SECURITY
FOR TELECOMMUTING
AND BROADBAND
COMMUNICATIONS
Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Both
organizations and their employees can benefit when staff members are able to
access office networks from home or while they are traveling. Today,
broadband communications provide fast data transfer rates, making remote
connections practical and productive. There are risks associated with
remote access to information resources in general, and broadband
communications, if not properly protected, can be especially vulnerable to
intruder attacks. However,
with good planning and careful implementation of sensible guidelines,
organizations can support the popular practice of telecommuting, while
protecting their networks and information resources.
The
National Institute of Standards and Technology (NIST), Information
Technology Laboratory (ITL), recently issued new recommendations to help
fFederal agencies make their
telecommuting applications, broadband connections, and information resources
more secure. While
targeting the Federal community specifically, NIST Special
Publication 800-46, Security for
Telecommuting and Broadband Communications, by D. Richard
Kuhn, Miles C. Tracy, and Sheila E. Frankel, should also
be useful to Federalfederal agencies, individuals,
individuals, the private sector, and other public sector organizations. The
report discusses both technical and policy issues, and provides guidance on using
personal firewalls, strengthening the security of personal computers and web
browsers, protecting home networks, and using virtual private networks. The
appendices include useful checklists for security, software update procedures,
and pointers to additional resources available on the Internet. The
recommendations are available in electronic format from the NIST website:
http://csrc.nist.gov/publications/nistpubs/index.html.
The Risks of Broadband Communications
Employees
working from home and while on the road often need access to long documents,
spreadsheets, streaming video, and other large files. Dial-up access to organizational
systems may be too slow to carry out many of these applications conveniently. Broadband
connections, which supply essentially the same services as dial-up connections
to an Internet service provider (ISP), are much faster. The data transfer rates of
broadband communications can be ten to one hundred times faster than those
provided by dial-up access.
While
this speed is a definite advantage, broadband communications generally
represent a greater threat to system security than dial-up connections. Some
of the same features that attract telecommuters to broadband communications
also attract intruders. Broadband
connections are easier for attackers to exploit because they are often
always
(or usually) on, and may not be protected as well as other information
and computer resources.
When
the broadband connection is on, the system is capable of sending and receiving
data. It
is exposed to potential intruders for much longer periods than is the case with
dial-up connections. If
the computer is turned on in the morning and off in the evening, the connection
time may be 10 – 14 hours a day. Even though the user may be
using the system only a few hours each day, it remains connected to the
Internet and is vulnerable to attack.
Because broadband connections are so much faster than dial-up, intruders can download information from a system in seconds, and the intrusion is not likely to be noticed. Similarly, intruders can transmit viruses or other types of Trojan horse programs without the user detecting the activity.
Intruders
gaining access to a user’s system can steal private information stored on the
system, launch denial- of- service attacks, or cause the system
to distribute pirated software. The protection of sensitive
information on home systems is a serious security concern. Almost all users face a risk
that intruders can read, modify, or delete files on their personal computers. If
the intruder takes over control of the computer, it can be used whenever the
device is online. Intruders
have placed programs on computers operated by both organizations
and
home users with high-speed Internet connections and relatively little
security. The
planted programs have mounted denial-of-service attacks against other sites,
sending messages at a rate too high for the sites to handle, and thus disrupting
the organization’s communications.
There
is a very real risk that this kind of denial-of-service attack may be launched
from home computers in the future. [can we say that home computers have already
been used in distributed DOS?]
What Can Be Done
Federal
agencies and their employees can take a variety of actions to protect the
networks and computers that are used for telecommuting. NIST recommends that:
All home networks connected to the Internet
via a broadband connection should have some firewall device installed. The
first line of defense for the home broadband user is a good network firewall.
Home users may be aware of highly publicized Internet break-ins and denial- of- service attacks, but may not realize
that their systems are vulnerable to such attacks. Many large organizations use
firewalls to reduce the risk of unauthorized access to their networks. A
firewall is a filter that allows certain types of packets, or message
fragments, to enter and exit a network, while rejecting others. Firewalls have now been developed for home
use. “Personal firewalls.” available for home systems, are software add-ins that filter
packets going to and from the communications connection.
All
home networks connected to the Internet via a broadband connection should have
some firewall device installed. Personal software firewalls
installed on each computer are useful and effective, but separate, dedicated,
and relatively inexpensive hardware firewalls that connect between the
broadband connection and the telecommuter’s computer or network can provide
even greater protection. Routers
with built- in firewall features are available at most computer
and electronics stores for $50 to $100. NIST
strongly recommends that organizations consider usinguse both personal
and hardware firewall devices for high-speed connections. When both a software
personal firewall and a separate device are in operation, the organization can generally
screen out intruders and identify any most rogue
software that attempts to transmit messages from the user’s computer to an
external system.
Section 3 of the report provides technical details and information on the features and availability of software personal firewalls.
Web browsers should be configured to limit
vulnerability to intrusion. Web browsers also represent a threat of
security compromise and require additional configuration beyond the default
installation. Web
browsers should be configured to reduce vulnerability to intrusions. Browser
plugins should be limited only to those required by the end user. A browser
plugin is a software application that handles a particular type of file or
content, such as display of documents and video. Each plugin is a potential
source of attack. Active
code should be disabled or used only in conjunction with trusted sites. The
browser should always be updated to the latest or most secure version. Privacy
is always a concern with web browsers. The two greatest threats to this privacy
are the use of cookies and monitoring of web browsing habits of users by third
parties. Cookies can be disabled or selectively removed using a variety of
built-in web browser features or third-party applications.
Section
4 of the report provides details on disabling features in browser software. .
Operating system configuration options
should be selected to increase security. Since many computer tasks require passwords, users should select
passwords that are not easily guessed or cracked. The default configuration of
most home operating systems is generally inadequate from a security standpoint.
File and printer sharing should almost always be disabled unless needed for
home networking. The operating system and major applications should be
updated to include the latest and most secure version or patch level.
All
home computers should have an anti-virus
program installed and configured to scan all incoming files and electronic
mail. The anti-virus program should have its virus
database updated on a regular basis. Another concern for many telecommuters is
the threat to their privacy through the surreptitious installation of spyware
by certain software applications. This spyware, while usually not intended to
be malicious, reports information on users (generally without their knowledge)
back to a third party. This information could be general information about the
user’s system or specifics on their web browsing habits. A variety of programs
are available for detecting and removing this spyware.
Encryption is an
important and powerful method for protecting data in transmission and in
storage. Encryption
should be used when sensitive and critical data are subject to compromise. Commercial
and freeware encryption products are readily available and easy to use. NIST
maintains a list of cryptographic modules that have been validated to conform
to Federal Information Processing Standard (FIPS) 140-2 (see
http://csrc.nist.gov/cryptval/). This
standard is applicable to all fFederal agencies that use cryptographic-based
security systems to protect sensitive information in computer and
telecommunication systems.
This
standard is applicable to all Federal agencies that use cryptographic-based
security systems to protect sensitive unclassified information in computer and
telecommunication systems
(including voice systems).
See
Section 5 of the report for details on operating system security techniques,
including the use of passwords, operating system updates, protection from
viruses and worms, tools for spyware removal, and the use of encryption.
Selection of wireless
and other home networking technologies should be in accordance with security
goals. Several
home networking technologies are available for telecommuters who wish to
connect their home computers together to share resources. Some of these
technologies are the same as their office counterparts (e.g., Ethernet), and
others are designed specifically to meet the needs of telecommuters (e.g.,
phone- and power-line networking). While most of these technologies can be made
relatively secure, some represent a threat to the security of the home network
and, sometimes, of the office network. In particular, wireless
networking has vulnerabilities that should be carefully considered before any
installation. Wireless networking is a
popular and fast- growing
segment of the home networking market. It offers telecommuters the convenience
of easy installation and the ability to stay connected when in their houses and
close-by areas. Wireless networking
broadcasts information that can be intercepted more easily than wired communications.
Security
concerns should be carefully considered before decisions are made to deploy
wireless technology. To
learn more about this technology, see NIST Special
Publication 800-48, Wireless Network
Security: 802.11, Bluetooth, and Handheld Devices (at
http://csrc.nist.gov/publications/http://csrc.nist.gov/publications/nistpubs/index.html).
Section 6 of the report covers the technologies that are available for home networking, including Ethernet, phone-line, power-line, and wireless networking.
Federal agencies should provide
telecommuting users with guidance on selecting appropriate technologies,
software, and tools that are consistent with the agency network and with agency
security policies. Users
have many approaches to choose from in establishing an off-site office. Organizations
can support a range of solutions from low-cost techniques to highly
sophisticated technologies such as virtual private networks (VPNs). VPNs
can provide a high level of security, making it possible for secure
communications to take place over public networks. However, they are more expensive
and complex to implement than other solutions, and must be carefully configured
on both the organization’s central systems and the telecommuter’s system. Because of the complexity of these systems,
users must be informed and supported by their organizations to assure proper
operation.
Whenever
practical, agencies should provide telecommuting users with systems containing
pre-configured security software and necessary hardware. If possible, agency
security administrators should update and maintain the systems as well, to
minimize reliance on users who are not specialists in security features. However,
it may not always financially or logistically practical for agencies to provide
users with pre-configured systems, and it is still possible to maintain an
acceptable level of security with careful implementation of policies and
technology. Many
users, particularly if they do not require interactive access to agency
databases, can obtain an adequate degree of security at very low cost and with
little additional software, easing burdens on both the user and system
administrators at the central computing system.
Sections
7 and 8 provide details on virtual private networks and telecommuting
architectures for voice, electronic mail, and document exchange applications. Section
9 explores organizational considerations for telecommuting security.
Summary
Both
organizations and their staff members benefit when access to computing
resources and office networks is available to those on the road or working from
home. While
remote access to organizational resources always entails risks, most of these
risks can be managed through careful planning and implementation. Although
broadband connections generally represent a greater threat than dial-up
connections, the threat can be reduced through careful configuration and the
judicious use of the security tools and techniques. The benefits and risks of
telecommuting will be important considerations for organizations in the years
ahead.
Supplemental
Information
UPPLEMENTAL
INFORMATION
Under
the Computer Security Act of 1987 (P.L. 100-235), theITL’s
Computer Security Division of the
Information Technology Laboratory (ITL) develops computer security
prototypes, tests, standards, and procedures to protect sensitive information
from unauthorized access or modification. Focus areas include cryptographic
technology and applications, advanced authentication, public key
infrastructure, network security, criteria and assurance, and security
management and support.
NISTITL
issues publications covering research, guidance, standards, and the results of
collaborative outreach efforts with industry, government, and
academic organizations. NIST pPublications
dealing with information security topics, including archived copies of
bulletins, are available in electronic format from the NIST Computer Security
Resource Center at: http://csrc.nist.gov/publications/.
Some publications of general interest covering network security topics include:
NIST Special Publication,
800-31, Intrusion
Detection Systems (IDS), November 2001.
NIST Special Publication 800-40, Recommendations
for Applying
Security Patches, September
2002
NIST Special Publication 800-41, Guidelines on Firewalls and Firewall Policy – a starting point on network security topics, January 2002.
NIST Special Publication 800-44, Guidelines on Securing Public Web Servers, September 2002.
NIST Special Publication 800-45, Guidelines on Electronic Mail Security, September 2002.
NIST
Special Publication 800-47, Security Guide for
Interconnecting Information Technology Systems, September
2002.,
NIST
Special Publication 800-48,:
Wireless Network
Security: 802.11, Bluetooth and Handheld Devices, draft November
2002.
NIST Special Publication 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme, September 2002.
Disclaimer
Any mention
of commercial
products
or reference
to commercial
organizations
is for information
only; it
does not
imply recommendation
or endorsement
by NIST
nor does
it imply
that the
products
mentioned
are necessarily
the best
available
for the
purpose.
U.S. Commerce Department's
Technology Administration.
Last Updated: December 2, 2002