Secure access over the Internet
18 October 2002, 11:52
The soft, gooey centre problem

Encrypting network access and controlling network traffic aren't of much use if they are let down by poor password quality, wrongly configured software or systems which haven't been updated with the latest security patches. All it takes is an easily guessed password and a system which hasn't been updated against a widely publicised flaw, and all your systems may be vulnerable. The problem of secure perimeters that break because of some little flaw to reveal vulnerable networks is often called the "soft, gooey centre" scenario. The only way to counter this is through in-depth security -- hardened systems and strong authentication and authorisation.
Authentication

The single biggest gain an organisation can make in securing systems is to ensure password quality. The time a password cracker takes to try every possible seven-character password is enormously greater than for a six-character password, but if those passwords are never changed a patient attacker has plenty of time to spare. Passwords should have a mix of upper and lower-case letters, numbers and special characters, should be at least seven characters long and should be changed every few months. Using common words and short passwords makes it very easy for attackers to find a way in. Account lockout policies (which stop an account being used after a certain number of incorrect passwords) should also be used to prevent automated attack systems from continually trying to gain access.

The problem with enforcing strong passwords is often that the users can't cope with remembering that they need to use 'x6%%4dfh' to access the LAN, '88skfhe$$' for their Web applications and '@edt&&y8' for their VPN client. As a result, they write them on post-it notes under their keyboards or call and abuse helpdesk staff for making their lives difficult. The answer lies in integrating authentication across all platforms. Firewalls, Web applications and VPN services can all be tied to internal authentication systems such as Active Directory or NDS, either directly or through extra add-on software. Simply ensuring the users only have to remember one username and password from anywhere makes the task much simpler.

For areas requiring a very high level of security, such as providing complete LAN access via VPNs, devices are available to ensure that learning the password isn't enough. Biometrics can be used to replace the password with a fingerprint or a retinal scan, though take-up of these technologies hasn't been strong to date. Another common secure password solution involves using a token-based system.
An example of a token-based system is SecurID, where a user carries a card or a fob on their key ring that electronically displays a six-digit number that changes every few minutes. The authentication server knows which user has which token and what digits will be showing on it at any point in time. The user authenticates by entering a username, and then a password which comprises a PIN followed by the digits. This ensures the password is different every time it is used, but doesn't require the user to remember all the new passwords.

Scenario One: The customer Web site
The best authentication solution for public Web sites is to use plain usernames and passwords over a strong SSL link. Password quality should be enforced wherever necessary, but this can hurt the user experience if they have to request a password reminder every time they use the site.

Scenario Two: Linking remote offices
VPN users and networks don't always authenticate with each other; more commonly they already have a password or encryption certificates in common that are used to encrypt the data.

Scenario Three: Road warriors and telecommuters
Dial-in users and VPN clients connecting to an internal network should be using very strong authentication options; ideally this would be one-time passwords, but a strong password policy will generally suffice.
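As an added example (not code from the original article or from any token vendor), here is the server side of the token-based scheme described above, the kind of one-time password recommended for road warriors: the passcode is the user's PIN followed by the six digits currently on their token. It assumes an HMAC-based time-step code in the style of RFC 4226/6238, which is an assumption for illustration only (SecurID's own algorithm is different); the user name, PIN and token seed are constructed.

```python
import hashlib
import hmac
import struct
import time

DIGITS = 6          # digits shown on the token
STEP_SECONDS = 60   # assumed: the display rolls over once a minute

# Constructed demo data, not real provisioning data. The seed is the RFC 4226 test secret.
TOKEN_SEEDS = {"alice": b"12345678901234567890"}   # which token each user carries
USER_PINS = {"alice": "4271"}                        # hypothetical PIN; store hashed in practice
LAST_ACCEPTED = {}                                   # per-user time step of the last accepted code

def token_code(seed: bytes, counter: int) -> str:
    """The digits the token displays for a given time step (HOTP-style truncation)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(username: str, passcode: str, now: float = None, drift: int = 1) -> bool:
    """Server side: accept 'PIN + current token digits', tolerating `drift` steps of clock
    skew and refusing a code that has already been accepted (no code may work twice)."""
    if username not in TOKEN_SEEDS or username not in USER_PINS:
        return False
    pin = USER_PINS[username]
    if len(passcode) != len(pin) + DIGITS:
        return False
    entered_pin, entered_code = passcode[:len(pin)], passcode[len(pin):]
    if not hmac.compare_digest(entered_pin, pin):
        return False
    counter = int((time.time() if now is None else now) // STEP_SECONDS)
    for c in range(counter - drift, counter + drift + 1):
        if c <= LAST_ACCEPTED.get(username, -1):
            continue                       # replay of an earlier code
        if hmac.compare_digest(token_code(TOKEN_SEEDS[username], c), entered_code):
            LAST_ACCEPTED[username] = c
            return True
    return False
```

The replay check is what makes "different every time" hold on the server as well as on the token: a passcode captured from one login is useless even inside the clock-drift window.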
Authorisation

Once the identity of a user is established using strong authentication methods, the concept of authorisation is used to control their legitimate activities on the network. It should be understood that most misuse of computer systems occurs within an organisation -- doesn't everyone want to sneak a peek at the payroll database before their next performance review? Authorisation can be as simple as maintaining good file system permissions to protect sensitive documents, or it can involve firewalling critical systems and requiring users to authenticate with the firewall just to gain a network connection to the service. New products in this area are appearing on the market constantly and there is no one answer for any organisation. Instead, a common-sense approach should be used to ensure any one user only has access to what they need to do their job throughout a network. This will limit the damage an attacker can do should they figure out that Betty from Marketing has been using her son's date of birth as her password for the last ten years.
Hardening systems

All the firewalls, VPNs and authentication systems in the world can't keep a public system secure if it has holes in it. The most widely reported security flaws are in Web server systems. The reason for this is that almost every organisation has a path through its perimeter to the Web server, and as these are the most commonly exposed and attacked systems, the most flaws are found in them. Usernames and passwords can't be used to prevent access to a public Web site, so the system must be secure on its own. The same approaches should be used for internal systems as well -- the people inside your organisation can be as much of a worry as the faceless attackers of the Internet.

The first step to securing a system is to ensure all software patches are loaded and regularly checked. Most well-publicised security incidents, such as the Code Red worm, use well-known but often ignored security holes and could be avoided if administrators kept all their systems up-to-date. The next step is to harden the system. Hardening means removing unnecessary services so there are fewer things that can go wrong, and granting applications and files the lowest user privileges possible so as to minimise potential damage. Unix systems have the useful ability to run applications such as Web servers as unprivileged users in 'jails', which restrict the application to carefully controlled portions of the file system. For Windows, using unique service accounts for each application and granting those accounts minimal access to resources is essential. Options which make life easy for the administrator often also make life easier for the hacker.
Audit and IDS

If due respect has been paid to each of the security principles discussed so far, the systems can be considered secure, but only at this point in time. Access to each network resource is tightly controlled and correctly authenticated. The data travelling from server to server or client to server will be encrypted, which will prevent anyone from eavesdropping and recording passwords or manipulating the data along the way. The hosts involved are all hardened and patched so as to provide defence in depth, but security is never foolproof. New vulnerabilities are found all the time, and are often exploited in the wild for months before a security researcher discovers them and informs the relevant vendors or user groups rather than using the flaw themselves. To maintain security over time it is vital to have systems in place that can alert staff that there has been a break-in, and to track what has been done so the systems can be restored from backups and secured to counter whatever flaw was exposed. This is the realm of data integrity and auditing systems.
Data integrity

There are many products and technologies available to ensure data integrity. A common technique is to use hashing algorithms to take a cryptographic snapshot of the current system state and to compare this with a database of what the same system looked like at a known point in time. Software such as Tripwire fulfils this role, alerting administrators when something suspicious happens such as security configuration files changing overnight. Another simple option is to use read-only media such as CD-ROMs for static content -- a Web site serving files from a CD-ROM can't be defaced. For our remote access scenarios, data integrity solutions should be used to ensure hosts such as the firewalls and VPN servers haven't had unauthorised changes to their configurations or additional software installed.
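An added example (not from the article and not Tripwire's code) of the hashing snapshot described above: a baseline of every file's SHA-256, size and permission bits is taken at a known-good time, and a later snapshot is compared against it to report files added, removed or changed. The `demo` function builds a constructed configuration tree in a temporary directory and tampers with it to show the kind of report an administrator would get the next morning.

```python
import hashlib
import os
import tempfile

def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str) -> dict:
    """Baseline database: relative path -> digest, size and permission bits per regular file."""
    state = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue                              # symlinks and devices are not hashed
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = {"sha256": file_digest(full), "size": st.st_size,
                          "mode": oct(st.st_mode & 0o7777)}
    return state

def compare(baseline: dict, current: dict) -> dict:
    """Report new files, deleted files, and files whose content or mode differ from baseline."""
    common = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in common if baseline[p] != current[p])}

def demo() -> dict:
    """Constructed scenario: baseline a config tree, then make overnight changes nobody approved."""
    root = tempfile.mkdtemp()
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    with open(os.path.join(etc, "httpd.conf"), "w") as f:
        f.write("User www\n")
    with open(os.path.join(etc, "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    baseline = snapshot(root)                         # taken at a known-good point in time
    with open(os.path.join(etc, "passwd"), "a") as f:
        f.write("extra:x:1001:1001::/home/extra:/bin/sh\n")   # account added out of band
    with open(os.path.join(etc, "rc.extra"), "w") as f:
        f.write("#!/bin/sh\n")                                 # software nobody installed
    os.remove(os.path.join(etc, "httpd.conf"))
    return compare(baseline, snapshot(root))
```

The baseline only proves anything if an intruder cannot rewrite it along with the files, so keep it off the host or on read-only media such as the CD-ROM the article mentions.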
IDS and system auditing

There are two types of Intrusion Detection Systems -- host-based and network-based. Host-based systems are comparable with system auditing methods and are often closely aligned. They keep track of unusual events on systems which could be indicators of attack, and are useful for reconstructing what happened and when if a system is compromised. Many also include reactive capabilities and as such can provide an additional layer of defence against misuse. Network-based systems watch network traffic looking for tell-tale signatures of attack methods and react according to rules defined by administrators.
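An added example (not from the article) of the host-based side: the kind of "unusual event" rule a host IDS or audit script applies to a login log. It raises an alert when one user and source address rack up a burst of failed logins inside a short window, and a second, higher-priority alert if a login from that pair then succeeds, which is the pattern the article's lockout policy is meant to stop. The sshd-style log lines are constructed, and the threshold and window are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log in syslog format (addresses are from documentation ranges).
SAMPLE_LOG = """\
Oct 18 11:52:01 gw sshd[2231]: Failed password for admin from 203.0.113.7 port 40122 ssh2
Oct 18 11:52:04 gw sshd[2231]: Failed password for admin from 203.0.113.7 port 40123 ssh2
Oct 18 11:52:07 gw sshd[2231]: Failed password for admin from 203.0.113.7 port 40124 ssh2
Oct 18 11:52:10 gw sshd[2231]: Failed password for admin from 203.0.113.7 port 40125 ssh2
Oct 18 11:52:13 gw sshd[2231]: Failed password for admin from 203.0.113.7 port 40126 ssh2
Oct 18 11:52:20 gw sshd[2231]: Accepted password for admin from 203.0.113.7 port 40131 ssh2
Oct 18 11:55:02 gw sshd[2240]: Failed password for betty from 192.0.2.44 port 51000 ssh2
Oct 18 11:57:30 gw sshd[2241]: Accepted password for betty from 192.0.2.44 port 51001 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")

def analyse(log_text: str, threshold: int = 5, window_s: int = 60) -> list:
    """Return alerts: a burst of >= threshold failures per (user, source) within window_s
    seconds, and any successful login from a pair that had such a burst."""
    alerts, recent, burst = [], defaultdict(deque), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                  # not a login event
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        key = (m["user"], m["src"])
        if m["result"] == "Failed":
            q = recent[key]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()                           # slide the window forward
            if len(q) >= threshold and key not in burst:
                burst.add(key)
                alerts.append(f"burst: {len(q)} failed logins for {key[0]} from {key[1]} "
                              f"within {window_s}s")
        else:
            if key in burst:
                alerts.append(f"success after burst: {key[0]} from {key[1]} at {m['ts']}")
            recent[key].clear()
            burst.discard(key)
    return alerts
```

A single failure followed by success, as in Betty's lines, produces nothing; only the brute-force shape is reported, which keeps the alert stream readable.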
Summary

Just installing a single layer of security isn't enough to ensure secure remote access to network resources. At the network layer, encryption technologies such as VPNs and SSL, or private links via telecommunications providers, should be utilised to make it very difficult for anyone to intercept usernames, passwords or sensitive data in transit. Access to all resources should be tightly controlled using firewalls and strong authentication solutions, and all resources should be patched and hardened to protect from malicious authorised users and to provide defence in depth should any of the other layers fail. This might all sound complicated, but for most small organisations making sure they aren't a victim of attack in each of the scenarios discussed just means using strong passwords, buying a simple router and appropriate client software, setting up logging capabilities and running the latest security patches for their operating systems.