Remote access security
I. Introduction
Providing remote access to a network over the Internet has added an entirely
new dimension to keeping business critical information and resources secure.
"The U.S. mobile and remote working population will increase 9
percent, from 39 million in 2000 to 55 million in 2004. Telecommuting
will skyrocket as more users adopt handheld devices, as wireless and broadband
technologies for remote workers improve, and as technologies to deliver
mission critical applications to home workers are enhanced."
-2000 IDC (www.idc.com).
This is why it is imperative that companies develop and implement solutions
to ensure the reliability and security of their remote systems. Obviously
the primary concern of remote access security is ensuring that no unauthorized
users gain access to the network and internal resources. However, it is
also critical to authenticate legitimate remote users and distribute them
according to their resource needs and permission levels. Organizations
need to assess the level of security needed, and define and implement
a security system that is appropriate for their operational needs. The
extent of remote access security needed in an organization varies from
simple to complex depending on the associated business risks and costs.
II. System vs. User Threats
There are two main pieces to remote access security: the hardware/network
and the telecommuter. Many of the security concerns associated with telecommuting
can be addressed and hopefully eradicated by proper user training. Most
IT departments focus more attention on the mobile devices and remote access
systems, and often neglect the human factor in the equation. 80% of those
surveyed by the FISC (Financial Information Security Consortium) have
implemented training for telecommuters, and the other 20% are simply opening
themselves up for future problems. Not only does internal training enhance
security but it also improves the reliability of the remote service for
the end user. No matter how successful the remote access security system
in place is, if the users do not adhere to it, it is useless.
III. Remote Access System Threats
Remote access threats include data intrusion, system damage, and data
destruction. Hackers or employees can gain unauthorized access to trade
secrets, company data, and classified information, as well as damage stored
information. Remote access obviously relies on the use of an open system,
the Internet. This is one of the reasons there are so many significant
security threats associated with remote access. A recent survey conducted
by Cisco, CMGI, and Verio found that as many as three quarters of businesses
on the Web have at least one of 20 widely known security holes. The increasing
complexities surrounding new remote access systems and technologies have
resulted in a wide range of security vulnerabilities for administrators to
combat.
Some of the significant risks and vulnerabilities are:
Weak Passwords:
Uncontrolled (does not require the user to provide any authentication information)
or weakly authenticated (a guest account where the default password was never
changed) dial-ins, and default passwords on terminal servers or RAS (Remote
Access Server) devices. Default passwords can be particularly dangerous:
one brand of terminal server even shipped with its IP address as the default
password.
Multiple passwords:
Different resources or applications may require different passwords. In
this situation a user is required to remember multiple passwords and may
be tempted to write down their passwords, nullifying any existing security
systems and precautions. The need for multiple passwords may also lead
the telecommuter to use similar or repeated passwords. Requiring different
passwords for multiple levels of telecommuting security can actually have
the unintended effect of compromising security.
Authentication data observation and replay:
This results in a significant remote access threat via the Internet. Hackers
may use publicly available packet sniffing tools to capture information.
Remote users using telnet, over the Internet, to connect to their office
are transmitting their username and password in the clear. Those with
access to the physical wire or router can easily record the data. All
sensitive data, in this case username and password, should be encrypted
when traveling across the Internet.
Dial-back spoofing:
In dial-back spoofing the attacker tricks a dial-back system into calling
the incorrect number, or calling none at all. Call forwarding has been
used to automatically redirect the dial-back to the desired number. Another
approach involves dialing into the outbound modem port. However, recent
dial-back systems have made this type of attack obsolete.
IP spoofing and DNS attacks:
IP spoofing and DNS attacks involve a perpetrator lying about or masking
their IP address, in order to gain the trust of the system configuration.
Session hijacking:
Session hijacking is another Internet enabled attack, in which an attacker
listens to an existing authenticated session. They then attempt to use
IP spoofing and sequence number guessing to take over the current connection.
The transition will be transparent to the system, and the user will most
likely suspect a typical failed connection. The best defenses for this
type of attack rely on strong cryptography such as SSL-enabled tools.
For applications or systems with high security concerns, authentication
should be performed continuously throughout the session, to reduce the
risk of hijacking. Methods such as applying a digital signature to every
packet will also help to eliminate these concerns.
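The per-packet check described above also covers the replay threat from the earlier item on authentication data observation. The following is an added example, not code from the original article: it swaps in a shared-key HMAC with a sequence counter in place of a true digital signature, and the class name, key handling and sample payloads are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes

class AuthenticatedChannel:
    """Hypothetical helper: tags outgoing packets and verifies incoming ones."""

    def __init__(self, session_key: bytes):
        self.key = session_key
        self.send_seq = 0       # next sequence number to send
        self.highest_seen = -1  # highest sequence number accepted so far

    def seal(self, payload: bytes) -> bytes:
        header = struct.pack(">Q", self.send_seq)  # 8-byte big-endian counter
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        self.send_seq += 1
        return header + payload + tag

    def open(self, packet: bytes) -> bytes:
        if len(packet) < 8 + TAG_LEN:
            raise ValueError("packet too short")
        header, payload, tag = packet[:8], packet[8:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise ValueError("bad tag: packet forged or modified")
        (seq,) = struct.unpack(">Q", header)
        if seq <= self.highest_seen:  # already seen: a recorded packet resent
            raise ValueError("replayed or stale packet")
        self.highest_seen = seq
        return payload

def demo() -> list:
    key = os.urandom(32)  # constructed key; assumed agreed securely at login
    client, server = AuthenticatedChannel(key), AuthenticatedChannel(key)
    first = client.seal(b"LIST /payroll")  # constructed sample payload
    results = [server.open(first)]
    tampered = first[:8] + b"DROP /payroll" + first[-TAG_LEN:]
    for label, pkt in (("replay", first), ("tamper", tampered)):
        try:
            server.open(pkt)
            results.append(label + " accepted")
        except ValueError as err:
            results.append(label + ": " + str(err))
    results.append(server.open(client.seal(b"QUIT")))  # next in sequence
    return results
```

The strict counter assumes in-order delivery, as over TCP, and the tag gives integrity only: the payload still needs encryption to stay confidential.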
IV. Remote Access Security Policy
A robust and user-friendly remote access policy can help to eliminate
many of the threats that exist. Remote access policies in most organizations
tend to supplement the standard security policy already established. Many
organizations today require remote users to sign policy agreements, which
can also serve as receipts for the hand-held authentication tokens or
other equipment that may be issued. Maximum connection times for remote
users should be established to prevent idle users from staying connected.
Idle sessions could provide easy targets for physical hardware access
and session hijacking.
Remote access security policies should meet the following objectives:
Provide adequate security:
It goes without saying, but a system should use significant authentication
methods (strong passwords, etc.) to protect the network from unauthorized
remote access.
Provide ease of administration:
The security systems used should be somewhat easy to implement and maintain
over time. If the process of administrating the security features becomes
too much of a burden, administrators may opt to take costly shortcuts
or provide lackluster monitoring.
The security system should be transparent to users:
To the extent possible, logging on remotely should be as easy as logging
on at the office. This may not always be entirely possible, but if the
remote system is too difficult, users may attempt to circumvent established
security procedures.