CompTIA CASP+ CAS-004 – Chapter 05 – Implementing Security for Cloud and Virtualization Technologies Part 4
- Dial-Up Access
Even though they are rarely used these days, with the exception of particular scenarios, such as people in remote areas who don’t have access to high-speed Internet, we still want to understand the basics of dial-up. Okay? A dial-up connection uses the PSTN, the public switched telephone network, and is a connection over analog phone lines. Because the phone lines are analog and the computer communicates in digital, you need a modem, a modulator-demodulator, that converts the digital data to analog. There’s a modem on the receiving end that converts it back to digital. Right. Your standard phone lines operate at up to a whopping 56 Kbps.
That’s one of the disadvantages: it’s not high speed. But it has almost universal availability, so that’s where it might still be used. Dial-up connections will use one of two remote access protocols: Serial Line Internet Protocol (SLIP) or Point-to-Point Protocol (PPP). Both of these protocols operate at layer 2. SLIP is much older and has been made obsolete. SLIP was plain text, so you’ll generally never be using that. That’s a 25-year-old protocol. PPP is the one that we would be using. It provides authentication, also provides multilink capability if you had dual phone lines and dual modems, and supports authentication and encryption. Now, when you authenticate against the remote server, that authentication can be handled individually by that remote access server, or it can be centralized, and you can centralize it through RADIUS, Remote Authentication Dial-In User Service, or TACACS+, which is a Cisco proprietary product that essentially does the same thing. In either case, if you are utilizing those, then the VPN or remote access server is simply forwarding your authentication request to a central device.
Some basic measures that you should have in place with dial-up for security purposes: have the remote access server call the initiating caller back at a preset number, and don’t allow call forwarding, which can be used to thwart that security measure. The callback number is configurable in the user’s attributes in something like Active Directory.
We should also use the strongest authentication method that is possible. There are going to be multiple options. We didn’t really talk about those here, but the authentication methods are CHAP, MS-CHAP, MS-CHAPv2, EAP, and EAP with TLS. We talked about them in a previous chapter in relation to VPNs, so always try to use the strongest one that’s supported by both the client and the server. Then possibly consolidate modems into a single location for physical security, and always disable modems that are not in use. Those are some basic security measures for dial-up.
- Virtual Private Networks
As we’ve talked about before, the virtual private network connection is the method of choice. It provides access to high-speed data connections along with strong authentication and encryption mechanisms to ensure the protection of data. Now, these are primarily used over the Internet. The Internet is definitely an untrusted network, but we are also able to use these on any shared or public type of network connection: Metro Ethernet, other WAN-type connections, MPLS networks, et cetera. Since the connection is going out over a public network, encapsulation, authentication, and encryption all become extremely important for us to use. And we’re not going to spend a whole lot of time with VPNs because we kind of already have.
But we know they come in different varieties: the SSL VPN, the IPsec VPNs, and the older PPTP and L2TP protocols. The latter two are very rarely used these days. IPsec VPNs, using IKEv1 or IKEv2, are the most common type of VPN these days, at least from what I’ve seen. When we talk about a remote access VPN, we are specifically talking about a situation where you have a VPN client installed on that particular computer and we’re making a tunneled connection with a remote access server. That remote access server could be an actual VPN server, it could be a VPN concentrator, it could be a router, it could be a firewall, all of those things. But it gives users access to the remote workplace via a secure high-speed connection.
- Remote Access Purposes
Now, in a lot of cases, administrators or network technicians are also going to need to use remote access. They’re going to remotely manage devices using remote administration. Okay? So that might be one reason I need to remotely access a machine. Another reason is just access to internal resources and services. We call this telecommuting, and it’s become a lot more common in today’s world. If I have an hour commute, I’m probably going to work out a deal where a couple of days a week I can stay at home and telecommute as opposed to driving that distance every day.
In fact, I tried to do that, and I live five minutes from the office. But everything I do is literally online. It’s accessible anywhere with an Internet connection. My home computers have VPNs back to the office, and so what’s the point, really? Right? At least from the perspective of the employee. But no. These resource access scenarios can vary based on different deployment models. Sometimes users need to use Remote Desktop to get to their machines because not only do they want to access internal resources and services, they actually need to run programs that are installed on their work computer but not on their home computer. They need to access databases, and they don’t have the front-end application on their home computer. So often the VPN tunnel is just opened up so that I can use Remote Desktop to my machine. And of course you could use something else: VNC, SSH on Linux, other methods. But Remote Desktop on a Windows network seems to be the most likely.
So basically, as security pros, we need to work with management to figure out what the remote access needs of the organization are so that we can deploy the appropriate solution and controls. We want to make sure that we’re meeting the needs of the organization but at the same time meeting the security needs. Okay, so the last item there says desktop sharing and application sharing. Of course, again, Remote Desktop is already built into the operating system. So if you’re using Windows, then you probably just want to utilize that in conjunction with a VPN connection.
If an organization has a business requirement to allow users to access their internal resources from the outside, and they don’t have the technology to set up a VPN or the desire to implement it, then we could look at some of the client-based desktop and application sharing products. Historically, pcAnywhere and GoToMyPC have probably been the most popular ones. LogMeIn is another very popular one, and TeamViewer is another very popular one. And there are many others. There are a lot of third-party applications that will allow access to those operating systems without a VPN infrastructure having to be in place.
- Security Considerations
Now, these different products that we’ve been talking about, and VPNs, make managing remote computers and users easier. But remote administration software is actually one of the most common attack vectors used by hackers. And so there are a number of issues that reduce the security of a remote administration solution, especially ones like LogMeIn, GoToMyPC, and those. So we need to be careful. Misconfiguration or poor deployment is one issue; outdated software is another, so you need to keep the software up to date. Cached administrative credentials and poor password management make it easy to get into a system, and now it’s getting into it from the outside. Then there’s failure to adopt any sort of two-factor authentication, and failure to use encryption, or using weak encryption.
Those are some of the issues. How do we mitigate those? Well, some of these are pretty self-explanatory as you read the issues that could reduce security. So we always want to use the latest version of the products. We always want to make sure that we have all the updates installed.
If there’s an automatic update option, then you should turn it on. Okay. If the solution is only accessible on the local area network, then we need to block its port at the network perimeter. In many cases, that’s not going to be the situation, but if that is the case, then okay, go ahead and do that. For mobile users, you would want to make sure you turn off automatic listening on the device, because we don’t want to have that port open on an untrusted network. It’s a good idea to regularly audit the security logs, and you’re looking for evidence of port scans in there.
You want to secure access to any config files that are used by the solution. You want to implement strong encryption. You want to control administrative access to it, make sure you’ve got audit trails from logging, and then finally, just remove it when it’s no longer in use. It’s a good idea to train people and make sure that they’re aware of the potential security ramifications of this software, and that they know how to go about guarding themselves against those.
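The lecture says to audit the security logs for evidence of port scans. As an added example (not part of the course material), the following Python script runs that check over a few constructed perimeter-firewall log lines: it groups connection attempts by source and destination, and flags any pair that touches at least `min_ports` distinct destination ports within a sliding time window. The log format, the field names, the addresses and the thresholds are all assumptions made for the illustration.

```python
"""Look for port-scan evidence in perimeter firewall logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simple key=value format (not real logs).
# The first source sweeps a range of remote-administration ports in seconds;
# the second is ordinary traffic from a legitimate client.
SAMPLE_LOG = """\
2024-05-01T10:00:01 DENY src=203.0.113.7 dst=198.51.100.10 dport=21 proto=tcp
2024-05-01T10:00:01 DENY src=203.0.113.7 dst=198.51.100.10 dport=22 proto=tcp
2024-05-01T10:00:02 DENY src=203.0.113.7 dst=198.51.100.10 dport=23 proto=tcp
2024-05-01T10:00:02 DENY src=203.0.113.7 dst=198.51.100.10 dport=25 proto=tcp
2024-05-01T10:00:03 DENY src=203.0.113.7 dst=198.51.100.10 dport=80 proto=tcp
2024-05-01T10:00:03 DENY src=203.0.113.7 dst=198.51.100.10 dport=110 proto=tcp
2024-05-01T10:00:04 DENY src=203.0.113.7 dst=198.51.100.10 dport=143 proto=tcp
2024-05-01T10:00:04 DENY src=203.0.113.7 dst=198.51.100.10 dport=443 proto=tcp
2024-05-01T10:00:05 DENY src=203.0.113.7 dst=198.51.100.10 dport=3389 proto=tcp
2024-05-01T10:00:05 DENY src=203.0.113.7 dst=198.51.100.10 dport=5900 proto=tcp
2024-05-01T10:00:06 DENY src=203.0.113.7 dst=198.51.100.10 dport=5938 proto=tcp
2024-05-01T10:01:00 ALLOW src=192.0.2.44 dst=198.51.100.10 dport=443 proto=tcp
2024-05-01T10:01:30 ALLOW src=192.0.2.44 dst=198.51.100.10 dport=443 proto=tcp
2024-05-01T10:05:00 DENY src=192.0.2.44 dst=198.51.100.10 dport=22 proto=tcp
"""

# Assumed line layout: "<ISO timestamp> <ALLOW|DENY> src=... dst=... dport=... proto=..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_log(text):
    """Parse log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def detect_port_scans(events, window=timedelta(seconds=60), min_ports=10):
    """Flag (src, dst) pairs that hit >= min_ports distinct ports inside one window.

    A sliding window over the time-sorted events keeps a count of each port
    currently inside the window, so the distinct-port count is exact rather
    than a per-minute bucket approximation. One finding per pair is reported.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append((e["ts"], e["dport"]))

    findings = []
    for (src, dst), evs in by_pair.items():
        evs.sort()
        left = 0
        in_window = defaultdict(int)  # port -> occurrences inside the window
        for ts, port in evs:
            in_window[port] += 1
            # Drop events that fell out of the window on the left.
            while ts - evs[left][0] > window:
                old_port = evs[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            if len(in_window) >= min_ports:
                findings.append({
                    "src": src,
                    "dst": dst,
                    "distinct_ports": len(in_window),
                    "first": evs[left][0],
                    "last": ts,
                })
                break
    return findings


def scan_report(text=SAMPLE_LOG):
    """Convenience wrapper: parse the text and return port-scan findings."""
    return detect_port_scans(parse_log(text))


if __name__ == "__main__":
    for f in scan_report():
        print(f"possible port scan: {f['src']} -> {f['dst']} "
              f"({f['distinct_ports']} ports, {f['first']} to {f['last']})")
```

The thresholds are deliberately conservative so that a normal client retrying a couple of services is not flagged; tune `window` and `min_ports` to the traffic you actually see at the perimeter.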
- Unified Collaboration Tools
There are two intersecting trends in the industry today that are introducing new headaches for security pros. That is, people are working together, or collaborating, more while at the same time becoming more mobile and working in more nontraditional ways, like working from home. And so that means that sensitive data is being shared in ways that we haven’t really had to secure before. And so there are some specific issues related to the different collaboration tools and methods, and we need to understand what these technologies are, be clear on that, and then look at the additional security measures that we can take. So what are we talking about? We’re talking about web conferencing, audio and video conferencing, storage and document collaboration, unified communication tools, email, instant messaging, all of these. So we just want to make sure that we have looked at all of the different types of communication, and we’ve focused on each type not just for what it is, but for how to mitigate its security risks.
- Web Conferencing
Okay, so web conferencing is the first. Web conferencing allows a company to save a ton of money. They can still have real-time contact with people, but they don’t have to travel. And web conferencing services and software have robust meeting tools. They allow for chatting, sharing documents, and viewing the screen of the presenter. Many will allow for video conferencing as well. But the fact remains that these lead to particular security issues. The information you’re chatting about and the documents you’re sharing are often of a sensitive nature. Well, then security issues arise, and so you need to take special care during a web conference. They’re a great tool, but they are a tool that we need to think about and make sure that we are going through the proper steps to secure. So what are the security issues? Well, data leakage: typically the web conference data is actually residing on a shared server for a little while. So there’s always a possibility of the data leaking out of the conference into hostile hands. Then you have uninvited guests: some systems just use a simple conference code for entrance. So there’s always a possibility that somebody who’s uninvited will arrive. Obviously, the smaller your web conference, the less likely that’s going to happen.
But I’m in conferences once a month, conferences that have a couple of hundred people in them, where you could easily slip in there. Even with 20 or 30, you could probably slip in there unnoticed, especially if you dial in as a phone user, things like that. So anyway, data capture en route: the possibility of information being detected and captured en route is pretty high. You can use encrypting technologies to prevent this.
And then there’s denial of service, the possibility of DoS attacks on the local servers when your web conferencing solution is integrated with existing applications. You could have DoS on a third party as well, but that’s not as much your concern. So how do we address these issues? First, take ownership of the process. We should take ownership of the process of selecting the web conferencing solution. We should not let the individuals in other departments select that product. As the IT and security departments, we don’t just want to react; we want to actually look, evaluate, and choose the best product, not solely based on security, but based on security and features in conjunction with the business needs. You’ll find business users often are just thinking about business needs; as IT people, we don’t want to just think about our own department and our own needs. We do want to address the business needs, but we want to do so in a secure manner. So we don’t want to have to react. We should take ownership of that process if at all possible, and part of that is making sure that the product is compatible with all the devices on the network.
Right, I definitely want devices that are going to use standard security and network components like SSL/TLS. I want to make sure the underlying network is secured. Then we should define a process for selecting and using the product. Really, four steps at minimum should be done. Step number one: define what the solution is allowed to be used for. Step two: identify the security needs that we need to meet before selecting a product. Three: make sure usage scenarios and security needs are built into any proposals for this software.
And four: make sure we’re including security practitioners in the whole process. If that’s you, then you want to be involved in that. Another way to mitigate is to disable, or strongly audit, the read/write desktop mode if that’s supported on the product. That mode allows meeting participants to access the host desktop. We should always use unique passwords for each individual conference. That’s going to help prevent the reuse of passwords by unauthorized users. And then be careful about conferences that would be giving out sensitive data. In fact, you might even consider NDAs, nondisclosure agreements, for conferences that have confidential information or contain intellectual property.
Another one we didn’t mention (the slide says something about encryption) is that you might require a VPN connection to the company network to attend conferences. Okay, so just think about those things. We want to try to make this as secure as possible while still retaining the functionality.
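Two of the mitigations above, a unique password for every conference and disabling or auditing read/write desktop mode, can be shown in a few lines of code. The following Python registry is an added example and not code from the course or from any conferencing product; the class, method names, passcode format and audit-log layout are assumptions. Each conference gets its own randomly generated passcode that is stored only as a salted hash, so a passcode for one conference never admits anyone to another, and desktop control is off by default with every change recorded.

```python
"""Per-conference passcodes and audited desktop-control setting (added example)."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Alphabet without look-alike characters (0/O, 1/I/l) so passcodes can be read aloud.
PASSCODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
PBKDF2_ROUNDS = 100_000


class ConferenceRegistry:
    """Hypothetical registry of conferences, their passcodes and security settings."""

    def __init__(self):
        # conference_id -> {"salt", "passcode_hash", "desktop_control"}
        self._conferences = {}
        self.audit_log = []  # (timestamp, conference_id, event) tuples

    def _record(self, conference_id, event):
        self.audit_log.append((datetime.now(timezone.utc), conference_id, event))

    @staticmethod
    def _hash(salt, passcode):
        # PBKDF2-HMAC-SHA256 so a leaked registry does not reveal passcodes.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, PBKDF2_ROUNDS)

    def create_conference(self, conference_id, passcode_length=10):
        """Create a conference and return its one-time-shown passcode."""
        if conference_id in self._conferences:
            raise ValueError(f"conference {conference_id!r} already exists")
        # A fresh random passcode per conference: never reused across meetings.
        passcode = "".join(secrets.choice(PASSCODE_ALPHABET) for _ in range(passcode_length))
        salt = secrets.token_bytes(16)
        self._conferences[conference_id] = {
            "salt": salt,
            "passcode_hash": self._hash(salt, passcode),
            "desktop_control": False,  # read/write desktop mode disabled by default
        }
        self._record(conference_id, "created")
        return passcode

    def admit(self, conference_id, passcode):
        """Return True only if the passcode matches this specific conference."""
        conf = self._conferences.get(conference_id)
        if conf is None:
            self._record(conference_id, "join attempt for unknown conference")
            return False
        ok = hmac.compare_digest(conf["passcode_hash"], self._hash(conf["salt"], passcode))
        self._record(conference_id, "admitted" if ok else "rejected: bad passcode")
        return ok

    def set_desktop_control(self, conference_id, enabled, requested_by):
        """Toggle read/write desktop mode; every change is written to the audit log."""
        conf = self._conferences[conference_id]
        conf["desktop_control"] = bool(enabled)
        self._record(conference_id,
                     f"desktop control {'enabled' if enabled else 'disabled'} by {requested_by}")

    def desktop_control_enabled(self, conference_id):
        return self._conferences[conference_id]["desktop_control"]


if __name__ == "__main__":
    reg = ConferenceRegistry()
    code = reg.create_conference("q3-planning")
    print("passcode for q3-planning:", code)
    print("join with correct code:", reg.admit("q3-planning", code))
    print("join with wrong code:", reg.admit("q3-planning", "NOPE"))
    for ts, cid, event in reg.audit_log:
        print(ts.isoformat(), cid, event)
```

In a real product the passcode would be delivered to invitees out of band and the audit log shipped to the central logging system, but the two properties the lecture asks for, no passcode reuse between conferences and an audit trail for desktop control, are already visible here.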
- Video Conferencing
Most or all of the videoconferencing products produced in the last ten years are going to use at least 128-bit Advanced Encryption Standard. It is important to remember, however, that no security solution is infallible. So recently, the NSA was accused of cracking military-grade encryption, which is actually better than 128-bit AES, and they were accused of doing that to spy on a UN video conference. Actually, the same source reported that the NSA discovered that the Chinese were attempting to crack the encryption too. Now, nobody knows if either the NSA or the Chinese actually succeeded in this, but what the story does is highlight the fact that risk will always exist.
Okay, so high-security networks, those like the DoD, the Department of Homeland Security, et cetera, that use video conferencing always use some additional security measures to augment the solution. So what are some of those? Well, obviously, again, one is the use of 128-bit or higher encryption. Second is device-level physical encryption keys.
These are keys that have to be inserted each time the system is used, and they’re typically exchanged every 30 days or so. Next, additional password keys that limit access to the device’s functions. Then session keys, generated at the start of each session, that are changed automatically during the session. And finally, traffic is always transmitted on secure data networks that use advanced encryption technologies.
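The per-session keys that are changed automatically during the session can be illustrated with a small key schedule. The Python below is an added example, not the course’s material or any vendor’s implementation: it assumes both endpoints already share a session secret from their key exchange, derives a 128-bit media key from it per session, and rekeys by advancing a one-way HMAC chain. The class and method names are invented for the illustration, and the derivation labels are arbitrary constants.

```python
"""Per-session media keys with automatic rekeying during the session (added example)."""
import hashlib
import hmac
import secrets

KEY_BYTES = 16  # 128-bit keys, matching the AES-128 floor the lecture mentions


class SessionKeyRatchet:
    """One-way key chain shared by both endpoints of a conference session.

    chain_0 = HMAC(shared_secret, "session-root" || session_id)
    key_n   = HMAC(chain_n, "media-key")[:16]
    chain_n+1 = HMAC(chain_n, "chain-advance")

    Because keys are derived from the chain with a separate label and the old
    chain value is discarded on rekey, a leaked media key reveals neither the
    chain nor the keys of other epochs.
    """

    def __init__(self, shared_secret: bytes, session_id: bytes):
        # Assumption: shared_secret comes from the endpoints' key exchange and
        # session_id is unique per session, so two sessions never share keys.
        self.epoch = 0
        self._chain = hmac.new(shared_secret, b"session-root|" + session_id,
                               hashlib.sha256).digest()

    def current_key(self) -> bytes:
        """Media key for the current epoch."""
        return hmac.new(self._chain, b"media-key", hashlib.sha256).digest()[:KEY_BYTES]

    def rekey(self) -> bytes:
        """Advance to the next epoch (e.g. on a timer) and return the new key."""
        self._chain = hmac.new(self._chain, b"chain-advance", hashlib.sha256).digest()
        self.epoch += 1
        return self.current_key()


def new_session(shared_secret: bytes):
    """Start a session with a fresh random session id; returns (session_id, ratchet)."""
    session_id = secrets.token_bytes(16)
    return session_id, SessionKeyRatchet(shared_secret, session_id)


def key_schedule(shared_secret: bytes, session_id: bytes, rekeys: int):
    """All media keys a session will use if it rekeys `rekeys` times."""
    r = SessionKeyRatchet(shared_secret, session_id)
    keys = [r.current_key()]
    for _ in range(rekeys):
        keys.append(r.rekey())
    return keys


if __name__ == "__main__":
    sid, endpoint_a = new_session(b"constructed-shared-secret")
    endpoint_b = SessionKeyRatchet(b"constructed-shared-secret", sid)
    print("epoch 0 keys match:", endpoint_a.current_key() == endpoint_b.current_key())
    print("epoch 1 keys match:", endpoint_a.rekey() == endpoint_b.rekey())
    print("keys differ between epochs:",
          endpoint_a.current_key() != key_schedule(b"constructed-shared-secret", sid, 0)[0])
```

The point to take from it is that "session keys changed automatically during the session" is a schedule both sides can follow without another exchange, and that a key from one session or epoch is useless for any other.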
A nonproprietary approach to securing video conferences is to extend the H.323 standard to support DES encryption. H.323 is a standard for AV communication sessions: web conferences, video conferences, as well as voice over IP. And there are some extensions, the H.235 extensions, that can provide additional security. In most cases, security issues don’t involve shortcomings in recent products; they involve these things: it’s not that the product can’t do it, it’s that you didn’t enable encryption. It’s not that there aren’t products out there that can meet your needs; it’s that you chose to use an outdated video system that doesn’t support encryption or can’t be updated anymore. Or maybe you have a new system, but you’re not installing updates on it.
So it’s those kinds of things: network devices like gateways and video bridges not supporting encryption or having encryption turned off, and poor password management. We want to try to avoid these issues, and typically you can accomplish that by creating and following a process for selecting and using a product, which we’ve just discussed. And we need security people involved in that, so that we choose products that are going to meet not only the business needs, but also the technical and security needs of the organization.