Securing Access to Network Devices
Data Track Technology
October, 2003

A corporate information security strategy will not be effective unless IT administrative services are protected through processes that safeguard voice and data network infrastructure devices. This paper identifies the issues involved in delivering secure remote access to network devices, the first basic step of infrastructure security, and discusses the solutions that Data Track Technology offers for resolving them.

Introduction

An integral part of the discussion of securing access to network devices is to identify how the steps of authentication, authorization, and auditing relate to information security in general, and to secure remote access specifically. To that end, definitions of the terms used in this paper follow.

Authentication is the control over who is allowed to gain access to a network device, usually through a login/password process. Once a user is authenticated and has gained access, he may still need to pass additional authentication for access to specific services.

Authorization is the ability to limit the network services, and therefore the capabilities, available to different users and/or groups of users. This is usually achieved by applying a user profile associated with a unique username/password combination.

Auditing/Accounting collects and logs user activities on the network. The information collected can then be used for internal billing purposes and as source material for security investigations.

Issue: Administering Network Devices at Remote Locations

Administrative access to voice and data network infrastructure devices such as routers, firewalls, PBXs, etc. usually takes place either remotely over a wide area network, remotely over a local area network, or locally with a serial cable from a computer to the console port of the device.
A remote location within an organization will have voice and data network devices located on the premises, but the IT staff charged with maintaining these devices is often located elsewhere. Access methods are needed to administer and configure network devices, but the methods must be secured from attackers on the outside and from malicious persons on the inside.
Example: Remote Branch Office

A typical example of network devices at a remote location would be a branch office that has a router that connects the office to the corporate WAN for data communications and a small PBX for telecommunications. There is no IT staff at this site. When there is a performance problem with the router, a system administrator (SA) or support engineer (SE) at the regional headquarters uses the telnet program to connect to the router across the WAN to read system logs, and then possibly to reconfigure a route table. When a new user needs to be added to the PBX, a telecom manager at the regional headquarters uses a Windows software program from the PBX manufacturer to connect to the PBX across the WAN and add a user to the system.

Figure 1 - Remote branch office with voice and data equipment. (Diagram elements: SA/SE, WAN, router, PSTN, PBX, voice mail, branch LAN; legend: Ethernet network, unrestricted dial-up.)

If the wide area network connection to this site is not functioning due to a failure of the router or of the transport between the router and the WAN backbone, in-band access is not available for either data communications or telecommunications administration. In this case, a system administrator connects to a modem on the router via a telephone line, logs in directly to the router, and then uses the command line interface on the router to debug the wide area network interface. If the router is unresponsive, a technician has to be dispatched to the site to power cycle the router and to check the integrity of the IOS image in the system. The telecom manager connects to the service modem on the PBX via a telephone line, logs in directly to the PBX, and then uses a command line tool on the PBX to add a user to the system. If there are no service modems on the router or the PBX, a technician is dispatched to the site.
Security Shortcomings

In this example scenario, with in-band access over the WAN and out-of-band access via individual modems on each device, there are several serious security exposures.

In-band Access

From within the WAN, there may be many sections of the corporate intranet that have routes to remote corporate locations. Unless route-based vulnerability assessments have been performed, there can be little assurance that users on the WAN other than authorized system administrators are blocked from reaching remote devices. And since the voice and data network devices may well have telnet, tftp, ftp, and even http servers running to offer access to system administrators, all of which carry credentials and configuration data unencrypted, these devices are vulnerable to attack by insiders through the administrative access points reachable across the WAN. (See the discussion below on administering network devices on the LAN for a more detailed treatment of insider attack issues.)

Out-of-band Access

The voice and data network devices to be managed remotely may have relatively weak access methods. Adding a plain modem as the service access point for a network device magnifies the opportunity for the device to be compromised: attackers using war dialers will eventually find the modem and attack the login prompt of the device.

Issue: Administering Network Devices on the LAN

Methods of access to voice and data network devices located where IT staff reside also need to be secured, not only from the same outsider threats as remote locations but also from insider threats. A host of studies from well-known sources, including the FBI, the SANS Institute, and the Office for Critical Infrastructure Assurance at the White House, have shown that sophisticated insiders pose the greatest security threat to corporate networks. Disgruntled staff and those attempting to masquerade as administrators are at the top of the insider threat list.
Example: Regional Headquarters

An example of network devices on a large local area network is a regional headquarters facility that has a direct connection to the Internet, a series of routers and firewalls for data communications, and a large PBX for telecommunications. There are IT staff members at this location. When there is a performance problem with the router, a local system administrator uses the telnet program to connect to the router across the LAN to read system logs, and then possibly to reconfigure a route table. When a new user needs to be added to the PBX, a local telecom manager uses a Windows software program from the PBX manufacturer to connect to the PBX across the LAN and add a user to the system.
Figure 2 - Regional headquarters with voice and data equipment. (Diagram elements: Internet, router, DMZ with email and web servers, firewall, IDS, SA/SE, PBX, voice mail; legend: Ethernet network.)

If the local area network at this site is not functioning, in-band access is not available for either data communications or telecommunications administration. In this case, IT staff members would directly access the consoles of voice and data network devices to remedy the situation. It would be unusual to have modems connected to the network devices at a site where there is a sizable IT staff.

Security Shortcomings

In this example, the greatest vulnerability is not via out-of-band access but rather in-band access, since there will be few situations where modems are present as standard operating procedure on network devices. In our example regional headquarters, administrative access to network devices is via the corporate network and not via a separate administrative VLAN or a separate physical network. At the regional headquarters, there will be users on the corporate network attempting to gain unauthorized access to network resources. It may be a former IT staff member who has maintained back door access to the network. It may be a visitor to a company site sitting down at a logged-in PC. It may be a current employee who has some time on his or her hands and thinks they have hacking skills, or it may be a short-term contractor. It may be a bored vendor's representative handling a service event. Or it could even be an attacker who has actually penetrated the network and is looking for the soft, chewy center now that he is past the hardened borders.
In-band Access

In a typical corporate network, critical network infrastructure devices such as routers, servers, firewalls, LAN switches, and PBXs are relatively unprotected from compromise from within. The former IT employee may still have an active password to a web server, and in just a few minutes on the network he adds a back door for future mischief. The visitor or current employee may download one of the many attack tools available on the Internet and send a flood of packets to the open telnet port on the nearest router. The vendor's representative adding a software upgrade to a PBX may try to telnet around the network to see which devices he can gain access to. The attacker who has penetrated the network perimeter roams about trying to find, compromise, and reconfigure any internal servers running insecure services such as tftp.

Data Track's Secure Remote Access (SRA)

Data Track's solution delivers a consistent, secure system to connect IT personnel to voice and data network devices across local and wide area networks. It uses proven methods of authentication, authorization, and auditing/accounting. Beyond the secure connectivity functions, the SRA solution includes a number of services to monitor network devices. One keeps track of the connection status of each monitored device. Another records the activity of system administrators on each monitored device. A power management service allows remote support engineers to power cycle network devices. A logging service provides a data collection facility for monitored devices, either through a serial port or via TCP. There is also a facility for local storage and retrieval of configuration data for network devices. And an alerting service offers a message delivery facility to an upstream network management system.
The overall benefits of deploying Data Track's SRA are:

- Improved management of system administration activity
- Reduced technician dispatches (and associated costs)
- Increased network infrastructure security

Methodology

A key element of Data Track's Secure Remote Access solution is that, rather than connecting directly into a network device, a system administrator or support engineer connects to a security appliance called a Tracker. It is a reliable and robust platform based on the Linux operating system. The operating system, the configuration parameters, and the Tracker applications are stored in non-volatile memory, making them resilient to power failures. The configuration parameters of the Tracker can be set remotely, and system upgrades can be uploaded over a TCP/IP network or a dial-up connection.
Many voice and data network devices can be connected to a single Tracker security appliance, via a serial connection to the console port of the network device, a TCP/IP Ethernet network connection, or both. When the connection is via a Tracker serial port, the unit's full auditing capabilities are available, including logging the commands that an administrative user enters at the console of the managed device. Note that when the Tracker is used as the administrative access point to a network device, any other administrative access to that device can be disabled, which removes the directly attackable management services from the device and so reduces the risk of a device failure caused by an attack.

Security within Tracker

When a system administrator wants to administer a network device, the first step is to set up a VPN tunnel to the Tracker security appliance if the connection is over a TCP/IP network, or a CHAP-authenticated PPP session to the Tracker if the connection is over a dial-up network. The next step is to log on to the Tracker via a password-protected terminal session. Once the logon is successful, the firewall in the Tracker ensures that system administrators have access only to authorized equipment and/or applications. When the Tracker is fitted with multiple Ethernet ports, its internal routing tables are used to restrict the traffic flow between these interfaces, creating a secure routing environment. In addition to the security of the logon process and the firewall rules, the administrator of the Tracker also configures the logon methods allowed per user, and enables the level of access required per user.
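The logon, per-user profile and audit steps just described, together with the authentication, authorization and auditing definitions from the Introduction, as an added Python example. This is not Data Track's code; the paper does not publish the Tracker's internals. The user names, passwords, device names, the two access levels ("read" and "config"), the list of read-only command prefixes, and the audit record layout are all assumptions made for illustration.

```python
"""Access-control model for a Tracker-style administrative gateway.

Added example, not Data Track's code.  Models the flow the paper describes:
logon to the appliance, a profile that limits which managed devices and
which level of access a user gets, and an audit trail of every command.
Names, passwords, levels and the log layout are assumptions.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumption: commands with these prefixes are read-only; anything else needs "config".
READ_ONLY_PREFIXES = ("show ", "display ", "ping ")


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a stolen credential file is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass(frozen=True)
class Profile:
    name: str
    salt: bytes
    pw_hash: bytes
    devices: FrozenSet[str]   # managed devices this user may reach
    level: str                # "read" or "config"
    methods: FrozenSet[str]   # logon methods allowed: "vpn", "dialup"


class Tracker:
    """Authentication, authorization and auditing in one place."""

    def __init__(self) -> None:
        self.profiles: Dict[str, Profile] = {}
        self.audit: List[Tuple[float, str, str, str]] = []  # (time, user, event, detail)
        self._dummy_salt = os.urandom(16)

    def add_user(self, name: str, password: str, devices, level: str, methods) -> None:
        salt = os.urandom(16)
        self.profiles[name] = Profile(name, salt, hash_password(password, salt),
                                      frozenset(devices), level, frozenset(methods))

    def _log(self, user: str, event: str, detail: str) -> None:
        self.audit.append((time.time(), user, event, detail))

    def login(self, name: str, password: str, method: str) -> Optional["Session"]:
        profile = self.profiles.get(name)
        # Always do the hash work so an unknown user costs the same time as a bad password.
        salt = profile.salt if profile else self._dummy_salt
        candidate = hash_password(password, salt)
        ok = (profile is not None
              and hmac.compare_digest(candidate, profile.pw_hash)
              and method in profile.methods)       # per-user logon method restriction
        if not ok:
            self._log(name, "LOGIN_FAIL", method)
            return None
        self._log(name, "LOGIN_OK", method)
        return Session(self, profile)


class Session:
    def __init__(self, tracker: Tracker, profile: Profile) -> None:
        self.tracker = tracker
        self.profile = profile

    def run(self, device: str, command: str) -> str:
        """Authorize one command against the profile and log the outcome."""
        if device not in self.profile.devices:
            self.tracker._log(self.profile.name, "DENIED_DEVICE", f"{device}: {command}")
            return "DENIED: device not in profile"
        if not command.startswith(READ_ONLY_PREFIXES) and self.profile.level != "config":
            self.tracker._log(self.profile.name, "DENIED_LEVEL", f"{device}: {command}")
            return "DENIED: config level required"
        # A real appliance would now relay the command to the device console;
        # here it is only recorded, which is the audit record the paper describes.
        self.tracker._log(self.profile.name, "COMMAND", f"{device}: {command}")
        return "OK"


def make_demo_tracker() -> Tracker:
    """Constructed sample users and devices (not from the paper)."""
    t = Tracker()
    t.add_user("alice", "branch-ops-2003", ["branch-router"], "config", ["vpn", "dialup"])
    t.add_user("bob", "telecom-only", ["hq-pbx"], "read", ["dialup"])
    return t


if __name__ == "__main__":
    tracker = make_demo_tracker()
    s = tracker.login("alice", "branch-ops-2003", "vpn")
    print(s.run("branch-router", "show logging"))
    print(s.run("hq-pbx", "show users"))
    for ts, user, event, detail in tracker.audit:
        print(f"{ts:.0f} {user} {event} {detail}")
```

Three points from the model carry over to any gateway of this kind: the password check is constant-time and costs the same for unknown users, so an attacker at the logon prompt cannot enumerate accounts by timing; the device allowlist is checked before the access level, so a denied request never reveals whether the command would otherwise have been permitted; and every attempt, including failures, lands in the audit trail, which is what makes the log useful as source material for an investigation.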
Figure 3 - Logical diagram of the Tracker's internal firewall in a secure remote access installation. (Diagram elements: system administrators reaching the Tracker over the corporate network, over the admin VLAN, and over restricted dial-up through the PSTN and a modem; serial connections from the Tracker to device consoles; legend: restricted dial-up, serial to device console, corporate network, admin VLAN, internal firewall.)

When managing network devices via a Tracker over a TCP/IP network, the highest security level would place a Tracker Ethernet interface and the administrative Ethernet interfaces of the network devices on a VLAN, or at least a subnet, separated from the rest of the local area network. This allows internal network segmentation methods to be used to severely limit the number of users that can reach the administrative interfaces of network devices.

System Applications

The Tracker provides a series of extensible services and system applications to support secure remote access and to serve as building blocks for other solutions. These include:

- VPN tunnels to provide secure in-band sessions across a LAN or WAN.
- Firewall to isolate system administrators from network segments where there are no authorized network devices.
- Monitoring service to provide basic connection status of managed devices.
- Management service that captures and filters SNMP traps, and then redirects them to one or more management applications.
- Auditing service to show system administration activity on each device.
- Alerting service to provide a message delivery facility to send alarms to a management application.
- Logging service to provide a data collection facility for devices connected via serial ports or TCP/IP sockets.
- Power management facility to allow remote support engineers to power cycle network devices.
- Local storage and retrieval of network device configuration data via restricted TFTP.

In-band and Side-band Access to Network Devices

For in-band access across a LAN, an administrator connects one Ethernet port on the Tracker to the corporate network. For more protection, an admin VLAN or even a separate admin LAN would be in use, and another Ethernet port on the Tracker would be connected to it. (Using a VLAN or a separate LAN for administrative purposes is often called side-band access.) For in-band or side-band access across a WAN, the Tracker would be connected to an Ethernet network and would have a TCP/IP route available across the WAN to the devices to be administered. A system administrator looking to connect via in-band or side-band access to a network device managed by a Tracker telnets to the IP address of the Tracker's Ethernet interface on the corporate network, and then selects the authorized device to administer. (This terminal session is carried inside the VPN tunnel to the Tracker described under Security within Tracker.)

Out-of-band Access to Network Devices

For out-of-band access, a telephone line is connected to the Tracker's integral modem. The Tracker can be configured to restrict answering to a set of originating numbers. A system administrator looking to connect via out-of-band access to a network device managed by a Tracker must call from a phone line whose number is authorized by the Tracker. A CHAP-authenticated PPP session starts up; the user logs on; and then the user selects the authorized device to administer from a menu.

North American Distributor: NetworkingPS, LLC
EMAIL: Info@NetworkingPS.com
PHONE: (908) 595-2136
FAX: (908) 595-2139
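The out-of-band path described above, a calling-number restriction applied before the modem answers followed by a CHAP-authenticated PPP logon, as an added Python example. This is not Data Track's code; the paper does not describe the Tracker's modem firmware or PPP stack. The telephone numbers, peer name and shared secret are constructed for illustration, and the North American (NANP) number normalization is an assumption about how the allowlist would be matched.

```python
"""Out-of-band access checks for a Tracker-style appliance.

Added example, not Data Track's code.  Shows the two controls the paper
describes for dial-up access: a calling-number allowlist applied before the
call is answered, and CHAP (RFC 1994, MD5 algorithm) once the PPP link is up.
Phone numbers, peer names and secrets are constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed allowlist of administrator phone lines, in E.164 form.
ALLOWED_CALLERS = frozenset({"+19085550100", "+19085550101"})


def normalize_number(raw: str) -> str:
    """Reduce '(908) 555-0100' or '1-908-555-0100' to '+19085550100' (NANP assumed)."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def should_answer(caller_id: Optional[str]) -> bool:
    """Calls with withheld caller ID are not answered at all."""
    if not caller_id:
        return False
    return normalize_number(caller_id) in ALLOWED_CALLERS


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier || Secret || Challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side (the appliance): issues challenges and checks responses."""

    def __init__(self, secrets: Dict[str, bytes]) -> None:
        self.secrets = secrets                 # peer name -> shared secret
        self.pending: Dict[int, bytes] = {}    # outstanding challenges by Identifier

    def challenge(self, ident: int) -> bytes:
        value = os.urandom(16)                 # fresh per attempt, so a replay fails
        self.pending[ident] = value
        return value

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        challenge = self.pending.pop(ident, None)   # single use
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, challenge), response)


class ChapPeer:
    """Client side (the administrator's PPP stack)."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name = name
        self.secret = secret

    def respond(self, ident: int, challenge: bytes) -> bytes:
        return chap_response(ident, self.secret, challenge)


def dialup_session(caller_id: Optional[str], peer: ChapPeer,
                   server: ChapAuthenticator, ident: int = 1) -> str:
    """Run the two checks in order; returns NO_ANSWER, AUTH_FAIL or AUTH_OK."""
    if not should_answer(caller_id):
        return "NO_ANSWER"
    challenge = server.challenge(ident)            # CHAP Challenge packet
    response = peer.respond(ident, challenge)      # CHAP Response packet
    return "AUTH_OK" if server.verify(ident, peer.name, response) else "AUTH_FAIL"


def make_demo_server() -> ChapAuthenticator:
    """Constructed peer table (not from the paper)."""
    return ChapAuthenticator({"sa-alice": b"constructed-chap-secret"})


if __name__ == "__main__":
    server = make_demo_server()
    alice = ChapPeer("sa-alice", b"constructed-chap-secret")
    print(dialup_session("(908) 555-0100", alice, server))   # AUTH_OK
    print(dialup_session("(212) 555-0199", alice, server))   # NO_ANSWER
```

Two caveats a practitioner would attach to this design. Caller ID is supplied by the telephone network and can be spoofed, so the allowlist is a filter that removes the appliance from a war dialer's results, not an authentication step; CHAP still has to do the real work. And CHAP with the MD5 algorithm requires the appliance to hold each shared secret in recoverable form, and a captured challenge/response pair can be attacked offline by guessing the secret, so the secrets must be long and random rather than memorable passwords.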
Appendix A: Alternative Solutions

Data Track's Secure Remote Access versus alternatives. The comparison sets the Tracker against a terminal server and a LAN modem on the following features:

Access Methods
- Modem with restricted answering
- VPN server
- telnet server

Security
- Firewall
- Audit trail
- Comfort alarm

Network Management
- Alerting service
- Logging service
- Monitoring service
- SNMP agent
- SNMP capture / redirect

Other
- Digital I/O ports
- Application scripting
- Menu-driven interface
- Remote configuration
- Remote upgrade
- 19" rack mount
- UPS options