STATE OF OHIO




REMOTE ACCESS SECURITY
White Paper




                   IT Security Series
                          March 2008


Contents
Purpose and Scope ............................................................................................................................... 1
Introduction ............................................................................................................................................ 1
Technical Discussion ............................................................................................................................ 1
      Web-Based Remote Access ............................................................................................................. 1
      Client-Based Remote Access ........................................................................................................... 3
      Authentication ................................................................................................................................... 3
      Rights and Privileges ........................................................................................................................ 4
      Internet ............................................................................................................................................. 4
      Dial-In Access ................................................................................................................................... 5
      Wireless Network Access ................................................................................................................. 5
      Host Security .................................................................................................................................... 5
      Encryption......................................................................................................................................... 6


List of Figures

Figure B.5-1. SSL process ...................................................................................................................... 2
Figure B.5-2. VPN connectivity and authentication.................................................................................. 3
Figure B.5-3. Cisco VPN client authentication window ............................................................................ 4




White Paper                                                                                                                          Page i
IT Security Series
                                                                                  REMOTE ACCESS SECURITY



Purpose and Scope
Ohio IT Policy ITP-B.5, “Remote Access Security,” describes the state’s overall requirements regarding
the acquisition and implementation of remote access technologies and strategies. This educational white
paper is designed to provide a deeper understanding of the most commonly used remote access security
strategies and to assist state of Ohio personnel who may be responsible for acquiring, implementing or
monitoring remote access security in understanding the technology and strategies available.


Introduction
Remote control and remote access are quite different. For instance, the TV remote is a true remote
control, which gives a person control of a device at a distance. This is in contrast to remote access,
which means “the ability to access files and information on a computer over the Internet or other network
connectivity.”

An employee at a location that is not on the network, but who can work on the computer in their office as
if they were sitting in front of it, is using remote control, sometimes referred to as remote desktop.
Remote control programs such as PC Anywhere, Microsoft Remote Desktop and Virtual Network
Computing can accommodate this requirement with the added convenience of eliminating the need to
synchronize files between laptops and desktops. These applications are not inherently secure, nor are
they meant to be.

Remote access technology ranges from the commonplace, such as Internet access to a Web site, to
software that requires strong authentication and encrypts traffic into and out of the network. This kind of
secure software sets up a communication path through a firewall just like building a tunnel through it to
the “inside” or “safe” side of the network. This is known as a virtual private network (VPN) and is probably
the most secure way to access a network from the outside.

Remote access is a powerfully useful feature for users, businesses and governments, bringing
productivity to a whole new level. Unfortunately, the risks associated with remote access are significant
and agencies must take extra precautions against the lax user and the aggressive perpetrator.
Fortunately, technologies are available to thwart them. This paper describes some of these technologies.


Technical Discussion
It is important to have a fundamental understanding of the underlying technologies that enable remote
access. Two primary types of remote access technology, Web-based remote access and client-based
remote access, are in use today.

Web-Based Remote Access
Web-based remote access is the simplest for the end user since it requires nothing more than an SSL-
compliant Web browser such as Microsoft’s Internet Explorer or Mozilla’s Firefox. SSL stands for “secure
sockets layer.” Simply put, a “socket” is one end of a communication channel; each end establishes its
own socket. “Layer” refers to the portion of the IP packet that tells the browser to turn on its encryption to
ensure that certain information is exchanged correctly.

Many commercial Web sites use this form of secure communication to protect transactions that involve
personal or financial information. For example, when a Web browser is in use, a small picture of a
padlock may appear in a lower corner of the screen. The hook on the top part of the lock will be either
open or closed. If the lock is open, then transmissions are “in the clear” and not encrypted or
authenticated. If, however, the lock is closed as in the example here, then an authentication step has
taken place and the transmission is secure.

If SSL is used to provide access to state employees over a Web site, an authentication or “identity
management” server is needed as well. This is illustrated in Figure B.5-1. Additional information on
identity management and authentication is available in the IT white paper, Password and PIN Security.

The SSL process begins when a user accesses a Web site that uses the SSL protocol. Examples include
a bank or credit card Web site, or a state of Ohio Web site that allows employees to work remotely on
sensitive information. The user’s browser automatically makes a request to the Web server for a secure
communication path. If the server has a digital certificate, which is like a unique digital signature, it
responds to the user’s request by sending a copy of its certificate and the public portion of its encryption
key, as shown in Figure B.5-1. The browser verifies the public key against the certification authority
(authentication server) to ensure that it has not been tampered with. Once the public key is accepted, the
browser encrypts the transmission using an algorithm that scrambles the data so it cannot be read by
anyone who doesn’t have the corresponding key. The encrypted message is then sent to the server, which
decrypts it using the private portion of the key stored on the server.
[Figure B.5-1 (diagram): Authorized User (laptop) – Internet – Web Server (Running SSL Protocol), with a
Certificate Server (Authentication) and a Directory Server (User Identity) behind it. Callouts: “Authorized
user accesses a ‘secure’ Web site and the server ‘downloads’ certificate to the user’s browser.”
“Certificate server authenticates the user’s browser and verifies the identity against the directory server.”
“We can have the certificate server check the user’s identity against our directory server to be sure she’s
supposed to have access to the information accessible through the Web site.” “Browser now maintains an
authenticated, encrypted path from the laptop to the Web site.”]

Figure B.5-1. SSL process





Client-Based Remote Access
Client-based remote access is the second method for providing secure remote access. Rather than a
Web browser, client-based remote access depends on software typically referred to as the client or VPN
client. Additional information on VPNs can be found in the IT white paper, Boundary Security.

A VPN is a private network used to communicate confidentially over a public network environment. This
can be thought of as a “tunnel” that allows traffic to travel through public networks without exposing the
agency’s IP packet information to the outside world. Typically, VPNs use encryption to ensure
confidentiality, sender authentication and message integrity and thus achieve privacy.

For remote access configurations, remote access client software is installed on the remote computing
device. This software will create the VPN tunnel from the remote computing device through the firewall to
the VPN hardware providing the secure connection.


[Figure B.5-2 (diagram): Authorized User (VPN Client) – Internet – Firewall with VPN “Tunnel” – Trusted
Network, which holds the Directory Server (User Identity) and the Applications.]

Step 1 - Authorized user starts VPN remote access software.
Step 2 - VPN remote access software prompts user for login information.
Step 3 - VPN server or device checks information against identity manager to be sure user is authorized.
This is usually encrypted to prevent anyone on the “outside” of the firewall from intercepting user ID
information.
Step 4 - VPN server or device establishes full connection to the “trusted” network and applications. This
is usually unencrypted on the “safe” side of the firewall.

Figure B.5-2. VPN connectivity and authentication

This process is illustrated in Figure B.5-2. Note that before the VPN establishes the secure session or
transmission, proper authentication must take place. If remote access requires the security of a VPN,
typically at least two forms of authentication will be required. This is known as “two-factor” authentication
and provides a higher level of security than a user name and password. Additional information on two-
factor authentication is available in the IT white paper, Password and PIN Security.

Authentication
One of the most important aspects of remote access or remote control is proper authentication of the
person attempting to access the network and resources. As noted above, the user is validated with a
certificate or digital signature. To be sure that this is the approved user and not someone else accessing
their computer, a second form of identification is required and a second check is made against another
identity database. In Figure B.5-2, we see the identity checked against the directory server for Web-based
access.

With client VPN software, authentication usually takes place against a local database (on the VPN server
or device) and against a second identity manager, such as the directory server used to log onto the local
area network every day. The VPN server prompts the user for their credentials (at minimum, a user ID and
password), then checks them against the appropriate databases. See Figure B.5-3.




                             Figure B.5-3. Cisco VPN client authentication window

In both SSL and client-based VPNs, all password information is encrypted as it is exchanged with the
identity manager to prevent interception and misuse of the information.
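The two checks described above (the VPN device’s local database, then the directory server) with a second factor added, as a worked example that is not part of the white paper or any state system. Account names, passwords, salts and the shared OTP secret are constructed, and HOTP (RFC 4226) stands in for whatever token the agency issues.

```python
import hashlib
import hmac
import struct

# --- Local database on the VPN device: salted, iterated password hashes ---
_ITERATIONS = 100_000

def make_record(password, salt):
    """Store only a salted PBKDF2 hash, never the password itself."""
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)}

# Constructed accounts: "jdoe" is a current employee, "bsmith" has left.
# Salts are fixed here only so the example is reproducible; real systems
# generate a fresh random salt per account (os.urandom).
VPN_LOCAL_DB = {
    "jdoe":   make_record("correct horse battery", bytes.fromhex("00112233445566778899aabbccddeeff")),
    "bsmith": make_record("winter2008", bytes.fromhex("ffeeddccbbaa99887766554433221100")),
}

# --- Directory server (the second identity manager): is the account still
# enabled and in the group that was approved for remote access?
DIRECTORY = {
    "jdoe":   {"enabled": True,  "groups": {"staff", "vpn-users"}},
    "bsmith": {"enabled": False, "groups": {"staff", "vpn-users"}},   # left the agency
}

# --- Second factor: an HOTP code (RFC 4226) from a shared secret and counter
OTP_SECRET = b"constructed-shared-secret"

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def check_local(user, password):
    rec = VPN_LOCAL_DB.get(user)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], _ITERATIONS)
    return hmac.compare_digest(digest, rec["hash"])      # constant-time comparison

def check_directory(user):
    entry = DIRECTORY.get(user)
    return bool(entry and entry["enabled"] and "vpn-users" in entry["groups"])

def authenticate(user, password, otp, counter):
    """Steps 2 and 3 of Figure B.5-2 plus a second factor; every check must pass.
    Returns (allowed, reason). The reason belongs in the server log; the client
    should only be told that the logon failed."""
    if not check_local(user, password):
        return False, "local credential check failed"
    if not check_directory(user):
        return False, "directory does not authorize remote access"
    if not hmac.compare_digest(otp, hotp(OTP_SECRET, counter)):
        return False, "second factor incorrect"
    return True, "allowed"
```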

Rights and Privileges
Establishing an easy method for adding and deleting users from the VPN and directory databases is
another good way to be sure that sensitive data and infrastructure are protected. A common error is not
deleting users in a timely manner when they no longer need remote access. There are numerous stories
about ex-employees who still have remote access capability months after they have left an organization.

A good practice is to link the established set of network identities, rights and privileges to human
resources’ new-employee processing. In this model, human resources notifies the information technology
department that an employee needs remote access (or not). This also defines the initial set of rights and
privileges granted to the new employee. In this model, any subsequent increase or decrease in rights for
a user must come from human resources. Remember, users should be granted only the rights necessary
to do their jobs and no more. This is known as “least privilege.” Additional information on least privilege is
available in Ohio IT Policy ITP-B.5, “Remote Access Security.”
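One way to automate the HR-driven review this section recommends, as an added example that is not from the paper or any state system: the HR roster is treated as authoritative, and the VPN user list and directory rights are reconciled against it to find leavers who still have access and rights beyond what the role allows. The roster, role table, account lists and field names are all constructed.

```python
from datetime import date

AS_OF = date(2008, 3, 1)   # constructed "today" for the example

# HR roster (authoritative): employment status and what HR approved.
HR_ROSTER = {
    "jdoe":   {"status": "active", "remote_access": True, "role": "analyst"},
    "bsmith": {"status": "terminated", "remote_access": True, "role": "admin",
               "end_date": date(2008, 1, 15)},
    "clee":   {"status": "active", "remote_access": False, "role": "clerk"},
}

# Rights HR approves per role; anything beyond this breaks least privilege.
ROLE_RIGHTS = {"analyst": {"vpn"}, "admin": {"vpn", "server-admin"}, "clerk": set()}

# What the VPN device and the directory currently hold (constructed, with the
# classic problems: a leaver, an unapproved user, an account HR never heard of).
VPN_USERS = {"jdoe", "bsmith", "clee", "oldcontractor"}
DIRECTORY_RIGHTS = {
    "jdoe":   {"vpn", "server-admin"},
    "bsmith": {"vpn", "server-admin"},
    "clee":   {"vpn"},
}

def reconcile(hr, role_rights, vpn_users, directory_rights, today):
    """Return the actions IT should take as (action, user, detail) tuples."""
    actions = []
    for user in sorted(vpn_users):
        rec = hr.get(user)
        if rec is None:
            actions.append(("remove_vpn", user, "not on HR roster"))
        elif rec["status"] != "active":
            days = (today - rec["end_date"]).days
            actions.append(("remove_vpn", user, "left %d days ago" % days))
        elif not rec["remote_access"]:
            actions.append(("remove_vpn", user, "HR did not approve remote access"))
    for user, held in sorted(directory_rights.items()):
        rec = hr.get(user)
        if rec is not None and rec["status"] == "active":
            approved = role_rights.get(rec["role"], set())
        else:
            approved = set()            # no current employment, no rights at all
        extra = held - approved
        if extra:
            actions.append(("revoke_rights", user, ",".join(sorted(extra))))
    return actions

def run_example():
    return reconcile(HR_ROSTER, ROLE_RIGHTS, VPN_USERS, DIRECTORY_RIGHTS, AS_OF)

if __name__ == "__main__":
    for action in run_example():
        print(*action)
```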

Internet
Before providing Internet access to authorized state employees on state networks or using the Internet
for remote access, appropriate boundary protection such as firewalls, intrusion detection and intrusion
prevention, and appropriate authentication should be required. Additional guidance can be found in Ohio
IT policies ITP-B.5, “Remote Access Security,” and ITP-B.6, “Internet Security.”

VPN connectivity should be established to provide secure network and Internet connections between
and among state agencies and departments when frequent access is required. Additional information on
VPNs can be found in the IT white paper, Boundary Security.





Dial-In Access
Dial-in access is being used less and less every day due to the increasing availability of inexpensive
high-speed Internet service.

The dangers of dial-in came to the public’s attention with John Badham’s movie, War Games, in June of
1983. In the movie, actor Matthew Broderick hacked into a Department of Defense mainframe computer
and nearly started World War III. This movie was, of course, fiction, but if we don’t take some basic
precautions, we make it easier for the bad guys to get onto our networks. If your organization still
depends on dial-in access, take these precautions:

•   Use the same authentication database used for Internet VPN or SSL authentication. This will
    eliminate the need for duplicating this security control. For more sensitive information, require
    two-factor authentication.
•   Use one of the newer secure modems that provide a call-back feature. A secure modem maintains an
    internal database of phone numbers that can call it. When a user calls from a valid number (usually
    the user’s home or cell phone number), the modem records the number and hangs up. The modem then
    calls the number back and forces the user to authenticate. The authentication can be tied back to
    an active directory or any form of two- or three-factor authentication we choose.

For more information see Ohio IT Policy ITP-B.1, “Information Security Framework.”

Wireless Network Access
Wireless network access is quickly becoming the most common way to obtain remote access. The
danger here is, of course, that the radio waves used to transmit and receive information can be
intercepted and transmissions eavesdropped on. This is not acceptable when it comes to state
information and resources. The wireless cards available as plug-ins to your laptop or desktop computer
provide only a minimal level of security known as Wired Equivalency Protocol (WEP), which was
compromised the same week it was introduced. The only sure way to protect transmissions over a
wireless network, whether in a Starbucks or using a cell phone as a modem, is to use a VPN as
illustrated in Figure B.5-2. The only difference is that access to the Internet is through the wireless device
instead of a physical jack on the back of the computer.

Host Security
To secure the host server used for remote access, basic industry best practices should be followed:

•   Make sure that all operating system and security patches are downloaded and installed. This is
    particularly true for Windows; new patches are issued at least monthly. A good practice is to
    configure an offline environment where the patches can be tested before they are distributed to
    the users to ensure they do not adversely affect normal operations.
•   Turn off or shut down any process or functionality on the host server that is not needed to perform
    work activities. This will help ensure that no unneeded processes, such as a Web service or telnet
    server, are running as “servers” on the host server. Having more ports open than necessary just
    provides hackers with more ways to access your computers.
•   Typically, hardware firewalls are in place between outside networks and state resources, but a
    host-based software firewall such as Black Ice or Zone Alarm can also help prevent malicious
    code or an unauthorized person from accessing your host server from the Internet.
•   Turn on the logging function. Logs provide good information if your host server is hacked or
    compromised in some way. A host-based intrusion detection or intrusion prevention application
    will usually perform this logging automatically and provide an alert in the event of an attempted
    compromise. Additional guidance can be found in Ohio IT Policy ITP-B.12, “Intrusion
    Prevention/Detection.”
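A minimal version of the log review the last practice above relies on, as an added example that is not from the paper or any state system: it reads remote-access logon records and raises the two alerts a host-based intrusion detection application would normally produce for you, a burst of failed logons and a success immediately following such a burst. The log format, host name, user names, addresses and thresholds are all constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): a password-guessing burst against
# "jdoe" that finally succeeds, then one normal logon by "clee".
SAMPLE_LOG = """\
2008-03-10T08:01:12 vpn01 user=jdoe src=203.0.113.5 result=FAIL
2008-03-10T08:01:15 vpn01 user=jdoe src=203.0.113.5 result=FAIL
2008-03-10T08:01:19 vpn01 user=jdoe src=203.0.113.5 result=FAIL
2008-03-10T08:01:22 vpn01 user=jdoe src=203.0.113.5 result=FAIL
2008-03-10T08:01:30 vpn01 user=jdoe src=203.0.113.5 result=FAIL
2008-03-10T08:01:41 vpn01 user=jdoe src=203.0.113.5 result=OK
2008-03-10T09:15:02 vpn01 user=clee src=198.51.100.7 result=OK
"""

FAIL_THRESHOLD = 5              # failures from one user/source pair ...
WINDOW = timedelta(minutes=5)   # ... within this span count as a burst

def parse_line(line):
    """Split 'timestamp host key=value ...' into a record with a datetime."""
    ts, host, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    rec["host"] = host
    return rec

def find_alerts(log_text):
    """Return (timestamp, kind, user, src) for each suspicious pattern found."""
    alerts = []
    recent_fails = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec["user"], rec["src"])
        fails = recent_fails[key]
        # Drop failures that have aged out of the sliding window.
        while fails and rec["ts"] - fails[0] > WINDOW:
            fails.popleft()
        if rec["result"] == "FAIL":
            fails.append(rec["ts"])
            if len(fails) == FAIL_THRESHOLD:        # alert once per burst
                alerts.append((rec["ts"].isoformat(), "repeated_failures", *key))
        elif len(fails) >= FAIL_THRESHOLD:
            # A success right after a burst of failures is the case worth a human look.
            alerts.append((rec["ts"].isoformat(), "success_after_failures", *key))
            fails.clear()
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert)
```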

Encryption
Both the Web-based and client-based methods of remote access security use encryption embedded in
their technologies, such that the encryption is transparent to the user. Another type of encryption is link
encryption, also called end-to-end encryption, which is used in systems requiring very secure
transmission. Governments transmitting classified information or banks using electronic funds transfer
will use link encryption or possibly a proprietary system.



