IT Baseline Protection Manual - The Information Warfare Site

Threats Catalogue Deliberate Acts Remarks
____________________________________________________________________ .........................................
T 3.41 Improper use of remote access services
Unless users receive appropriate training it is possible, as with every other IT
system, for security problems to develop as a result of users’ (usually
unintentional) mistaken actions while using RAS or in the environment in
which RAS is used (e.g. violation of IT security guidelines or incorrect
configuration).
Moreover, stationary and mobile IT systems on which RAS client software is
installed are often used not just to access a LAN. In particular, if the RAS
connection is established over the Internet, then often Web and e-mail services
are used over these IT systems. In many cases external networks are accessed,
for example, when employees working in the field log on to customer
networks using mobile RAS clients. This can result in exposure to the threats
described below.
- As a minimum, establishment of connections which have not been
approved causes unnecessary loading of the system, as an authorisation
check has to be performed in every case. In this way, system resources are
tied up unnecessarily. When this is combined with incorrect configuration
settings, the result may that an attempt at unauthorised access succeeds.
- Amongst other possibilities, RAS clients can be used for Internet access.
One potential danger here is that unless special precautions (e.g. secure
configuration or PC firewall) are taken, it may be possible to access the
client computer from the Internet. This means that the computer is exposed
to potential attacks. Thus, for example, an aggressor could disable data
encryption or change other RAS configuration data so that secure RAS
communication is no longer possible. Similar problems (viruses, Trojan
horses) can arise where software has been downloaded from the Internet
and stored on the RAS client.
- If a RAS client is connected to an external LAN (e.g. customer network or
private home network), often there will be interfaces from that LAN to
other networks, e.g. the Internet or local subnets. Depending on the
security requirements covering LAN administration, uncontrolled access to
the RAS client may be possible (see also T 5.39 Infiltrating computer
systems via communication cards).
Examples
- During a business trip an employee logs on to the corporate network
over the Internet. Before the connection is established with the RAS
system, he loads an executable file from a Web server. In addition to its
"official" functionality, the file also contains a malicious section of code
which attempts to influence the security mechanisms in the RAS
configuration (e.g. disabling of encryption) and to access data in the
corporate network where an existing RAS connection has been previously
discovered.
- An employee working out in the field connects his laptop to the network of
a customer. In order to be able to exchange data with the customer, he
makes some local directories shared so that they can be accessed from the
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Unapproved RAS
connections established
Use of the RAS client on
the Internet
Connection of the RAS
client to an external
network