“Secure” Remote Access
For telecommuters and roaming users
Submitted To Mr.: Ahmed Abu Mosameh
Preparation By: Mohammed N. Abu Shammala

“Secure” Remote Access Requirements
• Authentication (Knock, knock, who’s there?)
  • Access to the laptop
  • Access to your network
• Physical Security
  • Lost or mislaid laptops
  • Unauthorised Access to a laptop
• Network Security
  • Network-based attacks/intrusions
  • Information confidentiality
• Malware Protection
• Management/Low support cost
• Ease of Use

Authentication
• Authentication is needed to:
  • Prevent unauthorised access to the laptop
  • Prevent unauthorised access to your network
• The Authentication Scheme needs to:
  • Be easy and seamless to the user
  • Use multiple factors to prevent capture and replay of credentials (e.g. key-logging of passwords)
  • Prevent man-in-the-middle attacks
• Rainbow iKey cryptographic tokens

Physical Security
• Laptops contain your agency’s information
  • Try and keep as little information on the laptop as possible - Don’t use a laptop as a mass file-store
  • Make it difficult to obtain information even with physical access to the laptop – Boot time authentication
  • Media could be removed and read from elsewhere – Disk Encryption
• Procedures + Citrix + WinMagic + Rainbow Crypto Tokens

Disk Encryption – Implementation Choices
• Disk vs File Encryption
  • File Encryption
    • Choose a file, decrypt, use, encrypt, secure erase unencrypted file
  • Disk Encryption
    • Encrypts and decrypts all files (including temporary files) “on the fly”. This process is extremely transparent to the end user.
• Issues for ‘pooled’ resources
  • If laptop L is encrypted with user A’s key then users B, C, D… cannot use the laptop.
  • Use a device access key rather than a user authentication key
• ‘Master’ Keys
  • If a user loses their key, or is not present, can IT Support read the disk?
  • Encrypt the disk encryption key using the user’s key and a key owned by IT Support staff

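The ‘pooled’ resources and ‘Master’ Keys points above, as an added example that is not part of the original slides: the disk is encrypted once under a random device key, and that key is stored wrapped separately for each user and for IT Support. The holder names, secrets and the HMAC-based wrap are assumptions; the wrap is a standard-library stand-in for a real key-wrap algorithm such as AES Key Wrap (RFC 3394).

```python
import hashlib, hmac, secrets

ITERATIONS = 100_000  # assumption: PBKDF2 work factor chosen for this sketch

def _kek(secret, salt):
    # Derive a 32-byte key-encryption key from a holder's secret.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)

def _prf(kek, label, data):
    # HMAC-SHA256 with a label so the encryption and MAC uses stay separate.
    return hmac.new(kek, label + data, hashlib.sha256).digest()

def wrap(dek, secret):
    """Build one key slot: the device key encrypted and authenticated under secret."""
    if len(dek) != 32:
        raise ValueError("device key must be 32 bytes")
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    kek = _kek(secret, salt)
    ct = bytes(a ^ b for a, b in zip(dek, _prf(kek, b"enc", nonce)))
    return {"salt": salt, "nonce": nonce, "ct": ct,
            "tag": _prf(kek, b"mac", nonce + ct)}

def unwrap(slot, secret):
    """Recover the device key, or raise if secret does not match this slot."""
    kek = _kek(secret, slot["salt"])
    tag = _prf(kek, b"mac", slot["nonce"] + slot["ct"])
    if not hmac.compare_digest(tag, slot["tag"]):
        raise ValueError("secret does not open this slot")
    return bytes(a ^ b for a, b in zip(slot["ct"], _prf(kek, b"enc", slot["nonce"])))

def provision(holders):
    """Generate one device key and wrap it once per holder (users and IT Support)."""
    dek = secrets.token_bytes(32)
    return dek, {name: wrap(dek, secret) for name, secret in holders.items()}

def revoke(slots, name):
    """Drop one holder's slot; the disk itself is not re-encrypted."""
    return {n: s for n, s in slots.items() if n != name}

# Constructed sample holders: two users of a pooled laptop plus IT Support.
HOLDERS = {"user_a": b"token-secret-A", "user_b": b"token-secret-B",
           "it_support": b"escrow-secret-IT"}
```

Removing a slot stops future unlocks with that secret, but a holder who has already recovered the device key still knows it, so full revocation means re-encrypting the disk under a new key.
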
Network Security
• Your Agency’s information travels over the Internet.
• Make sure that nobody can watch it go past; prevent unauthorised access to your information resources.
  • Packet sniffing – Session encryption e.g. IPSEC or SSL
  • Man-in-the-middle
    • Authenticate both the “Server” and the “client”!
  • Capture-and-replay
Network Attack Prevention
• Protect the client system
  • Disable unneeded services
  • Use a personal firewall to only allow access from applications that should be using the network/internet
• Agency owned systems versus staff owned (or internet café) systems
  • Filter traffic from the client to your network – it should only be trying to access expected services!
  • E.g. CodeRed, MSBlaster, SQLSlammer!
• Cisco VPN Client + Rainbow Crypto Token + ZoneAlarm

Malware Prevention
• Personal Firewall
  • Use a personal firewall that authenticates which applications connect to the internet or your network – this prevents rogue software from spreading over the network
• Anti-virus
  • Prevents detected Malicious Software from executing on the laptop
  • Does it update ‘automagically’?
• System Resources
  • Multiple instances of security software for disk encryption, network encryption, authentication, firewall, anti-virus... Is this a DoS attack in itself?
• ZoneAlarm + McAfee + WinMagic + Cisco VPN + .. + RAM

Management and Support
• Managing and supporting LAN clients and Remote clients can be very different
  • Physical access to hardware
  • Access to bandwidth for downloading patches
  • Login scripts and domain management tools may be unavailable
  • Thin-client – one update for all users
• The biggest support headache…
  • Getting roaming users connected to the internet

Ease of Use and End-User Awareness
• A “Secure” Remote Access System needs to be really easy to use so that:
  • End users use it and do not circumvent it!
  • E.g. Choose to use WebMail instead of secure Remote Access connections
• Make it intuitive
  • Don’t rely on all end users to read the documentation
  • If possible train/demo the system before they leave