Personal firewalls and SOHO routers deliver performance, remote management, security

Distributed organizations, telecommuting, working from home -- no matter how you slice it, the home office represents one of the biggest security headaches IT must face. Companies are finding that it's one thing to protect systems in-house and another thing altogether to enforce standards in the spare bedroom. There's no hard-and-fast solution that will work for everyone, but by taking elementary precautions, businesses can save themselves a lot of headaches on the home front.

Some well-heeled companies may take the maximalist approach by restricting remote employees to using only company-owned PCs for accessing company-provided broadband services. Often these devices have their configurations locked down with little difference from a PC in the company offices. This works to some extent when you have a well-defined and funded telecommuting program. Unfortunately, many companies haven't chosen that path.

In many cases, the telecommuting policies are ad hoc, set up on a case-by-case basis. The employee, rather than the business, may make the arrangements and thus has a sense of ownership. Too often, we see home workers treated with an attitude of "You're on your own." It's understandable to expect a telecommuter to be able to handle basic systems maintenance, but not everyone has the time to become his or her own security expert. The result, as we've seen many times over, is a security breach.

Although the maximalist approach solves some of the biggest issues of supporting the home worker, such as determining who is responsible for maintenance and upgrades, it often ignores the security weaknesses that exist in today's broadband networking options. A big problem is the built-in networking of Windows systems. Notwithstanding the known vulnerabilities of NetBIOS and the various LAN Manager and Windows security schemes, there's a bigger issue: When millions of machines have been configured to the same default settings, it should come as no surprise when someone in Peoria finds his or her system being probed by a computer in Norway.

The emerging personal firewall software market offers several products that address networking vulnerabilities at the desktop level. Leading vendors in this space include Network ICE, Sybergen, Sygate, and Zone Alarm, as well as more familiar companies such as McAfee and Symantec. Good desktop firewalls can be had for free, but most commercial packages cost between $40 and $60 and sometimes include anti-virus capabilities.

These desktop firewalls are a good first step but hardly a complete solution because they don't shield other devices on the network, especially network-attached printers, from remote probing. They do, however, provide a line of protection at the desktop's network interface that we expect will be built in to future operating systems.

SOHO (small office/home office) routers can offer even more protection for the home user by isolating the home network from the broadband connection. Vendors competing in this space include Cisco, Linksys, Ramp Networks, SonicWall, and WatchGuard, with most of their offerings in the $150 to $200 range.

SOHO routers are usually built around an Ethernet hub or switch, and, using DHCP (Dynamic Host Configuration Protocol) and NAT (Network Address Translation), can often support a full Class C network of up to 253 devices in the unroutable 192.168.x.x IP address space. SOHO routers are often compact and managed via a Web browser from the internal (home) network. We prefer that these devices use a 10/100 Ethernet switch to provide better performance on the internal network, though the WAN connection will require only a 10Mbps connection to a cable modem or DSL box.

Most SOHO routers are designed to deliver protection equivalent to a low-end firewall: NAT (network address translation) with TCP port inspection. They can perform some simple filtering tasks and forward requests -- depending on the TCP port -- to a limited number of internal hosts.

Most also offer the ability to place one IP address in a DMZ (demilitarized zone) where none of the router's firewall features apply. This can be useful in videoconferencing, when gaming, or when using other types of applications that don't play well with firewalls. One problem with this approach is that often only one computer at a time can be in the DMZ, so managing this feature may prove troublesome in households with multiple users of these services.

We recommend that users install in home offices both personal firewalls and SOHO routers to present a blanket front to potential intruders. This way, if you have to keep one of your hosts in the DMZ more or less permanently, even that exposed host will have some degree of protection from the nasties.
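
The inbound handling described above (NAT replies, per-port forwarding, a single DMZ host) combined with a personal firewall on the exposed host, as an added Python example that is not from the original article or from any vendor's firmware. The class and function names, the addresses and the port numbers are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class SohoRouter:
    """Toy model of a SOHO router's inbound TCP handling (constructed, not vendor code)."""
    port_forwards: dict = field(default_factory=dict)  # WAN port -> (LAN IP, LAN port)
    dmz_host: Optional[str] = None                     # the single exposed LAN address
    nat_table: dict = field(default_factory=dict)      # WAN port -> (LAN IP, LAN port, remote IP)

    def outbound(self, lan_ip, lan_port, remote_ip):
        """A LAN host opens a connection; the router allocates a WAN-side port for it."""
        wan_port = 40000 + len(self.nat_table)
        self.nat_table[wan_port] = (lan_ip, lan_port, remote_ip)
        return wan_port

    def inbound(self, remote_ip, wan_port):
        """Decide what happens to a TCP segment arriving on the WAN interface."""
        entry = self.nat_table.get(wan_port)
        if entry and entry[2] == remote_ip:        # reply to a connection a LAN host started
            return ("nat-reply", entry[0], entry[1])
        if wan_port in self.port_forwards:         # explicit per-port forwarding rule
            return ("forward",) + self.port_forwards[wan_port]
        if self.dmz_host:                          # everything else lands on the DMZ host
            return ("dmz", self.dmz_host, wan_port)
        return ("drop", None, None)                # unsolicited traffic: LAN stays invisible

def deliver(router, host_rules, remote_ip, wan_port):
    """Apply both layers: the router, then the target's personal firewall.
    host_rules maps LAN IP -> set of allowed inbound ports; a missing key
    means that host runs no personal firewall."""
    action, ip, port = router.inbound(remote_ip, wan_port)
    if action == "drop":
        return "dropped at router"
    if action == "nat-reply":
        return f"reply delivered to {ip}:{port}"
    allowed = host_rules.get(ip)
    if allowed is not None and port not in allowed:
        return f"blocked by personal firewall on {ip}"
    return f"delivered to {ip}:{port}"

if __name__ == "__main__":
    # Constructed sample: documentation-range remote address, 192.168.1.x LAN.
    router = SohoRouter(port_forwards={80: ("192.168.1.10", 80)}, dmz_host="192.168.1.20")
    rules = {"192.168.1.20": {1720}}  # DMZ host's personal firewall allows one port
    for port in (80, 139, 1720):
        print(port, deliver(router, rules, "203.0.113.5", port))
```

With no DMZ host set, the same unsolicited connection to port 139 is dropped at the router; with a DMZ host and no personal firewall on it, the connection reaches that machine directly.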

In our experience, one has to poke too many holes in desktop firewalls for internal networking and application traffic to rely on them completely, but putting a SOHO router in place makes systems invisible from the Internet. Managing SOHO routers remotely may not be for every organization. The safest rule is that if you provide the hardware you should manage it. At a minimum, a SOHO router should permit management through its WAN interface, although we highly recommend using a nonstandard TCP port instead of easily guessed ones such as 8080.

To take device security a step further, identify and change all default passwords when installing SOHO routers and similar border devices. There is no point in spending a few hundred dollars on security, only to leave a back door open for an attacker who can find the passwords published in the documentation.

Securing the home office presents a number of challenges but nothing that can't be overcome with a little well-directed effort. If your company's home and remote workers aren't using SOHO routers to provide an additional layer of security, you're leaking more information than you might want to be. The protection offered by SOHO routers easily covers the cost of installing them.
