Remote access security
V. Remote Access Security Solutions
The first step in combating the remote access security threats described
earlier is the authentication of the user's identity. Not only should
robust authentication be required to remotely enter a network, but it
should also be used to route telecommuters to specific computer systems.
Authentication can be implemented at three different stages or locations
for remote access: at the remote access server, at the network, or at
the application.
Firewall Protection
A firewall is a secure gateway that is used within a network to limit
access from untrusted networks. Most firewalls implemented today are based
on packet filters. The filters use predefined rules to examine the incoming
traffic and determine whether a packet meets the established security criteria
for the destination requested. Firewalls are used to authenticate remote
users and route them according to the resources they need and their permission
levels. Alternatively, an unauthorized packet may be turned away
by the firewall entirely.
Firewalls can employ sophisticated IP filtering to limit access to resources
for authorized users as well as outside attackers. Restricted address
protection is a front-line defense that prevents unknown users from gaining
access to the network. This type of security must be used in conjunction
with other methods, because alone it does not prevent entry from stolen
equipment.
Firewalls can reduce the need for routers and provide relatively good
security. For most firms, the primary function of a secure gateway or
firewall is to provide robust user authentication, but they can also perform
auditing and session monitoring functions.
However, setting up all-encompassing security permissions and regulations
for complex firewall systems can be an extremely challenging task.
In situations where remote users only need access to non-critical or
non-sensitive data and resources, this information can be placed outside the
firewall. However, in situations where internal databases or other resources
are required (which is often the case), this type of configuration would
not be possible.
Hand-Held Tokens
Many of today's popular remote access security systems operate on the
principle of security by obscurity, in which users must possess a specific
object to access the network. Using a token is one of the most popular
ways of promoting security by obscurity. A token is simply a credit-card-sized
device with a small built-in computer. Even if this token is confiscated or lost,
it is of no use to an attacker without the confidential password or PIN.
Tokens help to reduce the need for remembering multiple passwords.
Whether using usernames and passwords or PINs and tokens, the user should
be validated by the secure system. The user can be required to possess
a token in addition to a PIN (personal identification number) or password:
something you have and something you know. In most situations,
tokens provide a higher level of security than passwords. A would-be attacker
would have to have both a valid token and the corresponding PIN. This is much
harder for an attacker to obtain than a user ID and password combination,
especially because passwords are often dictionary words or commonly known
phrases.
One-time passwords and smart tokens
Robust authentication can also use one-time passwords. This greatly reduces
the threat of password hacking via electronic monitoring (eavesdropping
or sniffing). If a one-time password were exposed to an unauthorized
person, it would be of no value to them. Many of today's advanced authentication
systems employ smart tokens. In this type of configuration
the user provides a PIN which unlocks the token, which in turn generates
a one-time password.
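The PIN-unlocked token and one-time password flow described above, as an added example that is not part of the original article: the token is modelled as an event-based HOTP generator (RFC 4226, HMAC-SHA1 with dynamic truncation), and the demo secret and PIN are constructed values. The authenticator accepts each counter value only once, so a sniffed code is worthless after use.

```python
import hashlib
import hmac
import struct

# Constructed demo secret (the RFC 4226 test-vector secret, 20 ASCII bytes).
TOKEN_SECRET = b"12345678901234567890"
# Constructed demo PIN; it unlocks the token locally and is never transmitted.
TOKEN_PIN = "4711"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time password (RFC 4226): HMAC-SHA1 + dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SmartToken:
    """The 'something you have': a PIN-locked device that emits one code per press."""
    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin, self.counter = secret, pin, 0

    def generate(self, pin: str):
        if not hmac.compare_digest(pin, self._pin):
            return None                       # wrong PIN: token stays locked
        code = hotp(self._secret, self.counter)
        self.counter += 1                     # each code is generated once
        return code


class Authenticator:
    """Server side: accepts each counter value once, with a small look-ahead window."""
    def __init__(self, secret: bytes, window: int = 3):
        self._secret, self.window, self.counter = secret, window, 0

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self.counter = c + 1          # advance so a replay of this code fails
                return True
        return False


def demo():
    token, server = SmartToken(TOKEN_SECRET, TOKEN_PIN), Authenticator(TOKEN_SECRET)
    otp = token.generate(TOKEN_PIN)
    first = server.verify(otp)                # genuine use succeeds
    replay = server.verify(otp)               # sniffed code replayed: rejected
    locked = token.generate("0000")           # wrong PIN: no code at all
    return first, replay, locked
```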
Location validation and call level security:
CLI (Caller Line ID) verifies a remote user's calling number against a database
of acceptable numbers. Fixed dial-back numbers, in which the system dials
a pre-assigned number for verification, are another method of location
authorization. However, fixed numbers aren't usually an acceptable solution
for mobile workers who don't have a dedicated or predefined number. This
type of authentication is also susceptible to the dial-back spoofing and
call forwarding threats described earlier.
PPP (Point-to-Point Protocol) Security Authentication:
Password Authentication Protocol (PAP) and Challenge-Handshake Authentication
Protocol (CHAP) are the most common of the PPP methods. PAP provides a
simple, although not very secure, method for a peer to establish its identity
during link establishment. PAP sends passwords over the circuit unencrypted,
leaving them open to interception. CHAP uses a three-way handshake
for authentication. First comes the link establishment phase, followed
by the authenticator sending a challenge message to the peer. This type
of authentication relies on a secret known only by the peer and authenticator,
and uses it to encrypt the transmission. CHAP protects against playback
by using an incrementally changing variable challenge value and identifier.
Using repeated challenges limits the time of exposure to a single attack.
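The CHAP exchange above, as an added example that is not from the original article: both sides compute the Response Value as RFC 1994 specifies it, MD5 over the Identifier byte, the shared secret and the Challenge Value, so the secret itself never crosses the link. The shared secret is a constructed value; the changing identifier and random challenge are what make a captured response useless on the next handshake.

```python
import hashlib
import hmac
import os

SHARED_SECRET = b"example-secret"   # constructed; known only to peer and authenticator


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response Value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    def __init__(self, secret: bytes):
        self._secret, self._id, self._outstanding = secret, 0, None

    def challenge(self):
        """Step 1: send a new identifier and a fresh random challenge value."""
        self._id = (self._id + 1) & 0xFF           # identifier changes every round
        chal = os.urandom(16)
        self._outstanding = (self._id, chal)
        return self._id, chal

    def check(self, identifier: int, response: bytes) -> bool:
        """Step 3: Success only for the response to the currently outstanding challenge."""
        if self._outstanding is None or identifier != self._outstanding[0]:
            return False
        expected = chap_response(identifier, self._secret, self._outstanding[1])
        self._outstanding = None                   # a challenge is answerable once
        return hmac.compare_digest(expected, response)


class Peer:
    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        """Step 2: prove knowledge of the secret without sending it."""
        return chap_response(identifier, self._secret, challenge)


def run_exchange(peer_secret: bytes = SHARED_SECRET):
    auth, peer = Authenticator(SHARED_SECRET), Peer(peer_secret)
    ident, chal = auth.challenge()
    resp = peer.respond(ident, chal)
    first = auth.check(ident, resp)                # genuine peer: True
    auth.challenge()                               # next round, new id and challenge
    replay = auth.check(ident, resp)               # captured response replayed: False
    return first, replay
```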