Security - Telenor
• Less prone to attack: Since the sensitive data is encrypted, the potential gain from attacking these servers is reduced.
• Cheaper: The servers themselves need not be monitored as closely as servers containing unprotected information.
• Cheaper: It is no longer that critical to upgrade the systems once new vulnerabilities have been discovered.
Of course, in order to prevent Denial of Service attacks when storing protected objects on a server, there is still a need to secure these servers. The point being made is that it is no longer as crucial as for servers where unprotected sensitive information is being stored.
VPN Access to the Corporate Network

The mobile professional computer user needs to be able to connect to the corporate (home) network while being “on the road”. Whatever access technology is used, there is a need to secure the communication channel back to the corporate network. This may be achieved using the VPN technology currently being standardised and implemented. The technology used to build VPN networks is typically IPsec. IPsec offers encryption, authentication and integrity protection services on IP packets, and may be integrated with future PKI and hardware token based security solutions. The user may e.g. be required to use their smartcard in order to gain access to the corporate resources over the network.

The same technologies as described here may be used to secure access to the home networks expected to be implemented in future homes.

The VPN technology needs to be able to adapt to different network interfaces as well as to work transparently with e.g. Mobile IP.
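To make the layering of Figure 2 concrete (the packet labelled MIP Enc. {IPSEC Enc. (IP Ordinary)}), here is an added Python model that is not part of the article: an ordinary IP packet is first ESP-protected towards the security gateway and then tunnelled by Mobile IP to the home agent, and each party on the path can read only its own layer. The addresses, the pre-shared key and the SHA-256 based toy cipher standing in for ESP's real algorithms are constructed assumptions.

```python
import hashlib, hmac, json

# Constructed addresses: the mobile node's home address and care-of address, the home
# agent, the security gateway at the corporate edge, and an internal server.
HOME_ADDR, CARE_OF, HOME_AGENT, SEC_GW, SERVER = (
    "10.1.0.7", "192.0.2.45", "10.1.0.1", "10.1.0.2", "10.1.5.9")
VPN_KEY = b"constructed mobile-node<->security-gateway key"  # assumed pre-shared for this model

def _keystream(key, nonce, n):
    # Toy counter-mode stream from SHA-256; stands in for ESP's real cipher (e.g. AES).
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def esp_protect(key, ordinary, seq):
    """IPSEC Enc. (IP Ordinary): encrypt the ordinary packet, authenticate seq + ciphertext."""
    plain = json.dumps(ordinary).encode()
    nonce = seq.to_bytes(8, "big")
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    icv = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    return {"src": HOME_ADDR, "dst": SEC_GW, "proto": "ESP", "seq": seq, "ct": ct.hex(), "icv": icv}

def esp_unprotect(key, esp):
    """Security gateway side: verify the integrity value first, only then decrypt."""
    nonce, ct = esp["seq"].to_bytes(8, "big"), bytes.fromhex(esp["ct"])
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).hexdigest(), esp["icv"]):
        raise ValueError("ESP integrity check failed: packet dropped")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def mip_encapsulate(esp):
    """MIP Enc. {...}: Mobile IP tunnel header from the care-of address to the home agent."""
    return {"src": CARE_OF, "dst": HOME_AGENT, "proto": "IP-in-IP", "payload": esp}

def wlan_observer_view(outer):
    """What an unauthorised WLAN receiver learns: tunnel and ESP headers, never the payload."""
    esp = outer["payload"]
    return {"tunnel": (outer["src"], outer["dst"]), "esp": (esp["src"], esp["dst"], esp["proto"])}

def home_agent_forward(outer):
    # The home agent strips the MIP tunnel only; it holds no VPN key, so it forwards ESP as-is.
    return outer["payload"]

def end_to_end():
    ordinary = {"src": HOME_ADDR, "dst": SERVER, "proto": "TCP", "data": "GET /payroll"}
    outer = mip_encapsulate(esp_protect(VPN_KEY, ordinary, seq=1))
    return wlan_observer_view(outer), esp_unprotect(VPN_KEY, home_agent_forward(outer))
```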
Multiple Shared “Virtual” VPNs

When wireless access technologies such as 802.11 (Wireless LAN) are implemented, the security assumed to exist in a physically protected cable based network is no longer there. In a large office building with many different companies, WLAN access may be offered as a generic network access service to all. On top of this “generic” network access, each company may build a “Virtual” shared VPN network to protect communication within their own defined security domain. Since unauthorised users may be receiving this radio based communication, special care is needed to protect all communication within this virtual network.
Telektronikk 3.2000

This would be a much more efficient and cheaper solution, compared to the case where each company had to build their own corporate network, WLAN or cable based. In addition, the employees would benefit from having access to the internal corporate network from within WLAN reach of the office building. Moreover, using this Virtual VPN technology combined with mobility, the employees could have transparent secure access to the corporate resources from every access point imaginable.
Currently, firewall solutions are however not well suited to protect such a virtual network. The firewall services need to be integrated on the terminal itself, as stated earlier in this article. IPsec, smartcards and PKI systems are the ideal security technologies to be used to implement the scenario “Multiple shared Virtual VPNs” described above.
Intrusion Detection Systems

Even though you have implemented a local firewall policy, have integrity checking mechanisms in place as well as updated anti-virus software and a partially read-only system installed, there is still a possibility that you may be exposed to successful “hacking attempts”. Even though you may not have been compromised, it is important to detect such activities. (You should know your “enemy”.) Intrusion Detection Systems (IDS) have been designed for exactly this purpose.

There is a need for both network based and host based IDS. In our case, focusing on users using mobile terminals, the network based IDS would be responsible for monitoring all network interfaces against unauthorised activities. The network based IDS may pass this information on to the other parts of the security system on the terminal, e.g. allowing dynamic modification of
[Figure 2 A simple WLAN Virtual VPN technology combined with mobility. Labelled elements: Mobile node, WLAN, Firewall, DMZ, Security gateway, Home agent, NT server, Novell server; packet labels: “IP ordinary”, “IPSEC Enc. (IP Ordinary)”, “MIP Enc. {IPSEC Enc. (IP Ordinary)}”.]