Securing Access to Network Devices


Data Track Technology, October 2003

A corporate information security strategy will not be effective unless IT administrative services are protected through processes that safeguard voice and data network infrastructure devices. This paper attempts to identify the issues involved in delivering secure remote access to network devices, the first basic step of infrastructure security, and to discuss the solutions that Data Track Technology offers for resolving them.

Introduction

An integral part of the discussion of securing access to network devices is to identify how the steps of authentication, authorization, and auditing relate to information security in general, and to secure remote access specifically. To that end, definitions of the terms used in this paper follow.

Authentication is the control over who is allowed to gain access to a network device, usually through a login/password process. Once a user is authenticated and has gained access, he may still need to use additional authentication mechanisms for access to specific services.

Authorization is the ability to limit the network services, and therefore the capabilities, available to different users and/or groups of users. This is usually achieved by applying a user profile based on a unique username/password combination.

Auditing/Accounting collects and logs user activities on the network. The information collected can then be used for internal billing purposes and as source material for security investigations.

Issue: Administering Network Devices at Remote Locations

Administrative access to voice and data network infrastructure devices such as routers, firewalls, PBXs, etc. usually takes place either remotely over a wide area network, remotely over a local area network, or locally with a serial cable from a computer to the console port of the device.

A remote location within an organization will have voice and data network devices located on the premises, but the IT staff charged with maintaining these devices is often located elsewhere. Access methods are needed to administer and configure network devices, but the methods must be secured from hackers on the outside and from malicious persons on the inside.

Example: Remote Branch Office

A typical example of network devices at a remote location would be a branch office that has a router connecting the office to the corporate WAN for data communications and a small PBX for telecommunications. There is no IT staff at this site. When there is a performance problem with the router, a system administrator (SA) or support engineer (SE) at the regional headquarters uses the telnet program to connect to the router across the WAN to read system logs, and then possibly to reconfigure a route table. When a new user needs to be added to the PBX, a telecom manager at the regional headquarters uses a Windows software program from the PBX manufacturer to connect to the PBX across the WAN and add a user to the system.

[Figure 1 - Remote branch office with voice and data equipment. Elements shown: SA/SE, WAN, router, PSTN, PBX, voice mail, LAN. Legend: Ethernet network, unrestricted dial-up.]

If the wide area network connection to this site is not functioning due to a failure of the router or of the transport between the router and the WAN backbone, in-band access is not available for either data communications or telecommunications administration. In this case, a system administrator connects to a modem on the router via a telephone line, logs in directly to the router, and then uses the command line interface on the router to debug the wide area network interface. If the router is unresponsive, a technician has to be dispatched to the site to power cycle the router and to check the integrity of the IOS image in the system. The telecom manager connects to the service modem on the PBX via a telephone line, logs in directly to the PBX, and then uses a command line tool on the PBX to add a user to the system. If there are no service modems on the router or the PBX, a technician is dispatched to the site.

Security Shortcomings

In this example scenario, with in-band access over the WAN and out-of-band access via individual modems on each device, there are several serious security disasters waiting to happen.

In-band Access

From within the WAN, there may be many sections of the corporate intranet that have routes to remote corporate locations. Unless route-based vulnerability assessments have been performed, there can be little assurance that users on the WAN other than authorized system administrators are blocked from reaching remote devices. And since the voice and data network devices may well have telnet, tftp, ftp, and even http servers running to offer access to system administrators, these devices are vulnerable to attack from insiders through the administrative access points available across the WAN. (See the discussion below on administering network devices on the LAN for a more detailed discussion of insider attack issues.)

Out-of-band Access

The voice and data network devices to be managed remotely may have relatively weak access methods. In addition, adding only a simple modem as the service access point for a network device magnifies the opportunity for the device to be compromised. Hackers using war dialer mechanisms will eventually find the modem and will attack the login prompt of the device.

Issue: Administering Network Devices on the LAN

Methods of access to voice and data network devices located where IT staff reside also need to be secured, not only from the same outsider threats as remote locations but also from insider threats. A host of studies from well-known sources, including the FBI, the SANS Institute, and the Office for Critical Infrastructure Assurance at the White House, have shown that sophisticated insiders pose the greatest security threat to corporate networks. Disgruntled staff and those attempting to masquerade as administrators are at the top of the insider threat list.

Example: Regional Headquarters

An example of network devices on a large local area network is a regional headquarters facility that has a direct connection to the Internet, a series of routers and firewalls for data communications, and a large PBX for telecommunications. There are IT staff members at this location. When there is a performance problem with the router, a local system administrator uses the telnet program to connect to the router across the LAN to read system logs, and then possibly to reconfigure a route table. When a new user needs to be added to the PBX, a local telecom manager uses a Windows software program from the PBX manufacturer to connect to the PBX across the LAN and add a user to the system.

[Figure 2 - Regional headquarters with voice and data equipment. Elements shown: Internet, router, DMZ, email, firewall, SA/SE, IDS, web, PBX, voice mail. Legend: Ethernet network.]

If the local area network at this site is not functioning, in-band access is not available for either data communications or telecommunications administration. In this case, IT staff members would directly access the consoles of voice and data network devices to remedy the situation. It would be unusual to have modems connected to the network devices at a site where there is a sizable IT staff.

Security Shortcomings

In this example, the greatest vulnerability is not via out-of-band access but rather via in-band access, since there will be few situations where modems are present as a standard operating procedure on network devices. In our example regional headquarters, administrative access to network devices is via the corporate network and not via a separate administrative VLAN or a separate physical network. At the regional headquarters, there will be users on the corporate network attempting to gain unauthorized access to network resources. It may be a former IT staff member who has maintained back door access to the network. It may be a visitor to a company site sitting down at a logged-in PC. It may be a current employee who has some time on his or her hands and thinks they have hacking skills, or it may be a short-term contractor. It may be a bored vendor's representative handling a service event. Or it could even be a hacker that has actually penetrated the network and is looking for the soft, chewy center now that he is past the hardened borders.

In-band Access

In a typical corporate network, critical network infrastructure devices such as routers, servers, firewalls, LAN switches, and PBXs are relatively unprotected from compromise from within. The former IT employee may still have an active password to a web server, and in just a few minutes on the network he adds a back door for future mischief. The visitor or current employee may decide to download one of the many hacker tools available on the Internet and propagate a flood of packets to the open telnet port on the nearest router. The vendor's representative adding a software upgrade to a PBX may decide to try to telnet around the network to see which devices he can gain access to. The hacker that has successfully penetrated the network perimeter roams about trying to find, compromise, and reconfigure any internal servers found running insecure services such as tftp.

Data Track's Secure Remote Access (SRA)

Data Track's solution delivers a consistent, secure system to connect IT personnel to voice and data network devices across local and wide area networks. It uses proven methods of authentication, authorization, and auditing/accounting. Beyond the secure connectivity functions, there are a number of services within Data Track's SRA solution to monitor network devices. One of these services keeps track of the connection status of each monitored device. Another records the activity of system administrators on each monitored device. A power management service allows remote support engineers to power cycle network devices. A logging service provides a data collection facility for monitored devices, either through a serial port or via TCP. There is also a facility that allows local storage and retrieval of configuration data for network devices. And an alerting service offers a message delivery facility to an upstream network management system.

The overall benefits of deploying Data Track's SRA are:

Improved management of system administration activity
Reduced technician dispatches (and associated costs)
Increased network infrastructure security

Methodology

A key element of Data Track's Secure Remote Access solution is that, rather than connecting directly into a network device, a system administrator or support engineer connects to a security appliance called a Tracker. It is a reliable and robust platform based on the Linux operating system. The operating system, the configuration parameters, and the Tracker applications are stored in non-volatile memory, making them resilient to power failures. The configuration parameters of the Tracker can be set remotely, and system upgrades can be uploaded using or dial-up connections.

Many voice and data network devices can be connected to a single Tracker security appliance via a serial connection to the console port of the network device, a TCP/IP Ethernet network connection, or both. When the connection is via a Tracker serial port, the unit's full auditing capabilities are available, including logging the commands that an administrative user enters at the console of the managed device. Note that when the Tracker is used as the administrative access point to a network device, any other administrative access to that device can be disabled, further protecting the network device from failure due to an attack.

Security within Tracker

When a system administrator wants to administer a network device, the first step is to set up a VPN tunnel to the Tracker security appliance if the connection is over a TCP/IP network, or to set up a CHAP-authenticated PPP session to the Tracker if the connection is over a dial-up network. The next step is to log on to the Tracker via a password-protected terminal session. Once the logon is successful, the firewall in the Tracker ensures that system administrators have access only to authorized equipment and/or applications. When the Tracker is fitted with multiple Ethernet ports, its internal routing tables are used to restrict the traffic flow between these interfaces, creating a secure routing environment. In addition to the security of the logon process and the firewall rules, the administrator of the Tracker also configures the logon methods allowed per user, and enables the level of access required per user.

[Figure 3 - Logical diagram of Tracker's internal firewall in a secure remote access installation. Elements shown: system administrators, Tracker, serial links, PSTN, modem, Ethernet. Legend: restricted dial-up, serial to device console, corporate network, admin VLAN, internal firewall.]

When managing network devices via a Tracker over a TCP/IP network, the highest security level would place a Tracker Ethernet interface and the administrative Ethernet interfaces of the network devices on a VLAN, or at least a sub-net, separated from the rest of the local area network. This would allow internal network segmentation methodologies to be used to severely limit the number of users that have access to the administrative interfaces of network devices.

System Applications

The Tracker provides a series of extensible services and system applications to support secure remote access and to serve as building blocks for other solutions. These include:

VPN tunnels to provide secure in-band sessions across a LAN or WAN.
Firewall to isolate system administrators from network segments where there are no authorized network devices.
Monitoring service to provide a basic connection status of managed devices.
Management service that captures and filters SNMP traps, and then redirects them to one or more management applications.
Auditing service to show system administration activity on each device.
Alerting service to provide a message delivery facility to send alarms to a management application.
Logging service to provide a data collection facility for devices connected via serial ports or TCP/IP sockets.

Power management facility to allow remote support engineers to power cycle network devices.
Local storage and retrieval of network device configuration data via restricted TFTP.

In-band and Side-band Access to Network Devices

For in-band access across a LAN, an administrator connects one Ethernet port on the Tracker to the corporate network. For more protection, an admin VLAN or even a separate admin LAN would be in use, and another Ethernet port on the Tracker would be connected to it. (Using a VLAN or a separate LAN for administrative purposes is often called side-band access.) For in-band or side-band access across a WAN, the Tracker would be connected to an Ethernet network and would have a TCP/IP route available to traverse the WAN to the devices to be administered. A system administrator looking to connect via in-band or side-band access to a network device managed by a Tracker will telnet to the IP address of the Tracker's Ethernet interface on the corporate network, and then select the authorized device to administer.

Out-of-band Access to Network Devices

For out-of-band access, a telephone line is connected to the Tracker's integral modem. The Tracker can be configured to restrict answering to a set of originating numbers. A system administrator looking to connect via out-of-band access to a network device managed by a Tracker must call from a phone line whose number is authorized by the Tracker. A CHAP-authenticated PPP session will start up; the user will log on; and then the user will select the authorized device to administer from a menu.

North American Distributor: NetworkingPS, LLC. EMAIL: Info@NetworkingPS.com. PHONE: (908) 595-2136. FAX: (908) 595-2139.
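The access-broker policy described in the Security within Tracker section and in the in-band and out-of-band access procedures above, modelled as an added Python example (this is not Data Track's code or the Tracker's actual implementation): a logon that only succeeds over a method enabled for that user, a post-logon menu limited to the user's authorized devices, modem answering restricted to an allowlist of originating numbers, and an audit record for every logon attempt, denial and console command. User names, passwords, device names and phone numbers are constructed sample values, and a plain SHA-256 stands in for a real credential back end.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

def _h(pw: str) -> str:
    # Simplified credential store: a bare SHA-256 stands in for the CHAP or
    # password back end of a real appliance (which would use a salted, slow hash).
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed user profiles: permitted logon methods ("vpn" = in-band TCP/IP,
# "dialup" = modem path) and the devices each profile may administer.
USERS = {
    "sa-alice": {"pw": _h("r0uter-pass"), "methods": {"vpn", "dialup"},
                 "devices": {"branch-router"}},
    "telecom-bob": {"pw": _h("pbx-pass"), "methods": {"vpn"},
                    "devices": {"branch-pbx"}},
}
# Originating numbers the modem is allowed to answer (constructed sample values).
ANSWER_ALLOWLIST = {"+19085550100", "+19085550101"}

AUDIT_LOG: List[Dict] = []  # one record per logon attempt, denial and command

@dataclass
class Session:
    user: str
    method: str
    device: Optional[str] = None

def accept_call(originating_number: str) -> bool:
    """Out-of-band path: the modem answers only calls from authorized numbers."""
    return originating_number in ANSWER_ALLOWLIST

def authenticate(user: str, password: str, method: str) -> bool:
    """Logon to the broker; the logon method must be enabled for this user."""
    prof = USERS.get(user)
    ok = (prof is not None and method in prof["methods"]
          and hmac.compare_digest(prof["pw"], _h(password)))
    AUDIT_LOG.append({"event": "logon", "user": user, "method": method, "ok": ok})
    return ok

def authorized_devices(user: str) -> List[str]:
    """The post-logon menu lists only the devices this user may administer."""
    return sorted(USERS.get(user, {}).get("devices", ()))

def select_device(session: Session, device: str) -> Session:
    """Internal-firewall role: refuse any device outside the user's profile."""
    if device not in USERS[session.user]["devices"]:
        AUDIT_LOG.append({"event": "denied", "user": session.user, "device": device})
        raise PermissionError(f"{session.user} is not authorized for {device}")
    session.device = device
    return session

def run_command(session: Session, command: str) -> Dict:
    """Serial-console path: every command is recorded before it is forwarded."""
    if session.device is None:
        raise RuntimeError("no device selected")
    rec = {"event": "command", "user": session.user,
           "device": session.device, "command": command}
    AUDIT_LOG.append(rec)  # a real broker would also persist this record
    return rec

def commands_for(device: str) -> List[str]:
    """Audit query: what was typed on a given device's console, in order."""
    return [r["command"] for r in AUDIT_LOG
            if r["event"] == "command" and r["device"] == device]
```

The denial records in AUDIT_LOG are the ones worth alerting on: a user repeatedly selecting devices outside his profile is exactly the insider probing the paper describes.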

Appendix A: Alternative Solutions

Data Track's Secure Remote Access versus alternatives. The comparison covers three solutions (Tracker, terminal server, LAN modem) across the following features:

Access Methods: modem restricted answering; VPN server; telnet server.
Security: firewall; audit trail; comfort alarm.
Network Management: alerting service; logging service; monitoring service; SNMP agent; SNMP capture / redirect.
Other: digital I/O ports; application scripting; menu-driven interface; remote configuration; remote upgrade; 19" rack mount; UPS options.