Threats to Remote Access Solutions

When you extend network connectivity to remote access clients, several threats arise that can compromise your network's security. They exist because remote clients are no longer directly connected to the corporate network; instead they connect over public networks (the telephone system or the Internet) that you do not control. The threats caused by this extension of the corporate network to remote clients are listed below.

  • Authentication interception

  • Data interception

  • Bypass of the firewall to the private network

  • Nonstandardized policy application

  • Network perimeter extended to location of dial-in user

  • Denial of service caused by password attempts

  • Stolen laptops with saved credentials

Authentication Interception

Remote access solutions require users to send authentication credentials to your private network across public networks. Some early remote access authentication protocols do not provide security mechanisms, or they provide weak security for these credentials.

If you use authentication protocols such as PAP, SPAP, or CHAP, be aware that tools exist to intercept these authentication exchanges and recover the password of the authenticating user, either by simple inspection (PAP sends the password in cleartext) or by offline brute force against the captured challenge and response (CHAP). Implementing CHAP also weakens the protection of users' passwords at the domain controllers, because CHAP requires that the password be stored in a reversibly encrypted format. Interception of a remote access password compromises that account; in a Windows 2000 network the remote access password is the user's domain password, so the user's domain account is compromised as well.

Although password interception is more likely in a VPN scenario, a dial-in client's password information can still be intercepted if tapping equipment is attached to the phone system.
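The two failure modes described above, inspection of PAP and offline brute force of CHAP, as an added example that is not code from the Resource Kit. The packet layouts follow RFC 1334 (PAP Authenticate-Request) and RFC 1994 (CHAP with MD5); the user name, password, challenge, server name and word list are constructed for the demonstration, and the function names are this example's own.

```python
"""PAP and CHAP as seen by someone who can read the PPP link.

Added example, not code from the Resource Kit. Packet layouts follow
RFC 1334 (PAP Authenticate-Request) and RFC 1994 (CHAP with MD5); the
user name, password, challenge and word list are constructed for the demo.
"""
import hashlib

PAP_AUTHENTICATE_REQUEST = 1
CHAP_CHALLENGE = 1
CHAP_RESPONSE = 2


def _ppp_auth_packet(code, identifier, body):
    """Common header: Code (1), Identifier (1), Length (2, whole packet)."""
    return bytes([code, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


def build_pap_request(identifier, user, password):
    """PAP sends Peer-ID and Password as plain octets; nothing is hashed."""
    body = (bytes([len(user)]) + user.encode()
            + bytes([len(password)]) + password.encode())
    return _ppp_auth_packet(PAP_AUTHENTICATE_REQUEST, identifier, body)


def parse_pap_request(pkt):
    """A passive tap recovers PAP credentials by inspection alone."""
    code, length = pkt[0], int.from_bytes(pkt[2:4], "big")
    if code != PAP_AUTHENTICATE_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    id_len = pkt[4]
    user = pkt[5:5 + id_len]
    pw_len = pkt[5 + id_len]
    password = pkt[6 + id_len:6 + id_len + pw_len]
    return user.decode(), password.decode()


def chap_md5_value(identifier, secret, challenge):
    """CHAP-MD5 response value: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def build_chap_packet(code, identifier, value, name):
    """CHAP Challenge and Response share one layout:
    header, Value-Size (1), Value, Name (rest of packet)."""
    return _ppp_auth_packet(code, identifier, bytes([len(value)]) + value + name.encode())


def parse_chap_packet(pkt):
    code, identifier = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    if code not in (CHAP_CHALLENGE, CHAP_RESPONSE) or length != len(pkt):
        raise ValueError("not a well-formed CHAP Challenge/Response")
    value_size = pkt[4]
    return code, identifier, pkt[5:5 + value_size], pkt[5 + value_size:].decode()


def crack_chap(challenge_pkt, response_pkt, wordlist):
    """Offline dictionary attack on a captured Challenge/Response pair.
    Every guess is checked locally, so the server sees no failed logons
    and account lockout never fires. Returns (peer name, password or None)."""
    _, ident, challenge, _ = parse_chap_packet(challenge_pkt)
    _, ident_r, response, name = parse_chap_packet(response_pkt)
    if ident != ident_r:
        raise ValueError("Challenge and Response identifiers do not match")
    for guess in wordlist:
        if chap_md5_value(ident, guess, challenge) == response:
            return name, guess
    return name, None


# --- Constructed traffic (not a real capture) ---------------------------
CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
PAP_PKT = build_pap_request(7, "jsmith", "Winter03!")
CHAP_CHALLENGE_PKT = build_chap_packet(CHAP_CHALLENGE, 9, CHALLENGE, "RAS01")
CHAP_RESPONSE_PKT = build_chap_packet(
    CHAP_RESPONSE, 9, chap_md5_value(9, "Winter03!", CHALLENGE), "jsmith")
WORDLIST = ["password", "letmein", "Summer03!", "Winter03!", "corp2003"]


def demo():
    """What the eavesdropper ends up with from each protocol."""
    return {
        "pap": parse_pap_request(PAP_PKT),
        "chap": crack_chap(CHAP_CHALLENGE_PKT, CHAP_RESPONSE_PKT, WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, the block prints the user name and password read straight out of the PAP packet and the same password recovered from the CHAP pair by a dictionary search. CHAP only raises the attacker's cost from reading to guessing, and because the guessing happens offline it cannot be slowed down by any account lockout policy on the remote access server; that is why the chapter groups CHAP with PAP and SPAP and mandates MS-CHAPv2 or EAP-TLS instead.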

Data Interception

When clients connect remotely to a corporate network, the protocols used for authentication and for the VPN determine the level of protection against interception. For dial-up connections, transmitted data is encrypted only if you use EAP-TLS, MS-CHAP, or MS-CHAPv2 as the authentication protocol, because only these protocols generate the keys that MPPE uses.

For VPN connections, varying strengths of encryption are available. If you implement PPTP, the highest level of encryption possible is MPPE with 128-bit keys; PPTP can also negotiate 40-bit and 56-bit MPPE. If you implement L2TP/IPSec as your VPN protocol, IPSec encryption strengths range from 56-bit DES to 3DES, which uses three 56-bit keys. The stronger the encryption, the less chance you have of data being deciphered.

When MS-CHAP or MS-CHAPv2 is the authentication protocol, the MPPE keys used by dial-up and PPTP connections are derived from the user's password, so a poor password weakens the MPPE encryption regardless of the key length negotiated. (With EAP-TLS the keys are derived from the TLS handshake rather than the password.) L2TP's use of IPSec for encryption ensures that the encryption strength is not affected by the user's password strength.

Bypass of the Firewall to the Private Network

If a user's account is granted local administrative access to a computer, that user can install and configure Routing and Remote Access Service (RRAS) to accept dial-up connections, thereby bypassing perimeter network security devices such as firewalls.

Establishing unauthorized remote access servers weakens your network s security because doing so enables unauthorized users or attackers to bypass existing perimeter security. In addition, these unauthorized remote access servers do not have the required remote access policy applied and might allow less secure connections.

Nonstandardized Policy Application

If more than one remote access server exists on your network, it is possible that remote access security is being applied in a nonstandard fashion. If different sets of constraints and policies are applied, the same connection attempt might yield different results depending on which server answers it.

The nonstandardized application of remote access policy can lead to unauthorized connections to the network or, in some cases, connections that do not meet your company's security policy. For example, your company might require that all remote access connections use MS-CHAPv2 or EAP-TLS for authentication. If you do not uniformly mandate in every remote access policy that a connection attempt must use one of these protocols to succeed, a user might be able to connect to a less strictly configured server by using PAP authentication, which transmits the credentials in cleartext.

Network Perimeter Extended to Location of Dial-In User

When you implement remote access solutions, the perimeter of your company's network is extended to the location of the remote access client. The security of your network is now lowered to the level of security implemented at the remote client. For example, if clients are connected to a remote network that is infected with a new virus, they might become infected and in turn infect your network through their remote access connection. Ensure that all computers that participate on your network, whether attached locally or connecting by remote access, are protected with the latest antivirus software.

Likewise, if clients modify their routing table so that a route to the company's network goes through the VPN or dial-up connection while the default route to the Internet stays on the local interface, the client has a foot in both networks at once, and it might be possible for attackers to route traffic through the remote access client into the corporate network. This simultaneous access to both the Internet and the intranet is referred to as split tunneling.
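A check that tells a split-tunnel routing table from a full-tunnel one, as an added example that is not code from the Resource Kit. The two route tables are constructed (a Windows route table reduced to destination prefix and outgoing interface); the interface names, the corporate prefix 10.0.0.0/8 and the Internet probe address 192.0.2.1 are assumptions. The decision is made the way the IP stack makes it, by longest-prefix match, so the same function works for any table a client reports.

```python
"""Classifying a remote access client's routing table as full or split tunnel.

Added example, not from the Resource Kit. The route tables are constructed
(a Windows route table reduced to destination prefix and outgoing interface);
interface names, prefixes and the probe address are assumptions.
"""
import ipaddress

VPN_IF = "PPP adapter (corporate VPN)"
LAN_IF = "Ethernet adapter (hotel LAN)"
CORP_PREFIX = "10.0.0.0/8"          # assumed corporate address space

# Full tunnel: the default route was moved onto the VPN; only the VPN
# server itself (a host route) is reached over the local LAN.
FULL_TUNNEL = [
    ("0.0.0.0/0", VPN_IF),
    ("203.0.113.0/24", LAN_IF),
    ("198.51.100.10/32", LAN_IF),   # the VPN server's public address
]

# Split tunnel: the client added a route for the corporate prefix over the
# VPN but kept its default route on the local LAN.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", LAN_IF),
    ("10.0.0.0/8", VPN_IF),
    ("203.0.113.0/24", LAN_IF),
]


def egress_interface(routes, destination):
    """Longest-prefix match: the most specific route containing the
    destination decides which interface the packet leaves on."""
    ip = ipaddress.ip_address(destination)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def is_split_tunnel(routes, vpn_if=VPN_IF, corp_prefix=CORP_PREFIX, probe="192.0.2.1"):
    """Split tunnel: corporate traffic leaves over the VPN while an arbitrary
    Internet address does not, so the client bridges the two networks."""
    corp_host = str(next(ipaddress.ip_network(corp_prefix).hosts()))
    return (egress_interface(routes, corp_host) == vpn_if
            and egress_interface(routes, probe) != vpn_if)


if __name__ == "__main__":
    for label, table in (("table A", FULL_TUNNEL), ("table B", SPLIT_TUNNEL)):
        print(label, "split tunnel" if is_split_tunnel(table) else "full tunnel")
```

The full-tunnel table still needs a host route to the VPN server over the local interface, otherwise the tunnel packets themselves would be sent into the tunnel; that single host route is not split tunneling, which is why the check probes an unrelated Internet address rather than looking for any non-VPN route.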

Denial of Service Caused by Password Attempts

Sometimes taking good security measures can lead to security threats. For example, your company might implement an account policy that locks out a user account after a specified number of incorrect password attempts.

Although this setting is intended to defeat online dictionary attacks against user accounts, an attacker can turn it into a denial-of-service attack. Rather than attempting to guess a user's password, the attacker deliberately submits the required number of incorrect passwords, and the user's account is locked out of all network activity. The user can participate in the network again only after an account administrator unlocks the account. The lockout offers no protection against this attack, because the attacker never needed to guess the password in the first place.
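Detection logic that tells a deliberate lockout attack apart from ordinary failed logons, as an added example that is not code from the Resource Kit. The logon records are constructed, and the policy values (three failures within a 30-minute observation window) are assumptions standing in for the domain's account lockout threshold and reset interval. The block replays the lockout policy over the records and then flags any single source that alone pushes several distinct accounts over the threshold, which is the signature of the attack described above rather than of a guessing attack on one account.

```python
"""Telling a lockout denial of service apart from a password-guessing attack.

Added example, not from the Resource Kit. The log lines are constructed, and
the policy values (3 failures within a 30-minute observation window) are
assumptions standing in for the domain's account lockout settings.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3                       # "Account lockout threshold" (assumed)
OBSERVATION_WINDOW = timedelta(minutes=30)  # "Reset account lockout counter after" (assumed)

# Constructed logon records: time, outcome, account, source address.
LOG = """\
2003-05-12T07:00:00 FAILURE account=bcho source=198.51.100.31
2003-05-12T08:00:01 FAILURE account=jsmith source=203.0.113.5
2003-05-12T08:00:02 FAILURE account=jsmith source=203.0.113.5
2003-05-12T08:00:03 FAILURE account=jsmith source=203.0.113.5
2003-05-12T08:00:05 FAILURE account=akim source=203.0.113.5
2003-05-12T08:00:06 FAILURE account=akim source=203.0.113.5
2003-05-12T08:00:07 FAILURE account=akim source=203.0.113.5
2003-05-12T08:00:09 FAILURE account=rlopez source=203.0.113.5
2003-05-12T08:00:10 FAILURE account=rlopez source=203.0.113.5
2003-05-12T08:00:11 FAILURE account=rlopez source=203.0.113.5
2003-05-12T08:15:00 FAILURE account=mwong source=198.51.100.20
2003-05-12T08:15:20 FAILURE account=mwong source=198.51.100.20
2003-05-12T08:15:40 SUCCESS account=mwong source=198.51.100.20
2003-05-12T09:30:00 FAILURE account=bcho source=198.51.100.31
2003-05-12T12:00:00 FAILURE account=bcho source=198.51.100.31
"""


def parse_events(text):
    """Parse the constructed records into (time, outcome, account, source)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, outcome, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(stamp), outcome, kv["account"], kv["source"]))
    return sorted(events)


def locked_accounts(events, threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW):
    """Replay the lockout policy over the records. Returns
    {account: (time locked, frozenset of sources whose failures counted)}.
    The observation window is approximated as sliding over the latest failures."""
    recent = defaultdict(list)   # account -> [(time, source), ...] within window
    locked = {}
    for ts, outcome, account, source in events:
        if account in locked:
            continue             # a locked account's later attempts change nothing
        if outcome == "SUCCESS":
            recent[account].clear()
            continue
        recent[account] = [(t, s) for t, s in recent[account] if ts - t <= window]
        recent[account].append((ts, source))
        if len(recent[account]) >= threshold:
            locked[account] = (ts, frozenset(s for _, s in recent[account]))
    return locked


def lockout_dos_suspects(locked, min_accounts=2):
    """A single source that alone pushes several distinct accounts over the
    threshold is locking users out, not guessing one user's password."""
    by_source = defaultdict(set)
    for account, (_, sources) in locked.items():
        if len(sources) == 1:
            by_source[next(iter(sources))].add(account)
    return {src: sorted(accts) for src, accts in by_source.items()
            if len(accts) >= min_accounts}


if __name__ == "__main__":
    locked = locked_accounts(parse_events(LOG))
    print("locked:", sorted(locked))
    print("lockout DoS suspects:", lockout_dos_suspects(locked))
```

In the constructed data, mwong mistypes twice and then logs on, and bcho's three failures are hours apart, so neither is locked; only the three accounts hit by 203.0.113.5 lock, and that source is reported. Whether the locked users wait for an administrator or for an automatic unlock depends on the account lockout duration policy value; the passage above describes the indefinite case, in which an administrator must unlock the account.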

Stolen Laptops with Saved Credentials

Remote users typically use notebook or laptop computers to connect to the corporate office. Because these computers leave the corporate offices and are carried into public places, they are more susceptible to theft. If a laptop is stolen, its local account database is exposed to offline attack if local SAM accounts are used. Likewise, if a user has saved his credentials for a dial-up or VPN connection, an attacker can simply launch the connection rather than attempt to guess the user's domain credentials.

Another threat to your remote access security exists if you implement shared secrets, rather than certificates, for IPSec authentication of L2TP/IPSec VPN connections. When you implement a shared secret as described in Microsoft Knowledge Base article 240262, "How to Configure a L2TP/IPSec Connection Using Pre-shared Key Authentication," all remote access clients use the same shared secret to authenticate with the remote access server when establishing the IPSec security association (SA). Because the shared secret is stored in cleartext in the registry of each laptop, the compromise of one laptop effectively compromises all of them, and a new shared secret must be deployed to every client.



Microsoft Windows Security Resource Kit
ISBN: 0735621748
Year: 2003
Pages: 189
