IT Baseline Protection Manual S 4.110 Secure installation of the RAS system
Initiation responsibility: Head of IT Section, IT Security Management Team
Implementation responsibility: Administrators
After the hardware and software necessary for implementation has been purchased as part of the organisational preliminary work, the individual components must be installed and operated. Generally a RAS system can only be securely operated if care has previously been taken over the installation. A prerequisite to secure installation is the selection of suitable hardware and software for RAS access (quality, interoperability, compliance with existing standards) through the previous decision process (see S 2.186 Selection of a suitable RAS product). This goes to show once again how important it is for the decision process to be thorough and systematic.
The physical components of a RAS system consist of conventional IT systems: generally there are at least one server and several clients, network switching elements, modems or other technical devices. The physical security of these items must be assured as for all other components of a computer network. Hence at the outset the general safeguards for each of these components must be implemented, as described in Chapters 3 to 9.
The following additional points should be considered specifically with reference to installation:
It must not be possible either for users or external third parties to access either the RAS system or any part of it during the installation phase. No connections to the productive LAN or to the telecommunications systems should be active.
The installation must be performed by appropriately skilled personnel.
The installation should follow the procedures specified during planning of the RAS system.
The installation and configuration must be documented. This can take the form of either separate installation documentation or a confirmation that the installation agrees with the planning premises.
If during installation any departures from the planning premises (e.g. different cable arrangement, additional equipment) occur, these must be documented and a note should be entered in the planning documents explaining why the change was made. This documentation is especially important as a means of improving future planning.
The correct functioning of each individual component must be established (e.g. through function testing or self-test).
For every security-relevant setting, a function test of the security mechanisms must be carried out. For example, encryption of communications should be tested using a network analyser.
Once the installation work is complete, the correct functioning of the entire system must be verified (acceptance and approval of installation). Normally this should entail the use of predefined acceptance configurations and simulated operational scenarios. During testing care must be taken to ensure that only the persons authorised to participate in testing can access the RAS system.
Upon completion of installation of a RAS system, the system should have a secure starting configuration which initially allows access only to the authorised administrators (see also S 4.111 Secure configuration of the RAS system). These persons should then convert the RAS system to a secure operating state. Once this is achieved, continuous operations can then commence.
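As an added illustration of the function test of the security mechanisms called for above (this is example code, not part of the BSI text), the following Python script evaluates a set of payloads as a network analyser would have recorded them on the RAS link while a known test string was being sent through the connection. It treats a payload as encrypted only when its byte entropy is high and it is not mostly printable text, and fails the test if any frame is cleartext or the test string appears verbatim in the capture; frames too short for a meaningful entropy estimate are reported but not judged. All payloads, the marker value and the thresholds are constructed for the example.

```python
"""Acceptance check for S 4.110: does captured RAS traffic actually look encrypted?

Constructed example. The payloads below stand in for what a network analyser
would record on the link while a known test string is sent through the RAS
connection. Nothing here talks to a real network.
"""
import math
import random
import string

# Marker the tester sends across the RAS link during the function test
# (constructed value; any string that will not occur by chance will do).
TEST_MARKER = b"RAS-ACCEPTANCE-TEST-7f3a"

MIN_PAYLOAD_LEN = 64       # entropy is meaningless on tiny control frames
MIN_ENTROPY_BITS = 6.0     # per byte; text lands around 4-5, ciphertext near 8
MAX_PRINTABLE_RATIO = 0.7  # ciphertext is roughly 39% printable ASCII by chance

_PRINTABLE = set(string.printable.encode())


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution of `data`."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (letters, digits, punctuation, whitespace)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in _PRINTABLE) / len(data)


def classify_payload(payload: bytes) -> str:
    """Return 'encrypted', 'cleartext' or 'too-short' for one captured payload."""
    if len(payload) < MIN_PAYLOAD_LEN:
        return "too-short"
    if (shannon_entropy(payload) >= MIN_ENTROPY_BITS
            and printable_ratio(payload) <= MAX_PRINTABLE_RATIO):
        return "encrypted"
    return "cleartext"


def encryption_function_test(payloads, marker: bytes = TEST_MARKER) -> dict:
    """Evaluate a whole capture.

    Passes only if at least one payload was judged, none is cleartext and the
    test marker never appears verbatim. Short frames are counted, not judged.
    """
    verdicts = [classify_payload(p) for p in payloads]
    marker_leaked = any(marker in p for p in payloads)
    result = {
        "payloads": len(payloads),
        "encrypted": verdicts.count("encrypted"),
        "cleartext": verdicts.count("cleartext"),
        "too_short": verdicts.count("too-short"),
        "marker_leaked": marker_leaked,
    }
    result["passed"] = (result["cleartext"] == 0
                        and not marker_leaked
                        and result["encrypted"] > 0)
    return result


# --- constructed sample captures --------------------------------------------
def _pseudo_ciphertext(n: int, seed: int) -> bytes:
    """Stand-in for an encrypted frame: uniform random bytes from a seeded PRNG."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Link with encryption enabled: four data frames plus one short control frame.
CAPTURE_ENCRYPTED = [_pseudo_ciphertext(512, s) for s in range(4)] + [b"\x7e\xff\x03"]

# Link with encryption disabled: application data, and the marker, are visible.
CAPTURE_CLEARTEXT = [
    b"constructed PPP/IP payload: GET /intranet/status HTTP/1.0\r\nHost: ras-test\r\n" * 2,
    b"constructed telnet echo: login: alice  marker=" + TEST_MARKER + b"\r\n" + b" " * 40,
]

if __name__ == "__main__":
    for name, capture in (("encrypted link", CAPTURE_ENCRYPTED),
                          ("unencrypted link", CAPTURE_CLEARTEXT)):
        print(name, encryption_function_test(capture))
```

The thresholds are heuristics: compressed traffic can also look random, so a passing result supports, but does not replace, confirming in the analyser that the encryption option was actually negotiated for the connection. A cleartext verdict or a leaked marker, on the other hand, is a hard failure of the installation acceptance.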
Example
Under Windows NT the installation of RAS servers and clients is very simple and is virtually identical for both, since the Windows NT Remote Access Service contains both client and server functions.
The following applies to a RAS client running under Windows NT:
The server functions of the Remote Access Service must be disabled. This is done by allowing only outgoing calls on all devices which can be used for remote access (e.g. modem, ISDN card, VPN adapter). The relevant dialogue boxes are reached by selecting the following sequence of options: Control Panel, Network, Services, Remote Access Service, Attached Device, Configure.
For the RAS client only the protocols that are permitted for remote access should be enabled. This is done by selecting Control Panel, Network, Services, Remote Access Service, Attached Device, Network.
The characteristics of a RAS connection are specified in Windows NT through Dial-Up Networking. Here the parameters required under the RAS security concept should be set (e.g. "Require data encryption").
The following applies to a RAS server running under Windows NT:
The client functions of the Remote Access Service must be disabled. This is done by allowing only incoming calls on all the devices which can be used for remote access.
For the RAS server only the protocols that are permitted for remote access should be enabled.
The parameters required under the RAS security concept must be set for incoming RAS connections. This is done by selecting Control Panel, Network, Services, Remote Access Service, Attached Device, Network.
Only authorised users should be allowed to dial in. This can be specified under Windows NT through either RAS Manager or User Manager.
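To make the acceptance check against the planning premises concrete, the following is an added Python example (not from the BSI manual) that records the planned RAS client and server settings from the example above as data, compares them with an observed installation and lists every deviation that has no entry in the deviation log kept with the planning documents. Host names, the chosen protocol (TCP/IP), the user names and the observed deviations are constructed sample values; in a real run the observed configuration would be filled in from the installed systems.

```python
"""Installation acceptance against the planning premises (S 4.110).

Constructed example: the planned configuration encodes the Windows NT RAS
settings named in the safeguard text; the observed configuration and the
deviation log are made-up sample data.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Planning premises. Host names, the permitted protocol and the dial-in users
# are assumed values chosen for the example.
PLANNED: Dict[str, Dict[str, Any]] = {
    "ras-client-01": {
        "role": "client",
        "call_direction": "dial_out_only",   # server functions disabled
        "protocols": {"TCP/IP"},             # only protocols permitted for remote access
        "require_data_encryption": True,     # Dial-Up Networking setting
    },
    "ras-server-01": {
        "role": "server",
        "call_direction": "receive_only",    # client functions disabled
        "protocols": {"TCP/IP"},
        "require_data_encryption": True,
        "dial_in_users": {"alice", "bob"},   # granted via RAS Manager / User Manager
    },
}

# What the installer actually set up (constructed): NetBEUI was left enabled on
# the client, and a second, unplanned server was installed.
OBSERVED: Dict[str, Dict[str, Any]] = {
    "ras-client-01": {
        "role": "client",
        "call_direction": "dial_out_only",
        "protocols": {"TCP/IP", "NetBEUI"},
        "require_data_encryption": True,
    },
    "ras-server-01": dict(PLANNED["ras-server-01"]),
    "ras-server-02": {
        "role": "server",
        "call_direction": "receive_only",
        "protocols": {"TCP/IP"},
        "require_data_encryption": True,
        "dial_in_users": {"alice", "bob"},
    },
}

# Deviations already noted in the planning documentation, keyed by
# (component, setting); "*" covers the whole component.
DEVIATION_LOG: Dict[Tuple[str, str], str] = {
    ("ras-server-02", "*"): "second server installed for redundancy; approved by Head of IT Section",
}


@dataclass
class Deviation:
    component: str
    setting: str      # "*" means the component as a whole
    planned: Any
    observed: Any


def find_deviations(planned: Dict[str, Dict[str, Any]],
                    observed: Dict[str, Dict[str, Any]]) -> List[Deviation]:
    """Every difference between plan and installation, including missing or
    unplanned components and settings that exist on only one side."""
    devs: List[Deviation] = []
    for comp in sorted(set(planned) | set(observed)):
        if comp not in observed:
            devs.append(Deviation(comp, "*", "planned", "not installed"))
            continue
        if comp not in planned:
            devs.append(Deviation(comp, "*", "not planned", "installed"))
            continue
        p, o = planned[comp], observed[comp]
        for key in sorted(set(p) | set(o)):
            if p.get(key) != o.get(key):
                devs.append(Deviation(comp, key, p.get(key), o.get(key)))
    return devs


def is_documented(dev: Deviation, log: Dict[Tuple[str, str], str]) -> bool:
    return (dev.component, dev.setting) in log or (dev.component, "*") in log


def acceptance_report(planned, observed, log) -> dict:
    """Acceptance passes only when every deviation has a documented justification."""
    devs = find_deviations(planned, observed)
    undocumented = [d for d in devs if not is_documented(d, log)]
    return {
        "deviations": len(devs),
        "undocumented": [(d.component, d.setting) for d in undocumented],
        "passed": not undocumented,
    }


if __name__ == "__main__":
    report = acceptance_report(PLANNED, OBSERVED, DEVIATION_LOG)
    for d in find_deviations(PLANNED, OBSERVED):
        status = "documented" if is_documented(d, DEVIATION_LOG) else "UNDOCUMENTED"
        print(f"{d.component}.{d.setting}: planned={d.planned!r} observed={d.observed!r} [{status}]")
    print("acceptance passed:", report["passed"])
```

In the sample data the extra server is accepted because its justification is on record, while the additional protocol on the client blocks acceptance until it is either removed or explained in the planning documents. Keeping the planned configuration in this form also gives the acceptance test of the previous section a fixed, predefined configuration to test against.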
Additional controls:
Have all deviations from the planning premises for the RAS system been noted in the planning documentation?
Have the security mechanisms been function tested (e.g. has encryption of communications been tested using a network analyser)?