
A vastly better (but more expensive) solution is to simply use a real device-based firewall for every home user. This device category is becoming very broad, with entries from firewall vendors like SonicWALL and WatchGuard below the $500 mark, that include VPN connectivity. These devices are true firewalls and support features like NAT, VPN, and sophisticated filter setup. When you connect these firewalls to a home user's broadband Internet connection, you are ensuring their security with the same level of protection that you use to ensure your company's security.

But $500 can be expensive when multiplied by every remote user you need to support. Fortunately, devices called NAT routers made by companies like Linksys, NETGEAR, and D-Link can provide very strong firewall security for less than $100. These devices were originally devised as a way to share a single broadband Internet connection. Because they are NAT devices, they automatically block all inbound connections since there's no route to the interior private network. Because they are devices in general, they don't require any software setup on the protected computers and won't interfere with file sharing for interior machines. The latest versions of these devices support IPSec passthrough for a single connection, which allows remote users to use VPN software from a machine protected by the NAT device. Most of these devices contain an embedded web server for administration, so you just point your web browser to their LAN address to manage them.

NAT routers

Small routers that provide (typically) just the network address translation function of a firewall. Originally used to share a single IP connection for home users, they have recently become more important for home computer security since they are natural firewalls. These devices are frequently marketed as 'cable-DSL routers.'
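
The inbound-blocking behaviour described above can be seen in a small model of a NAT router's translation table. This is an added example, not code from the book: the class and function names are hypothetical, the addresses are constructed from documentation ranges, and the check that a reply must come from the contacted peer is an assumption about the router's filtering (some consumer devices are less strict).

```python
# Added illustration: minimal NAT translation table; all addresses are constructed.
from dataclasses import dataclass, field
from typing import Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

@dataclass
class NatRouter:
    public_ip: str
    next_port: int = 40000
    # public port -> (interior endpoint, remote endpoint that was contacted)
    table: dict = field(default_factory=dict)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Interior host opens a connection: reuse or allocate a mapping."""
        for port, (inside, remote) in self.table.items():
            if inside == src and remote == dst:
                return (self.public_ip, port), dst
        port = self.next_port
        self.next_port += 1
        self.table[port] = (src, dst)
        return (self.public_ip, port), dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Public-side packet: return the interior endpoint, or None if dropped."""
        entry = self.table.get(dst[1])
        if entry is None:
            return None          # no mapping: no route to the interior network
        inside, remote = entry
        if src != remote:
            return None          # mapping exists, but for a different peer (assumed filtering)
        return inside

def demo():
    nat = NatRouter(public_ip="203.0.113.10")
    laptop = ("192.168.1.20", 51515)     # interior host (constructed)
    web = ("198.51.100.5", 443)          # server the laptop contacts
    stranger = ("198.51.100.99", 4444)   # host that was never contacted
    pub, _ = nat.outbound(laptop, web)
    return {
        "reply": nat.inbound(web, pub),
        "unsolicited_new_port": nat.inbound(stranger, ("203.0.113.10", 445)),
        "unsolicited_mapped_port": nat.inbound(stranger, pub),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'forward to ' + str(result) if result else 'DROPPED'}")
```

Only the reply to a connection the interior host opened is forwarded; both unsolicited packets are dropped because the table holds no matching entry for them.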

Linksys has just released a version of its very popular NAT router for well under $200 that includes a full IPSec client, so it can be directly connected to your company LAN to provide all the computers in a home office or even a small branch office with a true VPN connection. My company has used these devices to connect to various high-end firewalls with great success. The competitors are certain to follow suit shortly.

When you consider that VPN client software typically runs $70 per client, and a firewall application costs $40 per client, paying for a VPN-enabled NAT router that requires less administration, causes fewer problems, and is highly reliable makes sense.

Data Protection and Reliability

The laptops of traveling users can't be secured with NAT routers very conveniently, especially if the laptop users frequently use modem connections. For these users, there's little choice but to use VPN clients and software firewall applications.

To mitigate the loss of control over information when a laptop is stolen, use encryption software like ScramDisk (my personal favorite), Windows 2000 Encrypting File Service, or any of a number of other encryption services. Most of these services work by creating a single large encrypted volume that is mounted like a normal hard disk drive once you enter the key phrases. The Encrypting File Service encrypts individual files and directories based on a key stored in the registry, which could theoretically be retrieved unless you use Microsoft's Syskey utility for encrypting the Security Accounts Manager portion of the registry and configure it to request a password at boot time. In any case, any reasonable type of encryption will prevent most hackers and thieves from retrieving anything of value from your computer.

Warning: You must configure Syskey to ask for a password during the boot process in order for it to remain secure, as its default mode (with a key stored in the registry) is only one iteration of obscurity beyond the SAM itself, and it has already been cracked.

To prevent files from being lost when a laptop is damaged by dropping it, store your documents on a flash memory device like a PCMCIA card, CardFlash, Smart Media, Memory Stick, Secure Digital or MultiMedia Card, or USB Flash memory fob. These devices are solid state and impervious to normal failure and most accidental damage. An easy way to achieve true data protection is to encrypt the contents of the flash device, so that if the memory card is lost or stolen it won't compromise your information.

flash memory

A trade name for Electrically Erasable Programmable Read-Only Memory (EEPROM) that can be erased using the same voltage levels with which it can be programmed. Flash memory is non-volatile permanent storage that is exceptionally reliable, and is now used in almost every computing device on the market to store upgradeable boot loaders or operating systems. Flash memory is also used to make a wide variety of convenient memory storage for cameras, PDAs, and laptops in various form factors.

Separation of Security

My company uses USB keychain flash memory to store secure information. Our laptops have the encryption software, and the file containing the encrypted disk is stored on the USB keychain, which is kept with each user's car keys. This way, encrypted data isn't lost when the laptops are stolen or broken, and the keychains don't suffer from hard disk failure because they're solid state. Also, the USB interface is ubiquitous (unlike PCMCIA, CardFlash, Memory Stick, or Smart Media memory solutions) and can be mounted on any computer with the encryption software. The encryption software we use performs steganography, so our encrypted disk stores are actually large sound files that remain playable with encrypted data in them, thus fooling anyone who happens to find the keychain into thinking that it's just a dongle with a song on it.

Backups and Archiving

Laptops almost never get backed up, because it's exceptionally difficult to attach a tape drive to them, and most other forms of removable media are too inconvenient to bother with.

I break with tradition on this problem and recommend that you don't bother trying to enforce a backup policy for laptops. Rather, it is most effective for users to simply keep their working documents on removable flash memory in the laptop, which isn't going to fail when the hard disk fails.

This doesn't protect against theft or accidental loss, however. To protect against those problems, teach users to remove the flash memory whenever they aren't actually using the laptop and store it somewhere safe and not along with the laptop. I recommend using USB keychain-style flash memory for this purpose, because people never forget to remove their keychain from the laptop when they're done and they're good about keeping track of their keys.