Be safe, go virtual

27 Feb 2003

Meany, Miney & Moe Ltd (not real name) is a pan-global legal firm that straddles the complex yet fast-moving world of corporate law.

Much of its work concerns securing patents as well as investments, mergers and acquisitions for its customers in the competitive sectors of software and pharmaceuticals. This fast-paced world demands that its lawyers and executives travel the globe, often making tough decisions on the move, whether in airports or hotel lobbies.

The competitive nature of the company’s work means that should documents fall into the hands of a competitor, it could be the difference between success and the loss of millions of euro as well as irrevocable damage to a hard-earned reputation. The firm’s lawyers are also on the lookout for corporate espionage: the danger of corporate spies attempting to steal documents or get their hands on sensitive information is a genuine concern.

The remote working nature of the business, with lawyers visiting clients on-site or accompanying them to court hearings, means that a secure route for lawyers to transmit and access important documents on the company’s server is vital. The server is inundated with attacks by hackers all the time and only the most vigilant efforts keep the reputation of the firm intact. The company is evaluating a number of methods for empowering its mobile workforce, one of which is a virtual private network (VPN). As well as this, the company has been evaluating wireless local area networks (WLANs) as a means of enabling hot-desking to complement its mobile workforce.

“A VPN is a proven security mechanism that is robust, secure and ideal for a firm with a mobile workforce,” says Robert Kinsella, solutions marketing manager at Baltimore Technologies. “It means that a worker can go online and access a secure part of the company’s network, virtually, from anywhere using the strongest possible cryptography. VPN technology is essentially an old military technology that the US Department of Defence has recommended as its chosen mechanism.

“However, hacking is getting more sophisticated and we would recommend that people on the move should use stronger means of authentication when accessing a VPN than just a standard username and password. We would recommend that they use digital certificates and other devices such as smart cards and tokens,” Kinsella adds.

VPNs provide relatively inexpensive, secure connections to remote workers, with the necessary hardware and software providing the encryption to protect the user’s data as it crosses the internet. VPNs are either point-to-point or network-based. VPNs are being snapped up by companies that find traditional data technologies such as ATM, Frame Relay and leased lines too expensive. A VPN can be supported over a digital subscriber line (DSL) or standard dial-up service, making it an economically feasible service for small/remote offices and homes. It is also effective for corporate extranets.

Using a VPN for an extranet (a private version of the internet for companies and external partners) has the advantage that each organisation pays for its own internet access service and for any hardware or software required. And in the case of Meany, Miney & Moe and its client base, it means that a special extranet over VPN can be established to support specific projects and to share vital information securely. The setup allows each organisation to use its preferred access method and the appropriate hardware or software solution. “Only the people that need to see the information, whether it’s the lawyers or the mergers and acquisitions team, can see the information and every Excel, Word or Adobe document can be encrypted for added security,” Kinsella explains.

However, in recent months, VPNs have been shown to suffer from vulnerabilities that could shake the most confident of Meany, Miney & Moe’s personnel. A hole was discovered in the point-to-point tunnelling protocol commonly used in the VPN software bundled in Microsoft’s Windows 2000 and XP operating systems for servers and PCs.

Nevertheless, VPNs continue to be regarded as a one-stop solution for many firms’ security concerns. “The advantage of VPNs is that over the internet it means users can use low-cost connectivity such as dial-up or DSL instead of leased line services,” explains David Bolger, technical director at networking firm Entropy. “The only disadvantage is that there is no guaranteed bandwidth. It is as close as possible to the most flawless security solution available today. However, the VPN must be used in tandem with a firm’s firewall to be completely effective. This is a real value proposition for small to medium-sized businesses. It’s very easy to put in place and is cost effective. We recently established a network of remote offices across Europe using this technology. Compared with leased line or other methods, using traditional methods such as dial-up and DSL through a VPN it is possible for a firm to get a return on investment within 18 months.”

The growing proliferation of WLANs such as Wi-Fi has added to the appeal of VPNs, as workers on the move can still access corporate applications or enjoy hot-desking. However, should security weaknesses inherent in the present 802.11b standard of Wi-Fi endanger the strength of VPNs? Not so, says Hugh Marron of IP Options, if proper vigilance is exercised in firms. “With wireless, one small slip could unravel everything. If a firm was to install a WLAN, and at the same time wants to ensure that a VPN is not harmed, the important thing is to keep your WLAN separate from everything else. VPNs are secure and unlikely to be harmed by a hack attack on a WLAN, as long as they are kept apart.”

He continues: “Unfortunately it is near impossible to prevent someone with the right equipment from seeing your wireless network. What is possible is to try to prevent them from gaining access to that wireless network. WLANs should physically be on separate networks and IP [internet protocol] segments to the rest of your LAN – access between the main LAN and the WLAN should be controlled by a firewall. Companies serious about wireless security should scan their own premises and surrounding perimeter regularly. This must be diligently controlled.”

By John Kennedy