© 1995-2007 Symantec Corporation.
All rights reserved.
Secure Remote Access

In today’s fast-paced business climate, it’s practically impossible to picture life without mobile technology. Laptop computers (both “wired” and “unwired”) and a dizzying array of new handheld devices have helped usher in a brave new world of on-the-go worker productivity. These same technologies, however, increase small businesses’ exposure to security risks. Indeed, a number of recent threats have focused precisely on remote users. Here’s what you can do to make sure that all remote access to your valuable business data stays secure.

A mobile revolution
Just how much has mobile computing transformed the business landscape? Consider these statistics: According to the U.S. Census Bureau, within three years, 40 percent of all workers will perform a significant part of their job outside of the office. Research firm IDC shows a similar trend and estimates that two-thirds of the U.S. workforce will be considered mobile by 2006.

Reasons for this meteoric growth aren’t hard to find. By one recent estimate, employees with notebook PCs see anywhere from one-half to three hours of increased productivity per week compared to their desktop counterparts. When wireless connectivity is added to those notebooks, the figure increases to as much as 11 hours of additional productivity each week.

At the same time, the latest edition of the Symantec Internet Security Threat Report shows that more complex worms and viruses, known in the antivirus industry as "blended threats", are becoming the attack of choice among Internet vandals. Blended threats combine the characteristics of viruses, worms, Trojan horses, and/or malicious code with methods of exploiting server and Internet vulnerabilities to initiate, transmit, and spread attacks.

Such threats often exploit several different flaws to increase the chance of infecting a computer system. The number of attacks that could be classified as a blended threat in the first half of 2003 was 20 percent higher than in the previous six months, according to the report.

That's bad news for clients that regularly travel outside the perimeter firewall and connect to the network. Why? Because blended threats such as Nimda, Code Red, and Slammer specifically target laptops outside the firewall in order to gain unauthorized network access during an ISP connection. (Laptop users can also become unwitting victims of Distributed Denial of Service, or DDoS, attacks.)

Relying on antivirus software alone is no longer sufficient to protect the client tier. Similarly, relying on a single firewall at the perimeter is no longer sufficient to keep clients protected. Because clients exist both inside and outside of the firewall, they are as vulnerable as any other part of the network and require specific protection.

To be effective, a client security solution must go beyond firewall and privacy control capabilities to include intrusion detection. A client security solution must also include the ability to examine the packets of data entering a computer in order to identify and stop attacks. The client firewall technology needs to call the antivirus software to scan files and applications as it encounters outgoing traffic. If a virus is found, the antivirus technology should call on the firewall to increase the threat level and block the file from exiting the client.

Only by integrating antivirus, firewall, and intrusion detection technologies can an organization properly reduce the risks posed by laptop-enabled remote users.

Safeguarding handhelds
The same precautions need to be taken with your company’s handhelds. These increasingly ubiquitous devices pose a special challenge, however. According to Gartner Dataquest, more than 20 million handheld computers have been sold during the past five years. Many of them are connecting with the network at work, while being used during off-hours to surf the Internet and connect with other compatible devices. Disturbingly, industry experts estimate that virus protection is on only one percent of these devices; the remaining 99 percent are unprotected. This places both business environments and homes at risk.

Protecting handheld devices from viruses, worms, and other malicious threats requires an effective antivirus solution. Before settling on a particular antivirus package, however, make sure it contains all the features you need.

In particular, the antivirus software should provide real-time and on-demand scanning; enable users with a wireless Internet connection to download virus definitions and product updates directly to their device via the Web; have a small footprint that fits in resource-constrained handheld devices and be easy to install; and run real-time scans continuously and unobtrusively in the background.

One more thing: The software should automatically download virus definition updates to the desktop and then transfer the updates to the handheld during the next synchronization.

Securing wireless networks
Increasingly, small and medium-size businesses are embracing notebook PCs and wireless local area networks that support the 802.11b (or Wi-Fi) standard, enabling their employees to stay productive on the road. For many of these companies, the long-held promise of mobile computing, namely a workforce liberated from cords and wires, is coming true. But keep in mind that there are security risks as well as benefits associated with this new technology.

In many respects, wireless technology is still in its “adolescence,” and wireless equipment is often introduced to organizations by individual employees rather than through the IT department or other proper channels. The result of this “backdoor” introduction is that wireless isn’t put through the normal process of understanding a particular technology’s capabilities and limitations before implementation. Too often there is a lack of emphasis on securing this new technology.

Security experts recommend that you outline very specific procedures for the use of wireless devices, including what the devices can and cannot be used for, what can and cannot be stored on them, and what security technology should be on the devices to protect data from being compromised if it is stolen.

Defining policies and standards for wireless is paramount. For example, whenever a wireless LAN is enabled, VPN (virtual private network) technology should be implemented. And notebooks with Wi-Fi capabilities need to have antivirus and firewall protection installed.

But security doesn’t end there. A wireless network can broadcast far outside your building, allowing anyone nearby your installation to eavesdrop on your data. All it takes is a powerful antenna and some widely available hacking software. For that reason, security experts say companies planning to go wireless should follow these additional precautions:

  • Enable WPA encryption. WEP (Wired Equivalent Privacy) encrypts wireless data streams between clients and servers, helping prevent unauthorized users from reading traffic while it's in transit. The bad news: WEP doesn't offer end-to-end security and can be broken easily. The good news: a new, and much stronger, security enhancement called WPA (Wi-Fi Protected Access) is now available. The Wi-Fi Alliance began certifying products for WPA interoperability in April. In addition, all new products submitted for certification after August must have WPA capability. (Note: If you already own wireless networking hardware, upgrading may not be possible. Check the Web sites of your hardware makers for WPA upgrades.)
  • Control the broadcast area and lock each access point. Many wireless access points let you adjust the signal strength. Place your access points as far away as possible from exterior walls and windows. Test the signal strength so you can barely get a connection at these locations. Next, make sure to change the default password on all access points. Use a strong password to protect each access point.
  • Use SSID (Service Set Identifier) intelligently. Buy access points that let you disable SSID broadcasting. This prevents access points from broadcasting the network name and associating with clients that aren't configured with your SSID.
  • Use MAC (Media Access Control) address authentication. If you have a manageable number of wireless users (fewer than 50) and just a few access points, MAC address filtering lets you restrict connections to your access points by specifying the unique hardware address of each authorized device in an access control list, and allowing only those specific devices to connect to your wireless network.
  • Get ready for 802.11i. Currently in development at the IEEE (Institute of Electrical and Electronics Engineers), the 802.11i standard is expected to be available to hardware makers by the middle of next year. Although it will take a few additional months beyond that before 802.11i finds its way into products, manufacturers say the standard is already helping to ease security concerns. For example, 802.11i will incorporate a new encryption technique known as AES (Advanced Encryption Standard), which is expected to offer greater security than the algorithms used in earlier Wi-Fi security standards, including WEP.
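The checklist above can be turned into an automated audit of an access point's configuration. The following Python script is an added example, not part of the original article or any Symantec product: it parses a hostapd-style key=value configuration (hostapd is assumed here as a representative access point daemon; the two configurations and the MAC allowlist are constructed samples), then reports which of the article's precautions the configuration fails: WEP instead of WPA, a broadcast SSID, and a missing MAC address allowlist. The 20-character passphrase threshold is this example's own policy, not a value from the article.

```python
"""Audit a hostapd-style access point configuration against the wireless checklist.

Added example. hostapd option names (wpa, wep_key0, ignore_broadcast_ssid,
macaddr_acl, accept_mac_file, rsn_pairwise) are real hostapd keys; the sample
configurations below are constructed, not taken from any real deployment.
"""
import re

# Constructed sample: the weak configuration (WEP, SSID broadcast on, no MAC allowlist).
WEAK_AP_CONFIG = """\
interface=wlan0
ssid=smallbiz
channel=6
auth_algs=1
wep_default_key=0
wep_key0=1234567890
"""

# Constructed sample: the corrected configuration (WPA2/AES, hidden SSID, MAC allowlist).
HARDENED_AP_CONFIG = """\
interface=wlan0
ssid=smallbiz
channel=6
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-2003
"""

# Constructed sample allowlist: one MAC per line; the third entry is deliberately malformed.
ALLOWLIST = """\
# constructed: laptops issued to staff
00:11:22:33:44:55
aa:bb:cc:dd:ee:ff
00-11-22-33-44-66
01:23:45:67:89:ab
"""

MIN_PASSPHRASE_LEN = 20  # example policy, not from the article
MAX_ALLOWLIST_ENTRIES = 50  # the article's "manageable number" of users
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def parse_hostapd(text):
    """Parse key=value lines; blank lines and '#' comments are ignored.
    A repeated key keeps its last value."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        config[key.strip()] = value.strip()
    return config


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Encryption: any WEP key means traffic can be read off the air.
    if "wep_default_key" in config or any(k.startswith("wep_key") for k in config):
        findings.append("WEP keys configured: replace with WPA")
    wpa = int(config.get("wpa", "0"))  # hostapd: 0=off, 1=WPA, 2=WPA2/RSN, 3=both
    if wpa == 0:
        findings.append("wpa=0: WPA not enabled")
    else:
        if wpa & 2 and "CCMP" not in config.get("rsn_pairwise", ""):
            findings.append("rsn_pairwise lacks CCMP: AES (802.11i) cipher not in use")
        if "WPA-PSK" in config.get("wpa_key_mgmt", "") and \
                len(config.get("wpa_passphrase", "")) < MIN_PASSPHRASE_LEN:
            findings.append(f"wpa_passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
    # SSID: 1 or 2 suppresses the network name in beacons.
    if config.get("ignore_broadcast_ssid", "0") not in ("1", "2"):
        findings.append("ignore_broadcast_ssid=0: SSID is broadcast")
    # MAC filtering: macaddr_acl=1 denies everything not in accept_mac_file.
    if config.get("macaddr_acl") != "1" or "accept_mac_file" not in config:
        findings.append("no MAC address allowlist (macaddr_acl=1 + accept_mac_file)")
    return findings


def check_allowlist(text, max_entries=MAX_ALLOWLIST_ENTRIES):
    """Validate an accept_mac_file. Returns (valid_macs, problems)."""
    macs, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        if MAC_RE.match(line):
            macs.append(line)
        else:
            problems.append(f"line {lineno}: not a colon-separated MAC: {raw.strip()!r}")
    if len(macs) > max_entries:
        problems.append(f"{len(macs)} entries exceed the manageable limit of {max_entries}")
    return macs, problems


if __name__ == "__main__":
    for name, text in (("weak", WEAK_AP_CONFIG), ("hardened", HARDENED_AP_CONFIG)):
        print(name, audit(parse_hostapd(text)) or ["OK"])
    print(check_allowlist(ALLOWLIST))
```

The weak configuration produces four findings and the hardened one none; the allowlist check accepts three devices and rejects the dash-separated entry, which hostapd would not match. The allowlist complements, rather than replaces, the WPA settings: the article recommends both together, and the audit treats either one missing as a failure.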

Conclusion
Smart businesses understand that the risks accompanying the deployment of laptops, handhelds, and wireless networks must be identified and managed. Failure to do so is tantamount to inviting unauthorized network access. The steps outlined above can help you get the most out of these enabling devices, and help ensure that remote access to your network resources stays secure.
