Trends such as telecommuting, electronic commerce, and the use of Intranets are driving the need for courts to provide their users with remote access to their computer systems. In addition to the more general access control issues and security needs discussed in the Access Control Systems section, controls specifically targeting remote access security shall be considered. Remote access security must be stronger than general network security in order to protect the integrity of the internal network, while at the same time allowing external access to it. The point where remote access is allowed into the internal network is where a court will be susceptible to hackers and other uninvited guests that can probe and attack their network systems. Since remote access poses special risks, courts must address specific controls related to such access capabilities.
The risks involved in allowing access to the internal network make it crucial to know exactly who the remote users are, what their needs are, and how to incorporate remote access controls into a security plan. Remote users are no longer just employees dialing in from home computers to check their e-mail. Today’s remote access users are part-time and full-time telecommuters, business partners, and clients that rely upon access to the internal network to accomplish mission-critical court business.
There are two methods available for remote access to a court’s internal network:
· Users dial in through an analog modem, with access through phone lines, to connect to a modem pool or Remote Access Server (RAS).
· Users access a digital high-speed modem and/or router with a direct link to an Internet Service Provider (ISP).
Although traditional modems are sufficient for applications such as unsecured e-mail, they are rapidly becoming too slow for users working with larger applications and advanced graphics. Dialing in through an analog modem over the public switched telephone network (PSTN) is being phased out by high-speed and high bandwidth network connection mechanisms, such as the Integrated Services Digital Network (ISDN), cable modems, Asymmetrical Digital Subscriber Lines (ADSL, xDSL), and certain wireless technologies.[2]
Virtual Private Network (VPN) technology is capable of sending private data securely through a shared network and can be established between two or more Local Area Networks (LANs), as well as between remote users and a LAN. VPNs provide the basis for extending an Intranet securely across the Internet to form a corporate Wide Area Network (WAN). If the WAN gives access to business partners then it is, by definition, an Extranet.[3] With Extranets, VPNs utilize the Internet as a medium for transmitting information over and between private networks, and secure data through a process called tunneling.
Remote Access Control Standards
Minimum Security Option
| Description | Benefits | Disadvantages |
| --- | --- | --- |
| Remote access part of overall security plan; username and password or “blind password” is required; single RAS; central modem pool; reduce modem pool controller time-out period; reset modem and clean termination at end of each dial-in period; log-on banner unfriendly warning. | Least expensive and provides basic remote access security/control | Circumvention of the court’s network through remote access much more likely, especially by seasoned hackers or internal attackers. |
1. Provide for a remote access security plan that allows for access to legitimate users, is easy to administer and flexible to user needs, and is largely transparent. Keep in mind that users will find a way to circumvent security methods that are too difficult.
2. Remote users must be authenticated to ensure that only authorized personnel are allowed access to the court’s network. One of the following remote dial-in access password control capabilities will be necessary in order to establish positive authentication:
· Utilize a simple password security process, where the dial-in user is prompted for a username and password to connect to the network; or
· Even better is the use of a “blind password” set-up to simulate a dead modem that does not respond in any way until the dial-in user has typed in a password.[4]
3. Security issues at the remote site and at the host server are to be considered seriously, since both ends of the dial-in transmission must be secured. Designate a single server to provide a single entry point for remote access. This can be a specified VPN server or a remote access server, depending on the court’s technology and tools available, and the type of implementation structure.
4. When using telephone lines, provide a central dial-in and dial-out modem pool for remote access. Strictly control outside access from networked desktop systems that connect to the public-switched network. Network-connected desktop systems with modems that make calls to and from the public-switched network represent one of the greatest vulnerabilities to internal networks. An attacker that gains access to, and control of, a network-connected desktop system via an external modem can circumvent many courts’ internal security safeguards. Virtually all laptop computers have modems and there is a growing trend toward using laptops as desktop systems using docking stations.
5. Shorten to five (5) minutes or less the standard 16-minute period that many modem-pool controllers use to time out their dial-in connections after they are unexpectedly disconnected. During the time-out period, an attacker who gains access to the modem to which a disconnected line was attached will have the same access rights and privileges as the authorized user who lost the connection. This time-out period will be set to five minutes or less for best security.
6. Finally, provide for security features that are available to be installed on most remote dial-in modems including, but not limited to, the following:[5]
· Modem programming provides protection from unwanted reprogramming during normal operation; however, modems are to be reset to a standard configuration at the start of each new call and also at the end of each call, so that a new caller cannot take over (“hijack”) a previous caller’s session.
· Clean Call Termination provides for modems to terminate completely. The system must verify that the server properly hangs up the phone line at the end of each session so that, once again, a new caller cannot hijack a previous caller’s session.
· Opening Banner[6] provides for a default modem message that all remote users will see when they first connect. Include a legally necessary security-related message in this banner, known as an unfriendly log-on warning (for example: “Warning, this is a secured and monitored computer system and any unauthorized access or attempt to access any information contained within it will be prosecuted to the fullest extent of the law”). Be careful not to divulge any information regarding court hardware or software in the opening banner, since such information is useful to attackers.
Optimum Security Option
| Description | Benefits | Disadvantages |
| --- | --- | --- |
| Dial-in callback or caller-id required; segment RAS from internal network; security software or firewall on home computers’ dial-ins; required encryption; IT supervision of VPN/encryption. | Appropriate costs versus benefits for much improved remote access security and controls. | Costs are higher and additional supervision and maintenance of RAS or VPN and encryption required. |
1. Remote access security for dial-in will require one of the following controls be provided:
· Caller ID – the remote access server checks the telephone number of an incoming call against an approved list of phone numbers. If the phone numbers match, the users gain access to the network. This method does not address mobile users.
· Callback security systems – when a user dials into the network, the answering modem requests caller identification, disconnects the call, verifies the caller’s identification against a directory, and then calls back the authorized modem at the number matching the caller’s identification; thereby denying access to potential hackers. This technique helps ensure that data communication occurs only between authorized devices. Although callback techniques work well for branches and dial-in from a user’s home, most callback products are not appropriate for mobile or traveling users since these users’ locations often vary daily. Products are now available which accept roving callback numbers, allowing mobile users to call into a remote access server or host computer, enter their user ID and password, and then specify a number where the server or host will call them back. The callback number is then logged, and that information is available later to help track down security breaches.
2. Segment the RAS from the internal network. It can then act as a firewall where incoming data is routed, decrypted, and filtered to the local area network.[7] Require users that are to connect from home to have appropriate security precautions installed. Precautions will include a firewall or a security software package designed to recognize an attack and shut down access ports. Special attention must be paid to users connecting via a cable modem, as it provides a constant connection to the Internet. By using a cable modem connection, an intruder can use an employee’s home computer to attack the court’s internal network.
3. Supervise the use of VPNs throughout the network. IT managers or liaisons will change encryption keys and delete outdated or unused keys.
4. Data transmissions must be properly protected in order to preserve data integrity and confidentiality before, during, and after transmission. Various techniques are available to encrypt the data, to transmit or “tunnel” the data, and then to decrypt the data. VPNs are one of the best and most secure ways to transmit data across the Internet. Encryption systems used to protect data during transmission also need to be powerful since simple encryption is now subject to penetration by attackers. VPNs use public key encryption to provide security.[8] Provide for one of the following transmission encryption schemes:
· Packet Encryption encrypts the contents of each packet being sent over the network. Once received, the packets are decrypted one at a time, and then the entire message is re-assembled.
· Message Encryption, a more secure method, encrypts the entire message at the source, and sends the entire encrypted message in the form of packets. The packets are then re-assembled and decrypted as a whole.
· Data Encryption Standard (DES) is the security algorithm upon which the VPN architecture is built. Triple DES encryption is today’s recommended version.[9]
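
The caller ID and callback controls listed under item 1 of this option can be expressed as the decision logic below. This is an added example, not part of the original standard; the directory contents, phone numbers, user names and function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample data (fictional 555-01xx numbers, hypothetical user names).
APPROVED_CALLER_IDS = {"5125550101", "5125550102"}
CALLBACK_DIRECTORY = {"jdoe": "5125550101", "clerk2": "5125550102"}
ROVING_USERS = {"clerk2"}   # users allowed to specify a roving callback number
callback_log = []           # entries: (utc timestamp, user, number, mode)

def normalize(number):
    """Reduce a dialed string to 10 digits, or None if it is malformed."""
    digits = re.sub(r"\D", "", number or "")
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None

def caller_id_check(presented_number):
    """Caller ID control: admit only numbers on the approved list."""
    return normalize(presented_number) in APPROVED_CALLER_IDS

def callback_decision(user_id, credentials_ok, requested_number=None):
    """Callback control: the server hangs up, then dials a number it selects.

    Returns the number to call back, or None when the call is refused.
    """
    if not credentials_ok or user_id not in CALLBACK_DIRECTORY:
        return None
    number, mode = CALLBACK_DIRECTORY[user_id], "fixed"
    if requested_number is not None:
        roving = normalize(requested_number)
        if user_id not in ROVING_USERS or roving is None:
            return None     # roving callback not permitted, or number malformed
        number, mode = roving, "roving"
    # Log every callback number so it is available for later investigation.
    stamp = datetime.now(timezone.utc).isoformat()
    callback_log.append((stamp, user_id, number, mode))
    return number
```

Caller ID is supplied by the calling network and can be falsified, so the check above works as a filter in front of password authentication rather than a replacement for it.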
Maximum Security Option
| Description | Benefits | Disadvantages |
| --- | --- | --- |
| Integrate multiple remote access security solutions; dynamic passwords required; find all workstation PC and laptop PC modems to see if legitimately needed. | Best possible remote access security and control. | Extensive supervision and maintenance required. Expensive to implement security and control to this degree. |
1. Integrate multiple solutions to achieve the best remote security possible. The problem of remote access security is multi-faceted and there is not a single solution that is capable of addressing all of the possible threats from internal and external sources.
2. The use of Dynamic Passwords is required. Dynamic Passwords require the user to carry and use a password generator (“smart card”) along with a Personal Identification Number (PIN) that is known only to the user and can be used to gain access to the network. This method is difficult to defeat, but it does require a third-party procedure, and it can be more expensive (although prices are falling rapidly).
3. Run an application that dials all of the numbers in a court’s telephone exchange (i.e. “War-dialer” software) to help detect and eliminate unauthorized modems. Another option to detect unauthorized modems is to obtain a listing of all analog phone lines throughout the court. Then, a comparison of these analog lines found to the internal sites with a legitimate need for them (like fax machines) will provide a fairly accurate assessment of court computers with modems installed. The relevance and frequency of this practice is to be determined by a court’s risk assessment, but shall be run at least annually.
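
The analog line comparison described in item 3 can be run as a reconciliation between the line listing and a register of approved uses. This is an added example, not part of the original standard; the CSV layouts, phone numbers, locations and the 365-day threshold used for "at least annually" are assumptions made for illustration.

```python
import csv
import io
import re
from datetime import date

# Constructed sample data: analog line listing and register of approved uses.
LINE_LISTING = """number,location
512-555-0110,Clerk's office
512-555-0111,Courtroom 2
(512) 555-0112,Records room
512.555.0113,Judge's chambers
"""
APPROVED_REGISTER = """number,purpose,owner
5125550110,fax machine,Clerk
512-555-0113,central modem pool,IT
512-555-0119,fax machine,Probation
"""

def _key(number):
    """Compare numbers on their last 10 digits, ignoring punctuation."""
    return re.sub(r"\D", "", number)[-10:]

def load(text):
    """Index CSV rows by normalized phone number."""
    return {_key(row["number"]): row for row in csv.DictReader(io.StringIO(text))}

def reconcile(listing_csv, register_csv):
    """Return lines with no documented need and register entries with no line."""
    lines, approved = load(listing_csv), load(register_csv)
    unexplained = sorted(k for k in lines if k not in approved)
    stale = sorted(k for k in approved if k not in lines)
    return {
        # Candidates for an unauthorized modem: inspect these locations.
        "unexplained": [(k, lines[k]["location"]) for k in unexplained],
        # Approved entries whose line no longer exists: clean up the register.
        "stale_register": [(k, approved[k]["purpose"]) for k in stale],
    }

def audit_overdue(last_run, today, max_days=365):
    """True when the last reconciliation is older than the annual minimum."""
    return (today - last_run).days > max_days

if __name__ == "__main__":
    print(reconcile(LINE_LISTING, APPROVED_REGISTER))
    print(audit_overdue(date(2023, 1, 1), date(2024, 1, 2)))
```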
[1] This section based in part on work by Leggiere, Phil. Remote Access Technology. Faulkner Information Services, 1999.
[2] Girard, J. Remote Access Concepts and Definitions. March 4, 1999. Gartner Group, Inc.
[3] Faulkner Information Services, Exploring Extranets. 2000.
[4] Muller, Nathan J. Constructing a Secure Enterprise Network--Remote Security. Faulkner Information Services, 1999.
[5] Muller, Nathan J. Constructing a Secure Enterprise Network—Remote Security. 1999. Available at <http://products.faulkner.com/products/faccts/>.
[6] See TAC 201.13(10)(B).
[7] Falk, Howard. IP-Based Virtual Private Networks. 1999. Faulkner Information Services. Available at <http://www.faulkner.com/products/faccts/>.
[8] Falk, Howard. IP-Based Virtual Private Networks. Faulkner Information Services, 1999.
[9] See FIPS 46-3, Data Encryption Standard, available from <http://csrc.nist.gov/fips/>.