IT Baseline Protection Manual S 4.112 Secure operation of the RAS system
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrator
For the secure operation of a RAS system it is essential that the hardware and software components of the system have been securely installed and configured. Safeguards S 4.110 Secure installation of the RAS system and S 4.111 Secure configuration of the RAS system must therefore have been performed before the RAS system goes live. In addition, all the organisational processes must have been defined and implemented (e.g. reporting channels and responsibilities). It should also be noted that the desired level of system security can only be assured if the physical security of the hardware components which make up the RAS system is also assured (see also S 4.110 Secure installation of the RAS system).
The security of a RAS system can be roughly broken down into three areas:
the security of the RAS server,
the security of the RAS client and
the security of data transmission.
Whereas the desired level of security of the RAS server can be achieved by implementing local security guidelines, the RAS client is typically not under the complete control of the IT personnel responsible for the LAN, and the data transmission media are generally completely outside their control. For this reason, communications between client and server must be protected by additional means.
In the environment of the RAS server the following recommendations for secure operation should be considered:
RAS access should be continuously monitored using logging and management tools.
The information collected in the course of monitoring should be regularly reviewed by a trained administrator, who should where possible be supported by a log-analysis tool. The data protection regulations must be observed (see also S 2.110 Data privacy guidelines for logging procedures).
If any security incidents are detected, the measures previously specified must be implemented immediately. The identified security incidents should be documented in an incident report (see also module 3.8 Handling of security incidents on this point).
In order that a controlled user authentication procedure (e.g. Remote Access Service under Windows NT, RADIUS, TACACS, TACACS+, SecurID) is possible for RAS access, the consistency of the authentication data must be assured. This can be achieved either through central administration of the data (using an authentication server) or through periodic synchronisation.
User authentication must be performed via the chosen mechanism every time a connection is established. In particular, use of the CLIP mechanism (Calling Line Identification Presentation, i.e. transmission of the caller's number) on its own is not sufficient for reliable authentication: the RAS server has no way of verifying the transmitted number, which identifies at most a line or device, never a person.
Protection of communications using one of the methods permitted in the RAS security concept must be enforced for every connection in order to ensure that the transmitted data is protected.
The additional security mechanisms provided by the access technology should be used, i.e. evaluation of the transmitted call number, and callback to a preconfigured phone number for stationary RAS clients and for RAS clients connected over a mobile phone.
The RAS system should be audited at regular intervals. The roles of Administrator and Internal Auditor must not be assigned to the same person.
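The regular review of RAS access logs recommended above is best done with a tool that applies the rules of the RAS security concept to every line. The following is an added example (not from the manual or from any RAS product): it parses constructed log lines in an assumed `key=value` format and flags two of the conditions a reviewer would look for, bursts of failed authentications for one user, and successful logins where the transmitted call number (CLIP) is missing or not one registered for that user. The user/call-number registry is likewise assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of RAS server log lines in an assumed format (not real product output).
SAMPLE_LOG = """\
2001-03-12 08:14:02 port=COM3 user=jdoe cli=+4922812345 result=OK ip=10.1.2.10
2001-03-12 08:20:41 port=COM4 user=asmith cli=+4917012345 result=FAIL
2001-03-12 08:20:55 port=COM4 user=asmith cli=+4917012345 result=FAIL
2001-03-12 08:21:09 port=COM4 user=asmith cli=+4917012345 result=FAIL
2001-03-12 08:21:30 port=COM4 user=asmith cli=+4917012345 result=FAIL
2001-03-12 09:02:17 port=COM3 user=jdoe cli=+4930999999 result=OK ip=10.1.2.11
2001-03-12 23:45:00 port=COM5 user=bmiller cli=- result=OK ip=10.1.2.12
"""

# Assumed registry: the calling numbers the RAS security concept has recorded for each user.
REGISTERED_CLI = {
    "jdoe": {"+4922812345"},
    "asmith": {"+4917012345"},
    "bmiller": {"+4922877777"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) port=(?P<port>\S+) user=(?P<user>\S+) "
    r"cli=(?P<cli>\S+) result=(?P<result>OK|FAIL)(?: ip=(?P<ip>\S+))?$"
)


def parse_log(text):
    """Turn log lines into dicts; malformed lines are skipped rather than aborting the review."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def failed_auth_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` FAIL results inside any sliding time window."""
    fails = defaultdict(list)
    for r in records:
        if r["result"] == "FAIL":
            fails[r["user"]].append(r["ts"])
    hits = []
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(user)
                break
    return hits


def unexpected_caller_ids(records, registry):
    """Successful logins whose CLIP number is absent ('-') or not registered for the user.
    CLIP is only an additional check, so such logins are reviewed, not automatically blocked."""
    out = []
    for r in records:
        if r["result"] != "OK":
            continue
        if r["cli"] == "-" or r["cli"] not in registry.get(r["user"], set()):
            out.append((r["user"], r["cli"], r["ts"].isoformat()))
    return out


def review(text, registry=REGISTERED_CLI):
    recs = parse_log(text)
    return {
        "failed_auth_bursts": failed_auth_bursts(recs),
        "unexpected_caller_ids": unexpected_caller_ids(recs, registry),
    }


if __name__ == "__main__":
    for name, findings in review(SAMPLE_LOG).items():
        print(name, findings)
```

Findings from such a run are the raw material for the incident report mentioned above; the thresholds and the window are policy parameters and should come from the RAS security concept rather than being hard-coded in a production tool.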
A mobile IT system can be connected to a LAN over GSM (see also S 5.81 Secure transmission over mobile phone). When RAS is used over a mobile phone network, it should be noted that the CLIP mechanism is generally suitable only as an additional authentication feature, as the mobile phone identified by the call number can easily fall into unauthorised hands.
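RADIUS, one of the central authentication mechanisms named above, is a good illustration of what "central administration of the authentication data" looks like on the wire: the RAS server (the NAS) forwards the user's credentials to one authentication server and must verify that the answer really came from that server. The following is an added example and not code from the manual or from any RADIUS implementation. It implements the Access-Request/Access-Accept exchange of RFC 2865 with PAP, including the password hiding of section 5.2 and the Response Authenticator check, for a toy server with an in-memory user store; the user names, passwords, addresses and shared secret are constructed.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, CALLING_STATION_ID = 1, 2, 4, 5, 31


def pap_hide(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks; XOR the first block with
    MD5(secret + Request Authenticator), each further block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, ((len(password) + 15) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def pap_unhide(hidden, secret, request_auth):
    """Inverse of pap_hide; the server strips the zero padding afterwards."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(body):
    attrs, i = {}, 0
    while i + 2 <= len(body):
        kind, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs[kind] = body[i + 2:i + length]
        i += length
    return attrs


def access_request(ident, request_auth, user, password, secret, nas_ip, nas_port, cli):
    body = b"".join([
        attr(USER_NAME, user.encode()),
        attr(USER_PASSWORD, pap_hide(password.encode(), secret, request_auth)),
        attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        attr(NAS_PORT, struct.pack("!I", nas_port)),
        attr(CALLING_STATION_ID, cli.encode()),  # the CLIP number: logged, not proof of identity
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def response_authenticator(code, ident, length, request_auth, body, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + request_auth + body + secret).digest()


def radius_server(request, secret, user_db):
    """Server side: unhide the PAP password, check it against the central user store, reply."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = pap_unhide(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = code == ACCESS_REQUEST and user in user_db and hmac.compare_digest(password, user_db[user])
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return struct.pack("!BBH", reply_code, ident, 20) + response_authenticator(
        reply_code, ident, 20, request_auth, b"", secret)


def verify_reply(reply, request_auth, secret, expected_ident):
    """NAS side: accept the reply only if it matches the outstanding request and the shared secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != expected_ident:
        return None
    expected = response_authenticator(code, ident, length, request_auth, reply[20:], secret)
    return code if hmac.compare_digest(expected, reply[4:20]) else None


def exchange(user, password, nas_secret, user_db, server_secret=None):
    """One round trip; returns the verified reply code, or None if the reply is not trustworthy."""
    ident, request_auth = 7, os.urandom(16)
    req = access_request(ident, request_auth, user, password, nas_secret, "10.1.2.1", 3, "+4922812345")
    reply = radius_server(req, server_secret or nas_secret, user_db)
    return verify_reply(reply, request_auth, nas_secret, ident)


if __name__ == "__main__":
    db = {"jdoe": b"correct horse"}  # constructed central user store
    print(exchange("jdoe", "correct horse", b"s3cret", db))  # 2 = Access-Accept
```

Two things the exchange makes visible: the password is only hidden with an MD5-derived mask keyed by the shared secret, and a plain Access-Request carries no integrity protection of its own, so the link between RAS server and authentication server belongs on a protected management network, not on the same third-party network the clients dial in over.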
As RAS clients are generally operated in environments that are not under full control, special mechanisms, procedures and safeguards must be employed to protect the client. Mobile RAS clients are exposed to a particular danger here, since their portability makes them easy targets (e.g. for theft or vandalism). Once a RAS client is compromised, the security of the LAN may be impaired as well.
For the secure operation of RAS clients, the following aspects must therefore be considered:
The basic security of the IT system must be assured (see also modules 5.3 Laptop PCs, 7.2 Modems, 8.6 Mobile phones and 9.3 Telecommuting).
As mobile RAS clients are exposed to greater risks than stationary clients, they need to be protected through additional safeguards. One such safeguard is encryption of the hard disk, so that if the device goes missing no data can be read and no unauthorised RAS connections can be established with credentials stored on it. Note that disk encryption protects a switched-off or locked device; a device that is taken while running and unlocked gives the thief the same access its user had.
Especially where RAS clients are linked using Internet connections, it is essential to have anti-virus software installed on them (see also module 3.6 Computer virus protection concept).
Consideration should be given to installing PC firewalls on the RAS clients so that they are protected against unauthorised access from the Internet by third parties. Like conventional firewalls (see module 7.3 Firewalls), PC firewalls filter the packets of the network communication protocols. However, the filtering rules are typically generated dynamically by the user: for every access for which no rule yet exists, a selection of possible responses is offered (e.g. allow, reject, conditional processing), from which the user defines a new rule. As it is often difficult for the user to distinguish permitted from unauthorised accesses, the ruleset should be pre-installed by an Administrator, with unsolicited inbound connections denied by default.
RAS clients too should be included in system management as far as possible. Firstly, this permits monitoring of the clients as part of maintaining ongoing operations; secondly, it enables software updates (e.g. virus databases, application programs) to be distributed over a controlled route. Remote computers, however, place higher demands on system management because they are not permanently connected to the network, so they must be examined regularly for (non-permitted) configuration changes. Depending on the management product, a "Discovery" function can be used to ascertain the current status of the computer. It should be noted that capturing this information places a load on the RAS client and that the data has to be transmitted over the RAS connection. If the RAS connection has a low bandwidth, as is the case for example over a mobile phone, this can result in response times that are unacceptable to users.
If TCP/IP is used as the protocol, consideration should be given to using fixed IP addresses for RAS clients rather than assigning addresses dynamically. This procedure carries a high administrative overhead (e.g. the assignment tables must be maintained), but it allows a unique network address to be assigned to each computer. The disadvantage of dynamic assignment is that a record must be kept of which RAS client was given which network address and when; otherwise it is generally impossible to establish which RAS client performed a particular action. Note that a fixed address only helps attribution if the RAS server binds it to the authenticated user; an address that a client merely requests for itself can be requested by any client.
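The attribution problem with dynamically assigned addresses described above comes down to one lookup: which client held a given address at a given moment. The following is an added example, not from the manual: it takes constructed assignment records of the kind a RAS server would log (start of connection, address, authenticated client, end of connection) and attributes address-only events from a LAN server log to clients, treating each assignment as a half-open interval so that a reused address is attributed to the right client and a gap between two leases yields "unknown" rather than a wrong client. The record format is assumed.

```python
from datetime import datetime

# Constructed address-assignment records of the RAS server (assumed format, not real product output):
# connection start, address handed out, authenticated user/client, connection end ("-" = still open).
ASSIGNMENTS = """\
2001-03-12T08:14:02 10.1.2.10 jdoe/laptop-17 2001-03-12T09:40:00
2001-03-12T09:02:17 10.1.2.11 asmith/laptop-23 2001-03-12T09:10:00
2001-03-12T09:55:30 10.1.2.10 bmiller/laptop-05 -
"""

# Constructed events from a LAN server log that carry only a source address.
EVENTS = [
    ("2001-03-12T08:30:00", "10.1.2.10", "file share mounted"),
    ("2001-03-12T09:45:00", "10.1.2.10", "failed logon to DB01"),
    ("2001-03-12T10:00:00", "10.1.2.10", "config export"),
    ("2001-03-12T09:10:00", "10.1.2.11", "print job"),
]


def parse_assignments(text):
    rows = []
    for line in text.splitlines():
        start, ip, client, end = line.split()
        rows.append((datetime.fromisoformat(start), ip, client,
                     None if end == "-" else datetime.fromisoformat(end)))
    return rows


def client_for(rows, ip, when):
    """Client holding `ip` at `when`, or None if no record covers that moment.
    Intervals are half-open [start, end). Overlapping records mean the log is
    inconsistent and any attribution would be a guess, so that is treated as an error."""
    matches = [client for start, addr, client, end in rows
               if addr == ip and start <= when and (end is None or when < end)]
    if len(matches) > 1:
        raise ValueError(f"overlapping assignments for {ip} at {when.isoformat()}")
    return matches[0] if matches else None


def attribute(events, rows):
    """Attach the responsible RAS client (or None) to each address-only event."""
    return [(ts, ip, action, client_for(rows, ip, datetime.fromisoformat(ts)))
            for ts, ip, action in events]


if __name__ == "__main__":
    for row in attribute(EVENTS, parse_assignments(ASSIGNMENTS)):
        print(row)
```

The same address 10.1.2.10 is attributed to two different clients over the day, and the event in the gap between the two connections stays unattributed; both outcomes are only possible because the assignment log records the end of each connection as well as its start, which is the record the text above asks for.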
The communications link between RAS client and RAS server is generally established over third-party networks. The network components used are generally not under the control of the operator of the LAN to which the connection is made. It must also be assumed that the data will be transmitted not only over the telecommunications network of one provider but also over the networks of that provider's partners; this applies especially where a LAN is accessed from abroad. To satisfy the protection requirements of the data transmitted, security measures must be taken which, for example, assure its confidentiality. The following therefore applies to data transmission:
It is imperative for secure operations that all data transmitted is encrypted.
Signature mechanisms should be employed to safeguard the authenticity and integrity of the data.
A number of security mechanisms can be used for RAS connections in order to satisfy these data protection requirements. These include the following:
The communication can be encrypted at a low protocol level (so-called tunnelling; see S 5.76 Use of suitable tunnel protocols for RAS communication). This requires selection of a suitable procedure. Common RAS systems offer such methods as standard, though which methods and how many differ between products.
SSL can also be used for encryption if it is not possible for particular reasons to use encryption at a low protocol level. This applies especially to access on Web servers or e-mail servers via Web browsers, which support SSL-protected communication as standard. In this connection see also S 5.66 Use of SSL.
As well as software protection of communications, the use of network switching elements such as routers and modems which encrypt data should also be considered. These are especially advisable for stationary use and where several computers are to be connected, as the encryption process is transparent and no extra load is placed on clients and server. However, it should be noted that the devices must be carefully configured and maintained.
Where e-mails are to be exchanged over insecure channels it may be appropriate to use e-mail encryption (see also S 4.34 Using encryption, checksums or digital signatures).
Security with remote access over a RAS connection can only be assured if all the components of the RAS system are correctly and consistently configured. However, it should be noted that, depending on the access procedure, a large proportion of the components used are not under the direct control of the local RAS administration. Therefore RAS access to a LAN must be monitored especially carefully and thoroughly.
Example
As Windows NT comes with RAS support as standard, the Remote Access Service of Windows NT will be used as an example. The functionality offered and the available security mechanisms are, however, generally only suitable for a small number of RAS users and for data which has a low protection requirement. Where there are large numbers of users and the protection requirement is high, additional RAS products should be considered as well.
The following applies to RAS clients running under Windows NT:
For RAS clients, the option of saving user names and passwords so as to allow automatic connections should be disabled. This requires that the "Save password" option in the Dial-Up Networking dialogue is disabled. If the password has been saved by mistake, it can be deleted again by clicking the "Unsave password" pushbutton on the "Security" tab of the properties dialogue.
Automatic establishment of a dial-up connection should only occur after confirmation by the user. This is ensured by selecting the "Always prompt before auto-dialing" option on the "Settings" tab of "User preferences" in Dial-Up Networking. However, it is best that auto-dialling should be completely disabled. This is ensured by disabling the option "Enable auto-dial by location" for all locations on the "Dialing" tab of "User preferences" in Dial-Up Networking.
Care should be taken to ensure that no incoming connections are allowed. For the "Port Usage" setting under Control Panel, Network, Services, Remote Access Service, Attached Device, Configure the option "Dial out only" should be enabled.
To ensure that communications are protected (using MPPE encryption), in the "Security" tab of Dial-Up Networking the options "Accept only Microsoft encrypted authentication" (MS-CHAP) and "Require data encryption" should be enabled. Care must be taken to ensure that the RAS server is correspondingly configured. Note that MS-CHAP authentication and the MPPE session keys derived from the user's password have published cryptographic weaknesses; this is one reason why the built-in mechanism is only adequate for data with a low protection requirement, as stated above.
Assignment of a fixed IP address to each RAS client should be considered. This makes it easier to trace activities performed over the RAS connection. The IP address can be entered in the TCP/IP properties of Dial-Up Networking under Phonebook, Server, TCP/IP Settings in the field "Specify an IP address".
The following applies to RAS servers running under Windows NT:
RAS dial-in should only be permitted for authorised users. For all other users, the option "Grant dialin permission to user" must be disabled. This can be performed either through the User Manager or the RAS Manager.
The option of callback by the RAS server should only be enabled for those users for whom this is explicitly allowed. If possible, a fixed callback number should be used.
In order that RAS clients can request a fixed IP address, the option "Allow remote clients to request a predetermined IP address" under Control panel, Network, Services, Remote Access Service, Attached Device, Network, TCP/IP settings must be enabled.
If use is to be made of MPPE encryption, then the relevant option must be enabled. This is achieved by selecting the following sequence of menu options: Control Panel, Network, Services, Remote Access Service, Attached Device, Network, Encryption settings.
It is possible to specify for a RAS server under Windows NT whether RAS clients may only access the resources of the RAS server itself or also the network to which the RAS server is connected. Depending on the intended purpose (e.g. export of local resources, RAS access server for a network), the appropriate access restriction should be set. This is performed under Control Panel, Network, Services, Remote Access Service, Attached Device, Network, TCP/IP settings, where the option "Allow remote TCP/IP clients to access" is set to "This computer only" or "Entire network"; the more restrictive setting should be chosen unless network access is actually required.
Additional controls:
Are all identified security incidents documented?
Is user authentication performed for every connection established using the specified mechanism?
Is protection of communications enforced for every connection through one of the procedures permitted in the RAS security concept?
Can mobile RAS clients be protected through additional safeguards (e.g. encryption of hard disks)?