“Secure” Remote Access Submitted To Mr.: Ahmed Abu Mosameh Preparation By: Mohammed N. Abu Shammala For telecommuters and roaming users

“Secure” Remote Access Requirements Authentication (Knock, knock, who’s there?) Access to the laptop Access to your network Physical Security Lost or mislaid laptops Unauthorised Access to a laptop Network Security Network-based attacks/intrusions Information confidentiality Malware Protection Management/Low support cost Ease of Use

Authentication Authentication is needed to: Prevent unauthorised access to the laptop Prevent unauthorised access to your network The Authentication Scheme needs to: Be easy and seamless to the user Use multiple factors to prevent capture and replay of credentials (e.g. key-logging of passwords) Prevent man-in-the-middle attacks Rainbow iKey cryptographic tokens

Physical Security Laptop’s contain your agency’s information Try and keep as little information on the laptop as possible - Don’t use a laptop as a mass file-store Make it difficult to obtain information even with physical access to the laptop – Boot time authentication Media could be removed and read from elsewhere – Disk Encryption Procedures + Citrix + WinMagic + Rainbow Crypto Tokens

Disk Encryption – Implementation Choices Disk vs File Encryption File Encryption Choose a file, decrypt, use, encrypt, secure erase unencrypted file Disk Encryption Encrypts and decrypts all files (including temporary files) “on the fly”. This process is extremely transparent to the end user. Issues for ‘pooled’ resources If laptop L is encrypted with user A’s key then users B,C,D… cannot use the laptop. Use a device access key rather than a user authentication key ‘Master’ Keys If a user loses their key, or is not present can IT Support read the disk? Encrypt the disk encryption key using the user’s key and a key owned by IT Support staff

Network Security Your Agency’s information travels over the Internet. Make sure that nobody can watch it go past; Prevent unauthorised access to your information resources. Packet sniffing – Session encryption e.g. IPSEC or SSL Man-in-the-middle Authenticate both the “Server” and the “client”! Capture-and-replay Network Attack Prevention Protect the client system Disable unneeded services Use a personal firewall to only allow access from applications that should be using the network/internet Agency owned systems versus staff owned (or internet café’) systems Filter traffic from the client to your network – it should only be trying to access expected services! E.g. CodeRed, MSBlaster, SQLSlammer! Cisco VPN Client + Rainbow Crypto Token + ZoneAlarm

Malware Prevention Personal Firewall Use a personal firewall that authenticates which applications connect to the internet or your network – this prevents rogue software from spreading over the network Anti-virus Prevents detected Malicious Software from executing on the laptop Does it update ‘automagically’? System Resources Multiple instances of security software for disk encryption, network encryption, authentication, firewall, anti-virus... Is this a DoS attack in itself? ZoneAlarm + McAfee + WinMagic + Cisco VPN RAM

Management and Support Managing and supporting LAN clients and Remote clients can be very different Physical access to hardware Access to bandwidth for downloading patches Login scripts and domain management tools may be unavailable Thin-client – one update for all users The biggest support headache… Getting roaming connected to the internet

Ease of Use and End-User Awareness A “Secure” Remote Access System needs to be really easy to use so that: End Users use it and not circumvent it! E.g. Choose to use WebMail instead of secure Remote Access connections Make it intuitive Don’t rely on all end users to read the documentation If possible train/demo the system before they leave

Questions