Businesses in all industries often need to provide their employees with a way to access their internal networks when they’re away from the office. Such functionality is especially important when employees travel for business, and to assure continuity if a disaster strikes a work site. Remote access is also useful for technical support that’s provided by an off-site party.
It’s vital to keep internal networks secure, for a multitude of reasons. Some industries, such as finance and medicine, deal with highly sensitive data, but the confidentiality and availability of corporate data is vital regardless of industry. Internal network security is easy to overlook until there’s an attack. After one, a company can lose an awful lot of money when equipment is damaged and data is stolen, and a network attack can also expose a company to litigation and reputation damage; consider the payment system attacks on a few major retailers recently. However expensive it is to properly secure a network in the first place, there’s a significant return on investment in the long run.
Nothing can ever be made invincibly secure, but there are a number of ways to provide remote access in a reasonably secure way.
Over the past dozen or so years, many remoting applications have grown in popularity. Some of them have been widely deployed for corporate use. Which application you choose will depend on your budget, what kind of computers you have in your local network, which operating systems they run, the number of employees who will have remote access, and what kind of technology they have at home and while traveling. It’s also vital to consider corporate policies related to IT and the management of data.
Here’s a comparison of a few of the remote access applications I recommend.
TeamViewer is an excellent choice if you’d like online meeting functionality in addition to remote access.
The online meeting features include support for video conferencing and VoIP. Most notebook PCs and newer models of smartphones and tablets have front-facing video cameras these days. So, if you’d like to take advantage of the video conferencing feature, chances are your employees have their own compatible devices to use when they’re away from the office.
TeamViewer can be installed in Windows, OS X, some of the more popular GNU/Linux distros, iOS, Android and Windows Phone 8. So, there’s a lot of platform flexibility both on the desktop end and the mobile end.
If an employee may be using different PCs while they’re away, it’s possible to install a TeamViewer client on a USB stick, which can have their personal configurations on it.
Buy the Business license if you’ll only set up remote access on a handful of computers. The Premium license suits a large number of remoting computers where any individual machine being remoted to has only one session at a time. If you need up to three devices remoting to the same PC simultaneously, you’ll need the Corporate license. Like the other remoting applications I mention here, TeamViewer offers a free trial, and I highly recommend installing it first so you can try TeamViewer in your network and see whether it fits your needs and your technical configuration.
Good encryption for remote sessions is a must. Remote sessions are an attractive target for blackhats, because hijacking one can hand them access to your corporate network. TeamViewer includes a VPN feature. If your network doesn’t have a heavily secured WAN (wide area network) connection, you will need to run remote sessions over a VPN for a reasonable level of security; I get into the security considerations for VPNs later in this article. TeamViewer encrypts sessions with 256-bit AES, with the session key negotiated through an RSA public/private key exchange. A 256-bit key is more than adequate for that purpose, and I prefer remoting applications that offer it.
TeamViewer can be downloaded from their website, http://www.teamviewer.com.
Of all of the remoting applications in the market that use the VNC protocol, RealVNC is the one I recommend.
The main advantage of the VNC protocol, as far as I’m concerned, is that it transmits a pixel-based view of the remote screen. Given the wide variety of screen resolutions between devices, especially mobile ones, your view of a remote session will be as close as possible to what is displayed on the remote machine’s own screen. The downside is that shipping pixels takes more bandwidth than protocols that send drawing commands and let the client render them, as RDP does. Make sure that you have good, stable bandwidth from your internal network if you choose to deploy a VNC remoting application like RealVNC.
RealVNC has all of the functionality of TeamViewer, except that there’s only a chat option for online meetings, no VoIP or video conferencing.
Of the licenses RealVNC sells, I would choose Enterprise, because only the Enterprise license offers 256-bit AES encryption; the other licenses offer 128-bit AES. As mentioned above, I prefer remote sessions encrypted with 256-bit keys. Like TeamViewer, RealVNC offers a free trial, and I recommend using it before committing to the application.
RealVNC supports all of the operating systems TeamViewer does, minus Windows Phone 8, plus a few Unix flavours, including Solaris and AIX. VNC Server must be installed on each computer you want to remote to, which can run Windows, OS X, GNU/Linux or Unix. VNC Viewer is then installed on the device you remote from, which can be any of those OSes plus Android or iOS, for use away from the office.
Like with TeamViewer, I insist on running RealVNC over a VPN or a heavily secured WAN.
RealVNC can be downloaded from their website, http://www.realvnc.com.
LogMeIn products use their own proprietary protocol. Windows and OS X PCs can be remoted to. LogMeIn Hamachi for GNU/Linux is in beta, and I wouldn’t install it on a GNU/Linux PC until a stable release is available. There’s no support for Unix flavours as yet. Whichever LogMeIn application you use, you can remote to your local machine from Windows, OS X, Android or iOS.
The LogMeIn applications that are appropriate for corporate use are Pro and Hamachi. LogMeIn Pro has the features the business versions of TeamViewer and RealVNC have. LogMeIn Hamachi is special, because it can virtualize your entire local network. So, if your Hamachi installation is configured to do so, a remoting employee can access multiple clients and servers in your LAN, not just one particular machine.
Both Pro and Hamachi secure communications with SSL/TLS via OpenSSL. LogMeIn stated that, in response to the Heartbleed bug, the OpenSSL version it uses was tested and updated so that Heartbleed and other major known vulnerabilities are fixed; check that against the vendor’s current advisories rather than taking it on faith. LogMeIn offers a choice of SSL ciphers, and I would choose 256-bit AES. To be clear about why: no botnet brute-forces even a 128-bit AES session key, and rainbow tables are a tool for cracking password hashes, not session keys. What actually weakens an SSL/TLS channel is an old protocol version, a weak cipher suite such as RC4 or an export-grade cipher, or an implementation bug like Heartbleed. So pick the 256-bit AES suite for margin, but spend more of your effort confirming that the product uses a current TLS version and a patched library.
LogMeIn Pro works like the other corporate remoting solutions I’ve mentioned: install the host software on each licensed PC in your local network, and PCs and mobile devices running the LogMeIn client can access those machines individually. Hamachi, because it virtualizes your LAN, instead needs to be installed on a machine in your LAN that acts as the gateway to the clients you’d like to access.
Like all the other products I’ve mentioned, there are free trials available for Pro and Hamachi as well. Definitely run a free trial before you decide to buy the software.
The Importance of a Good VPN
The remoting solutions I’ve mentioned offer VPN functionality. If your corporate network doesn’t have a WAN managed by security-certified professionals, using a VPN is crucial. All of the products I’ve mentioned encrypt their communications, but I don’t believe that alone is enough. Banks, militaries and intelligence agencies run their already encrypted communications through VPNs. Given how affordable and accessible that technology is these days, make sure your company does the same.
A VPN adds a layer of encryption and authentication, and the cost is modest: modern VPN software adds some per-packet overhead and latency, but not the kind of slowdown a multi-hop proxy network imposes.
PPTP, IPsec and SSL/TLS-based VPNs are the common options. Avoid PPTP: its MS-CHAPv2 authentication has been broken in practice, so it offers little real protection. For the best combination of security and ease of configuration, I recommend an SSL/TLS VPN (OpenVPN is the usual open-source example) whenever possible, with IPsec as the alternative.
Like any other computing technology, VPNs have vulnerabilities that should be considered during implementation.
When blackhats scan Internet activity for attractive targets, they may take particular interest in your VPN. Unencrypted or partially encrypted traffic may not look attractive: if it isn’t secret, it may not be a useful find, and it can’t be that important if the parties didn’t bother to encrypt it properly. But a VPN endpoint leads to lucrative, sensitive data in internal networks, often including banking and payment card information.
The devices used to implement VPNs can usually be fingerprinted, sometimes simply because they openly announce their make, model and firmware version in banners or error pages. Once a make and model is known to an attacker, they can research vulnerabilities specific to that device. Suppress version banners where the product allows it, and keep the device’s firmware current.
Just like with any other system that requires username and password authentication, weak credentials will be the weakest point. All of the other security measures become close to useless if an administrator account is “Admin” with “password” or even “p455w0rd” as the password. Change all defaults. Keep in mind that letter/number substitution isn’t a clever method any more: the dictionaries I’ve downloaded for dictionary crackers in the past few years c0nt4in the5e k1nd 0f w0rd5. You want passwords that contain no real words in any human language, a mix of upper and lower case letters, numbers and special characters, and as much of the maximum password length as the system allows. If every username in your network is unique rather than a predictable pattern, so much the better. For good measure, require a password change every six months or so, and add a second authentication factor to VPN logins wherever the product supports it, so that a stolen or guessed password is not enough on its own.
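As an added example (not code from the article or from any of the products it discusses), here is a password policy check that does what the paragraph above asks for: it undoes common letter/number substitutions before comparing against a dictionary, so “p455w0rd” is caught as “password”, and it enforces length and character-class rules. The word list, the substitution table and the 16-character minimum are constructed assumptions for illustration; in practice you would load a real cracking wordlist and use the longest length your VPN or remoting product accepts.

```python
"""Password policy check with leetspeak normalisation.

Added example, not the article's code. WORDLIST and LEET are small
constructed stand-ins; load a real cracking dictionary in production.
"""
import string
from typing import List, Optional

# Constructed mini-dictionary standing in for a real cracking wordlist.
WORDLIST = {"password", "admin", "welcome", "letmein", "summer", "qwerty"}

# Substitutions that cracking dictionaries already include, mapped back to letters.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

MIN_LENGTH = 16   # assumption: use the longest minimum the system allows
MAX_LENGTH = 64   # assumption: the system's hard limit


def normalise(pw: str) -> str:
    """Undo case and leetspeak so 'P455w0rd' compares as 'password'."""
    return pw.lower().translate(LEET)


def contains_dictionary_word(pw: str, min_word_len: int = 4) -> Optional[str]:
    """Return the first dictionary word embedded in the normalised password, if any."""
    norm = normalise(pw)
    for word in sorted(WORDLIST):          # sorted for deterministic results
        if len(word) >= min_word_len and word in norm:
            return word
    return None


def check_password(pw: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if sum(classes) < 4:
        problems.append("needs upper, lower, digit and special characters")
    word = contains_dictionary_word(pw)
    if word:
        problems.append(f"contains dictionary word '{word}' (after undoing substitutions)")
    return problems


if __name__ == "__main__":
    for candidate in ("p455w0rd", "L3tM31n2014!", "Xk9#vQ2!mL7$pR4&"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The normalisation step is the point: a checker that only counts character classes would accept “p455w0rd” as containing lower case, digits and a mix, while a dictionary cracker finds it in seconds.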
VPN communications are subject to man-in-the-middle attacks like any other network communications. Make sure your remoting solution actually verifies the identity of the far end: the client must check the server’s certificate against a trusted CA (or a certificate fingerprint recorded out of band) and refuse to connect, rather than merely warn, on a mismatch. Well designed verification doesn’t make such attacks impossible, but it makes them a lot more difficult, and may make a cracker give up in frustration.
Make sure your remoting application locks accounts after a certain number of failed authentication attempts. A lockout does nothing for the encryption itself; what it stops is an attacker with plenty of computing power and time from guessing passwords online against your VPN login.
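To make the verification above concrete, here is an added example (my own code, not the article’s or any vendor’s) of what a client on an SSL/TLS control channel should enforce: a trusted CA chain, a hostname match, a TLS 1.2 floor, and an optional pin on the server certificate’s SHA-256 fingerprint. `FAKE_DER` is a constructed placeholder, not a real certificate; in deployment the pin is the fingerprint of your own server certificate (or its issuing CA) obtained out of band, and `connect_pinned` is the function you would call against a real host.

```python
"""Far-end verification for a TLS client: CA validation, hostname check,
TLS 1.2 minimum and a certificate pin.

Added example, not code from the article or the products it discusses.
FAKE_DER is a constructed placeholder standing in for a DER certificate.
"""
import hashlib
import hmac
import socket
import ssl
from typing import Dict, Optional


def hardened_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context that rejects unverifiable servers and old protocol versions."""
    ctx = ssl.create_default_context(cafile=ca_file)  # system CA store if ca_file is None
    ctx.check_hostname = True                         # certificate must match server_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED               # no certificate or untrusted chain: abort
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # refuse SSLv3, TLS 1.0 and TLS 1.1
    return ctx


def context_summary(ctx: ssl.SSLContext) -> Dict[str, str]:
    """The settings worth asserting on at start-up or in a test."""
    return {
        "check_hostname": str(ctx.check_hostname),
        "verify_mode": ctx.verify_mode.name,
        "minimum_version": ctx.minimum_version.name,
    }


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate, lowercase hex without colons."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, expected_sha256_hex: str) -> bool:
    """Compare the presented certificate with the pin in constant time."""
    return hmac.compare_digest(cert_fingerprint(der), expected_sha256_hex.lower())


def connect_pinned(host: str, port: int, pin: str, ca_file: Optional[str] = None) -> str:
    """Open a verified TLS connection and additionally enforce the pin.

    Raises ssl.SSLError on a pin mismatch so a caller cannot carry on by
    accident; returns the negotiated protocol version on success.
    """
    ctx = hardened_context(ca_file)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if der is None or not pin_matches(der, pin):
                raise ssl.SSLError("certificate pin mismatch: possible man-in-the-middle")
            return tls.version() or "unknown"


# Constructed placeholder bytes, not a real certificate.
FAKE_DER = b"\x30\x82\x01\x0a" + b"constructed placeholder, not a real certificate"
SAMPLE_PIN = cert_fingerprint(FAKE_DER)

if __name__ == "__main__":
    print(context_summary(hardened_context()))
    print("pin ok:", pin_matches(FAKE_DER, SAMPLE_PIN))
    print("tampered:", pin_matches(FAKE_DER + b"\x00", SAMPLE_PIN))
```

The pin is what defeats an attacker who has obtained a certificate from a CA your client happens to trust; the CA check alone does not. Rotate the pin deliberately when the server certificate is renewed, or the client will correctly refuse to connect.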
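The lockout rule above, worked through as an added example (my own code, not the article’s or any product’s): a sliding-window policy that locks an account after a number of failures and, while locked, refuses even a correct password so the response never reveals whether a guess was right. The log line format and the sample lines are constructed for illustration; a real VPN or remoting product logs in its own format, so the regular expression is an assumption to adapt.

```python
"""Account lockout after repeated failed VPN logins, replayed over auth log lines.

Added example, not the article's code. LINE_RE and SAMPLE_LOG are constructed;
adapt the pattern to whatever your product actually logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed log format: "<ISO timestamp> vpn auth OK|FAIL user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


class LockoutPolicy:
    """Lock an account after max_failures failures inside a sliding window."""

    def __init__(self, max_failures: int = 5,
                 window: timedelta = timedelta(minutes=10),
                 lockout: timedelta = timedelta(minutes=30)) -> None:
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.locked_until: Dict[str, datetime] = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self.locked_until.get(user)
        return until is not None and now < until

    def attempt(self, user: str, password_ok: bool, now: datetime) -> str:
        """Return 'allow', 'deny' or 'locked' for one login attempt."""
        if self.is_locked(user, now):
            # Refuse even a correct password while locked, so the lockout
            # response never tells the attacker whether the guess was right.
            return "locked"
        recent = self.failures[user]
        if password_ok:
            recent.clear()
            return "allow"
        recent.append(now)
        while recent and now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            recent.clear()
            return "locked"
        return "deny"


def replay(lines: List[str], policy: LockoutPolicy) -> List[Tuple[str, str]]:
    """Feed auth log lines through the policy; returns (user, decision) per matching line."""
    decisions: List[Tuple[str, str]] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # lines in other formats are ignored
        now = datetime.fromisoformat(m["ts"])
        decisions.append((m["user"], policy.attempt(m["user"], m["result"] == "OK", now)))
    return decisions


# Constructed sample log: bob's password is being guessed, alice mistypes once.
SAMPLE_LOG = [
    "2014-06-01T09:00:01 vpn auth FAIL user=alice src=198.51.100.7",
    "2014-06-01T09:00:20 vpn auth OK user=alice src=198.51.100.7",
    "2014-06-01T09:01:00 vpn auth FAIL user=bob src=203.0.113.5",
    "2014-06-01T09:01:02 vpn auth FAIL user=bob src=203.0.113.5",
    "2014-06-01T09:01:04 vpn auth FAIL user=bob src=203.0.113.5",
    "2014-06-01T09:01:06 vpn auth FAIL user=bob src=203.0.113.5",
    "2014-06-01T09:01:08 vpn auth FAIL user=bob src=203.0.113.5",
    "2014-06-01T09:01:10 vpn auth OK user=bob src=203.0.113.5",
    "2014-06-01T09:45:00 vpn auth OK user=bob src=192.0.2.10",
]


def run_sample() -> List[Tuple[str, str]]:
    """Replay the constructed log with the default policy."""
    return replay(SAMPLE_LOG, LockoutPolicy())


if __name__ == "__main__":
    for user, decision in run_sample():
        print(user, decision)
```

In the sample, bob’s fifth failure triggers the lock, the correct password two seconds later is still refused, and the login at 09:45 succeeds once the lockout has expired. One caveat a practitioner should weigh: a per-account lockout lets an attacker who knows usernames lock legitimate users out on purpose, so pair it with per-source throttling and a second authentication factor rather than relying on it alone.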
When you configure a remoting system according to the best security practices, your company can enjoy convenience and flexibility without too much risk. Remoting security will continue to evolve, so keep up with the latest products and technologies, or your implementation will lose security through obsolescence.