remote access and remote working

Remote Access - Secure Remote Working

- How to do remote access safely and save the planet.


Having remote access is more than just having an office at home. It is the ability to take greater control of your greatest asset - time.

Everyone has a limited amount of time on this planet. Many of us have surprisingly little control of what we do with this time because we are chained to a nine to five existence. Commuting to and from an office job and sitting at a desk between commutes.

Americans spend more than 100 hours commuting to work each year, according to American Community Survey (ACS) data released [in March 2005] by the U.S. Census Bureau. This exceeds the two weeks of vacation time (80 hours) frequently taken by workers over the course of a year. In some countries the numbers are far worse.

To break free of the nine to five existence and work remotely you need to be confident that you can get safe, secure remote access to your work tools and information, whenever and wherever you need them.

One remote access solution that achieves this is Secure VPN Gateway from www.ttc4it.com

Let's take a closer look at the idea of using remote access to work remotely and the benefits it can offer to employees, employers, and the global community we all share.


I started working with Unix 22 years ago and for the past 12 years I've been dedicated to Linux and providing a more Open solution to business problems. By Open I mean solutions that open my client up to take advantage of more possibilities as they become available, as opposed to the solutions from some other vendors that seem to be all about tying their users into a future of reliance on them and only them.

I run an IT company from my office at home. Like many companies my clients are based across the globe and I communicate and work with these clients via the Internet.

Working from home has the primary advantage of increasing the amount of time that I can spend with my family and increasing the amount of available leisure time.

Working from home also provides a significant advantage to my clients. There is no lost time due to travel between offices. If they require assistance outside normal office hours it only takes me 30 seconds to commute from home (upstairs) to the office (downstairs).

But more importantly, remote access gives me the ability to work from anywhere that I can get an Internet connection.

As a person who provides solutions for a living I've found that a solution is not very useful if there is no problem that requires it.

So let's look at today's problems that would benefit from a secure remote access solution.

Increased Profitability

All companies want to be profitable. This requires that they keep their costs under control. A major cost for all companies is the cost of staff and providing an environment that they can happily and safely work from. Consider the cost of running a large office from a central London location. The numbers are mind boggling.

What if you could have the same sized work force but only needed an office half the size? What if you didn't need an office at all?

What could the company do with the money saved:

Providing their staff with remote access to work remotely would allow this to happen.

Ever considered a pay cut?

People do not usually like to consider taking a pay cut. But what if the condition was “Take a pay cut and your employer will relocate you to the location of your choice. Spain, a sunny bay in Australia, New Zealand maybe.”

Working remotely with a secure remote access system would allow you to live almost anywhere.

Retain your valuable staff

Improved staff retention can also be achieved this way. Consider a software development company that is based in Silicon Valley. While based in the Valley their highly skilled staff can switch companies with ease. But if they relocated their staff to a beautiful seaside town, the staff would not only be living in a happy, stress-free environment, they would also be out of reach of competitors.



Benefits of breaking free from a desk

My children have never known life where I kept a nine to five office job. I have always been at home to send them off to school and welcome them home, to take them to swimming lessons in the middle of the day and to attend their various sporting activities.

I get to spend a lot of quality time with my family. Not because I work fewer hours than other dads but because working remotely gives me better control over my time than most other dads.

Since I do not have to be in a corporate office to be on the job I can work when and where it suits me. Whether that be in my office at home, at the beach, or in a cafe on the ski slopes.

I am not alone in recognizing that there are benefits to be had by detaching yourself from the corporate office.

A recent UK survey showed that most employees felt that they would benefit from being able to work via remote access rather than being restricted to working from an office provided by their employer.

UK workers valued the increased time that working from home would allow them to spend with their family the most. Saving money and managing stress levels were also considered to be of great importance.

Health and wellbeing were also important home working considerations, according to the workers surveyed. More than half (54 per cent) said that cutting their commuting by working from home would, or had, led to them having greater control over their productivity and stress levels as well as their workload.

Stephen Beynon, MD, ntl:Telewest Business said, “The home working revolution is continuing to gather pace in this country. The pressures of the rat race mean that many people want to work from home permanently or occasionally.

As more employers make home working an option, so employees are recognizing the impact that commuting and office environments have on our planet and on themselves. Equally, home working can be positive for employers. If your people work from home more, you're likely to have a healthier and more productive workforce, as well as lower office overheads.”

In my view working remotely is more than just working from home. After all, what's the point in trading a desk at the office for a desk at home? The Internet is a global network so why not work from anywhere?

I used to lug my laptop with me wherever I went. It was a heavy unflattering bag that screamed computer nerd at the top of its vinyl lungs. These days I make use of other people's computers and Internet cafes. All I carry now is a tiny USB Ram drive. Getting access via the Internet is simple. Doing it without attracting possible security risks for the systems you are connecting to takes some smart software.

The remote access solution

Five years ago one of my clients came to me for help with solving a remote access problem they were having.

Their VPN (virtual private network) solution used IPSec as a communication standard. Many of their users had routers performing NAT (network address translation) and could not establish an IPSec connection. They also had users who were not computer skilled and struggled with configuring the network settings on the VPN client software. This was resulting in their computer help desk spending many hours talking people through configuring software that ultimately did not work.

The solution I came up with ultimately became the product called “Secure VPN Gateway”.

The advantages of remote access with Secure VPN Gateway are that it will operate over almost any network connection and the Secure VPN Client does not require any configuration at all. What's more, its security mechanism is one of the strongest available, providing excellent protection against Spy Ware that will normally capture user name and password combinations.


Part of the issue is the way we work.

Most people work in an environment where they are paid a salary, i.e. x number of dollars for turning up for a 40 hour week. There is not a direct relationship between the work they perform and the money they get paid. I believe that this leads toward inefficiency in the work place and requires greater management supervision to ensure that work is being performed as required. This is a long way from the ideal environment for sending workers off to work remotely.

To really take advantage of working remotely you need to break out of the salary mold and start getting paid for the work you are doing.

Try breaking your day down into mini projects and assign values to them that relate to your current salary.

Your current day might look like this:

Task Description                  Time    Value
Corporate email correspondence    1:30    50
Meetings                          1:00    30
Processing inward accounts        3:00    60
Reconciling general ledger        1:00    30
Dynamic work                      2:00    50

Once the structure of your day has been agreed and values have been assigned to each task it is over to you to get the work done. The time is now no longer important. The location of where you perform the work is also not important.

If you can perform the task, delivering the required quality of work in less time, it is to your advantage.

With the time you have saved by working more efficiently you may choose to take on more tasks making more money, or you may choose to increase your available leisure hours. As an alternative you could make yourself more valuable to the company by renegotiating your task values down and taking on more work. This would make you more competitive than other workers in your department improving your chances of retaining your job and being offered more work.

You are now in control of your life.

Providing Remote Access

- it's really a question of maintaining security

All companies have some form of security on the front door. There may even be armed guards and chances are the doors will be locked when the office is closed.

Yet so many companies leave the back door open and unguarded, in the form of an Internet accessible network connection.

This happens because it is so easy to open up network access to the Internet. Many companies lack policies and procedures regarding the provision and maintenance of remote access.

So the first step in providing remote access is to come up with a company policy on what is required. Be sure to include the following:

Port Forwarding

Keep firewall port forwarding rules to an absolute minimum.

By far the worst method of providing remote access to your network is by setting up port forwarding rules on your primary firewall.

The reason this is not a good idea is that as the number of port forwarding rules increases it becomes increasingly difficult to maintain security.

Each port forwarding rule enables remote access via every account on the destination system.

So if you have a system with 100 user accounts and you only want to provide 2 people with remote access, using port forwarding would enable access via any of the 100 user accounts on the system.

If you have set up remote access to a variety of systems by installing port forwarding rules onto your primary firewall then disabling a user's remote access is going to be very disruptive and time consuming. You will have to connect to every system that the user can reach via port forwarding, then disable their account on that system. Chances are that these same systems will be accessed by that user from inside your LAN as well. So disabling the account will probably stop them from working completely.

By having all remote access coming through a single gateway and that gateway having separate security credentials to the systems behind it, you will have the ability to shut off remote access without disrupting internal LAN access to the same systems. You can also stop access to all systems by disabling a single access account.

If you must use port forwarding I would encourage you to check your access logs daily. It is only a matter of time before you will start to see basic attacks in the form of hundreds of failed connections. One company I recently worked with was receiving failed ssh logins at a rate of more than 100 per minute.
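The daily log check described above can be automated. The following is an added example, not part of the original article or of Secure VPN Gateway: it reads OpenSSH password-authentication lines from syslog, reports any source that reaches 100 failures in one minute, lists how many account names each source tried, and flags a login accepted after a run of failures. The host name, user names, addresses and the thresholds in the sample are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# OpenSSH password-auth results as written to syslog (auth.log / secure).
LINE_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+\s\d\d:\d\d):\d\d\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(lines):
    """Yield (minute, result, user, ip) for each sshd password event."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["minute"], m["result"], m["user"], m["ip"]

def failure_bursts(lines, per_minute=100):
    """Return [(minute, ip, count)] where one source failed >= per_minute times."""
    counts = Counter((minute, ip) for minute, result, _, ip in parse(lines)
                     if result == "Failed")
    return sorted((minute, ip, n) for (minute, ip), n in counts.items()
                  if n >= per_minute)

def accounts_tried(lines):
    """Map source IP -> set of account names it failed against."""
    tried = defaultdict(set)
    for _, result, user, ip in parse(lines):
        if result == "Failed":
            tried[ip].add(user)
    return dict(tried)

def success_after_failures(lines, min_failures=5):
    """Return [(user, ip, prior_failures)] for logins accepted from a source
    that had already failed at least min_failures times."""
    failed = Counter()
    hits = []
    for _, result, user, ip in parse(lines):
        if result == "Failed":
            failed[ip] += 1
        elif failed[ip] >= min_failures:
            hits.append((user, ip, failed[ip]))
    return hits

def build_sample():
    """Constructed sample log: documentation-range addresses, made-up host and users."""
    names = ["root", "admin", "test", "oracle", "backup", "bob"]
    log = []
    for i in range(120):                      # 120 failures inside one minute
        user = names[i % len(names)]
        invalid = "" if user in ("root", "bob") else "invalid user "
        log.append(f"Mar  4 02:17:{i // 2:02d} gw sshd[{2000 + i}]: Failed password "
                   f"for {invalid}{user} from 203.0.113.7 port {40000 + i} ssh2")
    log.append("Mar  4 02:18:02 gw sshd[2200]: Accepted password for bob "
               "from 203.0.113.7 port 40200 ssh2")
    log.append("Mar  4 09:02:11 gw sshd[3001]: Failed password for alice "
               "from 198.51.100.20 port 40022 ssh2")
    log.append("Mar  4 09:02:19 gw sshd[3001]: Accepted password for alice "
               "from 198.51.100.20 port 40022 ssh2")
    return log

if __name__ == "__main__":
    sample = build_sample()
    for minute, ip, n in failure_bursts(sample):
        print(f"{minute}  {ip}  {n} failed logins in one minute")
    for ip, users in accounts_tried(sample).items():
        print(f"{ip} tried {len(users)} accounts: {sorted(users)}")
    for user, ip, n in success_after_failures(sample):
        print(f"ALERT: {user} accepted from {ip} after {n} failures")
```

A single mistyped password followed by a success, as in the constructed "alice" lines, stays below the threshold and is not flagged.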

Here is Step 2. Provide a turnstile onto your network. A single point of entry through which all remote access must pass. Your method of providing this will require these features:

Full encryption. All communication over the open Internet should be encrypted.


Passwords

Remember, security that relies on user names and passwords is open to attack. Password based security is only as good as your users' efforts in maintaining effective password policies. The more user accounts you have the lower your chances of keeping out unwanted users.

Since user names and passwords can be obtained by Spy Ware, by simply looking over someone's shoulder, or even from security camera footage, it makes sense to have a security feature that cannot be easily captured.

Security can be greatly improved by including a physical component. It is like having a key lock as well as a combination lock on a safe door.

The more access information you keep hidden the better. In the case of Secure VPN Gateway the VPN client kit is generated by the Secure VPN Gateway Server so the user of the client kit never has to know, or enter the access details of the Secure VPN Gateway Server.

The Secure VPN Client kit uses a digital token as its physical key component. This must be validated before the user is prompted to enter a user name and password.

The result of this is that Spy Ware or someone watching over your shoulder will not see the access details of the server you are connecting to. Nor will they see the digital token that was validated prior to the user name and password being entered.

Secure VPN Gateway also associates remote user names with specific security tokens. So employees of the same company, each with Secure VPN Client kits, cannot use each other's client kits.

This gives us Step 3. Devise a way of overcoming the inherent weakness of username password security. This could be done by:

Easy for the end user to use. The simpler it is to use the more people will use it.

Look for targeted access. The network connection that is created between the client and the remote server

Monitoring

There is no escaping the fact that you need to be familiar with who is connecting to your system and what they are accessing. Without this knowledge it will be impossible to spot access patterns that are not normal.

Your remote access turnstile solution should provide access information. Ideally it will highlight anything that it considers unusual, such as login failures and requests to access things that are not authorized for the given user account.

The ultimate solution would provide login activity analysis and warn the VPN client user when activity looks suspicious.

I suggest checking who is connected at a socket level. Become familiar with the “netstat” command. The output from a netstat -a command will give you an insight into what is connected to and from each system. Once you are familiar with what each system's “netstat -a” profile looks like, spotting unusual connections will be easy.
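One way to turn that familiarity into a repeatable check is to save a known-good listing and compare later listings against it. This is an added example, not from the original article: it assumes the column layout of Linux net-tools `netstat -an` (the numeric form of `netstat -a`), and both listings, with their addresses and ports, are constructed samples.

```python
def parse_netstat(text):
    """Parse Linux net-tools `netstat -an` TCP/UDP rows into tuples."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue                          # headers, unix sockets, blank lines
        lhost, lport = f[3].rsplit(":", 1)    # rsplit also copes with ":::22"
        rhost, rport = f[4].rsplit(":", 1)
        state = f[5] if len(f) > 5 else ""    # UDP rows have no state column
        rows.append((f[0], lhost, lport, rhost, rport, state))
    return rows

def profile(text):
    """Reduce a listing to a stable profile. Ephemeral ports are dropped so
    the same conversation compares equal from one snapshot to the next."""
    rows = parse_netstat(text)
    listen = {(p, lport) for p, _, lport, _, rport, st in rows
              if st == "LISTEN" or (p.startswith("udp") and rport == "*")}
    service_ports = {port for _, port in listen}
    inbound, outbound = set(), set()
    for _, _, lport, rhost, rport, st in rows:
        if st != "ESTABLISHED":
            continue
        if lport in service_ports:
            inbound.add((lport, rhost))       # a peer connected to our service
        else:
            outbound.add((rhost, rport))      # this host connected out
    return {"listen": listen, "inbound": inbound, "outbound": outbound}

def unusual(baseline_text, current_text):
    """Return what appears in the current listing but not in the baseline."""
    base, cur = profile(baseline_text), profile(current_text)
    return {k: sorted(cur[k] - base[k]) for k in base}

# Constructed sample: the profile recorded when the system was known to be clean.
BASELINE = """
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:443          198.51.100.20:51514     ESTABLISHED
tcp        0      0 192.0.2.10:45120        192.0.2.53:53           ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# Constructed sample: a later listing with one new listener, one new inbound
# peer and one new outbound destination.
CURRENT = """
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:443          198.51.100.20:52001     ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.7:40200       ESTABLISHED
tcp        0      0 192.0.2.10:46001        192.0.2.53:53           ESTABLISHED
tcp        0      0 192.0.2.10:45999        203.0.113.99:8443       ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

if __name__ == "__main__":
    for kind, items in unusual(BASELINE, CURRENT).items():
        for item in items:
            print(f"new {kind}: {item}")
```

The returning peer 198.51.100.20 is not reported even though its source port changed, because only the service port and remote address are kept in the profile.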

Step 4 is Monitoring. Log files are there for a reason. Focus on records that concern system access. If your remote access gateway logs access information, check it on a daily basis.

Communication

Encourage open communication from your users with remote access. They may be your best form of defense. If they notice anything unusual they need to feel comfortable with reporting what they have seen.

Remote users should treat their remote access information the same as their own credit cards. Losses or security breaches should be reported quickly. The standard response should be to immediately disable the user's remote access to all systems. Then issue new access credentials.

Step 5. Talk to your users. Listen to their reports of anything unusual that has happened during remote access sessions.

Take Action

Once you have a remote access system in place it is important to monitor it for unwanted access. Set the logging to record all user connections and check the logs daily. If you have a guard on the front door then there should be an equivalent guard on the remote access doors as well.

If you find suspicious access records take steps to prevent it from happening again.

Keep the remote access paths to a minimum. Ideally all remote access should pass through a single gateway point in your network. This gives you a single place to monitor who is coming in and when. It also means that if you have to you can block all access quickly.

Step 6. Be ready to act. As soon as you suspect that a security breach has occurred (or is about to occur), close down the account and block the hole.

To facilitate this your remote access gateway needs to provide features that enable accounts to be disabled quickly. Ideally this should not require that the account is deleted.

The latest version of Secure VPN Gateway features a “Panic” button. This button causes all remote access sessions to be immediately terminated. Remote access remains disabled until the “Enable” button is clicked.



Spy Ware the silent threat

Software that runs in the background capturing keyboard and screen information, with the purpose of storing it or sending it on to another system, is referred to as Spy Ware.

The implication of Spy Ware is that any keystrokes you enter via the keyboard or actions you perform with the mouse can be captured and read by someone else. The information captured will show the systems you accessed and the user names and passwords you used to get past the security checks.

This makes the systems you accessed vulnerable to unwanted access.

The worst of it is that the attack may be silent. Silent in that it will not be preceded by failed connection attempts. The attacker will gain access using the correct user name & password combination the first time they try. Typically this form of attack is almost impossible to spot.

Most anti-virus software available today performs checks for Spy Ware. However, there are Spy Ware packages available that claim to be undetectable by leading virus scanning software. It's a game of leapfrog.

Having a physical security token that is not entered via the keyboard or mouse will protect you from attack based on information gathered by Spy Ware.



Economic Impact

The information super highway, as it was billed back in the 1990s, has been slow to arrive in the form of broadband. Many homes now have direct access to the Internet via a broadband connection that provides reasonable communication speeds. However it is still akin to a two lane motorway rather than the “Super Highway” that we expected. This lack of speed and capacity is a major hurdle to companies and individuals rolling out functionality that would greatly encourage high numbers of individuals to work remotely.

In many ways it's a catch-22 situation. Improved functionality will be developed to take advantage of the available capacity. Yet the capacity will only come when the consumers demand it. Of course they will only demand it when they cannot do what they want over the available bandwidth.

The basic problem is that communication networks are typically in the hands of private companies with limited budgets, compared to transport networks, which are typically in the hands of government with vast resources at their disposal.

Consider the road transport system. The demand for this is driven by the use of motor vehicles. Motor vehicles have only basic uses. There is not a lot of scope for bright young developers to come up with new and exciting things to do with your motor car.

So here we have an example of people already having a tool that they understand and rely on and yet being frustrated that they cannot use it in the way they want to. This puts pressure on government to provide a transport network that will enable people to use their cars in a way that will enhance economic growth.

This is fundamentally different to the use of computers on the Internet. Most users have little understanding of the tools that are at their fingertips, and are not tuned in to considering the possibilities of what could be done if only they had a decent high speed connection.

Once you move beyond email and using a web browser you are down to less than 1% of Internet users.

Most businesses are using the Internet as an advertising medium rather than a means of extending the reach of their business tools.

Until you have a clear reliance of economic growth on high speed data communication it is unlikely that governments will get behind the provision of a decent “Information Super Highway”.

Consider the costs involved. How much does it cost to install a kilometer of the highest capacity fiber optic cable in an urban environment (buried urban installation costs much more than rural), compared to the cost of building one kilometer of an eight lane highway (four lanes each way)?

Fibre (120 strand)        8 Lane Highway
$330,000.00 per km        $250,000,000.00 per km

The highway costs 750 times more to install.

Then there are the enormous ongoing costs of a highway based transport system.

Consider these highway related costs:

Apart from line maintenance, the ongoing costs of a data communication network are almost non existent.

Most people know that to make something more profitable you need to reduce its costs and increase its return.

So could entire countries be made more profitable by reducing the use of, and reliance on, transport networks by moving more workers to working remotely over high speed data networks?

Working remotely is also a solution to over population of large cities.

Nearly 20 years ago I listened to an information technology specialist talk about the over population problems faced by Paris, France.

Paris faced a crisis where, due to the pending decline of the rural economy, they faced a migration of 20 million people moving from rural employment to urban employment.

Even back then the solution was for the government to get involved and build the required communication networks to enable companies to set up small satellite communities. This would enable the rural population to stay put and yet gain employment from the cities.

Today the solution is the same but the satellite community is now a virtual community that can span the globe, with individuals working from whatever location they may choose.

We have already seen the isolation walls begin to crumble as people embrace blogs, Facebook, YouTube, Skype, etc. When the tools are made available people do use them.

Easy to use video conferencing and virtual meetings will make the concept of operating a company on a globally distributed model a reality.



Ttc4it.com is the software division of Technology Training Consulting Limited - Wellington, New Zealand.



Ttc4it.com
PO Box 5444
Lambton Quay, Wellington
New Zealand.