LINUX SECURITY --- October 31, 2000
Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters
--------------------------------------------------------------------------------

HIGHLIGHTS

* Providing remote access to your users without compromising your system's security

--------------------------------------------------------------------------------

The Remote Access Nightmare
By Rick Johnson

Recently the dreaded question of remote access crossed my desk. Every System Administrator will eventually be faced with this dilemma: how do I provide remote access to specific employees without compromising the integrity of our network? Do I open up a hole in the firewall to the Internet or find another route?

There are a few possible options for allowing remote users into the internal network. It all depends on the level of access required. If shell access is all that is required, one hardened server on a DMZ with only SSH opened to specific IP addresses might do the job. From there, users may bounce to the internal network. Unfortunately, most remote access situations require more widespread access to internal services. In addition, like it or not, eventually a Windows user will need to log onto the domain from a remote site. Obviously, this cannot be allowed across the Internet.

My first recommendation is to provide a dialup solution if the circumstances are right. One of the best benefits of this approach is the ability to institute a callback plan. With this enabled, the user must call in from a specific phone number. Once they have connected and authentication has occurred, the connection is dropped and the server then initiates a call to the user's computer. Since the user's account is pre-configured with their callback phone number, the only potential for exploitation exists if the user's phone system and account are both compromised.

The more common option in use is a Virtual Private Network.
With a VPN, access is available from any Internet connection. The most common VPN configurations use a tunnel of either SSH, PPTP or IPSec. PPTP is a Microsoft protocol that is supported under Linux, but is not considered very secure. IPSec offers access control, data integrity, authentication and confidentiality. These services are provided by two traffic security protocols, the Authentication Header (AH) and the Encapsulating Security Payload (ESP), together with cryptographic key management protocols. Once the tunnel is active and authentication has occurred, the connecting PC is assigned an IP address from the internal network, thereby appearing as a local workstation.

This convenience does come at a price. Since the remote PC is now an equal on the network, you have to trust the security of that remote PC and the network it sits on. Luckily, with the right setup it is possible to firewall the remote VPN users to allow for some degree of security. For more information on VPNs under Linux, please read the VPN HOWTO (http://www.linuxdoc.org/HOWTO/VPN-HOWTO.html).

So, will your remote-access-enabled network ever be as secure as if it were isolated from the outside world? Quite simply, the answer is no. Once you open any hole, the level of risk grows accordingly. It is all a matter of drawing that invisible line that designates an acceptable risk.

About the author(s)
-------------------

Rick Johnson: Rick Johnson is currently the Manager of Security Services for FusionStorm, a remote managed services company. When not writing, he heads the development team for PMFirewall, an Ipchains Firewall and Masquerading Configuration Utility for Linux. Rick can be contacted via email at rick@pointman.org or on the web at http://www.pointman.org.
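The article describes two filtering designs without showing the rules: a hardened DMZ host that exposes SSH only to listed source addresses, and VPN clients that, although they hold internal addresses, are confined to a few internal services. The script below is an added example, not code from the article or from PMFirewall; it uses iptables (the successor of the ipchains the author works with) and prints the generated rules rather than applying them unless run as root with APPLY=1. The administrator addresses, the VPN address pool and the permitted internal services are constructed placeholders from the documentation ranges.

```shell
#!/bin/sh
# Added example: restrictive iptables rules for a DMZ SSH host and for
# firewalling remote VPN users. All addresses below are constructed.
set -eu

ADMIN_IPS="203.0.113.10 203.0.113.11"               # constructed: sources allowed to reach SSH
VPN_POOL="10.8.0.0/24"                               # constructed: addresses assigned to VPN clients
VPN_SERVICES="10.0.0.5:445 10.0.0.5:139 10.0.0.7:25" # constructed: internal host:port pairs VPN users may use

# Rules for the DMZ bastion: default deny, SSH only from the listed sources,
# everything else logged and dropped.
dmz_ssh_rules() {
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    for ip in $1; do
        printf 'iptables -A INPUT -p tcp -s %s --dport 22 -m conntrack --ctstate NEW -j ACCEPT\n' "$ip"
    done
    printf 'iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh-denied: "\n'
    printf 'iptables -A INPUT -j DROP\n'
}

# FORWARD rules on the VPN gateway: clients from the pool may open connections
# only to the named host:port pairs; anything else from the pool is logged and dropped.
vpn_forward_rules() {
    pool=$1
    services=$2
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    for svc in $services; do
        host=${svc%:*}
        port=${svc#*:}
        printf 'iptables -A FORWARD -s %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$pool" "$host" "$port"
    done
    printf 'iptables -A FORWARD -s %s -j LOG --log-prefix "vpn-denied: "\n' "$pool"
    printf 'iptables -A FORWARD -s %s -j DROP\n' "$pool"
}

# Sanity check used before applying: how many ACCEPT rules did we generate?
count_accepts() { grep -c -- '-j ACCEPT'; }

# Print the rules, or run them when APPLY=1 and we are root.
main() {
    rules=$(dmz_ssh_rules "$ADMIN_IPS"; vpn_forward_rules "$VPN_POOL" "$VPN_SERVICES")
    if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
}
main
```

The VPN rules assume the tunnel is terminated on the same gateway, so that packets from remote users reach the FORWARD chain already decapsulated with their pool address as source; that is what makes it possible to treat a VPN user as something less than "an equal on the network". Authentication for the tunnel itself and the dial-up callback scheme are outside what these rules cover.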
--------------------------------------------------------------------------------

RESOURCES

Curing remote-access security ailments
ssh, the secure shell, can create a moderately secure network connection
http://www.itworld.com/jsw/linsec_nl/swol-01-1996/swol-01-sysadmin.html

SKIP your way to security
How does Sun's Simple Key Management for IP provide 3 levels of network security? We show you how to install SKIP and build an encrypted channel between Solaris hosts
http://www.itworld.com/jsw/linsec_nl/swol-06-1997/swol-06-skip_p.html

File sharing made easy
What to consider when connecting NFS and SMB filesystems
http://www.itworld.com/jlw/linsec_nl/lw-1999-03/lw-03-thereandback_p.html

--------------------------------------------------------------------------------