Lesson 12: Implementing Secure Network Access Protocols Flashcards

1
Q

Dynamic Host Configuration Protocol (DHCP)

A

provides an automatic method for network address allocation. As well as an IP address and subnet mask it can include optional parameters, such as the default gateway, Domain Name System (DNS) server address, DNS suffix, or NetBIOS name server address. This avoids the configuration errors that can occur if addresses are specified manually.

The key point about DHCP is that only one server should be running. DHCP broadcasts are typically limited to the local subnet. A router can be configured to forward the packets to another network (as is often the case with networks divided into separate VLANs, for instance). More than one DHCP server may be running for fault tolerance, as long as they are all configured correctly, and address pools don’t overlap. If a rogue DHCP server is set up, it can perform DoS (as client machines will obtain an incorrect TCP/IP configuration) or be used to snoop network information. There are various tools that can be used to detect rogue DHCP servers, including DHCPLOC for Windows® (https://gallery.technet.microsoft.com/DHCPLOC-Utility-34262d82) and dhcp_probe for Linux® (https://www.net.princeton.edu/software/dhcp_probe). Windows DHCP servers in an AD environment automatically log any traffic detected from unauthorized DHCP servers.

Another DoS attack against DHCP is installing a rogue client; that is, one that repeatedly requests new IP addresses using spoofed MAC addresses, with the aim of exhausting the IP address pool (DHCP starvation). It is possible to configure a DHCP server to bind only to known MAC addresses (DHCP Registration), but this is time-consuming and quite easily subverted, as it is trivial to harvest and spoof valid MAC addresses.

2
Q

The best defenses against attacks on DHCP are accomplished by general network security best practices:

A

  • Use scanning and intrusion detection to pick up suspicious activity.
  • Enable logging and review the logs for suspicious events.
  • Disable unused ports and perform regular physical inspections to ensure that unauthorized devices are not connected via unused jacks.
  • Enable DHCP snooping on switch access ports to prevent the use of unauthorized DHCP servers.
3
Q

Domain Name System (DNS)

A

resolves host names and domain labels to IP addresses. It uses a distributed database system that contains information on domains and hosts within those domains. The information is distributed among many name servers, each of which holds part of the database. The name servers work over port 53. The distributed nature of the system has the twin advantages that the maintenance of the system is delegated and the loss of one DNS server does not prevent name resolution from being performed.

4
Q

DNS spoofing

A

an attack that compromises the name resolution process. One use of DNS spoofing is to facilitate a pharming attack. In a pharming attack, the attacker compromises the process of DNS resolution in some way to replace the valid IP address for a trusted website such as mybank.com with the attacker’s IP address. The attacker can then receive all the packets directed to mybank.com at a malicious site, designed to fool the user into thinking it is genuine, with the intention of capturing credentials when the user attempts to authenticate. Alternatively, DNS spoofing could be used for a Denial of Service attack, by directing all traffic for a particular FQDN to an invalid IP address (a black hole).

5
Q

DNS Cache/Hosts File

A

Before DNS was developed (in the 1980s), name resolution took place using a text file named HOSTS. Each name:IP address mapping was recorded in this file and system administrators had to download the latest copy and install it on each Internet client or server manually. Even though all name resolution now functions through DNS, the HOSTS file is still present and most operating systems check the file before using DNS. Its contents are loaded into a cache of known name:IP mappings and the client only contacts a DNS server if the name is not cached. Therefore, if an attacker is able to place a false name:IP address mapping in the HOSTS file and effectively poison the DNS cache, he or she will be able to redirect traffic. The HOSTS file requires administrator access to modify. In UNIX and Linux systems it is stored as /etc/hosts, while in Windows it is placed in %SystemRoot%\System32\Drivers\etc\hosts.

An attacker can also compromise a DNS client by performing a Denial of Service attack on the victim’s legitimate DNS server. The attacker could then use ARP spoofing to respond to DNS lookups from the victim network.

6
Q

DNS server cache poisoning (or pollution)

A

another redirection attack, but instead of trying to subvert the name service used by the client, it aims to corrupt the records held by the DNS server itself. The intention is to redirect traffic for a legitimate domain to a malicious IP address.

7
Q

A typical attack would proceed as follows:

A
  1. The server in grommet.com wants to find an address in widget.com. It queries the root and .com name servers and gets an address for the name server for widget.com.
  2. The attacker spoofs the name server for widget.com. To do this, the attacker must compromise the genuine widget.com name server through some sort of DoS attack. The attacker just needs to ensure that his or her malicious DNS responds to grommet.com’s queries before the legitimate one.
  3. The attacker spoofs responses to the grommet.com server and poisons its cache, meaning that traffic for widget.com from grommet.com gets directed to the attacker’s IP address.
8
Q

Berkeley Internet Name Domain (BIND)

A

Attacks on DNS may also target the server application and/or configuration. Many DNS services run on BIND (Berkeley Internet Name Domain), distributed by the Internet Software Consortium (http://www.isc.org). There are known vulnerabilities in many versions of the BIND server, so it is critical to patch the server to the latest version. The same general advice applies to other DNS server software, such as Microsoft’s. Obtain and check security announcements and then test and apply critical and security-related patches and upgrades.

9
Q

DNS footprinting

A

means obtaining information about a private network by using its DNS server to perform a zone transfer (all the records in a domain) to a rogue DNS or simply by querying the DNS service, using a tool such as nslookup or dig. To prevent this, you can apply an Access Control List to prevent zone transfers to unauthorized hosts or domains, to prevent an external server from obtaining information about the private network architecture.

You should also consider that DNS is a critical service that should be configured to be fault tolerant. DoS attacks are hard to perform against the servers that perform Internet name resolution, but if an attacker can target the DNS server on a private network, it is possible to seriously disrupt the operation of that network. Active Directory® (for instance) relies on DNS to work properly.

10
Q

DNS Security Extensions (DNSSEC)

A

help to mitigate against spoofing and poisoning attacks by providing a validation process for DNS responses. With DNSSEC enabled, the authoritative server for the zone creates a “package” of resource records (called an RRset) signed with a private key (the Zone Signing Key). When another server requests a secure record exchange, the authoritative server returns the package along with its public key, which can be used to verify the signature.

The public zone signing key is itself signed with a separate Key Signing Key. Separate keys are used so that if there is some sort of compromise of the zone signing key, the domain can continue to operate securely by revoking the compromised key and issuing a new one.

The Key Signing Key for a particular domain is validated by the parent domain or host ISP. The top-level domain trusts are validated by the Regional Internet Registries and the DNS root servers are self-validated, using a type of M-of-N control group key signing. This establishes a chain of trust from the root servers down to any particular subdomain.

11
Q

Cybersquatting

A

an attack where an adversary acquires a domain for a company’s trading name or trademark, or perhaps some spelling variation thereof. While there are often trademark and intellectual property laws against doing this, companies need to be careful to renew domain names that they want to continue to use and to protect the credentials used to manage the registration. A domain name must be re-registered every year.

12
Q

The following attacks all exploit the domain name registration process in some way:

A
  • Domain hijacking—an adversary gains control over the registration of a domain name, allowing the host records to be configured to IP addresses of the attacker’s choosing. This might be accomplished by supplying false credentials to the domain registrar when applying for a new domain name or re-registering an existing one. An attacker might also be able to exploit the legitimate account used to manage the domain (via a weak password or RAT installed on a client computer) or even to compromise the domain registrar’s security procedures in some way.
  • Typosquatting—misspelled domains can be profitable depending on the frequency that users enter the misspelled name (for example, visiting amazoon.com or amazun.com). This is also referred to as URL hijacking. Such domains can generate advertising revenue through Google™ or be used to host malware or launch pharming attacks.
  • Kiting—a domain name can be registered for up to five days without paying for it. Kiting means that the name is continually registered, deleted, then re-registered.
  • Tasting—this is the registration of a domain to test how much traffic it generates within the five-day grace period; if the domain is not profitable, the registration is never completed.
13
Q

Simple Network Management Protocol (SNMP)

A

Apart from address allocation and name resolution, several other protocols are used in network housekeeping. Simple Network Management Protocol (SNMP) is a widely used framework for management and monitoring. SNMP consists of an SNMP monitor and agents.

  • The agent is a process (software or firmware) running on a switch, router, server, or other SNMP-compatible network device. This agent maintains a database called a Management Information Base (MIB) that holds statistics relating to the activity of the device (for example, the number of frames per second handled by a switch). The agent is also capable of initiating a trap operation where it informs the management system of a notable event (port failure, for instance). The threshold for triggering traps can be set for each value. Device queries take place over port 161 (UDP); traps are communicated over port 162 (also UDP).
  • The SNMP monitor (a software program) provides a location from which network activity can be overseen. It monitors all agents by polling them at regular intervals for information from their MIBs and displays the information for review. It also displays any trap operations as alerts for the network administrator to assess and act upon as necessary.

14
Q

If SNMP is not used, you should remember to change the default configuration password and disable it on any SNMP-capable devices that you add to the network. If you are running SNMP v1 or v2c, keep to the following guidelines:

A
  • SNMP community names are sent in plaintext and so should not be transmitted over the network if there is any risk that they could be intercepted.
  • Use difficult-to-guess community names; never leave the community name blank or set to the default.
  • Use Access Control Lists to restrict management operations to known hosts (that is, restrict to one or two host IP addresses).
15
Q

SNMP v3

A

SNMP v3 supports encryption and strong user-based authentication. Instead of community names, the agent is configured with a list of usernames and access permissions. When authentication is required, the SNMP message is signed with an MD5 (or SHA) hash of the user’s passphrase. The agent can verify the signature and authenticate the user using its own record of the passphrase.

SNMP v3 can also use DES or (in most products) AES to encrypt the contents of traps and query responses.

A query can be set to use no security (noAuthNoPriv), authentication only (authNoPriv), or authentication and encryption (authPriv).

16
Q

Network Time Protocol (NTP)

A

Many applications on networks are time-dependent and time-critical, such as authentication and security mechanisms, scheduling applications, or backup software. The Network Time Protocol (NTP) provides a transport over which to synchronize these time-dependent applications. NTP works over UDP on port 123.

Top-level NTP servers (stratum 1) obtain the Coordinated Universal Time (UTC) from a highly accurate clock source, such as an atomic clock. Lower tier servers then obtain the UTC from multiple stratum 1 servers and sample the results to obtain an authoritative time. Most organizations will use one of these stratum 2 servers to obtain the time for use on the LAN. Servers at lower tiers may then perform the same sort of sampling operation, adjust for the delay involved in propagating the signal, and provide the time to clients. Clients themselves usually obtain the time using a modified form of the protocol (Simple NTP).

17
Q

Remote access

A

Remote access means that the user’s device does not make a direct cabled or wireless connection to the network. The connection occurs over or through an intermediate network, usually a public Wide Area Network. Historically, remote access might have used analog modems connecting over the telephone system or possibly a private link (a leased line). These days, most remote access is implemented as a Virtual Private Network (VPN), running over the Internet. Given that, administering remote access involves essentially the same tasks as administering the local network. Only authorized users should be allowed access to local network resources and communication channels. Additional complexity comes about because it can be more difficult to ensure the security of remote workstations and servers and there is greater opportunity for remote logins to be exploited.

18
Q

Tunneling

A

a technology used when the source and destination computers are on the same logical network but connected via different physical networks. Historical remote access methods such as secure leased lines or dial-up connections are slow and expensive. A more practical solution is to use Internet access infrastructure and set up a secure tunnel for private communications through the Internet connection. This is referred to as a Virtual Private Network (VPN). Most business and residential sites have Internet connectivity, so this solution is very efficient in terms of cost. The main concerns are providing security for the transmissions that pass through the public network and preventing unauthorized users from making use of the VPN connection.

19
Q

A VPN can be implemented in one of two topologies.

A
  • remote access VPN
    In this scenario, clients connect to a VPN gateway (a VPN-enabled router, or sometimes called a VPN concentrator) on the local network. This is the “telecommuter” model, allowing home-workers and employees working in the field to connect to the corporate network. The VPN clients will connect over the Internet.
  • site-to-site
    This model connects two or more local networks, each of which runs a VPN gateway (or router/VPN concentrator). Where remote access VPN connections are typically initiated by the client, a site-to-site VPN is configured to operate automatically. The gateways exchange security information using whichever protocol the VPN is based on. This establishes a trust relationship between the gateways and sets up a secure connection through which to tunnel data. Hosts at each site do not need to be configured with any information about the VPN. The routing infrastructure at each site determines whether to deliver traffic locally or send it over the VPN tunnel.
20
Q

Point-to-Point Tunneling Protocol (PPTP)

A

Several VPN protocols have been used over the years. Legacy protocols such as the Point-to-Point Tunneling Protocol (PPTP) have been deprecated because they do not offer adequate security. Transport Layer Security (TLS) and IPSec are now the preferred options for configuring VPN access.

21
Q

TLS VPN

A

A TLS VPN (still more commonly referred to as an SSL VPN) requires a remote access server listening on port 443 (or any arbitrary port number). The client makes a connection to the server using TLS so that the server is authenticated to the client (and optionally the client’s certificate must be authenticated by the server). This creates an encrypted tunnel for the user to submit authentication credentials, which would normally be processed by a RADIUS server. Once the user is authenticated and the connection fully established, the RAS server tunnels all communications for the local network over the secure socket.

22
Q

OpenVPN

A

open source example of a TLS VPN (https://openvpn.net). OpenVPN can work in TAP (bridged) mode to tunnel layer 2 frames or in TUN (routed) mode to forward IP packets. Another option is Microsoft’s Secure Socket Tunneling Protocol (SSTP), which works by tunneling Point-to-Point Protocol (PPP) layer 2 frames over a TLS session (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sstp/70adc1df-c4fe-4b02-8872-f1d8b9ad806a). The Point-to-Point Protocol (PPP) is a widely used Internet access and remote dial-in protocol. It provides encapsulation for IP traffic (amongst others) plus IP assignment, authentication, and authorization features.

23
Q

Internet Protocol Security (IPSec)

A

set of open, non-proprietary standards that you can use to secure data as it travels across the network or the Internet. A connection security protocol such as Transport Layer Security is designed to protect application data. Unlike SSL/TLS, IPSec operates at the network layer (layer 3) of the OSI model, so the protocol is not application dependent. IPSec can provide both confidentiality (by encrypting data packets) and integrity/anti-replay (by signing each packet). The main drawback is that it is quite processor intensive, adding an overhead to data communications. IPSec can be used to secure communications on local networks and as a remote access protocol.

IPSec can be used with several cryptographic algorithms. Algorithms that an implementation must support to be standards-compliant are defined in https://tools.ietf.org/html/rfc8221. There are also some obsolete ciphers that the RFC deprecates. Vendors can support additional, perhaps proprietary, ciphers as they see fit.

An IPSec policy is a set of security configuration settings that define how an IPSec-enabled system will respond to IP network traffic. The policy determines the security level and other characteristics for an IPSec connection. Each host that uses IPSec must have an assigned policy. Policies work in pairs; each of the endpoints in a network communication must have an IPSec policy with at least one matching security method for the communication to succeed. There are two core protocols in IPSec, which can be applied singly or together, depending on the policy.

24
Q

Authentication Header (AH)

A

protocol performs a cryptographic hash on the packet plus a shared secret key (known only to the communicating hosts), and adds this HMAC in its header as an Integrity Check Value (ICV). The recipient performs the same function on the packet and key and should derive the same value to confirm that the packet has not been modified. The payload is not encrypted so this protocol does not provide confidentiality and is consequently not often used.

25
Q

Encapsulating Security Payload (ESP)

A

This provides confidentiality and authentication by encrypting the packet rather than simply calculating an HMAC. ESP attaches three fields to the packet (a header, a trailer [providing padding for the cryptographic function], and an Integrity Check Value).

IPSec datagram using ESP—The TCP header and payload from the original packet is encapsulated within ESP and encrypted to provide confidentiality.

Note: The principles underlying IPSec are the same for IPv4 and IPv6, but the header formats are different. IPSec makes use of extension headers in IPv6 while in IPv4, ESP and AH are allocated new IP protocol numbers (50 and 51), and either modify the original IP header or encapsulate the original packet (see the following Transport and Tunnel Modes section).

26
Q

IPSec can be used in two modes:

A
  • Transport mode—the IP header for each packet is not encrypted, just the data (or payload). This mode would be used to secure communications on a private network (an end-to-end implementation).

IPSec datagram using AH and ESP in transport mode.

  • Tunnel mode—the whole IP packet (header and payload) is encrypted and a new IP header added. This mode is used for communications across an unsecure network (creating a VPN). This is also referred to as a router implementation.

27
Q

shared secret

A

AH and ESP both depend on the idea of a shared secret; that is, a key known only to the two hosts that want to communicate. For this to happen securely, the secret must be communicated to both hosts and the hosts must confirm one another’s identity (mutual authentication). Otherwise, the connection is vulnerable to Man-in-the-Middle and spoofing attacks.

28
Q

Internet Key Exchange (IKE) protocol

A

part of the IPSec protocol suite that handles authentication and key exchange, referred to as Security Associations (SA). IKE is also referred to as Internet Security Association and Key Management Protocol (ISAKMP). IKE negotiations use UDP port 500.

29
Q

IKE negotiations use UDP port 500. The negotiations take place over two phases:

A

  • Phase I establishes the identity of the two hosts and performs key agreement using the Diffie-Hellman algorithm to create a secure channel. Phase I is usually initiated in Main Mode, which involves six messages (two to propose an IKE SA, two to agree on DH keys, and then two to exchange identifiers securely). The alternative is Aggressive Mode, which packs the information in these six messages into three messages. This is quicker but means that identifiers are exchanged in the clear. This may allow a snooper to perform a dictionary or brute-force password-guessing attack on the authentication information.

    Diffie-Hellman key agreement establishes the shared secret used to sign the packets for message integrity. Diffie-Hellman does not authenticate the endpoints, however. Two methods of authenticating hosts are commonly used:

      • PKI—the hosts use certificates issued by a mutually trusted Certificate Authority to identify one another. This is the most secure mechanism but requires PKI architecture.
      • Pre-shared Key (Group Authentication)—the same passphrase is configured on both hosts. A Pre-Shared Key (PSK) is also referred to as group authentication, as a single password or passphrase is shared between all hosts. Obviously, this is not very secure, as it is difficult to keep the pre-shared key a secret known only to valid hosts. It can also be difficult to change the key.
  • Phase II uses the secure channel created in Phase I to establish which ciphers and key sizes will be used with AH and/or ESP in the IPSec session.

This first version of IKE is set up to ensure the mutual authentication of two peer hosts. On its own, it does not provide a simple means for a client user account to authenticate to a remote network. Consequently, for remote access VPNs, a combination of IPSec with the Layer 2 Tunneling Protocol (L2TP) VPN protocol is most often used. With L2TP/IPSec, the client and server machines can authenticate using digital certificates or a pre-shared key. The user can then authenticate to the remote access server using whatever method is supported (MS-CHAP or EAP, for instance). L2TP uses UDP port 1701 for data and connection control.

30
Q

The drawbacks of the original version of IKE were addressed by an updated protocol. IKE v2 has some additional features that have made the protocol popular for use as a standalone remote access VPN solution. The main changes are:

A
  • Support for EAP authentication methods, allowing, for example, user authentication against a RADIUS server.
  • Simplified connection setup—IKE v2 specifies a single 4-message setup mode, reducing bandwidth without compromising security.
  • Reliability—IKE v2 allows NAT traversal and MOBIKE multihoming. Multihoming means that a client such as a smartphone with multiple interfaces (such as Wi-Fi and cellular) can keep the IPSec connection alive when switching between them.

Compared to L2TP/IPSec, using IKE v2 is more efficient. This solution is becoming much better supported, with native support in Windows 10, for instance.

31
Q

Network Access Server (NAS) or Remote Access Server (RAS)

A

All the major NOS are bundled with software supporting VPNs. A server configured in this role is usually called a Network Access Server (NAS) or Remote Access Server (RAS).

32
Q

VPN concentrator

A

Where the functionality is part of a router or dedicated security appliance, it may be called a VPN concentrator. In either case, the server would be placed on the network edge, protected by a firewall configuration in a Demilitarized Zone (DMZ).

The drawbacks of using a software solution for VPN are security (the server is exposed to the Internet) and performance (if the server is performing other tasks). A hardware or appliance-based solution overcomes these problems and a range of devices is available to meet different performance requirements at different price points. Many SOHO routers support IPSec and/or SSL VPNs with tens of simultaneous connections. These are all-in-one boxes combining the functions of VPN, Internet router, firewall, and DSL modem.

There are also dedicated SSL VPN concentrator appliances, such as those from Netgear®, again aimed at the SME market. These are intended to be installed alongside a router, firewall, or IPSec VPN to enable secure access to web applications on the corporate intranet or extranet. Heavyweight, dedicated VPN concentrator appliances, such as Cisco’s 3000 and 5000 series, provide scalable performance for hundreds or thousands of users. This type of product is no longer marketed, however (both the 3000 and 5000 series have been discontinued), as the same functionality is more economically incorporated into enterprise-class routers.

33
Q

The creation of a remote access server should be accompanied by documentation describing the uses of the service, security risks and countermeasures, and authorized users of the service. There should also be authorization to run the service from the network manager. The remote access policy should then implement the measures identified through compiling the documentation. Typical policy restrictions would be:

A
  • Restricting access to particular users or groups.
  • Restricting access to particular times of day or particular days of the week.
  • Restricting privileges on the local network (ideally, remote users would only be permitted access to a clearly defined part of the network).
  • Logging and auditing access logons and attempted logons.

In addition to this, a management plan should ensure that remote access servers and other hardware are kept up to date with the latest software or firmware updates. Administrative access to the devices should also be secured, using strong authentication.

34
Q

VPN client configuration

A

To configure a VPN client, you may need to install the client software if the VPN type is not natively supported by the OS. For example, OpenVPN requires client installation. You then configure the client with the address of the VPN gateway, the VPN protocol type (if it cannot autodetect it), the username, and the account credentials. You may also need to deploy a client certificate that is trusted by the VPN concentrator to the machine and make that available to the VPN client. In addition, you might need to configure settings for how the VPN connection operates.

35
Q

always-on VPN

A

Traditional VPN solutions require the user to initiate the connection and enter their authentication credentials. An always-on VPN means that the computer establishes the VPN whenever an Internet connection over a trusted network is detected, using the user’s cached credentials to authenticate. Microsoft has an Always On VPN solution for Windows Server 2016 and Windows 10 clients (https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment) and an OpenVPN client can be configured to autoconnect (https://openvpn.net/vpn-server-resources/setting-your-client-to-automatically-connect-to-your-vpn-when-your-computer-starts).

36
Q

When a client connected to a VPN uses the Internet, there are two ways to manage the connection:

A
  • Split tunnel—the client accesses the Internet directly using its “native” IP configuration and DNS servers.
  • Full tunnel—Internet access is mediated by the corporate network, which will alter the client’s IP address and DNS servers and may use a proxy.

Full tunnel offers better security, but the network address translations and DNS operations required may cause problems with some websites, especially cloud services.

37
Q

Remote access is a serious network security problem, mainly because control of the client computer often falls outside the reach of security mechanisms set up to protect the network. The integrity of the client computer presents many issues:

A
  • Malware protection—the computer may not be accessible to network systems used to update and enforce malware protection. This may have to be left to the end-user. If a worm or Trojan is installed, network security may be compromised. This is especially true as using a VPN connection will make traffic between the client and network invisible to many network firewalls.
  • Security information—authentication information may be stored on the client (saving a password, for instance), making the network vulnerable if the computer is stolen.
  • Data transfer—files copied to the client may no longer be properly secured, raising the potential that confidential information could be stolen along with the device.
  • Local privileges—the user of a remote computer configured with administrative privileges might have no understanding of how such privileges can be exploited or misused. They might install unauthorized software on the machine or make it more vulnerable to malware by browsing the web from an administrative account.
  • Weak authentication—relying on a username and password combination alone is simply not secure enough in a remote access scenario. Two-factor authentication using a smart card or biometric recognition in addition to a PIN or password should be enforced. If this is not an option, a strong password policy must be enforced and users made aware of the very real risks of writing down or sharing their password.

The principal solution to remote access security problems is to educate remote users about security risks and their responsibilities. Enforcement can be provided by having remote devices audited periodically to ensure that anti-virus, firewall, and OS/browser/application patches are being kept up to date and to check that unlicensed software has not been installed. It is also wise to limit what remote users can access on the local network and to severely restrict the rights of remote computer accounts, applying the principle of least privilege. Technologies such as Remote Desktop make it practical to lock down the user’s privileges more tightly than in the past, because technicians can provide support and assistance without going offsite or having the machine brought onsite.

38
Q

Follow these guidelines when configuring secure remote access protocols:

A
  • Implement VPN technology to support access to your networks by remote clients over the Internet and secure communications between sites across public networks.
  • Select a VPN protocol that gives the most effective security while also being supported by your servers and client devices.
  • Install the VPN concentrator to the network edge using a secure firewall configuration to prevent compromise.
  • Develop a remote access policy to ensure only authorized users can connect and ensure that the network is not compromised by remote clients with weak security configurations.

39
Q

Telnet

A

Remote administration tools allow administrators to manage and configure a computer over a network. They can work over a local network, over a VPN, or even across the Internet, if the appropriate ports are opened on the firewall. Remote administration tools are enormously useful, but they also represent a significant attack surface if their use is not secured.

Telnet is terminal emulation software to support a remote connection to another host. It does not support file transfer directly, but when you connect, your computer acts as if your keyboard is attached to the remote host and you can use the same commands as a local user. In order to support Telnet access, the remote host must run a service known as the Telnet Daemon. Telnet uses TCP port 23 by default.

Telnet is not secure. Telnet daemon software has a history of exploitable vulnerabilities, and Telnet communications, including usernames and passwords, are sent in cleartext, so anyone able to sniff the path between client and host can read them. One option would be to ensure Telnet is only used over a secure channel, such as an IPSec tunnel. However, most hosts support more secure remote administration mechanisms, such as SSH, and the Telnet daemon should be disabled wherever it is not strictly needed.
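To make the cleartext problem concrete, here is an added Python example (not from the original page) that does what a passive sniffer on the path would do: strip the RFC 854 IAC option negotiation from a captured Telnet exchange and read the username and password straight out of the remaining bytes. The captured segments, the prompts, the host name and the credentials are all constructed for the example.

```python
"""Added example, not from the original page: recover Telnet credentials from a captured
exchange by stripping RFC 854 option negotiation. All capture data is constructed."""

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Return only the application bytes, removing IAC command sequences."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:            # dangling IAC at the end of a segment: drop it
            break
        cmd = data[i + 1]
        if cmd == IAC:            # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                # IAC <cmd> <option>
        elif cmd == SB:           # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end == -1 else end + 2
        else:
            i += 2                # any other two-byte command (NOP, GA, AYT, ...)
    return bytes(out)


def recover_credentials(conversation):
    """conversation: list of (direction, raw_bytes) in capture order, direction 'S'
    (server to client) or 'C' (client to server). Returns whatever was typed after the
    login and password prompts, exactly as a sniffer on the path sees it."""
    creds = {}
    expecting = None
    client_buf = b""
    for direction, raw in conversation:
        text = strip_telnet_negotiation(raw)
        if direction == "S":
            prompt = text.lower().rstrip()
            if prompt.endswith(b"login:"):
                expecting = "username"
            elif prompt.endswith(b"password:"):
                expecting = "password"
        else:
            # Telnet clients send end-of-line as CR LF or CR NUL; normalise to CR LF.
            client_buf += text.replace(b"\r\x00", b"\r\n")
            while b"\r\n" in client_buf:
                line, client_buf = client_buf.split(b"\r\n", 1)
                if expecting is not None:
                    creds[expecting] = line.decode("ascii", "replace")
                    expecting = None
    return creds


# Constructed capture: DO/WILL TERMINAL-TYPE (24) and ECHO (1) negotiation mixed with text.
CAPTURE = [
    ("S", bytes([IAC, DO, 24, IAC, WILL, 1]) + b"\r\nhost01 login: "),
    ("C", bytes([IAC, WILL, 24, IAC, DO, 1]) + b"alice\r\n"),
    ("S", b"Password: "),
    ("C", b"s3cret!\r\n"),
    ("S", b"\r\nWelcome to host01\r\n$ "),
]

if __name__ == "__main__":
    print(recover_credentials(CAPTURE))   # {'username': 'alice', 'password': 's3cret!'}
```

Nothing here is an exploit: the negotiation bytes are the only thing standing between the raw capture and the password, which is why wrapping Telnet in IPSec, or replacing it with SSH, is the fix.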

40
Q

Secure Shell (SSH)

A

The principal means of obtaining secure remote access to a UNIX® or Linux® server. The main uses of SSH are for remote administration and secure file transfer (SFTP). There are numerous commercial and open source SSH products available for all the major NOS platforms (UNIX, Linux, Windows, and macOS®). The most widely used is OpenSSH (https://www.openssh.com).

SSH servers are identified by a public/private key pair (the host key). The client records the server’s public key the first time it connects (OpenSSH keeps it in a known_hosts file) and warns if the key presented on a later connection does not match, which is the main defense against an on-path (man-in-the-middle) attacker impersonating the server. The fingerprint shown on that first connection should be verified out of band rather than accepted blindly. A mapping of host names to public keys can be kept manually by each SSH client, or there are various enterprise software products designed for SSH key management.
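Added example (Python, not from the original page) of how a client’s known_hosts pinning works: building the wire-format key blob, computing OpenSSH’s SHA256 fingerprint format from it, matching both plain and hashed host entries (the `|1|salt|hash` form written with HashKnownHosts), and distinguishing an unknown host from a host whose key has changed. The host names, key bytes and salt are constructed; the "ed25519" keys are stand-in byte strings in the right format, not real keys.

```python
"""Added example, not from the original page: known_hosts parsing, fingerprinting and
host-key pinning checks in the style of an SSH client. All keys/hosts are constructed."""
import base64
import hashlib
import hmac
import struct


def ssh_string(b: bytes) -> bytes:
    """SSH wire encoding of a byte string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def make_key_blob(key_type: bytes, raw_key: bytes) -> bytes:
    """Public key blob as stored base64-encoded in known_hosts: string type, string key."""
    return ssh_string(key_type) + ssh_string(raw_key)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint (ssh-keygen -l): SHA-256 of the blob, base64, no padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_entry(hostname: str, salt: bytes) -> str:
    """The '|1|salt|hash' host field OpenSSH writes when HashKnownHosts is enabled:
    hash = HMAC-SHA1(salt, hostname). Hides host names from anyone who reads the file."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_field_matches(field: str, hostname: str) -> bool:
    """Match a known_hosts host field (plain, comma-separated, or hashed) to a hostname."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in field.split(",")


def parse_known_hosts(text: str):
    """Yield (host_field, key_type, blob) per entry. Marker lines (@cert-authority,
    @revoked) are skipped here to keep the example focused on plain pinning."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        parts = line.split()
        if len(parts) >= 3:
            yield parts[0], parts[1], base64.b64decode(parts[2])


def check_host_key(known_hosts_text: str, hostname: str, key_type: str, blob: bytes) -> str:
    """'match'   : hostname is pinned to exactly this key.
    'changed' : hostname is pinned to a different key of this type (possible MITM; refuse).
    'unknown' : no entry, so the client faces a trust-on-first-use decision."""
    seen_host = False
    for host_field, ktype, known_blob in parse_known_hosts(known_hosts_text):
        if ktype != key_type or not host_field_matches(host_field, hostname):
            continue
        seen_host = True
        if hmac.compare_digest(known_blob, blob):
            return "match"
    return "changed" if seen_host else "unknown"


# Constructed data: stand-in 32-byte "keys", a fixed salt, and a two-entry known_hosts.
SALT = bytes(range(20))
KEY_A = make_key_blob(b"ssh-ed25519", bytes([0x11] * 32))
KEY_B = make_key_blob(b"ssh-ed25519", bytes([0x22] * 32))
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "bastion.example.internal,10.0.0.5 ssh-ed25519 " + base64.b64encode(KEY_A).decode(),
    hashed_host_entry("git.example.internal", SALT) + " ssh-ed25519 "
    + base64.b64encode(KEY_B).decode(),
])

if __name__ == "__main__":
    print("bastion fingerprint:", fingerprint(KEY_A))
    for host, blob in (("bastion.example.internal", KEY_A), ("bastion.example.internal", KEY_B),
                       ("git.example.internal", KEY_B), ("new.example.internal", KEY_A)):
        print(host, "->", check_host_key(KNOWN_HOSTS, host, "ssh-ed25519", blob))
```

The operational point is the "changed" branch: a real client prints the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning and refuses to continue, and the right response is to confirm the new fingerprint with whoever administers the host, not to delete the known_hosts line and retry.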

41
Q

The server’s host key is used to set up a secure channel over which the client submits its authentication credentials. SSH allows various methods for the client to authenticate to the SSH server. Each of these methods can be enabled or disabled as required on the server:

A
  • Username/password—the client submits credentials that are verified by the SSH server either against a local user database or using an AAA server, such as RADIUS or TACACS+.
  • Kerberos—the client submits the Kerberos credentials (a Ticket Granting Ticket) obtained when the user logged onto the workstation to the server using GSSAPI (Generic Security Services Application Program Interface). The SSH server contacts the Ticket Granting Service (in a Windows environment, this will be a domain controller) to validate the credential.
  • Host-based authentication—the server is configured with a list of authorized client host public keys. The client requests authentication with one of these keys and proves possession of the matching private key by signing data that includes the session identifier; the server verifies the signature with the listed public key. This provides non-interactive login, but there is considerable risk of intrusion if a client host’s private key is compromised, because that one key vouches for every user on the host.
  • Public key authentication—host-based authentication cannot be used with fine-grained access controls, as access is granted on the basis of the client host rather than the individual user. The same signature-based mechanism can be used per user account: each remote user’s public key is added to the list of keys authorized for a local account on the SSH server (the authorized_keys file in OpenSSH). The user’s private key can be protected with a passphrase that must be input to unlock the key, providing an additional measure of protection compared to host-based authentication; a private key stored without a passphrase is only as safe as the file system it sits on.
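The authentication methods above map directly onto sshd_config keywords, and enabling or disabling them is a configuration audit question. As an added example (Python, not part of the original page), here is a small auditor that applies the first-value-wins rule sshd uses when a keyword is repeated, checks the global settings against a key-only policy, and flags Match blocks that re-enable a weaker method for a subset of users. Both configuration texts are constructed for the example; the defaults in the policy table are OpenSSH’s documented defaults for absent keywords.

```python
"""Added example, not from the original page: audit the authentication settings of an
sshd_config against a key-only policy. Both configs below are constructed."""

# keyword -> (acceptable values, OpenSSH default when the keyword is absent, reason)
POLICY = {
    "passwordauthentication": ({"no"}, "yes",
        "passwords can be guessed or phished; require keys (or Kerberos via GSSAPI)"),
    "hostbasedauthentication": ({"no"}, "no",
        "a stolen client host key would vouch for every user on that host"),
    "pubkeyauthentication": ({"yes"}, "yes",
        "public-key authentication must stay enabled"),
    "permitrootlogin": ({"no", "prohibit-password"}, "prohibit-password",
        "root must never authenticate with a password"),
    "challengeresponseauthentication": ({"no"}, "yes",
        "keyboard-interactive can relay password logins through PAM"),
}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks). Like sshd, keep the FIRST value seen for a
    keyword; directives after a 'Match' line belong to that block until the next 'Match'."""
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            current = (value, {})
            match_blocks.append(current)
        elif current is not None:
            current[1].setdefault(key, value)
        else:
            global_settings.setdefault(key, value)
    return global_settings, match_blocks


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config satisfies POLICY."""
    settings, blocks = parse_sshd_config(text)
    findings = []
    for key, (allowed, default, reason) in POLICY.items():
        value = settings.get(key, default)
        if value not in allowed:
            source = "explicit" if key in settings else "OpenSSH default"
            findings.append("%s is '%s' (%s): %s" % (key, value, source, reason))
        for criteria, overrides in blocks:
            if key in overrides and overrides[key] not in allowed:
                findings.append("Match %s sets %s=%s: confirm this exception is intended"
                                % (criteria, key, overrides[key]))
    return findings


# Constructed: the permissive settings a freshly installed daemon is often left with.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
HostbasedAuthentication yes
ChallengeResponseAuthentication yes
"""

# Constructed: key-only policy, Kerberos allowed, with one scoped exception to surface.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
HostbasedAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
MaxAuthTries 3
# the backup account below is the only one still allowed a password
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":")
        for finding in audit_sshd_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Two details matter in practice: an absent keyword is not a safe keyword (PasswordAuthentication defaults to yes, so the empty file fails the audit), and a Match block can quietly undo a hardened global setting, so an audit that only reads the top of the file will miss it.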
42
Q

Remote Desktop Protocol (RDP)

A

A GUI remote administration tool sends screen and audio data from the remote host to the client and transfers mouse and keyboard input from the client to the remote host. Remote Desktop Protocol (RDP) is Microsoft’s protocol for operating remote connections to a Windows machine. RDP uses TCP port 3389. The administrator can specify permissions to connect to the server via RDP and can configure encryption on the connection. RDP has acquired several security enhancements as the product has developed.

43
Q

Two of the most important are NLA and credential guard:

A
  • Network Level Authentication (NLA) requires the client to authenticate (using CredSSP) before a full remote session is started. An RDP server that does not enforce NLA can be subject to DoS attacks, as the server allocates resources to prepare a session for every request, and it discloses information about the server (such as the computer and domain names) on the logon screen to anyone who connects, whether or not they hold valid credentials.
  • RDP Restricted Admin (RDPRA) mode/Remote Credential Guard—making an RDP connection to a compromised workstation means an adversary could obtain the password hash for the account used to connect and then use it in a Pass-the-Hash (PtH) or ticket-forging attack. RDPRA keeps the credential off the remote host, but because it accepts an existing hash for the connection it can itself be used in a PtH attack, so it was not a complete mitigation. Remote Credential Guard means that any authentication requests are processed by the RDP client machine, not on the server, so the credential is never exposed to the remote host.

There are several popular alternatives to Remote Desktop. Most support remote access to platforms other than Windows (macOS and iOS, Linux, Chrome OS, and Android for instance). Examples include TeamViewer (https://www.teamviewer.us) and Virtual Network Computing (VNC), which is implemented by several different providers (notably https://www.realvnc.com).