S 5.122 Secure connection of laptops to local networks

Initiation responsibility: IT Security Officer, Administrator

Implementation responsibility: User, Administrator

Since they are mobile IT devices, laptops have a higher potential for risk than stationary IT systems that are only operated in a controlled environment. For this reason, it is important to specify which rules need to be followed when connecting laptops to LANs in order to prevent the secure operation of the LAN and other IT systems linked to it from being impaired, for example due to malware.

If a laptop is to be connected to the government agency's or company's network after being used externally, a thorough scan should be performed using up-to-date virus signatures to ensure that the laptop is not infected.

If laptops are connected directly to the internet when used in a mobile manner, it is essential to protect them against attacks from the internet using a restrictively configured personal firewall. Virus protection alone is not enough to ward off all expected attacks. Likewise, it is absolutely necessary to keep the software on the laptops up to date and to install the necessary security patches promptly. It is useful to check whether the personal firewall, other security programs, and security patches on the laptop are up to date before the productive network is accessed. It is recommended to perform these checks automatically using corresponding tools so that access to the internal network can be denied if security deficiencies are detected.

The internet application programs installed on the laptop, and especially the browser and email clients, should be operated with secure settings (see S 5.45 Secure use of browsers and S 5.57 Secure configuration of the groupware/mail clients). Administrative mechanisms should be used to prevent users from changing these default settings. In addition, tools could be used to restrict the functionality of the browser so that it is executed in a sandbox-like environment.

Certificates/MAC addresses

It must be ensured that only certain laptops are able to log in to the LAN. Before a laptop is granted access to a LAN, the laptop must successfully authenticate itself to an authentication server.

Device certificates or MAC addresses, for example, can be used to check which devices are authorised in principle to access the network. It must be noted in this context, though, that MAC addresses can be forged and therefore should not be used as the sole authentication criterion.
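The automatic admission check recommended above (firewall, signatures and patches verified before the productive network is accessed, with the MAC address only a pre-filter and never the sole criterion) could be implemented along these lines. This is an added example, not part of the original safeguard; the thresholds, field names and sample values are assumptions constructed for it.

```python
"""Added example: admission decision for a laptop requesting LAN access (not from the original text).
Rules: device certificate required (a registered MAC alone never suffices, since it can be forged),
personal firewall enabled, virus signatures and patches current, malware scan since last external use.
Thresholds, field names and sample values are assumptions constructed for this example."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

MAX_SIGNATURE_AGE = timedelta(days=3)    # assumed threshold
MAX_PATCH_AGE = timedelta(days=14)       # assumed threshold

@dataclass
class Posture:
    mac: str
    cert_valid: bool                      # device certificate verified by the authentication server
    firewall_enabled: bool
    signature_date: date                  # date of the installed virus signatures
    last_patch_date: date                 # date the security patches were last applied
    last_external_use: Optional[date]     # None if never operated outside the organisation
    last_scan: Optional[date]             # None if never scanned

def evaluate_admission(p: Posture, known_macs: Set[str], today: date) -> Tuple[bool, List[str]]:
    """Return (admit, reasons). Any single deficiency denies access, as the text recommends."""
    reasons = []
    # The MAC register is only a pre-filter; the certificate is the real criterion.
    if p.mac.lower() not in known_macs:
        reasons.append("MAC address not registered")
    if not p.cert_valid:
        reasons.append("device certificate missing or invalid")
    if not p.firewall_enabled:
        reasons.append("personal firewall disabled")
    if today - p.signature_date > MAX_SIGNATURE_AGE:
        reasons.append("virus signatures out of date")
    if today - p.last_patch_date > MAX_PATCH_AGE:
        reasons.append("security patches missing")
    if p.last_external_use is not None and (p.last_scan is None or p.last_scan < p.last_external_use):
        reasons.append("no malware scan since external use")
    return (not reasons, reasons)

TODAY = date(2024, 5, 10)                # constructed reference date
KNOWN_MACS = {"00:11:22:33:44:55"}       # constructed device register (lower-case MACs)

def sample_posture(**overrides) -> Posture:
    """Constructed, fully compliant laptop posture; keyword overrides introduce deficiencies."""
    base = dict(mac="00:11:22:33:44:55", cert_valid=True, firewall_enabled=True,
                signature_date=date(2024, 5, 9), last_patch_date=date(2024, 5, 1),
                last_external_use=date(2024, 5, 8), last_scan=date(2024, 5, 9))
    base.update(overrides)
    return Posture(**base)
```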

Access restrictions

It must be ensured that a given VPN user is only able to access the services provided on the servers in the LAN that the user needs to perform his or her task. This could be ensured using user-based authentication at the application level and the control of the traffic with the help of packet filters, for example (packet filters alone are inadequate due to the ease with which IP addresses can be forged).

VPN

Access from a laptop to the internal network over an external network should only be permitted using a secure VPN. If the organisation allows official emails to be retrieved over the internet using a web mail solution, it must be ensured that the emails are only transmitted in encrypted form from the server to the laptop (e.g. using SSL). However, it is not only necessary in this case to secure the transport channel, but also to specifically secure the end system itself. It is possible to compromise a laptop when standard protocols such as HTTP or SMTP are used to access the internet while simultaneously using the VPN. For this reason, laptops should be secured in such a way that it is impossible to open any other connections while there is a VPN connection open to the internal network, i.e. split tunnelling must be prevented. It must be guaranteed in this case that all outgoing data packets of the client pass through the tunnel and that only data packets coming from the tunnel are accepted.

It is also necessary to ensure in this context that no other networks can be accessed while the VPN-secured laptop has access to the internal network. In particular, the WLAN and Bluetooth functionality must be disabled on the laptop while accessing the VPN. Additional information on transmission security can be found in S 5.76 Use of suitable tunnel protocols for VPN communication.
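The requirement that all outgoing packets pass through the tunnel can be verified on the client by inspecting its routing table. The following added example (not from the original safeguard) parses constructed Linux `ip route show` output and reports every route that would let traffic bypass the tunnel; the interface names, addresses and the tolerance for the on-link route needed to reach the VPN gateway are assumptions of this example.

```python
"""Added example: detect split tunnelling from a laptop's routing table (not from the original text).
Parses constructed `ip route show` output (Linux format). Policy: the default route must use the
tunnel interface; on other interfaces only routes needed to reach the VPN gateway itself are
tolerated (the host route to the gateway and the on-link route containing its next hop), and
the packet filter must restrict that interface to the gateway. Names and addresses are constructed."""
import ipaddress

def parse_routes(text):
    """Turn `ip route show` lines into dicts with keys dst (ip_network), via, dev."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        route = {"dst": ipaddress.ip_network(dst, strict=False), "via": None, "dev": None}
        for key in ("via", "dev"):
            if key in parts:
                route[key] = parts[parts.index(key) + 1]
        routes.append(route)
    return routes

def split_tunnel_violations(route_text, tun_if, vpn_gateway):
    """Return a list of human-readable violations; an empty list means full tunnelling."""
    gw = ipaddress.ip_address(vpn_gateway)
    routes = parse_routes(route_text)
    # Destinations a non-tunnel route may legitimately serve: the gateway and the next hop leading to it.
    allowed = {gw}
    for r in routes:
        if r["dev"] != tun_if and r["via"] and gw in r["dst"]:
            allowed.add(ipaddress.ip_address(r["via"]))
    violations = []
    for r in routes:
        if r["dev"] == tun_if:
            continue                       # everything through the tunnel is fine
        if r["dst"].prefixlen == 0:
            violations.append(f"default route not via {tun_if}: dev {r['dev']}")
        elif not any(a in r["dst"] for a in allowed):
            violations.append(f"route bypasses tunnel: {r['dst']} dev {r['dev']}")
    return violations

SAMPLE_ROUTES = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
203.0.113.10 via 192.168.178.1 dev wlan0
192.168.178.0/24 dev wlan0 proto kernel scope link src 192.168.178.20
10.0.0.0/8 via 192.168.178.1 dev wlan0
"""
```

On the constructed table the check flags only the 10.0.0.0/8 route on wlan0, which would carry traffic to a private network outside the tunnel.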

A mobile IT system can easily fall into the wrong hands. For this reason, the connection to the internal network (i.e. the tunnel connection) should not be established automatically, but only after the user has been authenticated. Additional recommendations of the BSI on the secure implementation and operation of VPNs can be found on the website www.bsi.bund.de under the heading "Internet Security".

DHCP

The dynamic host configuration protocol (DHCP), when used in IP-based networks, automatically assigns temporary IP addresses as well as routing and DNS server information to the connected clients so that the laptop does not need to be configured for internet access by the user any more.

If DHCP is enabled, an IT system is automatically assigned a valid IP address in the local network, and the IT system can then access all shared folders and drives. To prevent this, DHCP should be disabled on the laptop whenever it is not needed (although the IP addresses will need to be assigned manually in this case). In addition, the MAC address of the client should be checked when assigning it an IP address to determine if the client should be allowed access to the network.

Internet accesses

It must be specified whether or not laptops will be allowed direct access to the internet. The critical point in this case is that it is possible to bypass the organisation's own security gateways and security mechanisms, which then has the potential to lead to security problems. There are several different possible solutions, and the appropriate solution must be selected based on the security requirements and application environment:

Authentication for VPN usage

The authenticity of the user should be ensured using strong authentication procedures before establishing a VPN connection.

Strong authentication procedures include, for example, one-time passwords and challenge/response procedures.

Logging

The use of the server services should be documented by logging all accesses to the server. It should also be possible in this case to determine if a laptop accessed the services from inside the company or government agency or from the outside.

Temporary data

It should be ensured that all authentication information stored temporarily and used to establish a VPN is automatically deleted at the end of the VPN session. This applies to VPN connections terminated intentionally as well as to unintentionally terminated VPN connections. In addition, care should be taken when using browser-based SSL VPNs, for example, to ensure that all temporary storage is disabled so that authentication information is not stored temporarily in the first place, since such stored information would make it easier for an attacker to re-open the VPN connection.

Review questions: