CTIO Road Warriors: Providing Secure Remote Access

CTIO Road Warriors: Providing Secure Remote Access

James Babcock Hughes CISSP, GCIA, GSEC
Updated August 8, 2008

Introduction

CTIO folks who attend conferences, visit other observatories, or travel to meet with scientific collaborators or vendors still need to access CTIO's information infrastructure from a possibly unsafe environment. Even those who don't travel that frequently still wish to log in from home or other places to read their email, work on an important project or just check that things are OK.

The security risk to CTIO due to outside users is that their computer, laptop or even PDA, besides being lost or stolen along with its valuable data (like passwords), could also become a vector through which viruses and other malware can breach CTIO's defenses, either from home, during the trip or later when mobile devices are reattached to the CTIO network.

This document looks into the security issues mostly specific to CTIO's traveling users with a great deal of overlap with remote home users: the topics are access methods, hardening techniques, suggestions, and some specific solutions which CISS uses to address these issues. At risk of spoiling the punchline, you should make sure your computer is properly protected, and in particular have CISS check out your traveling laptop and make sure it is up to snuff!

Motivation
An interesting 2004 article on www.slashdot.com states that a brand new computer running Microsoft software attached to the internet from an unprotected network (just attached -- worms for example don't need email to infect a computer) without firewall or anti-virus is infected within 20 minutes on average (!). A few years earlier, this average was 40 minutes, and today you will typically be able to see the first probes from malware within 5 minutes of attaching a computer to a network for the first time.

Fairly recently, a CTIO Windows computer without any users was inadvertently left running outside the firewall. Four hours later, the entire CTIO commodity connection to the Internet was completely saturated with traffic -- emanating from the now infected machine!

In order to shelter users from the internet jungle and the wild woolly web, and to guarantee the confidentiality, integrity and availability of a user's data and applications, best industry practice requires the architecture of a computer infrastructure to provide defense-in-depth against hackers and their software.

Defense-in-depth means that security is layered: protection is afforded by a Firewall, by a network Intrusion Detection System, by a host based Intrusion Detection System, by encrypted data transfers, by non-trivial passwords, by virus and spyware scanning software, etc. If one layer fails, the evil hacker must still break through more layers before actually taking over a machine or stealing confidential information like your credit card number. The hacker may have an exploit that breaks through one layer, but then must analyze the defenses and find another exploit to break through the next layer, and so on.

Even if the hacker happens to have exploits for ALL the layers, applying them all takes time, hopefully enough time to detect the hacker and shut him down (which is what an Intrusion Detection System does), or enough time to make the hack moot (the targeted user disconnects and moves on),or enough time to frustrate the hacker so he/she will just give up and seek less defended victims.

Unfortunately, remote users, particularly mobile ones, simply will not have the same defenses at their disposal as the main institutional network. For CTIO and most organizations, traveling users are simply more vulnerable while they are traveling.

That which is desired is to cover CTIO's remote and mobile users with as effective a layered defense as possible which still adequately protects them and the organization against security incidents.

Access to CTIO

Services by CTIO for remote users includes public access provided to everyone with an internet connection (in other words, access to the CTIO public ftp site to extract files, access to CTIO's external WWW site, and sending email), along with vectored access exclusive to CTIO staff and visitors such as remote login to the internal CTIO network via SSHv2 or transferring email from CTIO's email server via IMAP.

Secure, encrypted remote logins can be provided using SSH Secure Shell. SSH packages usually come with a secure FTP based on the same SSL libraries. At CTIO we generally use freeware versions of SSH such as puTTy for Microsoft based systems. See the CTIO WWW security pages.

Remote IMAP connection to our email server ctiosy.ctio.noao.edu is possible through VPN or the older but quickly obsolescing setmail authorization granting utility.

The industry 'best practice' for allowing remote access to an organization is the one also preferred at CTIO: network access via VPN. While not a security panacea, VPN offers the best combination of transparency, flexibility and protection for the organization and the remote user.

Virtual Private Networks

VPN, Virtual Private Network connections, are a simple and safe means to remotely connect up to the CTIO network. They can provide authentication (protection against spoofing and session hijacking), and confidentiality (protection against stolen information), between the remote user's machine and CTIO: via VPN a remote computer actually becomes a virtual part of the organization network and its traffic "appears" to be emitting from within CTIO. As a result, a laptop connected to CTIO's internal network will function almost identically to one connected via VPN from far away: most applications will work transparently in the VPN environment.

A nice side benefit for computers connecting to CTIO via VPN is that they inherit many of the resources available to other CTIO computers, for example access to intranets open to CTIO, IP number based subscription services, journals, etc.

However, since the remote machine is still connected up from the outside internet even while VPN'ed into CTIO, if taken over by malware it can be used as a trojan horse used to bypass CTIO's normal defenses. Even worse, since much of the VPN traffic is encrypted via IPsec, security appliances such as IDS are unable to scan remote machine traffic for malware.

Fortunately, VPN these days is handled by firewall devices, such as CTIO's CISCO PIX, that impose the same or tighter security requirements on a VPN client as they do to other internal organization computers. In addition, we require both a VPN group password and a valid username and password before our RADIUS authentication server will allow the VPN connection to establish.

All this helps, but does not prevent a machine that has been taken over by malware from causing problems via VPN.

The upshot is that the remote computer or laptop needs to have its own perimeter defenses in place, such as personal IDS or firewalls, anti-virus and anti-spyware software installed. A CISCO VPN client is typically required for running VPN into CTIO and making best use of the IPsec encryption options - for Linux, the open source vpnc software is even better. Check with CISS to make sure the proper VPN client is installed on your laptop.

Remote Hardening Procedures

Ideally, all computers, permanent or mobile which are ever connected to the CTIO network are already configured to be as secure as possible. This means having the latest security patches and locking out un-needed service servers such as WWW (particularly Microsoft IIS!), telnet, FTP, etc. However, the intrinsic security of the average machine in the CTIO network is still not sufficient if that machine were magically (or otherwise) transported outside the safety perimeter of the CTIO computer network.

Traveling devices are worse off even than the public CTIO servers that live outside the firewall in what is known as the "DMZ", which must operate in an security environment similar to those of remote user's computers. These DMZ servers, although exposed to the entire Internet, are hardened more than the typical CTIO computer, and a firewall still protects them from many types of probes and attacks. Moreover, the CTIO network based Intrusion Detection System is scanning ALL incoming and outgoing packets before these even reach the firewall or DMZ. Even home computers may be safer, since cable modems or switches often have a rudimentary firewall, and some Internet Service Providers often run at least some firewall protection.

Applying the following extra steps will go a long way in restoring some of the protection not available to traveling computers while on the road, and need to be applied to home computers as well:

Note that some of the packages refered to below are available from our anonymous FTP server ftp.ctio.noao.edu, under pub/software, but there is no firm guarantee that the latest version is there. For the latest, and for software that is licensed, you will have to ask CISS explicitly.

Also note that Linux or MacOS systems are typically immune to many, but by no means all, of the dangers referred to below: only some of the references would apply...

Configure Access Software - The user needs to make sure SSH version 2 is on the mobile or home machine, and has the latest CISCO VPN client software. See the CTIO Network Security Guidelines WWW pages for more information.
Virus Scanning and Spyware Protection - If you run Microsoft products you risk being infected by a virus which these days most likely means that a computer will be taken over by a remote administration trojan, which in a nutshell means a computer can be used to whatever end a hacker wants, typically as a zombie to send more viruses, SPAM email or to attack some other site (like CTIO!).
The user needs to make sure an up-to-date anti-virus, such as CTIO's centrally administered McAfee, is installed. When a machine becomes connected to a network, the system downloads the latest up-to-date signatures, automatically, once or twice a day. Earlier versions required the laptop or machine to be physically present on the CTIO network but newer versions will update themselves while on the road.
Whatever anti-virus you have, make sure you have the latest signatures. Also note that anti-virus software that doesn't have up-to-date signatures is nearly useless: the danger is in the newest viruses, typically there are only a half dozen viruses (out of thousands) that are actually making the rounds and are truly dangerous at any given time...
Another type of malware which plagues computers these days is Spyware, whose characteristics often closely mimic the worse worms and viruses: this software exploits the same flaws as virii, also hides from detection software, also installs daemons on your computer you did not ask for. This software typically *could* do anything a virus does, though typically not used for SPAM or denial of service attacks.
At CTIO we recommend Microsoft users run AdAware, and also Spybot as two very effective tools (in free versions) to remove Spyware. You should make sure your versions of these are up-to-date.
Personal Intrusion Detection System - The Microsoft user need to make sure an up-to-date version of personal firewall/IDS such as ZoneAlarm (which is what we use at CTIO) has been installed and configured, alternatively Black ICE Defender. The personal IDS is very important for the mobile user as this software must substitute for the organization's firewall and IDS systems. It will warn the user when there is an attack and hopefully shutdown the attacker's attempts to connect. The personal IDS should be configured at the highest security setting to provide maximum protection.
If the laptop runs a form of UNIX such as Linux or MacOS, the ipchains or better variants such as iptables or ipfilters firewall package can substitute for a personal IDS. This is the most important defense on a Linux system and can help keep hackers from breaking in by shutting down services and ports that are not actively used.
Install Physical Security Hardware - The user could consider buying hardware locks for securing a laptop or computer to a fixed object. These will clearly not stop a determined thief but may slow them down long enough to prevent a theft.

Out in the Cruel World

This section is germane mostly to remote users travelling with laptops, but may be of interest to home users as well.

The healthiest concept for the traveling road warrior is - extreme paranoia. Common sense is the most useful defense. Clearly, don't do things like type in a password to your account here at CTIO, or your American Express card number into a random computer screen of some random airport "cybercafe" - the computer could easily be running special key capture software, or even a hardware (!) device like the KeyKatcher or similar which gathers what you type *before* it is ever encrypted. Running one's own laptop using a wireless connection is only a bit safer, but wireless security is shaky at best and whatever you type in *may* be easily sniffed by someone. Hopefully what was in the packet is already encrypted (which is what VPN brings to the security table) or not of value.

The traveling user needs to keep the following risks in mind while on the road:

Loss or theft of the laptop/PDA. - Notebooks are highly prized by thieves and will disappear in a New York minute from an airport xray scanner, from a hotel room or from a conference terminal room. Ideally one would never let it out of ones sight, and always carry it as hand luggage, never checked as baggage. In a particularly unsafe environment, one might even consider locking it up in the hotel safe at night.
The Risk of Prying Eyes - Someone may be watching over the traveler's shoulder, (shoulder surfing), or even capturing video of the user from a hidden camera, recording each and every keystroke. A sophisticated variant of this technique is often used with dramatic results with bank ATM machines! The user should look around a bit and take extra care when typing in passwords or other sensitive data in any public place.
The Risk of Being Sniffed - Someone may be capturing all the user's network packets, over a conference LAN, over a hotel cable hub, over wireless, or anywhere between a user's laptop and the home institution. If anything the user has typed is in cleartext, then the hacker can see it and may use it to mount a more serious exploit. The user needs to make sure the personal firewall or IDS system is engaged and make sure that all access to the home organization is via secure encrypted applications or channels like VPN and SSH.
The Risk of Being Hacked - After probing a user's remote computer for open ports or unprotected file shares, malware may succeed and infect the machine. The initial setup of the computer should be patched and have ports closed off, and the user must help by not running software that might defeat these protections (e.g.- Napster, ICQ, mIRC), or visiting questionable sites which might trigger scripts that exploit vulnerabilities in Microsoft's Internet Explorer for example. The user should not leave the device unattended at all, if possible: someone could install a remote administration trojan from a USB pen drive in less than the time it takes to come back from the restroom.
The Risk of Downtime - The traveler should not hesitate in getting in touch with CISS support should he or she run into a problem, whether hardware malfunction or a security incident. This may give us a heads up that an attack on the CTIO network is imminent. By tracking the event, it may be possible to solve the problem remotely and help the traveler get back on track.
The Risk of not Detecting an Exploit - While the traveler is on the road, CTIO will monitor security log files with particular care to verify that accesses from the traveler are legitimate, and are as agreed to. If it appears the traveler is trying to probe the system in unexpected ways, it is quite possible that someone else is spoofing his machine or has taken it over. Someone from CTIO may need to call the traveler to check out these incidents.

Conclusion

The guidelines presented here for road warriors are just a mixture of security common sense, practical advice for travelers, and the application of technologies which did not exist at all a few years ago (personal IDS software first appeared in 1999). Many of the points discussed apply equally well to other situations: users working from home, turnkey computers provided as part of a larger system, or even visitors hooking their laptops up to CTIO's network. Each of these situations provides a way for hackers to get into our network.

These guidelines will clearly change over time and the nature of the security threats change along with computer technology. Again, please keep security in mind whenever you use a computer remotely to get back into the CTIO network, and check with CISS so we can make sure your laptop has all of the latest patches, personal IDS, anti-virus and encrypted applications so you can at least rest a little easier when you are on the road...