These rules will keep users in their place

24.04.2006
As information security professionals, we tend to throw around certain terms when we talk about how information security should be implemented. Lately, when I've gone to meetings or written an e-mail that gives me a chance to evangelize about our security needs, my terms of preference have been "rule of least privilege" and "separation of duties."

The rule of least privilege arises in regard to our client virtual private network. This IPsec VPN, which is operated using Nortel Networks Ltd.'s VPN Gateway, allows our employees to work remotely as if they were on our internal network, with access to most applications, services and internal infrastructure.

In contrast, Secure Sockets Layer VPNs allow the remote use of only those protocols and applications that are supported by the vendor of the SSL VPN. For example, most SSL VPNs won't support the remote use of our implementation of BMC Software Inc.'s Remedy, which we use as our IT service management application. But our client-based IPsec VPN seamlessly allows users to launch Remedy while on the road and connected to our wireless infrastructure.

The limitations of an SSL VPN can actually be desirable. Many of our company's contractors, vendors, suppliers and partners are given access to our portal environment through an SSL VPN, which naturally limits what they can access. But some of them require client VPN access because they need to use applications that aren't available via the SSL VPN.

At the heart of a client VPN are profiles. Currently, we are using a single profile for every user with access to the VPN, and it provides full access to the network. The idea was to provide an officelike environment for remote users, but naturally, we don't want to give full infrastructure access to nonemployees such as partners, suppliers and contractors.

In fact, often there is no good reason to give full-time employees full access to the network. For example, someone in marketing shouldn't be able to access the administrative interface of a production Oracle database containing financial information.
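The shape of the problem in the last two paragraphs, as an added illustration that is not from the column or from Nortel's product: the single full-access profile beside per-group profiles, with a default-deny access check and an audit function that flags profiles granting any port on a wide range. All group names, addresses and ports here are constructed examples.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One permitted destination: a network plus the TCP ports allowed on it."""
    network: ipaddress.IPv4Network
    ports: frozenset = frozenset()      # empty frozenset means "any port"

def rule(cidr, *ports):
    return Rule(ipaddress.ip_network(cidr), frozenset(ports))

# Constructed example profiles (hypothetical addresses, not Nortel's format).
PROFILES = {
    # the single profile described in the text: full access for every VPN user
    "all-users": [rule("10.0.0.0/8")],
    # least-privilege replacements: each group only reaches what its job needs
    "contractor": [rule("10.20.0.0/24", 443)],                 # portal only
    "marketing": [rule("10.10.0.0/16", 80, 443, 445)],          # intranet, file shares
    "dba": [rule("10.30.5.0/24", 22, 1521)],                    # Oracle hosts
}

def is_allowed(profile_name, dst_ip, dst_port):
    """Return True if the profile permits traffic to dst_ip:dst_port."""
    addr = ipaddress.ip_address(dst_ip)
    for r in PROFILES[profile_name]:
        if addr in r.network and (not r.ports or dst_port in r.ports):
            return True
    return False                        # default deny: nothing matched

def overly_broad(profile_name, max_prefixlen=16):
    """Audit check: flag profiles granting any port on a range wider than a /16."""
    return any(not r.ports and r.network.prefixlen < max_prefixlen
               for r in PROFILES[profile_name])

if __name__ == "__main__":
    oracle_admin = ("10.30.5.10", 1521)   # constructed address for the Oracle listener
    for p in ("all-users", "marketing", "dba"):
        print(f"{p:>10} -> Oracle listener reachable: {is_allowed(p, *oracle_admin)}")
    print("profiles needing review:", [p for p in PROFILES if overly_broad(p)])
```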