100 3.1 Preventative Measures for Information Security Managers
be used in combination with other strategies. For example, risk trans-
fer can also refer to shifting a physical risk, or part thereof, elsewhere.
3.1 Preventative Measures for Information
Security Managers
The preventive measures for information security (or InfoSec) managers
to implement as a part of the continuity planning are very important.
They can be organized in terms of Virtual Private Networks (VPNs) and
remote access, firewalls, encryption, intrusion detection and prevention
systems, antivirus, anti-spyware, and anti-spam software, all of which will
be discussed in the following paragraphs.
3.1.1 VPNs and Remote Access
Virtual private networks (VPNs) are “tunnels” between two endpoints that
allow data to be securely transmitted between the nodes and, in many cases,
an extension of a private network. A private network is one where all data
paths are hidden from everyone except a limited group of people, generally
the customers or employees of a company. In theory, the simplest way to
create such a private network would be to isolate it entirely from the Inter-
net. However, for a business with remote location needs, this is clearly not a
practical solution. While it is technically possible to create a private net-
work using frame relay, ATM, or some other leased-line solution, that solu-
tion could easily become cost-prohibitive. Also, that solution may not even
provide the required degree of security needed for the organizations remote
access users.
When using leased lines to establish a private network, another consid-
eration to factor into the mix is what happens when (not if) the line goes
down. This outage situation would cause all connected nodes in the private
network to go “COMM OUT” until the leased line came back up. Clearly,
this is not a practical solution either. What if we wanted to share resources
on the private network with customers? That would not be possible over a
physically separated or isolated network. A remote dial-up server may solve
the problem, but then we would have to question the very concept of “vir-
tual” in our virtual private network.
In todays environment, a VPN makes use of existing infrastructure,
public or private. This may encompass the use of both LANs and WANs.
The transfer of data over a public network is accomplished by using what is
referred to as tunneling technology (further explained below) to encrypt
3.1 Preventative Measures for Information Security Managers 101
Chapter 3
data for secured transmission. The preferred definition of a VPN, as used in
this text, is “a dedicated private network, based on use of existing public
network infrastructure, incorporating both data encryption and tunneling
technologies to provide secure data transport.”
There are several good reasons why organizations choose to use VPNs.
Data security is undoubtedly a prime consideration, but we must also
understand the risks and corresponding trade-offs involved when using
remote access technologies. For example, if a company can provide remote
access to its employees, it is an assumed benefit that they will be able to
access the network and be productive regardless of where they happen to be
physically located when they connect to the VPN. The risk to providing
such remote access is that if the data they are attempting to transmit or
access is not secured in some fashion, it could become compromised
through a variety of means. This may or may not be a devastating issue to
that particular company, but each organization must make such determina-
tions as a matter of deciding the level of risk they are willing to take for pro-
viding a remote access capability.
Most companies today choose to use a technology that fully supports
data protection. This generally means that in order to gain access to the
company network, a remote access user must first authenticate to the
remote host server. Additionally, once an authenticated connection is estab-
lished, the client and host machines jointly establish a shared secure chan-
nel (often referred to as establishing a tunnel) in which to communicate.
The advantage of using this secure channel for communication is that all
subsequent data packets transmitted and received are encrypted to mini-
mize risk of data compromise.
The current VPN growth that has emerged in the industry in the last
couple of years is mostly centered on IP-based networks, such as the Inter-
net. One of the major problems of VPN technologies is that there are a
wide variety of implementation styles and methods, which cause a lot of
confusion when trying to develop a strategy for their use in a company.
Currently, the following VPN implementations are in use:
Router-to-router VPN-on-demand “tunnel” connections between
sites
Router-to-router VPN-on-demand multiprotocol “tunnel” connec-
tions between sites over an IP network
Router-to-router VPN-on-demand encrypted session connections
between sites

Get Business Continuity and Disaster Recovery for InfoSec Managers now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.