Securing Access To Network Devices
A corporate information security strategy will not be effective unless IT administrative services are protected through processes that safeguard data and voice network infrastructure devices.

Executive Summary

This white paper attempts to identify the issues involved in delivering secure remote access to network devices, the first basic step of infrastructure security, and to discuss the solutions that Data Track Technology offers for resolving them.

Introduction

An integral part of the discussion of securing access to network devices is to identify how the steps of authentication, authorization, and auditing relate to information security in general, and to secure remote access specifically. To that end, the terms used in this white paper are defined below:

Authentication is the control over who is allowed to gain access to a network, usually through a login/password process. Once users are authenticated and have gained access to a network, they may still need to use additional authentication mechanisms for access to specific services.

Authorization is the ability to limit the network services, and therefore the capabilities, available to different users and/or groups of users. This is usually achieved by applying a user profile based on unique username/password combinations, helping to limit the exposure of the network to attacks from both internal and external sources.

Auditing/Accounting collects and logs user activities on the network. The information collected can then be used for internal billing purposes, and as source material for security investigations.

Issue: Administering Network Devices at Remote Locations

Administrative access to data and voice network infrastructure devices such as routers, firewalls, PBXs, etc. usually takes place either remotely over a wide area network (including the PSTN), remotely over a local area network, or locally with a serial cable from a computer to the console port of the device. A remote location within a business will have data and voice network devices located on the premises, but the IT staff charged with maintaining these network devices is often located elsewhere.
Access methods are needed to administer and configure these remote network devices, but the methods must be secured from hackers on the outside and, potentially, from malicious persons on the inside.

Example: Remote Branch Office

A typical example of network devices at a remote location would be a branch sales office that has a router connecting the office to the corporate WAN for data communications and a small PBX for telecommunications. There is no IT staff at this site. When there is a performance problem with the router, a system administrator at the regional headquarters uses the telnet program to connect to the router across the WAN to read system logs, and then possibly to reconfigure a route table within the device. When a new user needs to be added to the PBX, a telecom manager at the regional headquarters uses a Windows software program from the PBX manufacturer to connect to the PBX across the WAN (in-band access) and add a user to the system.
If the wide area network connection to this site is not functioning due to a failure of the router or of the transport between the router and the WAN backbone, in-band access is not available for either data communications or telecommunications administration. In this case, a system administrator would connect to a modem on the router via a telephone line (out-of-band access), log in directly to the router, and then use the command line interface on the router to debug the wide area network interface. The telecom manager would connect to the service modem on the PBX via a telephone line (out-of-band access), log in directly to the PBX, and then use a command line tool on the PBX to add a user to the system. If there are no service modems on the PBX or the router, a technician or support engineer has to be dispatched to the site to perform on-site troubleshooting.

Security Shortcomings

In this example scenario, with in-band access over the WAN and out-of-band access via individual modems on each device, there are several serious security disasters waiting to happen.

In-band Access

From within the WAN, there may be many sections of the corporate intranet that have routes to remote corporate locations. Unless route-based vulnerability assessments have been performed, there can be little assurance that users on the WAN other than authorized system administrators are blocked from reaching remote devices. And since the data and voice network devices may well have telnet, tftp, ftp, and even http servers running to offer access to system administrators, these devices are vulnerable to attack from insiders through the administrative access points available across the WAN. (See the discussion below on administering network devices on the LAN for a more detailed discussion of insider attack issues.)

Out-of-band Access

Some of the data and voice network devices to be managed remotely may have relatively weak access methods.
In addition, adding only a simple modem as the service access point for a network device magnifies the opportunity for the device to be compromised. Hackers using war dialer mechanisms will eventually find the modem and will attack the login prompt of the managed device.

Issue: Administering Network Devices on the LAN

Methods of access to data and voice network devices located where IT staff reside also need to be secured from the same threats. In contrast to the case of remote locations, malicious persons on the inside of a business are most often the largest threat. A host of studies from well-known sources, including the FBI, the SANS Institute, and the Office for Critical Infrastructure Assurance at the White House, have shown that sophisticated insiders pose the greatest security threat to corporate networks. Disgruntled staff and those attempting to masquerade as administrators are at the top of the insider threat list.

Example: Regional Headquarters

An example of network devices on a large local area network would be a regional headquarters facility that has a direct connection to the Internet, a series of routers and firewalls for data communications, and a large PBX for telecommunications. There are many IT staff members at this site. When there is a performance problem with the router, a local system administrator uses the telnet program to connect to the router across the LAN to read system logs, and then possibly to reconfigure a route table within the device. When a new user needs to be added to the PBX, a local telecom manager uses a Windows software program from the PBX manufacturer to connect to the PBX across the LAN (in-band access) and add a user to the system.
If the local area network at this site is not functioning, in-band access is not available for either data communications or telecommunications administration. In this case, IT staff members would directly access the consoles of the data and voice network devices to remedy the situation. It would be unusual to have modems connected to the network devices at a site where there is a sizable IT staff.

Security Shortcomings

In this example, the greatest vulnerability is not via out-of-band access but rather via in-band access, since there will be few situations where modems are present as standard operating procedure on network devices when there is dedicated IT staff at the location. In our example regional headquarters, administrative access to network devices is via the corporate network and not via a separate administrative VLAN or a separate physical network. At the regional headquarters, there will be users on the corporate network attempting to gain unauthorized access to network resources. It may be a former IT staff member who has maintained back door access to the network. It may be a visitor to a company site sitting down at a logged-in PC. It may be a current employee who has some time on his or her hands and thinks they have hacking skills, or it may be a short-term contractor. It may be a bored vendor's representative handling a service event. Or it could even be a hacker who has actually penetrated the network and is looking for the "soft, chewy center" now that he is past the hardened borders.

In-band Access

In a typical corporate network, critical network infrastructure devices such as routers, servers, firewalls, LAN switches, and PBXs are relatively unprotected from compromise from within. The former IT employee may still have an active password to a web server, and in just a few minutes on the network, he adds a back door for future mischief.
The visitor or current employee may decide to download one of the many hacker tools available on the Internet and propagate a flood of packets to the open telnet port on the nearest router. The vendor's representative adding a software upgrade to a PBX may decide to try telnetting around the network to see which devices he can gain access to. The hacker who has successfully penetrated the network perimeter roams about trying to find, compromise, and reconfigure any internal servers found running insecure services such as tftp.

Data Track's Secure Remote Access

Data Track's solution delivers a consistent, secure system to connect IT administrators to data and voice network devices across local and wide area networks. It uses proven methods of authentication, authorization, and auditing/accounting. The result is that access to critical data and voice network infrastructure is secured from external and internal threats. Beyond the secure connectivity functions, there are a number of services within Data Track's Remote Access solution to monitor network devices. One of these services keeps track of the connection status of each monitored device. Another records the activity of system administrators on each monitored device. A logging service provides a data collection facility for monitored devices either through a serial port or via TCP. And an alerting service offers a message delivery facility to an upstream network management system.

Methodology

A key element of Data Track's Secure Remote Access solution is that rather than connecting directly into a network device, a system administrator connects to a security appliance called a Tracker. It is a reliable and robust platform, based on the Linux operating system, and is well suited for critical applications. The operating system, the configuration parameters, and the Tracker applications are stored in flash memory, making them resilient to power failures.
Any of the configuration parameters can be set remotely, and a system upgrade can be uploaded using a TCP/IP network, local serial, or dial-up connection. Up to 10 data and voice network devices can be connected to a single Tracker security appliance, either via a serial connection to the console port of the network device, via a TCP/IP Ethernet network, or both. When the connection is via a Tracker serial port, the unit's full auditing capabilities are available, including logging the commands that an administrative user enters at the console of the managed device. Using the Tracker as the administrative access point to the console port of the network device, any administrative access to that device via a TCP/IP network can be disabled, further reducing the risk of the network device failing because it was attacked.

Security within Tracker

When a system administrator wants to administer a network device, the first step is to set up a VPN tunnel to the Tracker security appliance if the connection is over a TCP/IP network, or to set up a CHAP-authenticated PPP session to the Tracker if the connection is over a dial-up network. The next step is to log on to the Tracker via a password protected terminal session. Once the logon is successful, the firewall in the Tracker ensures that system administrators only have access to authorized equipment and/or applications.
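The three steps just described (log on to the intermediary, have the intermediary decide which devices the user may reach, and have every command at the managed console logged) are the authentication, authorization and accounting terms defined in the Introduction. The following is an added example written for this page, not Data Track's code and not a description of how the Tracker is implemented internally: a small Python model of such an access point, in which a user never reaches a device except through the gateway. The user names, password, device names and PBKDF2 password hashing are all constructed assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timezone


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; a stand-in for whatever store a real appliance uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AccessGateway:
    """Toy model of an intermediary access point in front of managed devices.

    Administrators never reach a device directly: they authenticate to the
    gateway, the gateway checks a per-user profile of permitted devices
    (authorization), and every login attempt, denial and relayed command is
    written to an audit log (accounting).
    """

    def __init__(self):
        self._users = {}       # username -> (salt, password hash)
        self._profiles = {}    # username -> set of device names the user may reach
        self._sessions = {}    # session token -> username
        self.audit_log = []    # list of audit records (dicts)

    def add_user(self, username: str, password: str, devices):
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))
        self._profiles[username] = set(devices)

    def _record(self, **fields):
        fields["ts"] = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(fields)

    # --- Authentication ---------------------------------------------------
    def login(self, username: str, password: str):
        """Return a session token on success, None on failure. Both outcomes are logged."""
        entry = self._users.get(username)
        if entry is None:
            _hash_password(password, b"\x00" * 16)   # keep timing similar for unknown users
            ok = False
        else:
            salt, stored = entry
            ok = hmac.compare_digest(stored, _hash_password(password, salt))
        self._record(event="login", user=username, result="success" if ok else "failure")
        if not ok:
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return token

    # --- Authorization ----------------------------------------------------
    def is_authorized(self, username: str, device: str) -> bool:
        return device in self._profiles.get(username, set())

    # --- Accounting: every relayed command is logged with who/what/where --
    def run_command(self, token: str, device: str, command: str):
        """Relay a console command to a device only for an authenticated, authorized
        user. Returns the (simulated) device output, or None if the request is denied."""
        username = self._sessions.get(token)
        if username is None:
            raise PermissionError("not authenticated")
        if not self.is_authorized(username, device):
            self._record(event="denied", user=username, device=device, command=command)
            return None
        self._record(event="command", user=username, device=device, command=command)
        return f"[{device}] executed: {command}"   # stand-in for the device's console output


if __name__ == "__main__":
    gw = AccessGateway()
    gw.add_user("netadmin", "constructed-password", ["branch-router"])   # constructed sample user
    tok = gw.login("netadmin", "constructed-password")
    print(gw.run_command(tok, "branch-router", "show log"))
    print(gw.run_command(tok, "branch-pbx", "add user"))   # denied: not in the user's profile
    for rec in gw.audit_log:
        print(rec)
```

The point of the model is the order of checks: a command is relayed only after authentication and authorization both succeed, and denials are recorded as carefully as successes, since a run of denied requests against devices outside a user's profile is exactly the "telnetting around the network" pattern described in the Security Shortcomings section.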
When the Tracker is fitted with multiple Ethernet ports, its internal routing tables are used to restrict the traffic flow between these interfaces, creating a secure routing environment. In addition to the security of the logon process and the firewall rules, the administrator of the Tracker also configures the logon methods allowed per user, and enables the level of access required per user. When managing network devices via a Tracker using a TCP/IP network, the highest security level would place a Tracker Ethernet interface and the administrative Ethernet interfaces of the network devices on a VLAN, or at least a subnet, separated from the rest of the local area network. This would allow internal network segmentation methodologies to be used to severely limit the number of users that have access to the administrative interfaces of network devices.

System Applications

The Tracker provides a series of system applications to support secure remote access and to serve as building blocks for other solutions. These include:
In-band and Side-band Access to Network Devices

For in-band access across a LAN, an administrator connects one Ethernet port on the Tracker to the corporate network. For more protection, an admin VLAN or even a separate admin LAN would be in use, and another Ethernet port on the Tracker would be connected to it. (Using a VLAN or a separate LAN for administrative purposes is more accurately called side-band access.) For in-band or side-band access across a WAN, the Tracker would be connected to an Ethernet network and would have a TCP/IP route available to traverse the WAN to connect to the devices to be administered. A system administrator looking to connect via in-band or side-band access to a network device managed by a Tracker will telnet to the IP address of the Tracker's Ethernet interface on the corporate network, and then select the authorized device to administer.

Out-of-band Access to Network Devices

For out-of-band access, a telephone line is connected to the Tracker's integral modem. The Tracker can be configured to restrict answering to a set of originating numbers. A system administrator looking to connect via out-of-band access to a network device managed by a Tracker must call from a phone line whose number is authorized by the Tracker. A CHAP-authenticated PPP session will start up, the user will log on, and then the user will select the authorized device to administer.
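The out-of-band path above has two gates in sequence: the modem answers only calls from an authorized originating number, and the PPP session is then authenticated with CHAP. The following added example (written for this page; it is not Data Track's code and does not describe the Tracker's actual implementation) plays both sides of that exchange in Python. The CHAP computation is the MD5 variant defined in RFC 1994, Response = MD5(Identifier || Secret || Challenge); the authorized numbers, peer name and shared secret are constructed values.

```python
import hashlib
import hmac
import os
import secrets

# Constructed configuration for this example (assumptions, not values from the paper).
AUTHORIZED_CALLERS = {"+15551230100", "+15551230101"}
CHAP_SECRETS = {"netadmin": b"constructed-shared-secret"}   # peer name -> shared secret


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ModemAuthenticator:
    """Server side: answer only calls from authorized numbers, then require a
    CHAP challenge/response before any PPP session is accepted."""

    def __init__(self, authorized_callers, secrets_db):
        self.authorized_callers = set(authorized_callers)
        self.secrets_db = dict(secrets_db)
        self.log = []                # (event, subject, outcome) records
        self._ident = None
        self._challenge = None

    def accept_call(self, calling_number: str) -> bool:
        """Gate 1: restricted answering on the originating number."""
        ok = calling_number in self.authorized_callers
        self.log.append(("call", calling_number, "answered" if ok else "rejected"))
        return ok

    def challenge(self):
        """Gate 2, step 1: a fresh random identifier and challenge per attempt."""
        self._ident = secrets.randbelow(256)
        self._challenge = os.urandom(16)
        return self._ident, self._challenge          # contents of the CHAP Challenge packet

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Gate 2, step 2: check the peer's response against the shared secret.
        The stored challenge is cleared afterwards, so a captured response cannot be replayed."""
        secret = self.secrets_db.get(name)
        ok = (
            secret is not None
            and self._challenge is not None
            and identifier == self._ident
            and hmac.compare_digest(response, chap_response(identifier, secret, self._challenge))
        )
        self._challenge = None
        self.log.append(("chap", name, "success" if ok else "failure"))
        return ok


class DialupPeer:
    """Client side: the administrator's workstation dialing in over the PSTN."""

    def __init__(self, calling_number: str, name: str, secret: bytes):
        self.calling_number = calling_number
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes):
        """Contents of the CHAP Response packet: peer name plus the MD5 response."""
        return self.name, chap_response(identifier, self.secret, challenge)


def dial_in(authenticator: ModemAuthenticator, peer: DialupPeer) -> str:
    """Drive one dial-in attempt: caller screening first, then the CHAP exchange."""
    if not authenticator.accept_call(peer.calling_number):
        return "rejected: calling number not authorized"
    ident, chal = authenticator.challenge()
    name, resp = peer.respond(ident, chal)
    return "success" if authenticator.verify(ident, name, resp) else "failure: CHAP"


if __name__ == "__main__":
    auth = ModemAuthenticator(AUTHORIZED_CALLERS, CHAP_SECRETS)
    print(dial_in(auth, DialupPeer("+15551230100", "netadmin", b"constructed-shared-secret")))
    print(dial_in(auth, DialupPeer("+15551230100", "netadmin", b"wrong-secret")))
    print(dial_in(auth, DialupPeer("+15551239999", "netadmin", b"constructed-shared-secret")))
```

Calling-line identification is delivered by the telephone network rather than proven by the caller, so the number screen is a filter that keeps the login prompt away from war-dialer scans; the CHAP exchange, keyed on a shared secret and a fresh challenge each time, is what actually authenticates the peer.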
Solution: Administering Network Devices at Remote Locations

Providing access to data and voice networking equipment at remote sites requires a very high level of security, particularly where out-of-band access is involved. When out-of-band access is necessary, restricted answering of the modem is implemented on the Tracker security appliance. Logon is via a password protected terminal session (VT100), a CHAP-authenticated PPP network session, or both. In the case of in-band or side-band access to equipment at remote sites, the IT administrator would connect over a TCP/IP network consisting of a WAN and several LANs, using a VPN tunnel and the telnet program. The workstation used to connect to the Tracker at the remote site would need to have a route to the Tracker in its local route table and in the route tables along the path to the LAN at the remote site.

Solution: Administering Network Devices on the LAN
Providing secure access to data and voice networking equipment on a LAN is via a VPN tunnel and a password protected terminal session (VT100) over a TCP/IP network to the Tracker security appliance. As previously described for in-band or side-band access to remote locations, the workstation used to connect to a Tracker within the local network would need to have a route to the Tracker in its local route table and in the route tables along the path to the subnet hosting the Tracker. When it comes to out-of-band access to a site with an IT staff, the expectation is that out-of-band access would be a rarely used option.

Appendix A: Alternative Solutions

Data Track's Secure Remote Access versus alternatives