
Remote? Yes.
Control? Depends.

BY EDMUND X. DEJESUS



There’s a Zen-like quandary at the heart of the remote-access security dilemma. How can you open a door to provide telecommuters and traveling employees access to your network, but not the door to attacks from malicious intruders? The challenge is to provide the remote-access services your users and enterprise demand without compromising the security of your system as a whole. Easier said than done.

This dilemma may be of special interest to the millions of users of Symantec’s pcAnywhere—and the thousands of system administrators serving them. Using pcAnywhere, you can remotely control a suitably equipped computer from home or on the road. In many cases, this may be the only reasonable and economical way for a help-desk technician, for example, to fix problems on another machine without physically visiting the site.

The local client machine may access that host computer by modem, network or the Internet. But here lies the rub: The intended host machine may be part of the enterprise network. Consequently, permitting access to network resources from a remote machine raises horrifying possibilities for misuse. Of course, pcAnywhere provides several sophisticated security features to safeguard remote access. But are they enough? How do they work with Windows NT’s own security? And what’s coming in the new version 9?

A Secure Link?

For the sake of discussion, your network is presumably already secure enough that pcAnywhere access via the network is permissible. In that case, you only need to consider the security aspects of modem and Internet access.

One network administrator I spoke to details a plausible security breach scenario: Compromising a remote computer could allow access to a host machine behind an enterprise firewall. The attacker could then pierce the firewall using the remote computer. The attacker could use programs like Back Orifice or NetBus to compromise the remote machine. To do this, however, it would be necessary to install the server portion of the program on the remote machine. Alternatively, one could imitate the remote machine without actually using it. This would give the attacker the pcAnywhere information necessary to remotely access the enterprise machine.

Another attack approach is a blind scan for modems using a demon dialer. When an attacker gets a hit, it could be a pcAnywhere host machine with minimum security waiting for outside access. One way to circumvent modem problems is to disallow any access behind the firewall. That certainly will defeat this method of attack, but it raises the question of how to allow secure remote access.

There are several strategies for dealing with modem-mediated access. One is to employ caller ID information, and disallow any calls from non-permitted phone numbers. This solution is outside of pcAnywhere’s capability, and would require third-party hardware. It would also severely restrict the use of remote access, since only calls from certain telephone numbers (known in advance) would be able to access the host machine. A more forgiving strategy is to use pcAnywhere’s own callback facility to predefined phone numbers. And finally, it’s not that onerous to forbid modem access at all. After all, any legitimate user who has a modem can also use the Internet for access.

Internet Issues

Access via the Internet presents its own problems. You allow pcAnywhere access through your firewall by properly configuring certain ports. These are the ports that pcAnywhere normally accesses and listens to (the specific port numbers depend on which version of pcAnywhere you’re using). Naturally, these known ports are the targets of attackers attempting to gain access to the system behind the firewall.

As one consultant notes, this presents both an advantage and a disadvantage. The disadvantage, of course, is that anyone can find out what those ports are and start throwing their tricks at them. (pcAnywhere does offer a "cloaking" option to prevent outsiders from seeing an Internet host.) The advantage is that you know precisely what the attackers are aiming at, and so you can determine what you need to monitor and protect. (Note: you can use the Registry Editor to change the ports to those used by older versions.)

For example, one denial-of-service attack targets a specific port. By bombarding this port with large amounts of data—which pcAnywhere is patiently sifting through to see if someone has pressed Enter—an attacker may be able to hang lower speed machines running some versions of NT. A new version of Symantec’s aw32tcp.dll file seems to plug that hole, however.

There is one feature of pcAnywhere that keeps security folks awake at night. It has to do with how the client negotiates with the host machine. The client sends a UDP packet to the host’s entire subnet. Naturally, if the system is logging these kinds of events, this can look like a system-wide assault. The important distinction is that there is no attempted connection to anything else on the subnet. You can correct this in the registry on the client by disabling the UDP negotiation. On the server side, it is the TCP packets that indicate an actual connection attempt.
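An added example, not from the article, of how a log reviewer can separate the client’s UDP subnet broadcast from a genuine sweep of the subnet. The log line format, the port numbers (the article says they vary by version) and the sweep threshold are all assumptions here.

```python
import ipaddress
from collections import defaultdict

# Assumed port numbers: the article says they vary by version, so keep them
# configurable instead of hard-coding a rule around them.
STATUS_PORT_UDP = 5632   # UDP probe the client broadcasts to the subnet
DATA_PORT_TCP = 5631     # TCP session that follows to the chosen host
SWEEP_THRESHOLD = 3      # distinct unicast targets from one source = a sweep

def parse(line):
    """Parse one "<time> <proto> <src> -> <dst>:<port>" line (assumed format)."""
    time, proto, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected log line: {line!r}")
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"time": time, "proto": proto.upper(), "src": src,
            "dst": dst_ip, "port": int(dst_port)}

def classify(lines, subnet):
    """Return {source_ip: verdict}: a UDP packet to the subnet broadcast address
    on the status port followed by a TCP session to at most one host is the client
    negotiation the article describes; many distinct unicast targets is a sweep."""
    bcast = str(ipaddress.ip_network(subnet).broadcast_address)
    by_src = defaultdict(list)
    for ev in map(parse, lines):
        by_src[ev["src"]].append(ev)
    verdicts = {}
    for src, evs in by_src.items():
        saw_bcast = any(e["proto"] == "UDP" and e["dst"] == bcast
                        and e["port"] == STATUS_PORT_UDP for e in evs)
        targets = {e["dst"] for e in evs if e["dst"] != bcast}
        sessions = {e["dst"] for e in evs   # the TCP packet is the real attempt
                    if e["proto"] == "TCP" and e["port"] == DATA_PORT_TCP}
        if len(targets) >= SWEEP_THRESHOLD:
            verdicts[src] = "sweep"
        elif saw_bcast and targets <= sessions and len(sessions) <= 1:
            verdicts[src] = "pcanywhere-discovery"
        else:
            verdicts[src] = "review"   # anything else gets a human look
    return verdicts

# Constructed sample: one legitimate client negotiation, then one sweep.
SAMPLE_LOG = [
    "10:00:01 UDP 192.168.1.50 -> 192.168.1.255:5632",
    "10:00:02 TCP 192.168.1.50 -> 192.168.1.20:5631",
    "10:05:00 UDP 10.0.0.9 -> 192.168.1.1:5632",
    "10:05:00 UDP 10.0.0.9 -> 192.168.1.2:5632",
    "10:05:01 UDP 10.0.0.9 -> 192.168.1.3:5632",
]
```

Calling `classify(SAMPLE_LOG, "192.168.1.0/24")` labels the first source as a discovery broadcast and the second as a sweep; a source that contacts one host without the broadcast is left for review.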

As with modem access, you can limit Internet access to known addresses. This would require the user to have a static—not a dynamic—IP address, which might be tricky. Naturally, this also can impede legitimate access from mobile users. However, once you set up Internet access from a known static address, your user should have no difficulty. In addition, security is improved tremendously, since an attacker must access the host machine from that same static address.

Protective Tools

One favorite attack, an experienced network manager observes, is to attempt to hack passwords. For this reason, passwords alone cannot be considered adequate security. Although it’s possible to turn off password encryption and send passwords in the clear, this is foolish. The default is to use pcAnywhere’s own proprietary encryption. But some admins question pcAnywhere’s proprietary encryption, and rely instead on 40-bit or 128-bit public-/private-key and symmetric encryption options.

Some system managers note that when pcAnywhere displays asterisks locally as the user types a password, there is software that can determine the actual characters typed underneath the asterisks. Symantec offers a special utility (PASS_FIX) that stops programs that have the ability to decipher passwords over the Internet.

Encryption is a fundamental aspect of pcAnywhere’s security. In addition to password encryption, pcAnywhere uses the Crypto API for low-level encryption services (which requires Windows NT 4.0 with Service Pack 3). These services support secure initiation of a session, remote control, file transfer and chat.

One consultant ponders how to best position pcAnywhere’s security encryption in relationship to an NT server’s native security: instead of, on top of, or alongside of? Determining which option provides the best security was not easy, he says. Ultimately, he decided to use both. For instance, pcAnywhere performs its own login and authentication process, then prompts the client with the server’s login process. The rationale is that, with such an arrangement, he doesn’t have to know which security is better. Not altering either the local network or the Symantec security, he has simply added a level. It’s a win-win security solution.

Other experienced managers opt not to run pcAnywhere through the firewall at all. Instead, they establish a VPN from the remote machine to the firewall. This eliminates the holes in the firewall, and presents a formidable challenge to would-be attackers. pcAnywhere supports both public- and private-key encryption. (Host and remote systems must each have a certificate authority providing public keys to the cryptographic service provider.)
 

Securing Windows

Many administrators use Windows NT’s own capabilities to tighten pcAnywhere’s security even further. For example, you should know who the remote users are. You can restrict these users only to rights they absolutely must have. By not allowing blanket access, you prevent widespread misuse of their accounts by attackers. You should also take advantage of the NT file system’s (NTFS’s) capability to encrypt sensitive files or folders. That way, even if an attacker gains access to a system and some files, he or she may not gain anything.

You should also employ the highest level of crypto that Windows NT offers. Do not, for example, use 40-bit encryption if 128-bit is available. Public/private key encryption is only as powerful as the number of bits you permit for the key. (This level of encryption establishes the authentication of the user. From there on, a symmetric key system handles bulk transfers for better performance.)

A manager of a large corporation with many remote users points out that other security options in pcAnywhere seem unsophisticated, but they are able to close tantalizing loopholes. For example, you should always configure pcAnywhere to blank the host screen, because you never know who might be sitting at that host. You can eliminate prompts also. This means the remote user must know what is expected at each step of the process—but then so must any would-be attacker. You can also configure NT disconnect options, including "Lock the Workstation" and "Logoff User After Disconnection."

An Ear for Security

Symantec has been listening to the security concerns of its users. Version 8 already contains strong authentication of users, allows Windows NT authentication, provides sophisticated callback techniques and supports strong encryption.

pcAnywhere version 9, released at press time, goes even further to address security concerns, according to Charles Laforge, Symantec’s senior product manager for pcAnywhere. The authentication features have been broadened to encompass Windows 9x, for example. Version 9 uses the network for central logging of pcAnywhere events in a single location. This allows administrators to monitor all pcAnywhere use and look for patterns. You can also access the event log of any pcAnywhere machine on the network, for centralized administration. New SNMP messaging capabilities notify administrators instantly of conditions, including host launching without proper security or unauthorized logons.

The Check Point VPN client component is also available with pcAnywhere. This permits establishing secure VPN connections with a compatible enterprise firewall, rather than trying to finesse the firewall to reach a host machine. The pcAnywhere/VPN connection can proceed in either of two ways. The user can set up the VPN first, then launch a pcAnywhere session within it. Alternatively, the user can attempt a pcAnywhere connection to a host behind the firewall. The firewall will request authorization, and the user can then run the Check Point client.

It is becoming increasingly important for system administrators to accommodate the needs of telecommuters and mobile users by offering remote-access solutions. At the same time, these same administrators must maintain the security of the system as a whole. While attackers will continue to test this security by trying to exploit remote access, products such as pcAnywhere continue to offer the highest security possible while allowing reasonable access to authentic remote users.

Ed DeJesus (dejesus@compuserve.com) is a contributing writer for Information Security.

Extracted from the site: http://www.infosecuritymag.com/ - Jul/99