CISSP® Official Study Guide Eighth Edition


Plan Remote Access Security



(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

When outlining your remote access security management strategy, be sure to address the 
following issues:
Remote Connectivity Technology
Each type of connection has its own unique security 
issues. Fully examine every aspect of your connection options. This can include
cellular/mobile services, modems, Digital Subscriber Line (DSL), Integrated Services Digital
Network (ISDN), wireless networking, satellite, and cable modems.
Transmission Protection
There are several forms of encrypted protocols, encrypted 
connection systems, and encrypted network services or applications. Use the appropriate
combination of secured services for your remote connectivity needs. This can include
VPNs, SSL, TLS, Secure Shell (SSH), IPsec, and Layer 2 Tunneling Protocol (L2TP).
Authentication Protection
In addition to protecting data traffic, you must ensure that all 
logon credentials are properly secured. This requires the use of an authentication protocol 
and may mandate the use of a centralized remote access authentication system. This can 
include Password Authentication Protocol (PAP), Challenge Handshake Authentication 
Protocol (CHAP), Extensible Authentication Protocol (EAP, or its extensions PEAP or 
LEAP), Remote Authentication Dial-In User Service (RADIUS), and Terminal Access 
Controller Access-Control System Plus (TACACS+).
Remote User Assistance
Remote access users may periodically require technical assistance.
You must have a means established to provide this as efficiently as possible. This can
include, for example, addressing software and hardware issues and user training issues. If
an organization is unable to provide a reasonable solution for remote user technical support,
it could result in loss of productivity, compromise of the remote system, or an overall
breach of organizational security.
If it is difficult or impossible to maintain a similar level of security on a remote system as 
is maintained in the private LAN, remote access should be reconsidered in light of the security
risks it represents. Network Access Control (NAC) can assist with this but may burden
slower connections with large update and patch transfers.
The ability to use remote access or establish a remote connection should be tightly 
controlled. You can control and restrict the use of remote connectivity by means of filters, 
rules, or access controls based on user identity, workstation identity, protocol, application, 
content, and time of day.
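
The sketch below is an added example, not taken from the book. It shows one way to express such rules as a default-deny allow list keyed on user identity, workstation identity, protocol, and time of day. The class names, user names, workstation IDs, and time windows are hypothetical, constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Request:
    user: str
    workstation: str
    protocol: str
    at: time              # local time of the connection attempt

@dataclass(frozen=True)
class Rule:
    users: frozenset
    workstations: frozenset
    protocols: frozenset
    start: time           # window start, inclusive
    end: time             # window end, exclusive

    def in_window(self, t: time) -> bool:
        if self.start <= self.end:
            # Same-day window; start == end is an empty window (fails closed).
            return self.start <= t < self.end
        # Window wraps past midnight, e.g. 22:00-06:00.
        return t >= self.start or t < self.end

    def matches(self, req: Request) -> bool:
        # Every attribute must match; one mismatch rejects the rule.
        return (req.user in self.users
                and req.workstation in self.workstations
                and req.protocol in self.protocols
                and self.in_window(req.at))

def decide(rules, req):
    """Return ("allow", rule_index) for the first matching rule, else ("deny", None)."""
    for index, rule in enumerate(rules):
        if rule.matches(req):
            return ("allow", index)
    return ("deny", None)   # default deny: nothing is permitted implicitly

# Constructed sample policy (all identifiers are made up).
RULES = [
    Rule(frozenset({"alice", "bob"}), frozenset({"LT-0042", "LT-0043"}),
         frozenset({"ipsec", "ssh"}), time(7, 0), time(19, 0)),
    Rule(frozenset({"oncall"}), frozenset({"LT-0099"}),
         frozenset({"ssh"}), time(22, 0), time(6, 0)),
]

if __name__ == "__main__":
    print(decide(RULES, Request("alice", "LT-0042", "ipsec", time(9, 30))))
    print(decide(RULES, Request("alice", "HOME-PC", "ipsec", time(9, 30))))
```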
To restrict remote access to only authorized users, you can use callback and caller ID. 
Callback is a mechanism that disconnects a remote user upon initial contact and then 
immediately attempts to reconnect to them using a predefined phone number (in other 
words, the number defined in the user account’s security database). Callback does have a 
user-defined mode. However, this mode is not used for security; it is used to reverse toll 
charges to the company rather than charging the remote client. Caller ID verification can 
be used for the same purpose as callback—by potentially verifying the physical location 
(via phone number) of the authorized user.
It should be a standard element in your security policy that no unauthorized modems be 
present on any system connected to the private network. You may need to further specify 
this policy by indicating that those with portable systems must either remove their modems 
before connecting to the network or boot with a hardware profile that disables the modem’s 
device driver.
