CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [258]

from gaining access to the private LAN. If the preauthentication system is disabled, then no communication is allowed from any remote access link. The preauthentication system serves as a dead-man switch for all remote access links: when it stops, every remote path into the core private LAN stops with it. Keep in mind that it is better to lose remote access capabilities than it is to lose the entire private LAN.

You can use preauthentication systems for any form of remote access that connects into a private LAN. These systems include dial-up, broadband, VPN, wireless, satellite, remote control, and remote shell. You need to know what forms of remote access are needed and how to deploy a preauthentication system to provide that additional layer of protection for the rest of your LAN.

Preauthentication systems can sometimes offer connection filtering. Connection filtering allows for restrictions to be placed on remote access links. These can include the type of OS used, the protocols supported, the user accounts involved, the time of day, the logical addressing of the client, the LAN systems the remote client is allowed to communicate with, and even the content of the communication. The use of connection filtering can reduce an otherwise full-network-access remote link to a limited-functionality, single-purpose link. This filtering greatly reduces the potential for exploitation.
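The dead-man behavior described above (a disabled preauthentication system denies every remote link) and the connection-filtering restrictions listed in the last paragraph can be expressed as one deny-by-default policy check. The following is an added example, not code from the study guide; the `PreauthPolicy` and `RemoteRequest` classes, the policy values, the hostnames, addresses and the sample requests are all constructed for illustration.

```python
"""Added example: a preauthentication gate with connection filtering.

Illustrative code, not from the study guide. All policy values, hosts,
addresses and sample requests below are constructed assumptions.
"""
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network


@dataclass
class RemoteRequest:
    user: str
    client_os: str
    protocol: str          # e.g. "ssh", "rdp", "smb"
    client_ip: str         # logical address of the remote client
    target_host: str       # LAN system the client wants to reach
    hour: int              # local hour of day, 0-23
    payload: bytes = b""   # first bytes of the session, for content checks


@dataclass
class PreauthPolicy:
    enabled: bool = True   # dead-man switch: False denies every request
    allowed_users: set = field(default_factory=set)
    allowed_os: set = field(default_factory=set)
    allowed_protocols: set = field(default_factory=set)
    allowed_client_nets: list = field(default_factory=list)  # CIDR strings
    allowed_targets: set = field(default_factory=set)
    window: tuple = (0, 24)        # permitted hours, [start, end)
    banned_content: tuple = ()     # byte patterns rejected in the payload

    def evaluate(self, req):
        """Return (allowed, reason). Every check denies unless it passes."""
        if not self.enabled:
            return False, "preauthentication system disabled: all remote access denied"
        if req.user not in self.allowed_users:
            return False, f"user {req.user!r} not permitted"
        if req.client_os not in self.allowed_os:
            return False, f"client OS {req.client_os!r} not permitted"
        if req.protocol not in self.allowed_protocols:
            return False, f"protocol {req.protocol!r} not permitted"
        try:
            addr = ip_address(req.client_ip)
        except ValueError:
            return False, "client address unparseable"
        if not any(addr in ip_network(net) for net in self.allowed_client_nets):
            return False, f"client address {req.client_ip} outside permitted networks"
        if req.target_host not in self.allowed_targets:
            return False, f"target {req.target_host!r} not reachable over this link"
        start, end = self.window
        if not start <= req.hour < end:
            return False, f"hour {req.hour} outside permitted window"
        for pattern in self.banned_content:
            if pattern in req.payload:
                return False, f"content matched banned pattern {pattern!r}"
        return True, "allowed"


# Constructed policy: one user, SSH only, from one client network, to one
# jump host, during business hours, with a crude content filter.
POLICY = PreauthPolicy(
    allowed_users={"alice"},
    allowed_os={"linux", "windows"},
    allowed_protocols={"ssh"},
    allowed_client_nets=["203.0.113.0/24"],
    allowed_targets={"jumphost.example.internal"},
    window=(7, 19),
    banned_content=(b"rm -rf /",),
)
# Same policy with the dead-man switch thrown.
DISABLED_POLICY = replace(POLICY, enabled=False)


def constructed_requests():
    """Constructed sample requests: one good, the rest each break one rule."""
    base = dict(user="alice", client_os="linux", protocol="ssh",
                client_ip="203.0.113.10", target_host="jumphost.example.internal",
                hour=9, payload=b"uptime\n")
    return {
        "good": RemoteRequest(**base),
        "wrong_user": RemoteRequest(**{**base, "user": "mallory"}),
        "wrong_protocol": RemoteRequest(**{**base, "protocol": "smb"}),
        "wrong_network": RemoteRequest(**{**base, "client_ip": "198.51.100.5"}),
        "wrong_target": RemoteRequest(**{**base, "target_host": "fileserver.example.internal"}),
        "after_hours": RemoteRequest(**{**base, "hour": 23}),
        "bad_content": RemoteRequest(**{**base, "payload": b"rm -rf /\n"}),
    }


def decide_all(policy, requests):
    """Map each request name to the policy's allow/deny decision."""
    return {name: policy.evaluate(req)[0] for name, req in requests.items()}


if __name__ == "__main__":
    for name, req in constructed_requests().items():
        print(f"{name:15s} enabled={POLICY.evaluate(req)}  disabled={DISABLED_POLICY.evaluate(req)}")
```

The order of checks is deliberate: the cheap identity and protocol checks run before the address and content checks, and the first failing rule ends evaluation, so the returned reason names exactly one violated restriction. A real gateway would enforce the same rules in its firewall or VPN concentrator rather than in application code, but the deny-by-default shape is the same.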

Another important aspect of remote access to consider is that even with the best security on the remote access link itself, a compromised remote client can lead to the compromise of the LAN. Remote clients can be compromised by malware, theft, or physical intrusion into the location where they are stored. In most cases, the locations where remote access clients reside are much less secure than the physical location of the LAN. Remote access clients are also typically used for personal activities and general Internet access on the same system. These are risky behaviors that can lead to security breaches. You should use a remote access client only to connect securely to the LAN. You should not use a remote access client for any other purpose, especially not for personal Internet access.

Dial-Up

Any form of remote access can serve as a means to bypass the network’s security policies and filtering devices, but dial-up links are the most notorious for this. This notoriety is due to their ease of use and their existence on nearly every computer. Modems are rarely used for business purposes in today’s broadband, high-speed-access world. But from time to time, your organization might need to interact with a legacy service that still supports only telephone line modem dial-up connections.

If possible, modems should be barred from your private LAN except on those systems that absolutely require them. If the modem cannot be removed from the computer, then create a hardware profile that disables the modem when the computer is connected to the LAN. You might also consider disabling it through the computer’s CMOS or BIOS.

All unused phone connection ports should be disabled. If a Private Branch Exchange (PBX) system is used, configure it to detect and block all computer communication calls. Regularly inspect every device in the building for improper cabling, especially telephone lines connected to modems that should not even be present anyway.

Impose callback security and caller ID verification whenever possible on inbound calls. Don't use phone numbers for dial-in modems that fall in the same prefix range as your company's voice numbers, because that makes discovery of your dial-in modem lines too easy: a single war dialer could find them in minutes.
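The two inbound-call controls above can be shown as one dial-in handler: caller ID is checked against the number registered for the account, the password is verified, and the server then hangs up and dials the number on file rather than anything the caller asked for. This is an added example, not code from the study guide; the `DialInServer` class, the account table, the phone numbers and the `shares_voice_prefix` helper are all constructed assumptions, and the "line" is simulated with a list of outbound calls.

```python
"""Added example: caller ID verification plus callback security for dial-in.

Illustrative code, not from the study guide. Accounts, numbers and the
simulated phone line are constructed assumptions.
"""
import hashlib
import hmac
import os
import re


def hash_password(password, salt=None):
    """PBKDF2-SHA256 password hash; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


# Constructed account table. Each account has exactly one callback number,
# set by the administrator; the caller can never change it.
_salt, _digest = hash_password("correct horse battery staple")
ACCOUNTS = {
    "alice": {
        "salt": _salt,
        "digest": _digest,
        "caller_ids": {"+15551230001"},      # numbers alice may call from
        "callback_number": "+15551230001",   # the only number we dial back
    },
}


class DialInServer:
    def __init__(self, accounts):
        self.accounts = accounts
        self.calls_placed = []   # simulated outbound line: numbers dialed back

    def handle_call(self, caller_id, username, password, requested_callback=None):
        """Process one inbound call and return the list of events that occurred."""
        events = []
        acct = self.accounts.get(username)
        # Caller ID verification. Caller ID can be spoofed, so this is only a
        # filter; one generic rejection covers unknown users and bad caller
        # IDs so the prompt cannot be used to enumerate account names.
        if acct is None or caller_id not in acct["caller_ids"]:
            events.append("rejected:caller_id")
            return events
        events.append("caller_id_ok")
        if not verify_password(password, acct["salt"], acct["digest"]):
            events.append("rejected:bad_password")
            return events
        events.append("auth_ok")
        # Callback security: drop the inbound call and dial the number on
        # file. A number supplied by the caller is ignored; honoring it would
        # let anyone holding stolen credentials have the server call them.
        if requested_callback and requested_callback != acct["callback_number"]:
            events.append("requested_callback_ignored")
        events.append("hangup")
        self.calls_placed.append(acct["callback_number"])
        events.append(f"callback:{acct['callback_number']}")
        return events


def _exchange_prefix(number):
    """Area code + exchange (first six national digits) of a NANP number."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits[:6]


def shares_voice_prefix(modem_number, voice_numbers):
    """True if a modem line sits in the same prefix block as any voice number,
    i.e. a war dialer sweeping the company's block would find it."""
    return _exchange_prefix(modem_number) in {_exchange_prefix(n) for n in voice_numbers}


if __name__ == "__main__":
    srv = DialInServer(ACCOUNTS)
    print(srv.handle_call("+15551230001", "alice", "correct horse battery staple",
                          requested_callback="+15559990000"))
    print(srv.handle_call("+15559990000", "alice", "correct horse battery staple"))
    print("modem in voice prefix:", shares_voice_prefix("+15551234567", ["+15551230001"]))
```

The callback step is what gives the control its strength: even a caller who spoofs caller ID and holds a valid password still cannot get a session unless they also control the registered phone line, because the inbound call is dropped and the server places its own call.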

Remote Control/Remote Shell

Remote control is the ability to manipulate a remote computer system without having to be physically present at its keyboard. This allows your local keyboard, monitor, and mouse to be used as the interface I/O devices for the remotely controlled system. This mechanism greatly eases administration because numerous systems can be managed from a single workstation. However, it also generally reduces security. Your ability to control
