Basic rules for protecting remote maintenance accesses

Transcription

1 BSI publications on cyber security RECOMMENDATION: IT IN THE COMPANY Basic rules for protecting remote maintenance accesses The use of more and more complex hardware and software products makes it necessary for many users to permit remote access - i.e. normally via the Internet - to IT components within the local network for maintenance or troubleshooting purposes. As a matter of principle, opening such a remote maintenance access (e.g. to a company's or government agency's internal network) constitutes a significant basic threat. Even if efficient and complex access protection mechanisms are implemented, this does not change the basic fact that the remote maintenance interface allows for direct access to the internal network and the data processed in it for persons outside of the organisation. Therefore, if opening the internal network to the outside by means of a remote maintenance interface is absolutely necessary for an organisation for economic or operational reasons, this interface should at least be provided with the best possible protection. The goal of the present overview document is to outline technical solution possibilities and to derive some basic rules that must be taken into account. 1 Home networks and small-scale companies Small-scale companies (e.g. handicraft businesses) or freelancers usually do not have the money to permanently employ specifically trained personnel to administrate their IT. The home user also often feels overwhelmed with the configuration of his/her PC or the installation of specific software. In this situation, it is convenient to know somebody who "knows what's what". Some internet providers also provide their customers with support in the event of PC problems as a service. Regardless of whether for private or professional assistance (at least companies should give preference to the latter): it usually turns out to be too expensive to have the expert pay a personal visit in order to solve the problems directly on site. There is a broad range of products for establishing a support or remote maintenance interface in the market, covering a broad spectrum of application scenarios from the professional to the semi-professional and/or private areas. From the large number of products offered, two exemplary technologies will be explained briefly in this document, specifically regarding a "small-scale" solution, that are also available for free - at least when used for private purposes. With the help of the Remote Framebuffer Protocol (RFB; specified in RFC 6143) based control software Virtual Network Computation (VNC), it is possible to transfer the screen content of PC 1 (e.g. the PC to be maintained remotely) to the desktop of PC 2 (e.g. PC of the remote maintenance service provider) using a network (LAN or WAN). BSI-CS 054 Version /06/2013 Page 1 of 6

2 Thus, the expert sitting in front of PC 2 sees the events on PC 1 as if he/she was looking directly at its screen. Here, the software can be configured in different ways: the remote maintenance service provider may either be granted complete access to PC 1 (via keyboard and mouse) or his/her rights may be restricted to purely passive observation. For example, the latter may make sense if a phone connection is established between customer and service provider in parallel and the expert guides the user through the support routine. This means that the user performs all actions by following the expert's instructions, and so the user maintains full control over his/her system and no actions are performed without the user's consent. However, this approach usually turns out to be very time-consuming and inconvenient in practice, which is why the expert normally is granted full access to the maintenance object. In this case, the user only visually follows the work on his/her computer, but may abort it at any moment by interrupting the session using his/her mouse if he/she no longer trusts the expert's approach. A VNC-based software is already integrated into many operating systems in different forms (e.g. RealVNC in diverse Linux distributions, remote support in MS Windows). Technical details regarding the establishment of a VNC connection suitable for remote maintenance and support purposes can be found on the Internet 1. However, those who consider the configuration effort for a VNC connection too high may also use alternative remote control solutions such as the products "Teamviewer" or "Netviewer", for example. This and comparable software has the advantage that the type of connection to the Internet does not play any role when establishing the connection between PC 1 and PC 2. This is because the proprietary software installed on both PCs is used to establish a connection to a central server in each case, with this server establishing a secure communication channel between both sides without having to change the configuration of the respective Internet connections for this. However, this advantage comes with the disadvantage that the operator of the central servers may in principal also access the exchanged data when using this solution. This should be considered a factor particularly during remote maintenance operations in areas that are sensitive from a data protection law point of view. Irrespective of the technical implementation eventually adopted: The goal of the statements provided up to this point was to provide a short explanation of the principle of remote control solutions in order to now derive some basic rules as to how such a connection can actually be used securely as a remote maintenance interface. Thus, assuming a working remote connection between user and remote maintenance service provider, the following is applicable initially: Basic rule 1: The initiative for establishment of a support or remote maintenance session must always come from the user. Since user and expert normally communicate with each other via the phone while performing remote maintenance operations in the private or semi-professional area, as already mentioned above, this route also lends itself regarding the initiation of a session: The user calls the remote maintenance service provider on the phone and opens the access manually. As an alternative, sending an containing a one-time password would also be a possibility, with this password enabling the remote maintenance service provider to establish a connection to the computer to be maintained using the remote control software within a limited time frame (e.g. a few hours). If there is no telephone connection, a chat program may also be used as communication medium between user and expert, as is already integrated in diverse remote maintenance programs. 1 Comprehensive technical instructions on how open source software can be used to configure a support interface for private users and smallscale companies can be found on the web portal of the Heise publishing company in the article at: BSI-CS 054 Version /06/2013 Page 2 of 6

3 The two basic rules described below may not necessarily be relevant regarding the use in the private environment or in small-scale companies where only support regarding the configuration of the PC and/or troubleshooting is required. However, once the remote maintenance service provider may have access to confidential data at least in principle, the following must be observed: Basic rule 2: The remote maintenance connection should be encrypted. Basic rule 3: The remote maintenance service provider must provide secure authentication before it is granted access to the system. Encryption is already integrated in diverse remote maintenance programs. Products such as VNC, for example, where this is not the case by default, should therefore be operated using an SSH or a VPN tunnel (SSH = Secure Shell, VPN = Virtual Private Network). Similarly to VNC, configuring SSH using the Internet certainly requires some configuration effort if the computers are connected via a router and, protected by a firewall, to the public network in each case 2, 3. The VNC connection using an encrypted tunnel has the advantage that not only the data exchanged during maintenance can neither be viewed nor manipulated by an attacker, but also the user name and the password used by the remote maintenance service provider in order to authenticate prior to the commencement of the session. According to basic rule 3, such an authentication is necessary as a matter of principle and is already implemented in many VNC programs accordingly. However, the authentication data may be transmitted partially unencrypted via the Internet in the absence of an SSH tunnel, and could therefore possibly be intercepted and misused, which can then no longer be deemed "secure". Normally, an attacker has little use for the encrypted form of the user name and the password, since it is not possible to draw any conclusions about the plain text based on this information. Nevertheless, he/she is still able to use a brute-force attack, i.e. the process of trying a large number of potential combinations, in order to "guess" the access data. In order to also rule out this attack, it therefore is more secure if the remote maintenance service provider authenticates using a certificate instead of a user name and a password. 2 Larger companies and government agencies The remote control solutions described in the paragraph above (protected by reliable encryption and authentication mechanisms) are especially suitable for scenarios where a user wants to sporadically enlist the assistance of an external expert in the event of occurring IT issues. For such purposes, larger companies (e.g. medium-sized and large-scale companies, government agencies, etc.) normally employ well-trained personnel (network and system administrators) who are responsible for professionally maintaining the organisation's IT. However, this only applies to organisations that have not outsourced their IT support to an external service provider. In addition, large-scale companies and government agencies normally use complex hardware and software, the maintenance of which requires such specific know-how that the maintenance work can only be performed by the manufacturer. Therefore, permanently configuring a remote maintenance access could be required in both cases. One essential aspect distinguishing the IT of a larger organisation from the scenario discussed in the last paragraph includes the size and the complexity of the network. In general, the network consists of a series of central servers with manifold applications (e.g. databases, account 2 The article "Fernzugriff auf Desktops mit VNC" (remote access to desktops using VNC) in the magazine "Computerwoche" provides a short overview of how a VNC connection can be configured using an SSH tunnel. This article can be found at: 3 At this point as well, remote control programs such as Teamviewer, where the session runs via a central server, provide the advantage that the data is encrypted automatically between PC 1 and the server, as well as between server and PC 2 regardless of the type of Internet connection. However, it must be taken into consideration that the keys are exchanged via the central server here as well and that the server operator may therefore decrypt the data at any time - at least in principle. BSI-CS 054 Version /06/2013 Page 3 of 6

4 ing, purchasing, sales, warehousing, etc.) accessed by a large number of client computers. Here, a remote maintenance session for example, when the software manufacturer installs an update for the accounting department usually only affects one or a few of the servers. In order to endanger the integrity of the remaining network as little as possible by the remote maintenance access, there is another basic rule: Basic rule 4: The remote maintenance object should be isolated as much as possible from the remaining network at least during a remote maintenance session in order to prevent deliberate or inadvertent accesses of the remote maintenance service provider to other computers and servers. For this, at least a separation through packet filters must be used so that the remote maintenance service provider does not have any access to computers outside of the remote maintenance zone. Furthermore, the three rules already defined in the paragraph above naturally remain valid, i.e. the remote maintenance service provider must authenticate securely prior to establishing a session preferably using a certificate and the connection must be encrypted using an SSH or a VPN tunnel. In this case, the technical implementation of these safeguards is naturally more sophisticated when compared to the VNC connection in the paragraph above. Before we discuss this, we will first formulate another basic rule connected directly to the last: Basic rule 5: The modifications to be performed on the central security gateways in order to establish the remote maintenance access should be as minor as possible. Simply put, this means: if you have to drill a hole into the firewall, this hole should be as small as possible. However, in most cases it is not possible to implement this rule ideally in practice, since every re-configuration of the firewall always entails the risk of misconfiguration. Instead of only permitting access to the maintenance object, the administrator may accidentally open the entire network, for example, and undermine the isolation of the maintenance object achieved beforehand as part of the implementation of basic rule 4 as a consequence. Furthermore, if the maintenance configuration is established permanently on the firewall, this increases the risk of attackers exploiting this and entering the network from the outside. On the other hand, if the firewall configuration is changed for every single maintenance operation, the risk of misconfigurations and/or simply forgetting to reset the firewall from the maintenance mode at the end of a session increases proportionately with the number of interventions. In order to minimise these threats caused by direct tunnelling of the firewall, the connection should be established using an intermediate coupling server. Similarly to the web, , or FTP servers of the organisation also accessible from the outside, such a coupling server is also located in the demilitarised zone (DMZ) of the firewall Instead of directly accessing the maintenance object within the internal network, the remote maintenance service provider is initially only provided with the option of establishing an SSH or a VPN tunnel to the coupling server. Only after the user authenticates securely on the server does an administrator from the internal network open a corresponding tunnel from the maintenance object to the coupling server and, by doing this, establishes an end-to-end connection between remote maintenance service provider and maintenance object (rendezvous principle). Since all connections from the outside through the firewall now initially end on the coupling server, neither the remote maintenance service provider nor an attacker can obtain unauthorised access to the internal network. Furthermore, the requirements in the fields of secure encryption and reliable authentication in accordance with basic rules 2 and 3 are also implemented elegantly from a technical point of view. Ultimately, basic rule 1 is also complied with, since no remote maintenance session is established without the active cooperation of the internal administrator. BSI-CS 054 Version /06/2013 Page 4 of 6

5 Products for implementing such a solution are available on the market. Finally, we would like to formulate another basic rule: Basic rule 6: The performance of remote maintenance must be logged. This logging procedure should not only be performed on the maintenance object itself, but also on the packet filter which isolates the maintenance object from the remaining network, as well as on the coupling server. If an internal administrator monitors the work continuously, it is sufficient to document the start and end times of the remote maintenance process, as well as the persons involved. On the other hand, if it is not possible for the remote access to be supervised by an internal IT employee over the entire duration of the maintenance activities, all activities must be logged. This way, the work performed can be comprehended in detail on the maintenance object at a later point in time. It may be apparent from the logs of the packet filter and the coupling server if the remote maintenance service provider, despite all security mechanisms, tries to gain unauthorised access to the internal network. 3 Safeguards regarding the remote maintenance service provider The safeguards described above were always focused on the network of the remote maintenance customer. Since the latter not only grants the remote maintenance service provider access to his/her internal IT, but also high levels of authorisation (up to administrator rights), the customer should select the service provider carefully. Regarding rights management, the following rule is applicable in particular: Basic rule 7: The remote maintenance service provider must never be granted more rights than required for fulfilling its tasks. Since the customer does not have any direct influence on the way the service provider works, its negligence or unreliable personnel may result in uncontrollable risks for the customer. In order to minimise these risks, contractual agreements must be concluded. These should cover the following, amongst other things: a precise description, e.g. in the form of an IT security concept, as to how the IT systems of the remote maintenance service provider are protected, a precise specification of the competences and duties of the maintenance personnel, a non-disclosure agreement, an agreement stating that data that had to be stored externally during the maintenance work must be deleted immediately upon completion of the work in such a way that it cannot be reproduced. In order to have a certain level of control regarding the compliance with these duties, the customer should grant itself the contractual right to perform audits of the service provider itself of to have such audits performed by a specialised independent company. In order to be sure that the service provider also complies with the essential standards regarding the security of its own IT, the customer should ensure that the service provider has an ISO certification on the basis of IT-Grundschutz. BSI-CS 054 Version /06/2013 Page 5 of 6

6 In summary, we formulate the last basic rule: Basic rule 8: The reliability of the remote maintenance service provider should be the decisive criterion when selecting the provider. Regarding this reliability, the customer should contractually stipulate corresponding control mechanisms. 4 Final remark More detailed information on the "Remote maintenance" topic can also be found in the IT- Grundschutz Catalogues of the BSI ( particularly in safeguard S 5.33 and the further references quoted therein. By means of the BSI publications, the Federal Office for Information Security (BSI) publishes documents about current topics in the field of cyber security. Comments and advice from readers can be sent to info@cyber-allianz.de. BSI-CS 054 Version /06/2013 Page 6 of 6