End node problem

Last updated

The end node problem arises when individual computers are used for sensitive work and/or temporarily become part of a trusted, well-managed network/cloud and then are used for more risky activities and/or join untrusted networks. (Individual computers on the periphery of networks/clouds are called end nodes.) End nodes often are not managed to the trusted network‘s high computer security standards. [1] End nodes often have weak/outdated software, weak security tools, excessive permissions, mis-configurations, questionable content and apps, and covert exploitations. [2] Cross contamination and unauthorized release of data from within a computer system becomes the problem.

Contents

Within the vast cyber-ecosystem, these end nodes often attach transiently to one or more clouds/networks, some trustworthy and others not. A few examples: a corporate desktop browsing the Internet, a corporate laptop checking company webmail via a coffee shop's open Wi-Fi access point, a personal computer used to telecommute during the day and gaming at night, or app within a smartphone/tablet (or any of the previous use/device combinations). Even if fully updated and tightly locked down, these nodes may ferry malware from one network (e.g. a corrupted webpage or an infected email message) into another, sensitive network. Likewise, the end nodes may exfiltrate sensitive data (e.g. log keystrokes or screen-capture). Assuming the device is fully trustworthy, the end node must provide the means to properly authenticate the user. Other nodes may impersonate trusted computers, thus requiring device authentication. The device and user may be trusted but within an untrustworthy environment (as determined by inboard sensors' feedback). Collectively, these risks are called the end node problem. There are several remedies but all require instilling trust in the end node and conveying that trust to the network/cloud.

Cloud computing may be characterized as a vast, seemingly endless, array of processing and storage that one can rent from his or her computer. Recent media attention [ when? ] has focused on the security within the cloud. [3] Many believe the real risk does not lie within a well monitored, 24-7-365 managed, full redundancy cloud host but in the many questionable computers that access the cloud. [4] [5] Many such clouds are FISMA-certified whereas the end nodes connecting to them rarely are configured to any standard.[ citation needed ]

Ever growing risk

From 2005 to 2009, the greatest and growing threats to personal and corporate data derived from exploits of users' personal computers. Organized cyber-criminals have found it more profitable to internally exploit the many weak personal and work computers than to attack through heavily fortified perimeters. [6] One common example is stealing small business's online banking account access. [7]

Solutions

To eliminate the end node problem, only allow authenticated users on trusted remote computers in safe environments to connect to your network/cloud. There are many ways to accomplish this with existing technology, each with different levels of trust.

Many companies issue typical laptops and only allow those specific computers to remotely connect. For example, the US Department of Defense only allows its remote computers to connect via VPN to its network (no direct Internet browsing) and uses two-factor authentication. [8] Some organizations use server-side tools to scan and/or validate the end node's computer[ citation needed ], such as communicating with the node's Trusted Platform Module (TPM).

A far higher level of trust can be obtained by issuing an immutable, tamper-resistant client [ permanent dead link ] with no local storage, allowing it to connect only after device and user authentication, remotely providing the OS and software (via PXE or Etherboot), and then only providing remote desktop or browser access to sensitive data.

A less expensive approach is to trust any hardware (corporate, government, personal, or public) but provide a known kernel and software and require strong authentication of the user. For example, the DoD’s Software Protection Initiative [9] offers Lightweight Portable Security, a LiveCD that boots only in RAM creating a pristine, non-persistent, end node while using Common Access Card software for authentication into DoD networks.

See also

Related Research Articles

A virtual private network (VPN) is a mechanism for creating a secure connection between a computing device and a computer network, or between two networks, using an insecure communication medium such as the public Internet.

<span class="mw-page-title-main">Mobile computing</span> Human–computer interaction in which a computer is expected to be transported during normal usage

Mobile computing is human–computer interaction in which a computer is expected to be transported during normal usage and allow for transmission of data, which can include voice and video transmissions. Mobile computing involves mobile communication, mobile hardware, and mobile software. Communication issues include ad hoc networks and infrastructure networks as well as communication properties, protocols, data formats, and concrete technologies. Hardware includes mobile devices or device components. Mobile software deals with the characteristics and requirements of mobile applications.

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

In computer networks, a tunneling protocol is a communication protocol which allows for the movement of data from one network to another. It can, for example, allow private network communications to be sent across a public network, or for one network protocol to be carried over an incompatible network, through a process called encapsulation.

<span class="mw-page-title-main">Wireless security</span> Aspect of wireless networks

Wireless security is the prevention of unauthorized access or damage to computers or data using wireless networks, which include Wi-Fi networks. The term may also refer to the protection of the wireless network itself from adversaries seeking to damage the confidentiality, integrity, or availability of the network. The most common type is Wi-Fi security, which includes Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is an old IEEE 802.11 standard from 1997. It is a notoriously weak security standard: the password it uses can often be cracked in a few minutes with a basic laptop computer and widely available software tools. WEP was superseded in 2003 by WPA, a quick alternative at the time to improve security over WEP. The current standard is WPA2; some hardware cannot support WPA2 without firmware upgrade or replacement. WPA2 uses an encryption device that encrypts the network with a 256-bit key; the longer key length improves security over WEP. Enterprises often enforce security using a certificate-based system to authenticate the connecting device, following the standard 802.11X.

Mutual authentication or two-way authentication refers to two parties authenticating each other at the same time in an authentication protocol. It is a default mode of authentication in some protocols and optional in others (TLS).

<span class="mw-page-title-main">Computer network</span> Network that allows computers to share resources and communicate with each other

A computer network is a set of computers sharing resources located on or provided by network nodes. Computers use common communication protocols over digital interconnections to communicate with each other. These interconnections are made up of telecommunication network technologies based on physically wired, optical, and wireless radio-frequency methods that may be arranged in a variety of network topologies.

Network access control (NAC) is an approach to computer security that attempts to unify endpoint security technology, user or system authentication and network security enforcement.

In computing, the term remote desktop refers to a software- or operating system feature that allows a personal computer's desktop environment to be run remotely from one system, while being displayed on a separate client device. Remote desktop applications have varying features. Some allow attaching to an existing user's session and "remote controlling", either displaying the remote control session or blanking the screen. Taking over a desktop remotely is a form of remote administration.

A mobile virtual private network is a VPN which is capable of persisting during sessions across changes in physical connectivity, point of network attachment, and IP address. The "mobile" in the name refers to the fact that the VPN can change points of network attachment, not necessarily that the mVPN client is a mobile phone or that it is running on a wireless network.

Mobile device management (MDM) is the administration of mobile devices, such as smartphones, tablet computers, and laptops. MDM is usually implemented with the use of a third-party product that has management features for particular vendors of mobile devices. Though closely related to Enterprise Mobility Management and Unified Endpoint Management, MDM differs slightly from both: unlike MDM, EMM includes mobile information management, BYOD, mobile application management and mobile content management, whereas UEM provides device management for endpoints like desktops, printers, IoT devices, and wearables as well.

SAINT is computer software used for scanning computer networks for security vulnerabilities, and exploiting found vulnerabilities.

<span class="mw-page-title-main">GraphOn</span> Application publishing software

GraphOn GO-Global is a multi-user remote access application for Windows. GO-Global is a product of GraphOn Corporation.

Check Point GO is a USB drive that combines an encrypted USB flash drive with virtualization, VPN and computer security technologies to turn a PC into a secure corporate desktop. By plugging Check Point GO into the USB port of a Microsoft Windows OS-based PC or laptop, users can launch a secure virtual workspace that is segregated from the host PC. This allows users to securely access company files and applications from any remote location, including insecure host environments such as a hotel business center or Internet café.

Mobile security, or mobile device security, is the protection of smartphones, tablets, and laptops from threats associated with wireless computing. It has become increasingly important in mobile computing. The security of personal and business information now stored on smartphones is of particular concern.

A Secure End Node is a trusted, individual computer that temporarily becomes part of a trusted, sensitive, well-managed network and later connects to many other (un)trusted networks/clouds. SEN's cannot communicate good or evil data between the various networks. SENs often connect through an untrusted medium and thus require a secure connection and strong authentication. The amount of trust required is commensurate with the risk of piracy, tampering, and reverse engineering. An essential characteristic of SENs is they cannot persist information as they change between networks.

<span class="mw-page-title-main">SoftEther VPN</span> Open-source VPN client and server software

SoftEther VPN is free open-source, cross-platform, multi-protocol VPN client and VPN server software, developed as part of Daiyuu Nobori's master's thesis research at the University of Tsukuba. VPN protocols such as SSL VPN, L2TP/IPsec, OpenVPN, and Microsoft Secure Socket Tunneling Protocol are provided in a single VPN server. It was released using the GPLv2 license on January 4, 2014. The license was switched to Apache License 2.0 on January 21, 2019.

A software-defined perimeter (SDP), also called a "black cloud", is an approach to computer security. Software-defined perimeter (SDP) framework was developed by the Cloud Security Alliance (CSA) to control access to resources based on identity. Connectivity in a Software Defined Perimeter is based on a need-to-know model, in which device posture and identity are verified before access to application infrastructure is granted. Application infrastructure is effectively “black”, without visible DNS information or IP addresses. The inventors of these systems claim that a Software Defined Perimeter mitigates the most common network-based attacks, including: server scanning, denial of service, SQL injection, operating system and application vulnerability exploits, man-in-the-middle, pass-the-hash, pass-the-ticket, and other attacks by unauthorized users.

The following outline is provided as an overview of and topical guide to computer security:

The zero trust security model, also known as zero trust architecture (ZTA), and sometimes known as perimeterless security, describes an approach to the strategy, design and implementation of IT systems. The main concept behind the zero trust security model is "never trust, always verify", which means that users and devices should not be trusted by default, even if they are connected to a permissioned network such as a corporate LAN and even if they were previously verified.

References

  1. Tim Fisher (12 December 2018). "What Is a Node in a Computer Network: Your computer and printer are both network nodes" . Retrieved 24 December 2018.
  2. Natalia Chrzanowska (23 March 2017). "Why to Use Node.js: Pros and Cons of Choosing Node.js for Back-end Development" . Retrieved 24 December 2018.
  3. "How Secure Is Cloud Computing?".
  4. "Architecture from the 
top down". Archived from the original on 2021-08-13. Retrieved 2014-01-07.
  5. "VPN users: The weak link in network security?". Archived from the original on 2009-05-11. Retrieved 2010-02-06.
  6. "Business Insights and Resources" (PDF).
  7. "Cyberthieves stealing from large percentage of small businesses". USA Today. 9 March 2010.
  8. "Fort Sill Virtual Private Network (VPN) Policy". Archived from the original on 2011-06-17. Retrieved 2010-02-06.
  9. DoD Software Protection Initiative Archived 2010-05-13 at the Wayback Machine
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.