Sun Sep 14 19:45:53 PDT 2014

Zones: Remote access: How is access to internal zones from distant locations (including wireless) facilitated?


Options:

Option 1: Provide equivalent protection in every way for distant systems and environments and use authenticated encrypted tunnels to connect them.
Option 2: Use controlled configurations for distant environments and provide access through terminal servers.
Option 3: Use remote dial-in access with telephones and modems from controlled environments for distant access.
Option 4: Use remote dedicated connectivity from controlled environments for distant access.
Option 5: Use temporary {encrypted} remote access connections to {terminal servers, microzones} {with controlled configurations, surveillance, recording, limited actions} for remote {diagnosis, maintenance, supervised activities} for limited time frames.
Option 6: Don't allow distant access to internal zones.

Basis:

Provide equivalent protection in every way for distant systems and environments and use authenticated encrypted tunnels to connect them.
In most cases, a remote location with equivalent protection in every way should be allowed to connect through adequately secured infrastructure, assuming this doesn't exceed risk aggregation thresholds or violate regulatory, contractual, or other similar mandates.

Use controlled configurations for distant environments and provide access through terminal servers.
Controlled configurations provide a modicum of protection for remote, particularly mobile, systems. By augmenting this with locally controlled terminal services heavily managed internal mechanisms can provide assurance as well as extensive detection and auditing capabilities and provide reasonably access and reasonable protection for many cases.

Use remote dial-in access with telephones and modems from controlled environments for distant access.
Remote dial-in access from controlled environments provides a low-speed and, often independent, method of communicating. To the extent that this is different or harder to simultaneously attack, it brings benefits in mitigation of common mode failure risks as well as elsewhere.

Use remote dedicated connectivity from controlled environments for distant access.
Remote dedicated connectivity, typically in the form of leased lines that have cryptographic coverage provided by the vendor, provides high speed, partially independent, and harder to interfere with connectivity between locations.

Use temporary {encrypted} remote access connections to {terminal servers, microzones} {with controlled configurations, surveillance, recording, limited actions} for remote {diagnosis, maintenance, supervised activities} for limited time frames.
Temporary remote connections are typically controlled by {user access / port / line / device / VPN with VM} {disablement / disconnect / power down / shutdown} during non-use periods and {enablement / connection / power up / startup} only during use periods. Cryptographic protection is commonly used along with normal access controls or microzone controls to prevent interception and/or alteration of control and data en-route. Connections may be direct to devices or through microzones or terminal servers that then perform the operations from there using controlled configurations. Remote diagnosis and maintenance may be surveilled and recorded and actions may be restricted, for example to be read-only for audit records or to lock out changes without additional authorization. Similarly, supervised activities may take place in microzones under direct supervision of the operator of the VM in use for the microzone. Supervision in this context implies continuous presence and attention by the micozone operator, and represents a form of shared simultaneous use. As such, supervision required proper user behavior by the supervisor.

Don't allow distant access to internal zones.
For some high risk situations, it is simply to risky to allow external locations to connect into internal network areas.

A cautionary note The structure of the decisions here should take into account that remote access may be from parties of different trust characteristics. For example, for high risk situations, providing equivalent protection in every way implies that the same trust levels for personnel at the remote location apply as at the local location. But as soon as this restriction is removed, there is a potentially far larger population with different trust characteristics to deal with.

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved