2. Your vendor will not sign up to a security SLA. Security breaches are a common occurance these days. There are many well publicised breaches that have cost millions of dollars to cleanup and untold dollars in customer confidence. Yet, for you to compete effectively requires real-time access to store and customer data to make sure shelves are stocked and customers can fly through the checkout lanes. However, the constant movement of data increases your exposure to the risk of data loss. A security SLA will ensure your network provider keeps up with the latest PCI-DSS requirements and will help you sleep better at night. 

3. The quality of Vendor support declines as your contract ages. All vendors promise good customer service, but few can deliver. How long does it take to make a change to your network configuration? How responsive is your Support Representative? When was the last time you received a call from your vendor just to ‘check in”? Is 24×7x365 Level 1 support included in your contract? Retailers are constantly challenged to deliver outstanding customer service. You should receive nothing less from your network provider.

4. Your network prevents you from rolling out innovative revenue generating programs. With consumers spending less during these lean economic times, retailers must get creative in how they capture and maintain the customer relationship. Inevitably this means developing loyalty programs that require customer data during an in-store transaction. If your network is incapable of rapidly delivering data, you will likely be unable to introduce the types of programs that diferentiate you from the competition. A next generation fast, low cost data network will provide the foundation for deploying data intensive programs that increase sales and keep customers.

5. You are constantly hit with unexpected charges and expenses. Running on tight margins, retailers especially, need to have a handle on their network costs. Providers that get your business with a low monthly bid just to “nickel and dime” you throughout the term of the contract make the budgeting and reporting processes difficult at best and create an environment of distrust. Look for data network providers that charge a fixed monthly fee, regardless of the number of network changes or helpdesk calls. Also negotiate with the provider to deploy your network with no up front capital expenses.

Blue Ridge Can Significantly Lower Your Store Connection Costs and Increase Connection Speeds

At a Black Hat Europe Conference last April a team of researchers released tools that can automate attacks on MPLS and Ethernet backbone technologies.  According to one of the researchers,”These technologies do not provide any security themselves, but just rely on the assumption that the underlying network is secure.”

As MPLS VPNs evolved from proprietary networks to supporting internet-based services, so did their risk of attack increase. German researcher Ray says,”Enterprises that use these VPN services should be aware they are vulnerable. Perform risk analysis and encrypt your traffic.  ”Just because it’s called MPLS VPN [doesn't mean] you should [automatically] trust it.”

Many retailers followed their service providers advice and simply migrated from Frame Relay and ATM networks to MPLS.  However, over time the majority of problems meant to be solved by MPLS no longer exist, and holes in the technology are being exploited. 

Total information security for retail data networks is possible.  Solutions using PKI technology, unique digital certificates with mutual mandatory authentication between security appliances, end-to-end data encryption and data integrity checking can provide a standalone data network solution or act as the security layer for
an existing MPLS VPN network.

Retailers need to re-examine wide area networking technologies and topologies as they seek to optimize the security, reliability and cost of their current data network.

Blue Ridge Military Grade VPN, Fully Managed Solution

ActiveX components require admin rights to be installed and upgraded. So, maintaining these ActiveX components requires administrators to centrally manage the components like traditional software. Unfortunately, this defeats the original premise of SSL VPNs: running from browsers from any computer without any desktop management overhead.

The other way to install and upgrade these ActiveX components is to provide end-users admin rights. Unfortunately again, this represents a major security risk. End-users with admin rights tend to operate their PCs at this highest privilege level instead of using a separate least privilege account for every-day use. This generally eases the level of effort required to infest a PC with practically undetectable malware.

Management issues and admin rights aside, when PCs operating in least privilege mode rely on SSL VPN technology, the organization that owns the PCs is exposed to many other risks as well.

SSL VPNs are facilitated by ActiveX and other “mashed-up” web technologies. As a result, SSL VPNs inherit many of the vulnerabilities from these underlying technologies:

Any security vulnerability affecting a browser translates into an SSL VPN vulnerability. As reported in Bypassing Browser Memory Protections, Windows Vista’s security feature of running Internet Explorer Brower in protected mode is easily bypassed by improperly developed 3rd party or malicious plug-ins like ActiveX controls.

Web browsers will always have zero-day exploits. Organizations that rely on SSL VPNS are at significant risk of information leaks or information poisoning (i.e., altering) through Web browsers.

Browsers will always be susceptible to attacks including phishing and well known variations of XSS (Cross-Site Scripting). Even if the browser had no defect, SSL VPNs are based on Web application technologies that are fundamentally flawed.

SSL VPN suffers from classic SSL vulnerabilities: DNS poisoning and Man-In-The-Middle (MiM) attacks. Certificates for MiM are obtained via social Engineering. As demonstrated in BlackHat2008, using TSeep Proxy, an SSL VPN MiM attacker is able to see any information flowing between the SSL VPN client and the VPN Server.

ActiveX has complete access to a computer’s file system and registry with the user’s privileges. More significantly, for unmanaged desktops, ActiveX site-locking is not practical. This opens new possibilities for attackers.

Without Site-locking, an SSL VPN vendor’s ActiveX component can be utilized by any hostile website visited by the user for a re-purposing attack. This was recently documented regarding the Juniper ActiveX Command Execution vulnerability.

An attacker can use a spoofed version of the Juniper ActiveX component to launch an arbitrary executable.
This Juniper SSL-VPN Client ActiveX Control was also vulnerable to a remote buffer overflow attack. When exploited, the attacker could inject and run arbitrary code on the user’s machine.

SSL VPNs’s rely on weak security within the web browser. The Novell SSL VPN ActiveX component is suppose to perform rudimentary checks on a host’s health posture to regulate whether the PC may establish a normal VPN connection. Unfortunately, this ActiveX component can be replaced or spoofed without the Novell SSL VPN gateway knowing.

Endpoints running SSL VPNs need serious protection from the vulnerabilities of the mashed-up technologies that enable major SSL VPN features. A trustable security agent technology is required to counter these and other SSL VPN vulnerabilities. The ultimate such agent will leverage a Trusted Platform Module (TPM) to not only provide high assurance VPN but also robust network access control (NAC), practically eliminating all the above risks.

Related Articles:

SSL VPN Exposes Enterprises to More Data Leak Risks than IPsec VPN

Using Two or More Separate Web Browsers can Reduce Online Theft and Data Leak Risks

Never Ending Vulnerabilities for Web Browsers

Rene would have had to work a lot harder at his USB thumb drive based theft if Countrywide had deployed some technology to keep unknown machines off its LAN. The most basic approach limits admission to machines that are part of their Windows domains.

Today’s enterprise, however, requires access to networked resources for contractors and others with their own PCs. The Countrywide administrators could have created non-domain credentials for these guest workers. The individual server applications would refer to any one or more of a variety of tools in the typical enterprise to handle these authentications between the individual server applications and the endpoints/end-users.

This provides nice but not great compartmentalization. It does not prevent machines from sending malicious data to the application servers or other client machines. It also does not prevent eavesdropping.

Administrators could implement a more robust form of compartmentalization involving 802.1x via their Ethernet switches. This enables the Ethernet switches to regulate what part of the network a particular PC may utilize based on the identity of the end-user or machine.

Unfortunately, 802.1x can only limit network admission based on who the machine or end-user is, not what is the apparent risk of that machine being on the network. If a machine has absolutely no preventative measures in place to mitigate important security risks, then it should not be admitted.

So, Countrywide had employed technology on all employee PCs to disable USB storage devices. Clearly they were concerned with data leaks. So, this implies that they would not want machines with enabled USB storage capabilities onto their LAN.

Network admission control (NAC) is an excellent technology for satisfying such a risk mitigation policy. I recommend Microsoft NAP because it scales better than alternatives, requires less infrastructure upgrades (if any) than alternatives, and it’s extremely extensible.

To those charged with reducing the risks of data leaks, you require two hammers. One resides on each PC to disable or regulate write-operations to USB thumb drives. The second hammer, NAP, prevents endpoints without the first hammer from accessing networked resources.