Looking at computer security breaches that have occurred over the years, there are a couple of details that stand out. First, a lot of breaches occur because of social engineering and the failure of the human element. Second, security controls fail when networking devices, servers, desktops, or databases are accessed remotely, whether that access is through a website, application, or a direct connection by a person.
There are steps we can take to make these remote connections more secure and less likely to result in a security breach. Common causes of this type of breach are forgetting to change default usernames and passwords, using weak usernames and passwords, and using insecure communication protocols. Let’s take a look at some of the common ways to secure these types of connections:
- Change all default usernames/passwords
- Use only secure protocols like:
- Make sure insecure protocols are disabled and not configured, like:
- Restrict access to limited IP ranges if possible
- Put access to these resources behind VPN connections if possible
- If VPN is not available or impractical, use port forwarding with custom port numbers
- Change from the common protocol ports to custom ports
These common methods are just the first step to make sure your personal and/or business's information is secure and should only be used if the data being protected by them is not critical. To make these connections more secure you must go further. The following methods allow for more secure connections, more control over access, and even better logging capabilities to figure out what happened if there is an incident.
The first method in securing remote connections involves going further with SSH, Secure Socket Shell. Beyond just using SSH as a connection method, it can be used to control access, and even in some cases to authenticate systems. When configuring connections to servers, network devices, and even Microsoft RDP, you can use SSH Key pairs. The public key goes on the system you want to be able to access and the private key on the system you will be using to access the resource or system. This allows access without having to use usernames or passwords, and makes brute forcing the systems harder since you need the private key to authenticate to the system.
Going one step further, you can add passphrases to the key pairs so that if the key pair is compromised, it’s not an immediate breach since the passphrase would have to be figured out as well. This acts as a form of two-factor authentication. SSH keys can be used to authenticate allowed systems and allowed users, and the keys can be restricted so that each key configured is only allowed access from certain IP addresses. Keep in mind, however, that SSH keys carry risks. For instance, a key could be compromised and used to access a system or resource; keys normally have no set time after which they become invalid; keys need to be removed from systems manually; and there is no way to verify whether the keys were generated from a legitimate source.
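To make the per-key IP restriction and the manual-removal problem concrete, here is an added example (not from the original article) that inventories an OpenSSH `authorized_keys` file. It reads the `from=` option and the `expiry-time=` option that OpenSSH also supports, and prints each key's SHA256 fingerprint so it can be tracked down later; the key blobs and comments are constructed sample data, and the quote handling ignores backslash-escaped quotes.

```python
import base64, hashlib, struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def sample_key(seed):
    """Constructed ed25519-shaped public key blob for the sample (not a real key)."""
    field = lambda b: struct.pack(">I", len(b)) + b
    blob = field(b"ssh-ed25519") + field(hashlib.sha256(seed).digest())
    return base64.b64encode(blob).decode()

def split_unquoted(text, seps):
    """Split text on separator characters that sit outside double quotes."""
    parts, cur, quoted = [], "", False
    for ch in text:
        quoted ^= ch == '"'
        if ch in seps and not quoted:
            parts, cur = parts + [cur], ""
        else:
            cur += ch
    return [p for p in parts + [cur] if p]

def audit(text):
    """Return one record per key: fingerprint, comment, from= and expiry-time= values."""
    records = []
    for line in text.splitlines():
        fields = split_unquoted(line.strip(), " \t")
        if not fields or fields[0].startswith("#"):
            continue
        opts = {}
        if fields[0] not in KEY_TYPES:  # first field is the options list
            for opt in split_unquoted(fields.pop(0), ","):
                name, _, value = opt.partition("=")
                opts[name.lower()] = value.strip('"')
        digest = hashlib.sha256(base64.b64decode(fields[1])).digest()
        records.append({
            "comment": " ".join(fields[2:]),
            "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
            "from": opts.get("from"), "expiry": opts.get("expiry-time"),
        })
    return records

def unrestricted(records):  # keys with no source-address limit and no expiry
    return [r["comment"] for r in records if not r["from"] and not r["expiry"]]

SAMPLE = "\n".join([  # constructed authorized_keys content
    f'from="203.0.113.0/24,198.51.100.7",no-agent-forwarding ssh-ed25519 {sample_key(b"a")} alice@laptop',
    f'ssh-ed25519 {sample_key(b"b")} old-contractor',
    f'from="192.0.2.10",expiry-time="20300101" ssh-ed25519 {sample_key(b"c")} backup job',
])
print("review first:", unrestricted(audit(SAMPLE)))
```

The fingerprints use the same format as `ssh-keygen -l`, so a key flagged here can be matched against the public key file it came from before it is removed.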
Another method in securing remote connections involves the use of certificates. Certificates, also called PKI, can be used to authenticate systems and users. Like SSH keys, they are implemented by using public and private keys. The main difference is that certificates are issued by a certificate authority, and that authority needs to be trusted in order for the system to trust the certificate. Certificates also carry more information that can be used to determine their validity. For example, they can be revoked and placed on a CRL (certificate revocation list) if they are lost by a user, a system is compromised, or an employee has left the company. Most certificates expire after a set amount of time, so unlike SSH keys, even if they are not removed from the system correctly, they will become useless after a set amount of time.
The downsides of using certificates include the complexity of setting up the certificates, managing the certificates, ensuring all devices using the certificates get up-to-date CRLs, and establishing procedures to make sure compromised or expired certificates are placed on the CRLs and removed.
The Benefits of Securing RAC
A benefit of employing either of these methods is that, when used with a secure communication protocol, all information passed between the resources and systems is encrypted, and the private keys are never passed over the network or internet. This is more secure than usernames or passwords that, even when encrypted, get passed over the network or internet when used for authentication to remote systems. These measures reduce the chances that a man-in-the-middle attack would be successful in grabbing enough information to compromise a system.
Another advantage in using these kinds of methods is that they limit the effectiveness of brute force attacks. Most SSH key pairs and certificates use a minimum of a 2048 bit key. If we look at the numbers for breaking this size of a key on the world’s fastest supercomputer, which has a processing power of 33.86 petaflops, or $33.86 \times 2^{50}$ calculations per second, and compare this to breaking an 8-character complex password on a high-end computer that anyone could put together, we come up with the following time frames:
- 2048 Bit Key
- $2^{2048} / (33.86 \times 2^{50})$ = 8.47E599 sec. or over one billion years
- 8 Character Complex Password
- 894/2926.9MH/s = 26 days, 5 hours or less depending on the system
The reality is that passwords are becoming very ineffective at protecting systems and information. When users do use longer and more complex passwords, they often write them down, defeating the purpose of using a secure password. On the other hand, the certificates or keys give great protection to the systems or information and take the human factor out of having to create or remember passwords. Combining keys or certificates with secure communication protocols, logging, and least-privilege access standards yields significant improvements in securing systems and information.
I will leave you with these final thoughts. Whether protecting remote access to your personal home computer or an enterprise network, these best practices to secure RAC communications can significantly reduce your chances of having a security incident. Some of the more advanced methods of SSH keys or certificates may require specialized knowledge, in which case it may be wise to work with a security partner to help design and implement these applications. Then, a Managed Security Services Provider (MSSP) could be engaged to allow for continual monitoring of these systems and incident handling.
Till next time, be safe and secure.