With the increasing popularity of tele-commuting, the need for remote system management and inter-office network connectivity. The demand for remote access is something that can not be ignored.Remote access is one of the most difficult security problems to solve when designing and implementing a good security plan. The classical problem being how does one allow the "good guys" in while keeping he "bad guys" out.
Traditionally access systems have used a static ID and password pairs over non-encrypted communication streams. Unfortunately static ID / password pairs are the weakest and most common authentication method and the use of a clear text communications medium only makes the problems worst.
On todays hostile Internet, password interception, session "hijacking" and host spoofing are common place.
Any security plan must take such risks into account. Fortunately there are solutions to these threats. The most common of which is the use of traditional dialup up modem access.
Programs that automatically record ID / password-pairs are available for free on the Internet. Modem access is good for protection session hijacking and interception access since the data path does not involve the Internet. But maintaining a secure dialup can be just as taxing and difficult as setting up secure Internet access. Passwords are still susceptible attacks and theft and dialup systems are commonly miss-configured. Other disadvantages of modem access is cost. Special dedicated hardware such as terminal server are necessary for maintaining dialup pools there is also the monthly cost of a dedicated bank of phone lines for the modems. Also the number of users will be limited toby the number of lines available. Some users will have to pay long-distance charges is they do not live in he local area.
One time password systems offer a good defence against password attacks for both modem and Internet. Freeware systems such as s/key and products like SecureID provide an authentication system that utilizes a unique password for each login attempt thus rendering password theft useless.
Network access is commonly a more favorable remote access solution because it is cost effective and convenient for employee to use. But the risks of inbound access include those of modem access as well as others such as session hijacking and data/mail interception. For direct inbound Internet access there are many solutions to the other potential security risks such as session "hijacking" and data/email interception.
One-time passwords and firewalls do not protect against connection hijacking. Hijacking allows commands can be transparently added to remote terminal sessions. E.g. banking sessions The necessary programs can be bought off the shelf and a competent programmer could write them in a matter of days.
The best defence against these attacks is encryption.
Products such as SSH from data fellows (free on the Unix platform and commercially sold for Mac and Windows). and Kerberos from MIT both provide for encrypted communications as well as public key based access authentication.
By encrypting the login data stream it becomes impossible for attackers to monitor the communications as well as hijack the data stream. Other advantages of the use of encryption is the ability of the hosts authenticate with the use of public keys in addition to the passwords, thus further increasing the security.
Systems can be configured to only allow inbound access from known sites and ignore login attempts from unknown Internet sites.
While we are on the subject, simular techniques should be applied to Intranet communications and all out bound connectivity. Since the risks of hostile attack do not just exist just on the inbound connection but internally as well.
Secure out bound access is also importment, since if a site is being attacked or monitored a attacker will be likely to monitoring these channels also in hopes of obtaining information that may be of use.