
Secure Remote Access Technical Solution Guide v1.0
2. Secure Remote Access best practices
Following best practices in designing and deploying a remote access solution lowers the cost of
ownership and dramatically reduces the risk of common security incidents, such as unauthorized
access, theft of information, hacking, denial of service and propagation of threats such as worms
and viruses. Nortel solutions fully support these best practices.
2.1 Keep it simple!
Complexity is the enemy of security and should be avoided in a Secure Remote Access design.
Determine which set of applications each group of users needs. This application set will be small
for most users, and typically includes:
- Web access to e-mail
- Access to a common web portal (news and frequently accessed information)
- Phone directory
- IP Telephony and multimedia
- Web access to voice mail, such as Nortel CallPilot
- Employee tools such as expense vouchering, purchasing and timesheets
- Key line-of-business applications based on employee role
The number of unique roles or groups of users is also typically small and might not map
directly to organizational departments. For many deployments, providing access to fewer
than a dozen key applications maximizes the benefit of remote access while still allowing strict
access control and tracking.
2.2 User authentication
The first step in granting access is user authentication: establishing that a remote user has the
appropriate credentials to connect to the network.
Use a network-based external authentication system that is common to your network and
application environment. Users should not have different sets of IDs and passwords for remote
access. A common authentication system simplifies user management and authorization control,
as well as providing a framework for single sign-on or reduced sign-on capability.
When possible, use a two-factor authentication system that implements a one-time password
(OTP) scheme. These systems are compatible with existing authentication systems and prevent
unauthorized access based on password guessing or theft. Two-factor authentication schemes
are a key requirement when allowing access from public devices, such as shared PCs and
Internet kiosks. Users who authenticate without two-factor credentials can also be restricted to
the less sensitive applications.
When two-factor authentication is not used, prevent password guessing by requiring passwords
that are at least eight characters long and use a mix of letters, numbers, and punctuation. Set
these passwords to expire at regular intervals, and prohibit reuse of the past five passwords.
Employ a preauthentication scan of the client system to detect crimeware or malware, such as
keyloggers, to prevent theft of access credentials.
Employ a mechanism for Password Guess Lockout to disable an account upon successive failed
logon attempts. You can do this through configuration of your network-based authentication
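The password rules above (at least eight characters, a mix of letters, numbers and punctuation, regular expiry, no reuse of the past five passwords) together with lockout on successive failed logons, as an added Python example that is not part of this guide or of any Nortel product. The 90-day expiry interval and the five-failure lockout threshold are assumptions, since the guide leaves those values to the deployment.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

MIN_LENGTH = 8          # guide: at least eight characters
HISTORY_DEPTH = 5       # guide: no reuse of the past five passwords
MAX_AGE_DAYS = 90       # assumption: the "regular interval" for expiry
LOCKOUT_THRESHOLD = 5   # assumption: successive failures before lockout

def complexity_errors(pw: str) -> list:
    """Policy violations for a candidate password; an empty list means OK."""
    errs = []
    if len(pw) < MIN_LENGTH:
        errs.append(f"shorter than {MIN_LENGTH} characters")
    for name, has in (("letters", str.isalpha), ("digits", str.isdigit),
                      ("punctuation", lambda c: c in string.punctuation)):
        if not any(has(c) for c in pw):
            errs.append(f"no {name}")
    return errs

def _digest(pw: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the history never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)  # password digests, newest last
    changed_at: float = 0.0                      # epoch seconds of last change
    failures: int = 0                            # consecutive failed logons
    locked: bool = False
    def set_password(self, pw: str, now: float) -> list:
        errs = complexity_errors(pw)
        d = _digest(pw, self.salt)
        if any(hmac.compare_digest(d, h) for h in self.history[-HISTORY_DEPTH:]):
            errs.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if not errs:                 # only a compliant password is stored
            self.history.append(d)
            self.changed_at = now
        return errs
    def login(self, pw: str, now: float) -> bool:
        expired = now - self.changed_at > MAX_AGE_DAYS * 86400
        if self.locked or not self.history or expired:
            return False             # disabled, never set, or must be changed
        ok = hmac.compare_digest(_digest(pw, self.salt), self.history[-1])
        self.failures = 0 if ok else self.failures + 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.locked = True       # account stays disabled until re-enabled
        return ok
```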