By Ed Tittel and James Michael Stewart This column starts with the premise that companies have a strong and vested interest in securing and managing their telecommuting employees' home office connections to the Internet. In fact, our guiding assumption is that such organizations want to manage and control their remote employees' networks and connections in much the same way that they seek to protect their corporate networks and IS operations from unauthorized access and use. The remote security management problem is not unlike its on-premises equivalent, except that it is far more broadly distributed and must inevitably work with a variety of different connection types and speeds. Although one might hope to find a whole set of products that combine all the necessary security, access control and connection management features in a single package, a search of offerings available at present is bound to be somewhat disappointing. A quick sanity check against our initial search criteria turned up only three products that met most of those criteria (these are documented in the article entitled "Hitting the Target" at the conclusion of this column). In fact, most home office connectivity products available today appear to focus on creating and sharing LAN broadband connections such as cable modem or DSL, rather than on protecting or managing such connections. While these kinds of solutions
Requires Free Membership to View
When you register, you’ll also receive targeted alerts from my team of editorial writers and independent industry experts with the latest news, tips, and advice to help you do your job more efficiently and effectively. Our goal is to keep you informed on the hottest topics and biggest challenges faced by Windows professionals today.
Cathleen A. Gagne, Senior Editorial Director
may be desirable for
individual home-based or small office users, they are not well suited
when it comes to providing centralized control over distributed
remote networks or computers and their Internet connections.
It's interesting to consider a "wish list" of features and functions
that most savvy IT organizations would like to see in such products
before they could take them seriously, and deploy them effectively:
* Secure external management access: Be it to create an initial
installation, to download updates or changes, or simply to
investigate the state and operating condition of a small home
office/remote network access device, support for secure remote access
using secure telnet (stelnet) or some encrypted remote access
technology would be required. For routers and other manageable
network devices, such links often occur through a special sideband
dial-up connection. The devices currently available on the
marketplace do not support either of these configurations terribly
well.
* Centralized security policy management: By and large, the
preference in most IT organizations is to define a single security
policy and then to take advantage of a mechanism to distribute (and
update) that policy as it manifests itself on various networked
devices throughout an enterprise. Though remote/small office devices
are not alone in failing to support such functionality directly (and
instead require reformulation of configuration files at best and
instantiation of equivalent settings through some GUI or command-line
interface at worst), none of the remote devices currently available
offers this capability.
* Remote IP agent capabilities: New developments in mobile IP
technology permit workstations (such as laptops) to maintain the same
static IP address assignment and use local and remote routers to
establish a tunnel from a foreign subnet to a home subnet. This
permits end-to-end services such as IPSec, voice over IP, or
streaming media, that sometimes require specific IP addresses to be
available to work properly. Again, as of this writing no small home
office devices support this kind of functionality.
* Basic firewall/bastion host services are as necessary for remote
users as they are for corporate networks, including packet screening
and filtering, proxy services, stateful inspection of application
layer protocols and services, network address translation, DHCP and
so forth. The picture here is less grim; many currently available
remote devices support most or all of these kinds of functions. These
functions aren't as amenable to centralized setup and management as
most enterprises might like, but at least they're available.
* Remote control/operation: For many IT operations it's eminently
desirable that their tech support staff be able to take over and
remotely manage or control remote devices, PCs and so forth. At least
one currently available small home office device supports this kind
of capability, and we expect to see support for this kind of
capability burgeon as more service companies form "management
partnerships" with equipment vendors, or as enterprises outsource
management and technical support of their local and remote networks
to service providers.
I could continue with this list indefinitely, but whereas the
preceding items represent core "must-have" requirements, other items
tend to fall into the "nice to have" category. Nevertheless, it's
plain that small home office device vendors haven't targeted the
remote enterprise as their primary sales targets. As the potential of
this market makes itself known in the next year or two, we expect
this situation to change and for centralized management, control and
operation of such devices to become commonplace and routine. Even
cable companies and DSL providers could benefit from the kind of
architecture that helps to protect users not only from external
security threats, but also from their own blissful ignorance of basic
principles of network security and management!
In the final analysis, it looks like the market for small home
office/remote connectivity solutions is heading toward a centrally
managed security and connectivity environment for remote locations,
but is only taking its first steps in that direction. These baby
steps are promising and represent a trend toward making security
concerns an important part of managing connections between employers
and employees, even when they're off the employers' premises. With
the right solution in place, this helps end-users connect remotely
with confidence that their locations are protected, while also
permitting companies and organizations to rest assured that their
remote data and communications are likewise safe and sound.
# #
Hitting the Target
By Ed Tittel and James Michael Stewart
* Simple firewall capabilities
* Simple traffic screening on domain name, IP address, or port address
* Network Address Translation (NAT) services
* DHCP for LAN clients Those products that came closest to meeting our original search criteria also included remote management capabilities, some of which supported centralized management from the vendor, others from a centralized, authorized IS location inside the purchasing organization. The first product in this category is WatchGuard's Firebox SOHO. It supports DSL, cable or ISDN, but an external modem is required. It can automatically download software and security updates, and no installation or client software is required (the box handle everything from firmware). It can share a share a single connection with up to 10 users (and is upgradeable to a maximum of 50 users). The Firebox SOHO also acts as a hub for connected systems, and VPN services are available as a recommended, add-on feature. This device is managed remotely by the vendor through a yearly subscription contract, and some configuration control may be gained if the recommended VPN software is also installed. The second product in this category is McAfee's FireWall ASaP (or http://www.mcafeeasap.com/content/vpn_asap/default.asp). FireWall ASaP combines the functions of a managed firewall with VPN services, antivirus checks and content filtering capabilities, and it delivers a general security solution that is pre-configured by McAfee to meet your security requirements. As with the WatchGuard product, this product is also managed and monitored by McAfee as needed. Thus, if your needs change, you must contact McAfee to implement such changes and pay for support service on a yearly contract. This device requires a statically-assigned IP address and is designed for use with McAfee's ASaP VPN product. Although we were unable to find exact details on the connection types support, we'd guess that they include cable modem and DSL at a minimum, perhaps along with ISDN and/or analog telephone support, depending on the precise configuration selected. The third and final set of products in this category comes from Cisco Systems (or http://www.cisco.com/warp/public/cc/pd/rt/1700/) and includes both their 800 and 1700 Series routers. These devices support ISDN, serial connections (Frame Relay, leased lines, X.25 or asynchronous dialup), IDSL and ADSL (modem integrated). Cisco also allows service providers to deploy value-added services, such as security with integrated stateful firewalls and/or IPSec virtual private networks, third-party VPNs, integrated toll quality voice over IP and differentiated classes of service through Quality of Service Features. Cisco recommends setting up these routers by their using Cisco 800 Fast Step, a Microsoft Windows-based configuration tool (or by making arrangements with a service provider to do this for you). The Cisco 800 Fast Step software ships with both types of router and is also available on Cisco Connection Online on the World Wide Web. Obviously, relationships with third-party service providers for small home office security and configuration management will involve some kind of service contract or billing relationship, but we find it extremely interesting that Cisco built third parties into this set of product offerings from the get-go. In fact, we expect to see this entire market segment migrate in that direction in the next year or two. About the authors
Ed Tittel and Michael Stewart are both searchNetworking experts. Click over to ask them a question or read more about them.