirectAccess is &#8220;connecting&#8221; them to their corporate network, which is interesting in terms of overall Internet usage. He suggests what it does is effectively break down the probably false separation most of us make between the &#8220;personal&#8221; (or non-work) Web and one&#8217;s business network.</p>
<p>Tech Republic&#8230;<br />
<a href="http://blogs.techrepublic.com.com/datacenter/?p=1622">What Windows 7 Means to Windows Server Administrators</a><br />
Scott Lowe shares 10 items that Windows server administrators need to know in order to adequately support <a href="http://vpnhaus.wordpress.com/category/windows-7/">Windows 7</a> clients. The list includes New Remote Server Administration Tools, DirectAccess, VPN Reconnect, Offline Domain Join, BranchCache, New Group Policy capabilities, AppLocker, Windows XP Mode adds patching challenges, Domain Name System Security Extensions (DNSSEC) and Windows Deployment Services supports Windows 7 deployments. Scott offers his take on each of these items.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://vpnhaus.wordpress.com/2009/11/06/what-were-reading-week-of-112/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/7eff8d930f6dc55b3def97cce9807151?s=96&amp;d=identicon&amp;r=G" medium="image">
			<media:title type="html">vpnhaus</media:title>
		</media:content>
	</item>
		<item>
		<title>Rethink Remote Access Policy: Evan Francen’s Advice</title>
		<link>http://vpnhaus.wordpress.com/2009/11/03/rethink-remote-access-policy-evan-francens-advice/</link>
		<comments>http://vpnhaus.wordpress.com/2009/11/03/rethink-remote-access-policy-evan-francens-advice/#comments</comments>
		<pubDate>Tue, 03 Nov 2009 17:59:36 +0000</pubDate>
		<dc:creator>vpnhaus</dc:creator>
				<category><![CDATA[Rethink Remote Access]]></category>

		<guid isPermaLink="false">http://vpnhaus.wordpress.com/?p=700</guid>
		<description><![CDATA[The next IT expert to offer insight for our how to rethink remote access series is Evan Francen. Evan, an experienced Information Security leader, is a managing partner at FRSecure LLC. FRSecure is a full-service information security consulting company dedicated to information security education, awareness, application, and improvement. Evan shares his thoughts on remote access [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>The next IT expert to offer insight for our <a href="http://vpnhaus.wordpress.com/category/rethink-remote-access/">how to rethink remote access series</a> is <a href="http://www.linkedin.com/in/evanfrancen">Evan Francen</a>. Evan, an experienced Information Security leader, is a managing partner at <a href="http://www.frsecure.com/">FRSecure LLC</a>. FRSecure is a full-service information security consulting company dedicated to information security education, awareness, application, and improvement. Evan shares his thoughts on remote access policy with us.</p>
<blockquote><p>How would I go about creating my remote access policy?<br />
1) Understand how the business uses remote access<br />
2) Perform a simple risk assessment<br />
3) Write a draft policy with input from management and business units<br />
4) Edit the remote access policy until there is agreement and approval from senior management</p>
<p>What would I include?</p>
<p>Functionally, I would include Approval(s), Version History, Purpose, Audience, and Policy sections at a minimum.</p>
<ul>
<li>Approval(s) (Required) &#8211; If you expect people to do what the policy tells them to do, they need to know who&#8217;s telling them. Management approval gives the information security professional authority to carry out functional control.</li>
<li>Version History (Required) &#8211; Information security policies need to be reviewed on a regular basis. A version history allows reviews and changes to be tracked.</li>
<li>Purpose (Required) &#8211; A simple sentence or two that communicates why the policy exists.</li>
<li>Audience (Required) &#8211; A sentence or two that communicates who must read and comply with the policy. Not all of your users will be remote access users, so not all users need to read the policy.</li>
<li>Policy (Required) &#8211; The meat of the remote access policy. These are the rules that govern remote access. Each rule should be concise and cover a single aspect of your remote access protection.</li>
</ul>
<p>Why?<br />
How else do you plan on documenting and communicating management’s rules to manage the risks involved with remote access? I know you’re not supposed to answer a question with a question, but I couldn’t resist.</p>
<p>The approach you take to enforce your remote access policy is largely dependent upon the culture of your company. Enforcement = Compliance (sort of). Understand that 90% of your users will never read your policy, so you will probably need to be creative in how you approach employee compliance and use your policy as a reference document. Policy compliance is increased through a mix of communication, training, awareness, monitoring and corrections/sanctions.</p></blockquote>
</div>]]></content:encoded>
			<wfw:commentRss>http://vpnhaus.wordpress.com/2009/11/03/rethink-remote-access-policy-evan-francens-advice/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/7eff8d930f6dc55b3def97cce9807151?s=96&amp;d=identicon&amp;r=G" medium="image">
			<media:title type="html">vpnhaus</media:title>
		</media:content>
	</item>
		<item>
		<title>What We’re Reading, Week of 10/26</title>
		<link>http://vpnhaus.wordpress.com/2009/10/30/what-we%e2%80%99re-reading-week-of-1026/</link>
		<comments>http://vpnhaus.wordpress.com/2009/10/30/what-we%e2%80%99re-reading-week-of-1026/#comments</comments>
		<pubDate>Fri, 30 Oct 2009 18:29:27 +0000</pubDate>
		<dc:creator>vpnhaus</dc:creator>
				<category><![CDATA[Highlights]]></category>

		<guid isPermaLink="false">http://vpnhaus.wordpress.com/?p=694</guid>
		<description><![CDATA[InformationWeek&#8230;
Keep Your Laptop Off Our Inadequate Network
In this post, Jonathan Feldman asks why IT people resist end-users bringing their own equipment to the enterprise network. To be able to address issues like this, InformationWeek launched a research survey about end-user device practices in enterprise networks. We look forward to seeing the data and hearing what [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>InformationWeek&#8230;<br />
<a href="http://www.informationweek.com/blog/main/archives/2009/10/keep_your_lapto.html;jsessionid=T1GOXTZTUEHWHQE1GHPCKHWATMY32JVN?cid=RSSfeed_IWK_ALL">Keep Your Laptop Off Our Inadequate Network</a><br />
In this post, Jonathan Feldman asks why IT people resist end-users bringing their own equipment to the enterprise network. To be able to address issues like this, InformationWeek launched a research survey about end-user device practices in enterprise networks. We look forward to seeing the data and hearing what people had to say!</p>
<p>Enterprise Networking Planet&#8230;<br />
<a href="http://www.enterprisenetworkingplanet.com/_featured/article.php/3845966/Build-an-IPSEC-VPN-Without-Losing-Your-Mind.htm">Build an IPSEC VPN Without Losing Your Mind</a><br />
In this article, Charlie Schluting offers some tips on how to build an IPsec VPN. Most people expect to have a difficult time configuring IPsec, but Charlie explains the concepts and makes it a less intimidating process for readers.</p>
<p>InformationWeek&#8230;<br />
<a href="http://www.informationweek.com/blog/main/archives/2009/10/should_your_ent.html;jsessionid=T1GOXTZTUEHWHQE1GHPCKHWATMY32JVN?cid=RSSfeed_IWK_ALL">Should Your Enterprise Network Be An Internet Hot Spot?</a><br />
Alexander Wolfe discusses whether enterprises should open up their networks, effectively turning them into Internet hot spots. With the emergence of both cloud computing and Windows 7, he says this could be a growing trend. Wolfe suggests Microsoft&#8217;s new operating system makes it unnecessary for users to launch VPN clients; instead, discovery and authentication take place automatically in the background anytime and anywhere a user connects to the Internet. Therefore, the average user will now perceive the Internet and his/her corporate network as pretty much one and the same thing. What do you think about the idea of the enterprise network as an Internet hot spot?</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://vpnhaus.wordpress.com/2009/10/30/what-we%e2%80%99re-reading-week-of-1026/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/7eff8d930f6dc55b3def97cce9807151?s=96&amp;d=identicon&amp;r=G" medium="image">
			<media:title type="html">vpnhaus</media:title>
		</media:content>
	</item>
		<item>
		<title>Rethink Remote Access Policy: Travis Fisher’s Advice</title>
		<link>http://vpnhaus.wordpress.com/2009/10/28/rethink-remote-access-policy-travis-fisher%e2%80%99s-advice/</link>
		<comments>http://vpnhaus.wordpress.com/2009/10/28/rethink-remote-access-policy-travis-fisher%e2%80%99s-advice/#comments</comments>
		<pubDate>Wed, 28 Oct 2009 14:44:02 +0000</pubDate>
		<dc:creator>vpnhaus</dc:creator>
				<category><![CDATA[Rethink Remote Access]]></category>

		<guid isPermaLink="false">http://vpnhaus.wordpress.com/?p=687</guid>
		<description><![CDATA[Continuing with our how to rethink remote access series, IT expert Travis Fisher has shared some thoughts on remote access policy with us. Travis is the Executive Vice President of Inacom Information Systems in Salisbury, MD, specializing in developing strong, secure, reliable networks for Delmarva organizations.
I&#8217;d like to discuss something that isn&#8217;t necessarily policy centric, [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Continuing with our <a href="http://vpnhaus.wordpress.com/category/rethink-remote-access/">how to rethink remote access series</a>, IT expert <a href="http://www.linkedin.com/in/travisfisher">Travis Fisher</a> has shared some thoughts on remote access policy with us. Travis is the Executive Vice President of <a href="http://www.inacom-sby.com/">Inacom Information Systems</a> in Salisbury, MD, specializing in developing strong, secure, reliable networks for Delmarva organizations.</p>
<blockquote><p>I&#8217;d like to discuss something that isn&#8217;t necessarily policy centric, but needs to be addressed during implementation. One thing that isn&#8217;t well discussed at this point is who owns the computer during the remote connection and how is it used.</p>
<p>All too often, I see organizations that want remote access, but they do not understand the vulnerabilities that exist when you let an uncontrolled device VPN into your network. At this point, they are behind any access controls and security devices that you have in place. If it&#8217;s a shared PC in the family, you open yourself up to all the threats encountered when people consume all of the content on sites that are inappropriate for the workplace.</p>
<p>If you are going to let remote users connect via VPN, you should have a <a href="http://en.wikipedia.org/wiki/Network_Access_Control">Network Access Control</a> (NAC) solution in place. This will make sure that the device conforms to your security policies.</p>
<p>The general idea is to mitigate the risks associated with granting network access to different classes of users or even to devices that are not directly under the company&#8217;s control. It&#8217;s going to be up to the network administrator to deploy and configure a NAC solution based upon the needs and resources of their organization.</p>
<p>Common policies that NAC enforces include the device having a current antivirus definition and scan, that the device is validated to be a part of the network and granting appropriate resources for the user. In the event that the remote connection request is not in compliance, the device and user are quarantined until problems can be resolved (i.e., the device can have a new AV definition sent to it, missing patches, etc). The overall goal is to meet any security or regulatory needs in a way that minimizes risk given the amount of management resources available to the administrator.</p>
</blockquote>
</div>]]></content:encoded>
			<wfw:commentRss>http://vpnhaus.wordpress.com/2009/10/28/rethink-remote-access-policy-travis-fisher%e2%80%99s-advice/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/7eff8d930f6dc55b3def97cce9807151?s=96&amp;d=identicon&amp;r=G" medium="image">
			<media:title type="html">vpnhaus</media:title>
		</media:content>
	</item>
		<item>
		<title>Rethink Remote Access Policy: Javed Ikbal’s Advice</title>
		<link>http://vpnhaus.wordpress.com/2009/10/26/rethink-remote-access-policy-javed-ikbal%e2%80%99s-advice/</link>
		<comments>http://vpnhaus.wordpress.com/2009/10/26/rethink-remote-access-policy-javed-ikbal%e2%80%99s-advice/#comments</comments>
		<pubDate>Mon, 26 Oct 2009 15:01:33 +0000</pubDate>
		<dc:creator>vpnhaus</dc:creator>
				<category><![CDATA[Rethink Remote Access]]></category>

		<guid isPermaLink="false">http://vpnhaus.wordpress.com/?p=679</guid>
		<description><![CDATA[The next IT expert in our how to rethink remote access series is Javed Ikbal. Javed is the Chief Security Officer at zSquad, an Information Security consulting company in the Boston area. His specialty is building or re-engineering information security programs. Javed has taken some time to share his thoughts on remote access policy.
 
- [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>The next IT expert in our <a href="http://vpnhaus.wordpress.com/category/rethink-remote-access/">how to rethink remote access series</a> is <a href="http://www.linkedin.com/in/javedikbal">Javed Ikbal</a>. Javed is the Chief Security Officer at <a href="http://www.zsquad.com/">zSquad</a>, an Information Security consulting company in the Boston area. His specialty is building or re-engineering information security programs. Javed has taken some time to share his thoughts on remote access policy.</p>
<blockquote><p>- Define who may get remote access and the documentation/authorization for getting that privilege<br />
- Document and define the add/change/delete process<br />
- Define if the VPN can be installed on personally owned HW or not<br />
- Prohibit split tunneling<br />
- Enforce endpoint security (patches, AV, local firewall)<br />
- Activity they can do while connected to the VPN</p></blockquote>
</div>]]></content:encoded>
			<wfw:commentRss>http://vpnhaus.wordpress.com/2009/10/26/rethink-remote-access-policy-javed-ikbal%e2%80%99s-advice/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/7eff8d930f6dc55b3def97cce9807151?s=96&amp;d=identicon&amp;r=G" medium="image">
			<media:title type="html">vpnhaus</media:title>
		</media:content>
	</item>
		<item>
		<title>What We’re Reading, Week of 10/19</title>
		<link>http://vpnhaus.wordpress.com/2009/10/22/what-were-reading-week-of-1019/</link>
		<comments>http://vpnhaus.wordpress.com/2009/10/22/what-were-reading-week-of-1019/#comments</comments>
		<pubDate>Thu, 22 Oct 2009 18:10:02 +0000</pubDate>
		<dc:creator>vpnhaus</dc:creator>
				<category><![CDATA[Highlights]]></category>

		<guid isPermaLink="false">http://vpnhaus.wordpress.com/?p=670</guid>
		<description><![CDATA[Around the blogosphere…
With the release of Windows 7 today, there has been quite a bit of discussion about the new version and its features. We have captured some articles and posts that have shared some insight into what Windows 7 will bring.
HowFunky.com
Why Cisco Isn’t Doing What is Right for the Client
In this post, Ed Horley suggests that [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Around the blogosphere…<br />
With the release of Windows 7 today, there has been quite a bit of discussion about the new version and its features. We have captured some articles and posts that have shared some insight into what Windows 7 will bring.</p>
<p>HowFunky.com<br />
<a title="http://www.howfunky.com/2009/10/why-cisco-isnt-doing-what-is-right-for.html" href="http://www.howfunky.com/2009/10/why-cisco-isnt-doing-what-is-right-for.html">Why Cisco Isn’t Doing What is Right for the Client</a><br />
In this post, <a title="http://twitter.com/ehorley" href="http://twitter.com/ehorley">Ed Horley</a> suggests that Cisco is not doing what is right for their customers by only offering a 32-bit VPN client. Many people have upgraded to Windows 7 and 64-bit and he is frustrated that there is no Cisco supported 64-bit IPSec client for Windows Vista or 7.</p>
<p>Gartner<br />
<a title="http://blogs.gartner.com/brian-gammage/2009/10/15/to-64-bit-or-not-64-bit-by-steve-kleynhans/" href="http://blogs.gartner.com/brian-gammage/2009/10/15/to-64-bit-or-not-64-bit-by-steve-kleynhans/">To 64-bit or Not 64-Bit?</a><br />
Steve Kleynhans says that, with the launch of Windows 7, corporate customers need to start thinking about 64-bit. If it is not the right time to make the move, they should start preparing for the inevitable 64-bit shift. He suggests that at the very least everyone should include one 64-bit environment in their testing matrix. Steve has been using 64-bit and although he hit a showstopper with his corporate VPN, he resolved the issue and has been successfully running a beta VPN client for several months. If you haven’t already, do you think you will make the transition to 64-bit?</p>
<p>Cnet News<br />
<a title="http://news.cnet.com/8301-13860_3-10380143-56.html" href="http://news.cnet.com/8301-13860_3-10380143-56.html">Windows 7 Debuts in New York</a><br />
In this Live Blog, Ina Fried is updating us with what is happening in New York as CEO Steve Ballmer introduces Microsoft&#8217;s newest operating system at a special event. Ballmer and Brad Brooks, Windows’ VP of Marketing, are showing the crowd Windows 7’s coolest features.</p>
<p>The Windows Blog<br />
<a title="http://windowsteamblog.com/blogs/windows7/archive/2009/10/21/what-people-are-saying-about-windows-7.aspx" href="http://windowsteamblog.com/blogs/windows7/archive/2009/10/21/what-people-are-saying-about-windows-7.aspx">What People Are Saying About Windows 7</a><br />
Blogger <a title="http://windowsteamblog.com/members/Brandon-LeBlanc/default.aspx" href="http://windowsteamblog.com/members/Brandon-LeBlanc/default.aspx">Brandon LeBlanc</a> shares with us a <a title="http://www.microsoft.com/windows/social/" href="http://www.microsoft.com/windows/social/">social media “hub” for Windows 7 on Windows.com</a>. This hub is designed to highlight what consumers are saying about <a title="http://vpnhaus.wordpress.com/category/windows-7/" href="../../../../../category/windows-7/">Windows 7</a>, by pulling content from all over the web (via tweets, blog posts, etc.) and bringing it all to one spot. It’s a great (and convenient) tool to see different opinions on W7.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://vpnhaus.wordpress.com/2009/10/22/what-were-reading-week-of-1019/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/7eff8d930f6dc55b3def97cce9807151?s=96&amp;d=identicon&amp;r=G" medium="image">
			<media:title type="html">vpnhaus</media:title>
		</media:content>
	</item>
		<item>
		<title>Rethink Remote Access Policy: Mark David’s Advice</title>
		<link>http://vpnhaus.wordpress.com/2009/10/21/rethink-remote-access-policy-mark-david%e2%80%99s-advice/</link>
		<comments>http://vpnhaus.wordpress.com/2009/10/21/rethink-remote-access-policy-mark-david%e2%80%99s-advice/#comments</comments>
		<pubDate>Wed, 21 Oct 2009 18:20:40 +0000</pubDate>
		<dc:creator>vpnhaus</dc:creator>
				<category><![CDATA[Rethink Remote Access]]></category>

		<guid isPermaLink="false">http://vpnhaus.wordpress.com/?p=666</guid>
		<description><![CDATA[Moving along with our series on how to rethink remote access, IT expert Mark David shares some thoughts on remote access policy. Mark is the Chief Security Officer and Systems Manager at Carta Worldwide, which deploys MasterCard branded prepaid chip cards.
The answer to this, as is often the case with IT solutions, is a multi-layered [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Moving along with our series on how to rethink remote access, IT expert <a href="http://www.linkedin.com/in/madavid">Mark David</a> shares some thoughts on remote access policy. Mark is the Chief Security Officer and Systems Manager at <a href="http://www.cartasolutions.com/">Carta Worldwide</a>, which deploys MasterCard branded prepaid chip cards.</p>
<blockquote><p>The answer to this, as is often the case with IT solutions, is a multi-layered policy approach. For example, instead of having just a VPN account and a password, the user or the user&#8217;s manager must explicitly request access, the resources the user must have access to, and a mandatory maximum age of access past which the account must be renewed or terminated. A certificate to be issued from an issuing service that specializes in this form of distribution or from an in-house site that enforces this maximum age. ACLs and/or RADIUS type policy rules that specify each user&#8217;s authentication AND authorization along with a host of other mechanisms and measures to stop and mitigate threats.</p>
<p>Many administrators and contractors look to certificates to achieve a level of protection of the endpoints by forcing the end users to have a trusted certificate installed before their machine is let inside the network. However, the policy for their deployment can easily be self-defeating by using things like auto-enrollment (<a href="http://en.wikipedia.org/wiki/Active_Directory">Active Directory</a> distribution of certificates automatically to clients) and single sign-on services (most commonly associated with MS Active Directory) so that an attacker who simply gains access to the user&#8217;s laptop while it&#8217;s logged in to the user&#8217;s account can connect remotely with no barrier whatsoever.</p>
<p>When designing an IT solution, it&#8217;s important to keep in mind that to the end users, it&#8217;s a business solution before it&#8217;s a technology solution. This gives rise to the phenomenon of security becoming stronger towards the middle of a connection, furthest away from end users and weaker towards the end points. However, the connection is the least exposed to compromise in the middle and most exposed at the endpoints.</p>
<p>Sure, in an ideal scenario, the goal would be to attain and then maintain trust in a given connection from the very first moment it is provisioned all the way until it is removed from the system. Therefore, the foundation should always be the access policy and the measures enforced by the policy to ensure only a trusted human being is given a connection into the network. Trust in the individual requesting the connection can be attained by methods such as performing an interview and/or requiring managerial authorization. Once trusted, the connection should be fit into an authentication scheme that requires dual-control, i.e., a certificate and a password to make it more difficult for thieves to gain access after stealing a user&#8217;s laptop or some other form of illicit access to a terminal. And yes, NAC can fit in here as well to make sure the hardware and OS maintain a minimal degree of trust, and are free of malicious code. An authorization infrastructure (<a href="http://en.wikipedia.org/wiki/RADIUS">RADIUS</a>, <a href="http://en.wikipedia.org/wiki/TACACS">TACACS</a>+, Active Directory or other) should also be in place and enforcing a policy to allow the user access to only required resources. At the application level, the policy should also enforce specific user rights to the maximum degree of granularity available to the specific application being accessed; a business user, for example, may need to download sales reports, but may have no need to access customers&#8217; private information. While the connection is active, the connecting server(s) should be gathering user event logs which should be monitored at least daily; the purpose behind this is actually prevention—your users should know the corporate IT goons are combing over everything they do when connected, so this will keep them honest when tempted to share their laptop with someone who shouldn&#8217;t have access to it.
Bad password lockouts don&#8217;t need to be very aggressive, but they do need to exist in order to thwart <a href="http://en.wikipedia.org/wiki/Brute_force_attack">brute-force</a> or <a href="http://en.wikipedia.org/wiki/Dictionary_attack">dictionary</a> attacks.</p>
<p>Besides the access control policy, there are, of course, network design considerations. An ideal scenario would include a <a href="http://en.wikipedia.org/wiki/Honeypot_%28computing%29">honeypot</a> and strict separation of production/sensitive servers from infrastructure/client systems. One cheap way to neatly accommodate that is to do what I did for my company which deals with processing credit card transactions—place a multi-role firewall/router (Cisco, Checkpoint, Sonicwall, MS-ISA, etc) as not only the edge security, but also the router for the entire network; that way, traffic flow can be explicitly controlled to and from certain hosts and networks in a seamless, centralized fashion without weakening security or incurring large costs. For example, if one user needs to remotely access systems in the business network but also has a need to download a file from the production network, it would just be a matter of creating an ACL to allow that specific user to access a specific port or protocol on a specific server.</p>
<p>In short, an ideal remote access system is a comprehensive, cradle to grave trust model based on a detailed access policy enforced by the relevant technology.</p></blockquote>
</div>]]></content:encoded>
			<wfw:commentRss>http://vpnhaus.wordpress.com/2009/10/21/rethink-remote-access-policy-mark-david%e2%80%99s-advice/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/7eff8d930f6dc55b3def97cce9807151?s=96&amp;d=identicon&amp;r=G" medium="image">
			<media:title type="html">vpnhaus</media:title>
		</media:content>
	</item>
		<item>
		<title>Rethink Remote Access Policy: Mike Cuppett’s Advice</title>
		<link>http://vpnhaus.wordpress.com/2009/10/19/rethink-remote-access-policy-mike-cuppett%e2%80%99s-advice/</link>
		<comments>http://vpnhaus.wordpress.com/2009/10/19/rethink-remote-access-policy-mike-cuppett%e2%80%99s-advice/#comments</comments>
		<pubDate>Mon, 19 Oct 2009 19:15:19 +0000</pubDate>
		<dc:creator>vpnhaus</dc:creator>
				<category><![CDATA[Rethink Remote Access]]></category>

		<guid isPermaLink="false">http://vpnhaus.wordpress.com/?p=657</guid>
		<description><![CDATA[Continuing with our series on how to rethink remote access, IT expert Mike Cuppett shares his thoughts on remote access policy. Mike is an IT professional with over 20 years of experience in operations, infrastructure and security. A “developer of people and deliverer of services,” Mike writes for IT Security Rookie as well as his [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Continuing with our <a href="http://vpnhaus.wordpress.com/category/rethink-remote-access/">series on how to rethink remote access</a>, IT expert <a href="http://www.linkedin.com/in/mikecuppett">Mike Cuppett</a> shares his thoughts on remote access policy. Mike is an IT professional with over 20 years of experience in operations, infrastructure and security. A “developer of people and deliverer of services,” Mike writes for <a href="http://www.itsecurityrookie.blogspot.com/">IT Security Rookie</a> as well as his <a href="http://www.mikecuppett.blogspot.com/">personal blog</a>. </p>
<blockquote><p>
First, I would not define any specific product solution (hardware or software) within the policy, so that the policy would not have to be updated each time a solution changes.</p>
<p>Second, I would define the needs for remote access and categorize them accordingly. Possible categories include system support employee, general employee, external vendor/consultant, external compliance consultant, etc.</p>
<p>Lastly, document the access allowed and controls deployed for each category.</p>
<p>That&#8217;s pretty high level, but should make for a good start.</p></blockquote>
<p>Mike also suggests checking out the following online book stores: </p>
<p><a href="http://astore.amazon.com/cisspprep-20">CISSP Prep Book Store</a><br />
<a href="http://astore.amazon.com/itsecroo-20">IT Expert Book Store</a> </p>
</div>]]></content:encoded>
			<wfw:commentRss>http://vpnhaus.wordpress.com/2009/10/19/rethink-remote-access-policy-mike-cuppett%e2%80%99s-advice/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/7eff8d930f6dc55b3def97cce9807151?s=96&amp;d=identicon&amp;r=G" medium="image">
			<media:title type="html">vpnhaus</media:title>
		</media:content>
	</item>
	</channel>
</rss>
