
Secure remote access points and configure connections to avoid a hack

This installment in our series focuses on poorly secured remote access points that can bypass firewalls and intrusion detection systems and give hackers the key to the candy store.

Hackers love poorly configured remote access points, and why shouldn't they? Many times they represent an open door into a network without having to fuss with firewalls and intrusion detection/prevention systems (IDS/IPS) at the Internet border. Considering the threat that these misconfigured devices pose, all organizations should secure remote access points and configure remote connections to prevent a hack. The fact is that most networks have remote access points, and most of those access points don't employ adequate security. Remote access points most often come in the form of dialup modem banks and VPN concentrators, and it doesn't take much to discover the phone number or IP address.

Most remote access points require only a static user ID and password to log on to the network. If your remote access point doesn't require strong authentication, you should probably count on the fact that someone out there, maybe an employee or vendor, has set up a remote connection to your network with a saved user ID and password. This means your network is available to anyone who opens that connection, including your employee's neighbor whose computer was used to check email a month ago, and that vendor's employee who quit last week and took all his clients' remote access passwords with him.

How to secure remote access and configure remote connections
To remedy this problem, it is best to implement some type of strong authentication, requiring a user ID and a single-use password or biometric. There are a number of vendors that sell remote access keychain tokens, which generate a new single-use passcode every few seconds. Additionally, your suppliers and vendors could be required to call your operations department to obtain a passcode for remote access, thus adding another layer of security when dealing with outsiders. By implementing a strong authentication system, saved passwords for remote connections will no longer represent an information security risk.
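As an added illustration of the single-use passcode idea (this is example code, not from the article or any token vendor): a verifier that derives time-based codes from a shared seed in the RFC 6238 style and refuses a code once it has been accepted, so a saved or captured passcode does not buy a second login. The seed, step size and drift window below are assumed sample values.

```python
import hmac
import hashlib
import struct
import time


class SingleUseTokenVerifier:
    """Server-side check for keychain-token style passcodes.

    Codes are HMAC-SHA1 over a time counter (RFC 6238 / RFC 4226 truncation).
    Once a counter value has been accepted it is never accepted again, which is
    what makes a saved or replayed passcode worthless to anyone who kept it.
    """

    def __init__(self, seed: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.seed = seed          # shared secret provisioned into the token (sample value)
        self.step = step          # seconds per counter tick
        self.digits = digits
        self.window = window      # tolerate +/- this many ticks of clock drift
        self.last_counter = -1    # highest counter already consumed by a login

    def code_for(self, counter: int) -> str:
        """Compute the passcode for one counter value (what the token displays)."""
        mac = hmac.new(self.seed, struct.pack(">Q", counter), hashlib.sha1).digest()
        offset = mac[-1] & 0x0F                      # dynamic truncation
        value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(value % (10 ** self.digits)).zfill(self.digits)

    def verify(self, code: str, now: int) -> bool:
        """Accept a code only if it matches an unused counter inside the drift window."""
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # already consumed: replaying a saved code fails here
            if hmac.compare_digest(self.code_for(c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    verifier = SingleUseTokenVerifier(b"12345678901234567890")  # constructed sample seed
    now = int(time.time())
    shown = verifier.code_for(now // 30)              # what the keychain token shows
    print("first use accepted:", verifier.verify(shown, now))
    print("replay accepted:", verifier.verify(shown, now))
```

The first login with a freshly displayed code succeeds; presenting the same code again is rejected even though it is still inside the clock-drift window.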

Additionally, most remote access points don't inspect the remote computer for viruses or hacking software, and they usually don't watch the network traffic coming from such computers. If a user with a virus-infected PC, or a hacker running attack tools, were to log on to your network remotely, the network could be on the receiving end of a server compromise or a virus outbreak. To help prevent a remote connection hack, it is best to have an IDS or IPS sitting inline between your remote access point and your internal network. Such a system should be capable of catching network-based attacks from hackers or hybrid viruses. Some systems will even prevent users from connecting to your network if their antivirus software is not up to date. It is also best to limit the number of ports allowed access into your internal network.

By giving some attention to the authentication process and the traffic coming from remote users, you will greatly reduce the risk of your remote access points being a source of unwelcome company.

About the author
Vernon Haberstetzer, president of security seminar and consulting company, has seven years of in-the-trenches security experience in healthcare and retail environments.



  Introduction: Hacker attack tactics
  How to stop hacker theft
  Hacker system fingerprinting, probing
  Using network intrusion detection tools
  Authentication system security weaknesses
  Improve your access request process
  Social engineering hacker attack tactics
  Secure remote access points
  Securing your Web server
  Wireless security basics
  How to tell if you've been hacked


This was last published in February 2005
