Securing the Remote Access Sessions

In order to add an additional layer of security to such connections, we will need to deploy some sort of remote access solution prior to the actual connection to the Terminal Server itself. Options for securing remote access include:
* IPSec, L2TP or PPTP-based VPN connections through Microsoft Windows Server 2003/2008 RRAS, by using Microsoft ISA Server, or by using leading 3rd-party solutions from vendors such as Cisco and Check Point
* SSL VPN connections by using appliances such as Juniper SSL VPN, Cisco SSL VPN, Check Point Connectra and others, or by using Microsoft Windows Server 2008 SSTP
* Microsoft Windows Server 2008 TS Gateway connections

The benefits of using VPN-type remote access include the fact that the connection is strongly encrypted, adding extra security encapsulation to each packet. A VPN also protects against unauthorized access because, prior to gaining access to the actual remote management gateway, users are forced to authenticate themselves with their credentials or token, and only then are they granted access to the gateway. On the other side, in most VPN products, an additional cost is

Remote computers might not be fully patched against security vulnerabilities, might not have an up-to-date anti-virus product, or might not have their personal firewall turned on. This raises many security issues, especially considering that these computers might be using a VPN tunnel type of connection, which in fact is very much like physically connecting them to the corporate network. Furthermore, after successfully connecting to the corporate network, these computers might initiate a type of connection to internal resources that is out of scope for the type of required connection. In order to mitigate these risks, there is a need to implement a mechanism that will quarantine these computers until they provide proof of being fully patched and up-to-date. Such quarantine systems can be achieved by using the 3rd-party Network Admission Control (NAC) capabilities of VPN appliances such as those provided by Juniper, Check Point or Cisco, or by implementing the built-in Network Access Protection (NAP) found in Microsoft Windows Server 2008.

Data Loss Prevention

In order to control exactly what type of traffic is passed through the VPN connection, there is need to either deploy smart appliances such as those provided by Check Point, Cisco, Juniper or Microsoft (with their IAG product), or to place an additional firewall behind the VPN server that will scan the un-encrypted inbound traffic.

Protecting the Internal Network

An additional issue that arises in remote management scenarios is controlling what type of traffic can pass through these VPN connections, and what type of remote computers can actually connect to the corporate network.
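The quarantine mechanism and the post-VPN traffic control described in the three sections above can be modelled as two enforcement stages: a NAP/NAC-style health check that decides whether an endpoint gets full access or is confined to remediation servers, followed by a destination filter that lets healthy clients reach only the remote-management gateway. The following is an added illustration written for this page, not code from any of the named products; the gateway address, the remediation network, the health fields and the thresholds are all constructed assumptions.

```python
"""Added example (not from the article): a minimal model of the two enforcement
stages the text describes for a VPN client reaching a Terminal Server gateway:
1. a NAP/NAC-style health check that quarantines unhealthy endpoints, and
2. a post-VPN firewall policy that only lets healthy clients reach the
   remote-management gateway, not arbitrary internal hosts.
Addresses, networks, thresholds and health fields are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Constructed: the only internal destination remote users may open.
GATEWAY_HOST = "10.0.5.10"                     # assumed TS Gateway address
GATEWAY_PORT = 3389                            # RDP
REMEDIATION_NET = ip_network("10.0.99.0/24")   # assumed patch/AV update servers
MAX_PATCH_AGE_DAYS = 7                         # assumed compliance threshold


@dataclass
class HealthReport:
    """Client-reported statement of health, as a NAP/NAC client would send it."""
    patch_age_days: int
    av_signatures_current: bool
    firewall_enabled: bool


def evaluate_health(report: HealthReport) -> List[str]:
    """Return the list of failed checks; an empty list means compliant."""
    failures = []
    if report.patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append("patches-outdated")
    if not report.av_signatures_current:
        failures.append("av-outdated")
    if not report.firewall_enabled:
        failures.append("firewall-off")
    return failures


def assign_zone(report: HealthReport) -> str:
    """Stage 1: compliant clients get the full-access zone, others are quarantined."""
    return "full" if not evaluate_health(report) else "quarantine"


def decide(report: HealthReport, dst_ip: str, dst_port: int) -> str:
    """Stage 2: combine the health zone with a destination allowlist.

    Quarantined clients may only reach remediation servers; healthy clients
    may only reach the remote-management gateway on the RDP port. Everything
    else is out of scope for a remote-management session and is denied.
    """
    dst = ip_address(dst_ip)
    if assign_zone(report) == "quarantine":
        return "allow" if dst in REMEDIATION_NET else "deny:quarantine"
    if dst == ip_address(GATEWAY_HOST) and dst_port == GATEWAY_PORT:
        return "allow"
    return "deny:out-of-scope"


if __name__ == "__main__":
    healthy = HealthReport(patch_age_days=2, av_signatures_current=True, firewall_enabled=True)
    stale = HealthReport(patch_age_days=30, av_signatures_current=True, firewall_enabled=False)
    for who, rep in (("healthy", healthy), ("stale", stale)):
        print(who, "->", evaluate_health(rep) or "compliant")
        print("  gateway rdp :", decide(rep, GATEWAY_HOST, GATEWAY_PORT))
        print("  file server :", decide(rep, "10.0.7.20", 445))
        print("  remediation :", decide(rep, "10.0.99.5", 80))
```

The point of keeping the two stages separate is that each answers a different question from the text: stage 1 answers "is this computer safe to let onto the network at all", stage 2 answers "is this particular connection within the scope of remote management", and a client can pass the first and still be denied by the second.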

User Behavior Monitoring

In the scenario outlined above, all remote access connections are indeed secured, and only authorized personnel can connect to the corporate servers.

However, the question of knowing exactly what vendors do once connected remains unanswered. This leaves a gaping hole in corporate security and compliance: once vendors connect to the remote management gateway server, in theory they can perform other actions, including opening full Remote Desktop connections to other remote servers. A mechanism is needed that gives IT Managers the full confidence that comes with knowing exactly who connected, what they did while connected, and what applications or system tasks have been used or opened.

Many server-based applications have varying degrees of built-in auditing or logging, including extended diagnostic logging. However, auditing and logging only show cryptic log traces, not actual human actions. Auditing and logging may be of use for debugging an error, but security and regulatory issues create a need to know exactly what users are doing while logged onto the Terminal Servers. By using the recording and auditing capabilities of ObserveIT, IT Managers receive a clear and concise answer to these questions.
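To show how far the "cryptic log traces" the text mentions can be taken before a session-recording product is needed, here is an added example (written for this page; it is not ObserveIT code and not the article's) that turns Windows Security logon events from the gateway and an internal server into a per-session audit trail, and flags the exact case the text warns about: a vendor who, once on the remote-management gateway, opens a further Remote Desktop session to another server. The CSV-style export format, the host names, user names and addresses are constructed; the event IDs 4624 (logon) and 4634 (logoff) and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows Security values.

```python
"""Added example (not from the article, not ObserveIT code): turn raw Windows
Security logon events into a readable per-session audit trail and flag RDP
sessions that were opened from the remote-management gateway itself.
The export format and all hosts, users and addresses are constructed
assumptions; event IDs 4624/4634 and logon type 10 (RDP) are real Windows values.
"""
from datetime import datetime
from typing import Dict, List, Tuple

GATEWAY_HOST = "TSGW01"     # assumed name of the remote-management gateway
GATEWAY_IP = "10.0.5.10"    # assumed address of that gateway

# Constructed sample export, one event per line:
# time,host,event_id,logon_type,user,source_ip
SAMPLE_LOG = """\
2024-03-05 09:12:01,TSGW01,4624,10,vendor.alice,203.0.113.7
2024-03-05 09:14:30,TSGW01,4624,3,svc.backup,10.0.2.15
2024-03-05 09:20:45,SQL01,4624,10,vendor.alice,10.0.5.10
2024-03-05 09:55:00,SQL01,4634,10,vendor.alice,-
2024-03-05 10:02:13,TSGW01,4634,10,vendor.alice,-
2024-03-05 11:00:00,TSGW01,4624,10,vendor.bob,198.51.100.9
"""


def parse_events(text: str) -> List[dict]:
    """Parse the constructed export into event dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, ltype, user, src = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host, "event_id": int(eid), "logon_type": int(ltype),
            "user": user, "source": src,
        })
    return events


def build_sessions(events: List[dict]) -> List[dict]:
    """Pair each RDP logon (4624, type 10) with the next logoff (4634) for the
    same user on the same host. Sessions still open at the end of the log are
    returned with end=None so they are not silently lost."""
    open_sessions: Dict[Tuple[str, str], dict] = {}
    sessions: List[dict] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:
            continue  # network/service logons are not interactive sessions
        key = (ev["user"], ev["host"])
        if ev["event_id"] == 4624:
            open_sessions[key] = {"user": ev["user"], "host": ev["host"],
                                  "source": ev["source"], "start": ev["time"],
                                  "end": None}
        elif ev["event_id"] == 4634 and key in open_sessions:
            session = open_sessions.pop(key)
            session["end"] = ev["time"]
            sessions.append(session)
    sessions.extend(open_sessions.values())
    return sessions


def find_gateway_hops(sessions: List[dict]) -> List[dict]:
    """RDP sessions on a non-gateway host whose source address is the gateway:
    the user used the gateway as a stepping stone to another server."""
    return [s for s in sessions
            if s["host"] != GATEWAY_HOST and s["source"] == GATEWAY_IP]


def describe(session: dict) -> str:
    """One human-readable line per session: who, where, from where, when."""
    end = session["end"].strftime("%H:%M:%S") if session["end"] else "still open"
    return (f'{session["user"]} on {session["host"]} from {session["source"]} '
            f'{session["start"]:%H:%M:%S} -> {end}')


if __name__ == "__main__":
    sessions = build_sessions(parse_events(SAMPLE_LOG))
    for s in sessions:
        print(describe(s))
    for s in find_gateway_hops(sessions):
        print("HOP FROM GATEWAY:", describe(s))
```

What this gives an IT manager is the "who connected, from where, for how long" half of the question; it can also raise an alert when a gateway user fans out to other servers. What it cannot give is the "what did they do" half, since logon events carry no record of the applications opened or the commands run inside the session, which is the gap the text says session recording is meant to close.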

Article Source: http://www.artipot.com
