What is the primary vulnerability associated with many methods of remote access?

As we discussed when we went over Web security issues, the vast majority of Web sites and applications in use today make use of databases in order to store the information they display and process. In some cases, such applications may hold very sensitive data, such as tax returns, medical data, or legal records; or they may contain only the contents of a discussion forum on knitting. In either case, the data such applications hold is important to the owners of the application and they would be inconvenienced, at the very least, if it were damaged or manipulated in an unauthorized manner.

A number of issues can cause trouble in ensuring the security of our databases. The canonical list includes the following [8]:

Unauthenticated flaws in network protocols

Authenticated flaws in network protocols

Flaws in authentication protocols

Unauthenticated access to functionality

Arbitrary code execution in intrinsic SQL elements

Arbitrary code execution in securable SQL elements

Privilege escalation via SQL injection

Local privilege escalation issues

Although this may seem like a horribly complex set of issues for us to worry about, we can break them down into four major categories, as shown in Figure 10.2.


Figure 10.2. Categories of Database Security Issues

Protocol Issues

We might find a number of issues in the protocols in use by any given database. We can look at the network protocols used to communicate with the database, some of which will need a set of credentials in order to use and some of which will not. In either case, there is often a steady stream of vulnerabilities for most any major database product and version we might care to examine. Such vulnerabilities often involve some of the more common software development issues, such as the buffer overflows we discussed at the beginning of this chapter.

When we are dealing with known protocol issues, the absolute best defense is to ensure that we are using the most current software version and patches for the database software in question, as we discussed in Chapter 9. Defending against presently unknown network protocol issues often revolves around limiting access to our databases, either in the sense of actually limiting access to who is able to connect to the database over the network, using some of the methods we discussed in Chapter 8, or, in the case of authenticated protocol problems, by limiting the privileges and accounts we make available for the database itself, following the principle of least privilege.

We may also have issues in the authentication protocols used by our database, depending on the specific software and version we have in use. In general, the older and more out-of-date our software becomes, the more likely it is that we are using an authentication protocol that is not robust. Many older applications will use authentication protocols we know to have been broken at some point, or to have obvious architectural flaws, such as sending login credentials over the network in plaintext (refer to Chapter 5), as Telnet does. Again, the best defense here is to ensure that we are on current versions of the software we are using.

Unauthenticated Access

When we give a user or process the opportunity to interact with our database without supplying a set of credentials, we create the possibility for security issues. Such issues may be related to simple queries to the database through a Web interface, in which we might accidentally expose information contained in the database; or we might expose information on the database itself, such as a version number, giving an attacker additional material with which to compromise our application.

We might also experience a wide variety of issues related to the secure software development practices we discussed at the beginning of the chapter. If the user or process is forced to send us a set of credentials to begin a transaction, we can monitor, or place limits on, what the user or process is allowed to do, based on those credentials. If we allow access to part of our application or tool set without requiring these credentials, we may lose visibility and control over what actions are taking place.

Arbitrary Code Execution

We can find a number of areas for security flaws in the languages we use to talk to databases. Generally, these are concentrated on SQL, as it is the most common database language in use. In the default SQL language, a number of built-in elements are possible security risks, some of which we can control access to and some of which we cannot.

In these language elements, we may find a number of issues related to bugs in the software we are using, or issues spawned by not using secure coding practices, that might allow us to execute arbitrary code within the application. For example, a flaw allowing us to conduct a buffer overflow, as we discussed earlier in this chapter, might enable us to insert attack code into the memory space used by the database or the operating system, and compromise either or both of them.

Our best defenses against such attacks are twofold. From the consumer side, we should stay current on the version and patch levels for our software. From the vendor side, we should mandate secure coding practices, in all cases, in order to eliminate the vulnerabilities in the first place, as well as conducting internal reviews to ensure that such practices are actually being followed.

Privilege Escalation

Our last category of major database security issues is that of privilege escalation. In essence, privilege escalation is a category of attack in which we make use of any of a number of methods to increase the level of access above what we are authorized to have, or have managed to gain on the system or application through attack. Generally speaking, privilege escalation is aimed at gaining administrative access to the software in order to carry out other attacks without needing to worry about not having the access required.

As we mentioned earlier in the chapter, SQL injection is a very common attack against databases that are accessible through a Web interface and is largely an issue of not filtering or validating inputs properly. SQL injection can be used to gain information from the database in an unauthorized manner, modify data contained in the database, and perform many other similar activities. SQL injection can also be used to gain or escalate privileges in the database.

One of the more common SQL injection examples is to send the string ' or '1'='1 as the input in a username field for an application. If the application has not filtered the input properly, this may cause it to automatically record that we have entered a legitimate username, which we have clearly not done, allowing us to potentially escalate the level of privilege to which we have access.

Additional Resources

For those interested in more information regarding SQL injection and database security in general, two books available from Syngress are Securing SQL Server by Denny Cherry (ISBN: 9781597496254) and SQL Injection Attacks and Defense by Justin Clarke (ISBN: 9781597494243). Both are great resources from very knowledgeable folks.

An additional area of concern for privilege escalation is from an operating system perspective. Database applications are processes running on the operating system, using the credentials and privileges of an operating system user, just like a Web browser or any other application we might want to run. If we are not careful to protect our operating systems and the user accounts that run on them, as we talked about in Chapters 8 and 9, any database security measures we might put in place may be for naught. If an attacker gains access to the account under which the database software is running, he or she will likely have privileges to do anything he or she might care to do, including deleting the database itself, changing passwords for any of the database users, changing the settings for the way the database functions, manipulating data, and so on.

Our best defenses against operating system issues such as these are the set of hardening and mitigation steps we discussed in Chapter 9. If we can keep attackers from compromising our system in the first place, we can largely avoid this particular concern.


URL: https://www.sciencedirect.com/science/article/pii/B9781597496537000104

Application Security

Jason Andress, in The Basics of Information Security (Second Edition), 2014

Database security

As we discussed when we went over Web security issues, the vast majority of Web sites and applications in use today make use of databases in order to store the information they display and process. In some cases, such applications may hold very sensitive data, such as tax returns, medical data, or legal records; or they may contain only the contents of a discussion forum on knitting. In either case, the data such applications hold is important to the owners of the application and they would be inconvenienced, at the very least, if it were damaged or manipulated in an unauthorized manner.

A number of issues can cause trouble in ensuring the security of our databases. The canonical list includes the following [8]:

Unauthenticated flaws in network protocols

Authenticated flaws in network protocols

Flaws in authentication protocols

Unauthenticated access to functionality

Arbitrary code execution in intrinsic SQL elements

Arbitrary code execution in securable SQL elements

Privilege escalation via SQL injection

Local privilege escalation issues

Although this may seem like a horribly complex set of issues for us to worry about, we can break them down into four major categories, as shown in Figure 12.2.


Figure 12.2. Categories of database security issues.

Protocol issues

We might find a number of issues in the protocols in use by any given database. We can look at the network protocols used to communicate with the database, some of which will need a set of credentials in order to use and some of which will not. In either case, there is often a steady stream of vulnerabilities for most any major database product and version we might care to examine. Such vulnerabilities often involve some of the more common software development issues, such as the buffer overflows we discussed at the beginning of this chapter.

When we are dealing with known protocol issues, the absolute best defense is to ensure that we are using the most current software version and patches for the database software in question, as we discussed in Chapter 11. Defending against presently unknown network protocol issues often revolves around limiting access to our databases, either in the sense of actually limiting access to who is able to connect to the database over the network, using some of the methods we discussed in Chapter 10, or, in the case of authenticated protocol problems, by limiting the privileges and accounts we make available for the database itself, following the principle of least privilege.

We may also have issues in the authentication protocols used by our database, depending on the specific software and version we have in use. In general, the older and more out-of-date our software becomes, the more likely it is that we are using an authentication protocol that is not robust. Many older applications will use authentication protocols we know to have been broken at some point, or to have obvious architectural flaws, such as sending login credentials over the network in plaintext (refer to Chapter 5), as Telnet does. Again, the best defense here is to ensure that we are on current versions of the software we are using.

Unauthenticated access

When we give a user or process the opportunity to interact with our database without supplying a set of credentials, we create the possibility for security issues. Such issues may be related to simple queries to the database through a Web interface, in which we might accidentally expose information contained in the database; or we might expose information on the database itself, such as a version number, giving an attacker additional material with which to compromise our application.

We might also experience a wide variety of issues related to the secure software development practices we discussed at the beginning of the chapter. If the user or process is forced to send us a set of credentials to begin a transaction, we can monitor, or place limits on, what the user or process is allowed to do, based on those credentials. If we allow access to part of our application or tool set without requiring these credentials, we may lose visibility and control over what actions are taking place.

Arbitrary code execution

We can find a number of areas for security flaws in the languages we use to talk to databases. Generally, these are concentrated on SQL, as it is the most common database language in use. In the default SQL language, a number of built-in elements are possible security risks, some of which we can control access to and some of which we cannot.

In these language elements, we may find a number of issues related to bugs in the software we are using, or issues spawned by not using secure coding practices, that might allow us to execute arbitrary code within the application. For example, a flaw allowing us to conduct a buffer overflow, as we discussed earlier in this chapter, might enable us to insert attack code into the memory space used by the database or the operating system, and compromise either or both of them.

Our best defenses against such attacks are twofold. From the consumer side, we should stay current on the version and patch levels for our software. From the vendor side, we should mandate secure coding practices, in all cases, in order to eliminate the vulnerabilities in the first place, as well as conducting internal reviews to ensure that such practices are actually being followed.

Privilege escalation

Our last category of major database security issues is that of privilege escalation. In essence, privilege escalation is a category of attack in which we make use of any of a number of methods to increase the level of access above what we are authorized to have or have managed to gain on the system or application through attack. Generally speaking, privilege escalation is aimed at gaining administrative access to the software in order to carry out other attacks without needing to worry about not having the access required.

As we mentioned earlier in the chapter, SQL injection is a very common attack against databases that are accessible through a Web interface and is largely an issue of not filtering or validating inputs properly. SQL injection can be used to gain information from the database in an unauthorized manner, modify data contained in the database, and perform many other similar activities. SQL injection can also be used to gain or escalate privileges in the database.

One of the more common SQL injection examples is to send the string ' or '1'='1 as the input in a username field for an application. If the application has not filtered the input properly, this may cause it to automatically record that we have entered a legitimate username, which we have clearly not done, allowing us to potentially escalate the level of privilege to which we have access.
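The ' or '1'='1 username input discussed above (the same example appears in both editions of the chapter excerpted on this page) is easiest to understand next to the query that makes it work. The following Python script is an added example, not code from the book or its author: it uses an in-memory SQLite table with constructed sample accounts and a hypothetical user-lookup routine. The flawed version builds the WHERE clause by concatenating the username, so the quote in the input closes the string literal and the rest is parsed as SQL, and the lookup matches every user; the parameterised version binds the same input as data and matches nothing. A small input check is included as a detection aid, not as the fix.

```python
import sqlite3

# Constructed sample accounts for the demonstration (not real credentials).
SAMPLE_USERS = [
    ("alice", "alice-pass", "admin"),
    ("bob", "bob-pass", "user"),
]

# The input discussed in the text: the leading quote closes the string literal
# the application opened, and what follows is interpreted as SQL.
INJECTION_INPUT = "' or '1'='1"


def make_db():
    """Build an in-memory users table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_user_vulnerable(conn, username):
    """Hypothetical flawed lookup: the username is pasted straight into the SQL.

    With INJECTION_INPUT the statement becomes
        SELECT username, role FROM users WHERE username = '' or '1'='1'
    which is true for every row, so an application that treats a non-empty
    result as "a legitimate username was entered" is fooled.
    """
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Parameterised lookup: the driver binds the value, so quotes and keywords
    in the input are compared as data and never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def looks_like_injection(value):
    """Cheap server-side check worth logging on: quote and comment sequences
    are not normal content for a username field. This supports detection; it
    is not a substitute for parameterised queries."""
    markers = ("'", "--", "/*", ";")
    return any(m in value for m in markers)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_user_vulnerable(db, INJECTION_INPUT))  # every user
    print("safe:      ", lookup_user_safe(db, INJECTION_INPUT))        # []
    print("flagged:   ", looks_like_injection(INJECTION_INPUT))        # True
```

The vulnerable function is kept deliberately small so the effect of the single quote is visible in the docstring; the fix is the `?` placeholder, which leaves the SQL structure fixed regardless of what the user types.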


URL: https://www.sciencedirect.com/science/article/pii/B9780128007440000129

Configuring Network Access

Tony Piltzecker, Brien Posey, in The Best Damn Windows Server 2008 Book Period (Second Edition), 2008

Remote Access Policy

Remote access policies are an ordered set of rules that define how connections are either authorized or rejected. For each rule, there are one or more conditions, a set of profile settings, and a remote access permission setting. If a connection is authorized, the remote access policy profile specifies a set of connection restrictions. The dial-in properties of the user account also provide a set of restrictions. Where applicable, user account connection restrictions override the remote access policy profile connection restrictions.

For servers running the RRAS that are configured for the Windows authentication provider, remote access policies are administered from RRAS and apply only to the connections of the RRAS server. Centralized management of remote access policies is also used when you have remote access servers that are running RRAS. Remote access policies validate a number of connection settings before authorizing the connection, including the following:

Remote access permission

Group membership

Type of connection

Time of day

Authentication methods

Advanced conditions such as access server identity, access client phone number, or Media Access Control (MAC) address

Whether user account dial-in properties are ignored

Whether unauthenticated access is allowed

After the connection is authorized, remote access policies can also be used to specify connection restrictions, including the following:

Idle timeout time

Maximum session time

Encryption strength

IP packet filters

Advanced restrictions:

IP address for PPP connections

Static routes

Additionally, you can vary connection restrictions based on the following settings:

Group membership

Type of connection

Time of day

Authentication methods

Identity of the access server

Access client phone number or MAC address

Whether unauthenticated access is allowed

For example, you can have policies that specify different maximum session times for different types of connections or groups. Additionally, you can also specify restricted access for business partners or unauthenticated connections. All of this can be configured using the RRAS panel on the client computer, as shown in Figure 6.5. This is accessible as follows:


Figure 6.5. Network Policy and Access Tab

1. Open Server Manager and expand the Roles tab.

2. Expand the Network Policy and Access Service tab, as seen in Figure 6.5.

3. Expand the Routing and Remote Access panel and right-click for Properties.

This will allow you to set up configurations for your remote access policies.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492737000069

MCSA/MCSE 70-291: Configuring the Windows 2003 Routing and Remote Access Service LAN Routing, Dial-up Services, and Routing Protocols

Deborah Littlejohn Shinder, ... Laura Hunter, in MCSA/MCSE (Exam 70-291) Study Guide, 2003

Configuring Remote Access Policies

A traditional LAN is usually located within the physical confines of a building. The systems within the bounds of the LAN are administered by an individual or group of individuals and usually a policy is in place to guide the administration and configuration. When users connect from outside the confines of the LAN, often the system the client connects from is not administered by the corporate administrator or administrators. This can present configuration problems as well as security problems. Remote access policies help administrators apply a consistent policy to non-LAN machines, the machines that are often not directly administered within the confines of the corporate LAN. Through the use of remote access policies, administrators can limit the access rights and privileges of remote users and computers by validating connections and can specify connection restrictions. Connection settings that can be validated by standard remote access policy settings include the following:

Authentication methods

Group membership

Remote access permission

Time of day

Type of connection

Advanced remote access policy validation settings include the following:

Access server identity

Access client phone number or MAC address

Whether user account dial-in properties are ignored

Whether unauthenticated access is allowed

Authentication methods include the following:

PEAP

EAP

MS-CHAP

MS-CHAP version 2

CHAP

PAP

Unauthenticated access

Note

This is not an all-inclusive list; there are many other condition attributes that can be set on a remote access policy, such as protocol type, service type, tunnel type (for VPN connections), client IP address, and vendor of the RADIUS proxy (IAS).

Authentication method refers to the authentication type being used by the client (EAP, CHAP, MS-CHAP, etc.).

Group membership is configured through Active Directory Users and Computers. Groups significantly reduce the necessary amount of administration by grouping users according to similar job functions, access rights and requirements, and other common similarities between users. Group membership policy restrictions can be used to allow corporate users to gain network access based on one set of criteria, whereas users from a specific vendor or partner might have a different set of remote access restrictions or rules.

Time of day restrictions ensure that users can log in only during certain times. This can be used to keep users disconnected during certain maintenance operations or to keep remote users out of the network after normal business hours.

Type of connection validation sets different remote access policies based on the method the user uses to connect. For example, VPN users can have one policy, whereas analog dial-up users are governed by a different policy.

Access server identity validation ensures that users connecting to a specific access server have a specific policy applied to them. This can be used to ensure that a user is connecting through proper channels. If someone were to attempt to break into the network through a nonauthorized connection, this restriction will prevent such access.

Access client phone number validation ensures the user is connecting from an authorized location or computer. Using the client’s calling phone number (which is specified as the Calling Station ID) as validation relies upon a certain amount of physical security as well as the password or certificate-based electronic security. Someone would theoretically have to break into the calling location and use that phone to connect based on this validation.

Once a remote access policy has authorized a connection, it can also set connection restrictions (called constraints) based on the following:

Encryption strength

Idle timeout

IP packet filters

Maximum session time

Also, remote access policies provide advanced connection restrictions based on the following:

IP address for PPP connections

Static routes

Note

Again, the dial-in constraints listed are not the only ones you can set. You can also specify that access is allowed only via specific media (FDDI, wireless, Token Ring, Ethernet, DSL, cable, etc.).

Encryption strength typically ranges from 40-bit to 168-bit. Encryption property settings for Windows Server 2003 include no encryption, Basic encryption (40-bit MPPE or 56-bit DES), Strong encryption (56-bit MPPE or 56-bit DES), and Strongest encryption (128-bit MPPE or 168-bit 3DES). Idle timeout is used to secure the network by disconnecting users after a specific amount of idle time has passed. IP packet filters restrict connections based on the services being requested. For example, Telnet access may be granted to a dial-in user by configuring an IP packet filter to allow traffic to TCP port 23 at a particular address. Maximum session time ensures security by disconnecting a user after a specified amount of time regardless of the current session status (idle or active). Specific IP addresses may be distributed through PPP connections to restrict access to portions of the network. This provides another method for securing network access through remote access policy. Static routes also set network access restrictions by routing or not routing specific traffic based on destination network address.

Finally, global remote access policies may be varied according to the following:

Access client phone number or MAC address

Authentication methods

Group membership

Identity of the access server

Time of day

Type of connection

Whether unauthenticated access is allowed

Windows Server 2003 remote access servers provide remote access policy through the Routing and Remote Access Service on stand-alone machines. The RRAS policy applies to connections through that specific RRAS server in that case. If you are using IAS or RADIUS on your network, remote access policies are configured through the Internet Authentication Service or RADIUS server.
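The evaluation behaviour both RRAS excerpts on this page describe (an ordered list of policies, each with conditions, a permission and a profile of connection restrictions; the first matching policy decides; the user account's dial-in settings override the profile's restrictions) can be modelled in a few dozen lines. The following Python is an added example, not Microsoft's code or anything from the study guides: it is a simplified model with assumed condition names, constructed sample policies and constructed connection attempts, and it adds one check the encryption-strength constraint implies: a session whose negotiated encryption is below the profile's minimum is rejected. The "no matching policy means reject" default is an assumption of the model.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, List, Optional, Set


@dataclass
class Connection:
    """One inbound connection attempt (constructed for the model)."""
    user: str
    groups: Set[str]
    conn_type: str          # "VPN" or "Dial-up"
    auth_method: str        # "EAP", "MS-CHAPv2", "CHAP", "PAP", ...
    time_of_day: time
    encryption_bits: int    # strength negotiated for the session (0 = none)


@dataclass
class Profile:
    """Connection restrictions applied once a policy grants access."""
    max_session_min: Optional[int] = None
    idle_timeout_min: Optional[int] = None
    min_encryption_bits: int = 0


@dataclass
class Policy:
    name: str
    conditions: Dict        # assumed keys: group, conn_type, auth_methods, hours
    permission: str         # "grant" or "deny"
    profile: Profile = field(default_factory=Profile)


def matches(policy: Policy, conn: Connection) -> bool:
    """Every condition on the policy must hold for the policy to apply."""
    c = policy.conditions
    if "group" in c and c["group"] not in conn.groups:
        return False
    if "conn_type" in c and c["conn_type"] != conn.conn_type:
        return False
    if "auth_methods" in c and conn.auth_method not in c["auth_methods"]:
        return False
    if "hours" in c:
        start, end = c["hours"]
        if not (start <= conn.time_of_day < end):
            return False
    return True


def evaluate(policies: List[Policy], conn: Connection, account: Dict) -> Dict:
    """First matching policy decides; no match is a rejection (assumed default).

    `account` stands in for the user's Dial-in tab: "permission" is "allow",
    "deny" or "policy" (control access through policy), and "restrictions"
    holds per-account settings that override the policy profile."""
    for p in policies:
        if not matches(p, conn):
            continue
        permission = p.permission
        acct = account.get("permission", "policy")
        if acct == "deny":
            permission = "deny"
        elif acct == "allow":
            permission = "grant"
        if permission != "grant":
            return {"decision": "reject", "policy": p.name, "reason": "permission denied"}
        constraints = dict(vars(p.profile))
        # User account connection restrictions override the profile's.
        constraints.update(account.get("restrictions", {}))
        if conn.encryption_bits < constraints["min_encryption_bits"]:
            return {"decision": "reject", "policy": p.name, "reason": "encryption too weak"}
        return {"decision": "accept", "policy": p.name, "constraints": constraints}
    return {"decision": "reject", "policy": None, "reason": "no matching policy"}


def sample_policies() -> List[Policy]:
    """Constructed ordered policy set: refuse PAP first, then grant by group."""
    return [
        Policy("Deny plaintext auth", {"auth_methods": {"PAP"}}, "deny"),
        Policy("Staff VPN, business hours",
               {"group": "VPN-Users", "conn_type": "VPN", "hours": (time(8), time(18))},
               "grant", Profile(max_session_min=480, idle_timeout_min=30, min_encryption_bits=128)),
        Policy("Partners", {"group": "Partners"}, "grant",
               Profile(max_session_min=60, idle_timeout_min=10, min_encryption_bits=128)),
    ]


def sample_connection(user, groups, conn_type, auth_method, hour, bits) -> Connection:
    """Convenience constructor for a connection attempt at a whole hour."""
    return Connection(user, set(groups), conn_type, auth_method, time(hour, 0), bits)


if __name__ == "__main__":
    staff = sample_connection("alice", ["VPN-Users"], "VPN", "MS-CHAPv2", 10, 128)
    print(evaluate(sample_policies(), staff, {"permission": "policy"}))
```

Order matters in the sample set exactly as it does in RRAS: the deny-PAP policy is listed first so that a PAP attempt is refused before any grant policy can match it.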

To configure a remote access policy for your RRAS server:

1. First, configure the user accounts to use remote access policy for dial-in access.

2. Click Start | Programs | Administrative Tools | Active Directory Users and Computers.

3. The user accounts should have the Remote Access Permission (Dial-in or VPN) option set to Control access through Remote Access Policy.

4. Now, open the Routing and Remote Access management console to configure the policy.

5. Click Start | Programs | Administrative Tools | Routing and Remote Access.

6. If necessary, double-click Routing and Remote Access and the server name.

7. In the left pane, right-click Remote Access Policies, and then click New Remote Access Policy.

8. Select the appropriate policy settings as discussed earlier.

9. Delete the default policies.


URL: https://www.sciencedirect.com/science/article/pii/B9781931836920500147

MCSA/MCSE 70-291: Configuring the Windows Server 2003 Routing and Remote Access Service VPN Services

Deborah Littlejohn Shinder, ... Laura Hunter, in MCSA/MCSE (Exam 70-291) Study Guide, 2003

Planning Your VPN Server Deployment

The first and most important step should be the planning phase. There are a number of considerations for this phase:

You need to determine the number of VPN client connections that you need to support.

You need to determine the availability and logical location of a DHCP server. If you are not using a DHCP server on your network, or if it will exist on a different subnet from the VPN server, you will have to take this into account as you configure the VPN server.

You need to determine where users will be authenticated and which users will have remote dial-in access available to them.

You need to determine what operating systems will be used by VPN clients.

Your client operating systems will dictate many of your decisions about VPN tunneling protocols and authentication protocols. Older client operating systems may require the L2TP/IPSec client software that is available for download from Microsoft in order to support L2TP/IPSec, and some older operating systems (most notably, Windows 95) cannot use L2TP/IPSec. Also, the presence or absence of a certificate infrastructure will dictate the protocols used. Your basic network infrastructure and the type of connection that is available to the Internet will determine the type of VPN connection to implement. Persistent connections usually will be used over a more modern broadband network or one that is connected to the Internet via a dedicated leased line. Time-based and network traffic-based dial-up connections may be used in cases where connectivity costs are based on use.

After you have determined which authentication protocols and VPN protocols to use, along with the details of connection persistence, you must determine the restrictions you want to put in place for the users. There are a couple of options available when it comes to dial-in permissions. One option is to grant dial-in permission on a per user basis. This is done via the Dial-in tab on the Properties sheet for the user’s account. Another, more common option, is to grant dial-in permission to groups through Remote Access Policies.

Remote Access Policies provide greater control of VPN user access by comparing inbound connection attempts to a set of predefined rules. If the connection attempt matches a particular rule, the connection is either accepted or rejected based on the Remote Access Policy’s configuration settings. Remote Access Policies first compare the connection to different criteria such as remote access permission, group membership, type of connection, time of day, authentication methods, and several advanced conditions (access server identity, access client phone number or MAC address, whether user account dial-in properties are ignored, whether unauthenticated access is allowed) before authorizing the connection. After a connection has been authorized, connection restrictions can be specified to control various aspects of the session such as idle timeout time, maximum session time, encryption strength, IP packet filters, and advanced restrictions like IP address for PPP connections and static routes. Several other connection restriction settings also exist within the Remote Access Policy configuration options.

New & Noteworthy…

Network Access Quarantine Control

A new feature that comes with a new set of utilities for Windows Server 2003 is Network Access Quarantine Control. Using either the Connection Manager Administration Kit (CMAK) or the Windows Deployment and Resource Kits, administrators can configure special policies that restrict VPN client access using a quarantine mode until the client system is either brought into compliance with corporate VPN client specifications or determined to already be in accordance with specifications. This is a new feature for Windows Server 2003 that will help to increase network security.

Network Access Quarantine Control controls client access after initial authentication has been completed. The client uses an installed notification component (Rqc.exe) to communicate system compliance information to the Remote Access Server’s listening component (Rqs.exe) after testing the client with a specially configured script known as the Connection Manager profile. Two attributes (MS-Quarantine-IPFilter and MS-Quarantine-Session-Timeout) filter IP traffic between the remote access client and the remote access server until the client system passes the configuration requirements or the timeout period is reached.

The process used to deploy Network Access Quarantine Control for your remote access network involves the following steps:

1. Either use the Rqc.exe notification component or create a notification component that provides verification to the remote access server that the remote access client computer complies with network policy requirements.

2. Create a validation script that authorizes the client configuration. The script runs the notification component with the appropriate parameters if the client configuration meets the requirements specified in the validation script.

3. Either use the Rqs.exe listener component or create a listener component that receives the network policy compliance notification from the notification component.

4. Using the Connection Manager Administration Kit (CMAK) from the Windows Server 2003 Resource Kit, create a Connection Manager (CM) profile. Configure a post-connect action to run the script with the required parameters and include the script and the notification component in the profile.

5. Distribute the CM profile for installation on remote access client computers.

6. After the CM profile has been installed on remote access client computers, configure a quarantine remote access policy on your IAS servers.

In the next section, we will discuss one of the most important keys to proper VPN configuration: client address assignment.

What are the three major components of the SSH protocol?

SSH has three components: transport layer protocol (TLP), user authentication protocol, and connection protocol.

Which protocol enables the secure transfer of data from a remote PC to a server by creating a VPN across a TCP/IP network?

PPTP (Point-to-Point Tunneling Protocol) is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand, multiprotocol, virtual private networking over public networks, such as the internet.

When referring to the three steps in the establishment of proper privileges, what does AAA stand for?

AAA stands for authentication, authorization, and accounting. AAA is a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services.

What term describes the use of more than one authentication mechanism at the same time?

Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN.