Creating a "back door"

GT-Rob Member Posts: 1,090
I know this isn't a CCNP topic (might be more of a CCSP really), but I figured I would ask here.


Right now, our environment only has one way in, through the front door/DMZ. A firewall cluster that is the front for our websites, remote access, VPN tunnels, etc. works great; however, for support purposes, if the firewall is down, I'm screwed. Even if just the LAN side is down, I can't authenticate to our LAN LDAP and am still cut off.


So I have been thinking of creating a "back door" to get to my desktop, where I can access our network inside of the firewall and switches. Basically, try and save me from driving 30 mins to work in the middle of the night. I am a little concerned about the security aspect of it though, and wanted to get people's thoughts. Here's what I had planned:


A DSL plugged into a 2800 router which will either A: port forward my connection to RDP to my desktop, or B: I build an SSL or IPsec tunnel with it and launch RDP from there. Obviously B sounds more secure, but might be overkill? I would restrict access to my home IP (static), and the router itself would have access to nothing but my PC (although it is otherwise on the corp LAN, which is what scares me). The 2800 would have all the security features I am familiar with turned on, of course. Perhaps even monitored for access attempts.



Am I missing anything here? Am I making any security guys shake their heads? Is there an alternative I haven't considered? I don't plan to have this rely on LDAP, as I still need a way in if it's down.

Comments

  • peanutnoggin Member Posts: 1,096
    GT-Rob wrote: »
    Am I missing anything here?

    It sounds like you're missing management approval!


    Although you have good intentions, you definitely need to have management on board with a decision such as this. That way, you guys can put a policy in place to spell out exactly what you need to do. Should someone compromise the network via "your backdoor," you don't have to explain to a judge or lose your job!!!

    Now, from the technical aspect, having a backup DSL with access only to your PC via RDP over an IPsec tunnel is not a bad idea. I would also tell you to be sure your routers and network devices have local logins (if they don't already) so you can access them should your LDAP server be unreachable as well. Just my thoughts... I'm sure someone has some different ideas out there.

    -Peanut
    We cannot have a superior democracy with an inferior education system!

    -Mayor Cory Booker
  • jason_lunde Member Posts: 567
    that's what she said...

    Is this for access to network equipment, or servers and everything else? I like to have an aux port with a dial-up modem for backup to networking equipment. Secure the aux port, and you can SSH/telnet around your network from the device you dialed into. If you need access to a PC though, like for RDC, I like the VPN option. Completely firewall that port off, and only allow your tunnel in.
  • jason_lunde Member Posts: 567
    It sounds like you're missing management approval!
    captain critical...sheesh...
    j/k
  • wastedtime Member Posts: 586
    The one case you may want to reference is "State of Oregon vs. Randal Schwartz."
  • GT-Rob Member Posts: 1,090
    We do have a modem pool hanging around that lets us into a term server to jump from, but I don't even have a phone line at home, and these days I am more likely to find Internet than a phone line when I am in a jam.

    The firewalls hung last week, leaving me completely cut off. Luckily I had hands and feet on site for something else, whom I had reboot one of them, but I was very nervous being blind like that. We have also had AD issues that have cut out our remote access, which is why I want it to use local auth at least to get in.

    The access will be to my desktop or some other "jump box" so that I don't open my management domain directly to this edge device.

    Oh, and as for management approval, I AM the approval :P I brought it up for budget reasons, and was given the green light regardless of cost really, but I want to keep it sensible.

    I guess the question is, what do you use for out-of-band/aux, when phone lines are gone?
  • mikearama Member Posts: 749
    that's what she said...

    Hah... I was thinking the same. Back door. Nice.
    wastedtime wrote:
    The one case you may want to reference is "State of Oregon vs. Randal Schwartz."

    Schwartzie was guilty of way more than running a "gate"... he hacked Intel and O'Reilly passwords. The gate was against company policy... hacking classified passwords was the felony. Nonetheless, he's a bonehead.
    GT-Rob wrote:
    Oh, and as for management approval, I AM the approval

    Well played.

    We run a Citrix solution for our users, but with ASA firewalls, creating a back door was a breeze. If the Access Gateway ever goes down, everyone else is toast... I just gotta fire up my AnyConnect client, and boom... doggy style, baby.
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
  • Forsaken_GA Member Posts: 4,024
    GT-Rob wrote: »
    I guess the question is, what do you use for out-of-band/aux, when phone lines are gone?

    My previous employer used a Clear WiMAX solution for out-of-band management. It was hooked up to a box that had console access to the core routers and was firewalled to accept only connections from inside the company network, or from a select range of remote IPs.
  • GT-Rob Member Posts: 1,090
    That is sort of what I was thinking, and restrict it to my home IP. I'm just paranoid, I guess, since it's not passing the firewall, IPS, etc. I've just got it ingrained that the DMZ should be in between.


    And this is not trying to leave myself a way in, this will be completely known and documented. I have to get 4 people above me to sign off on the router/dsl purchase anyway :P
  • creamy_stew Member Posts: 406
    If you run an IPsec VPN which only allows you to RDP to a single computer, I'd say how secure the computer you're using to connect to the corporate network is would be the greater issue :)

    Then again, you probably have all sorts of people connecting to the LAN via VPN as it is.
    Itchy... Tasty!
    [X] DCICN
    [X] IINS

    [ ] CCDA
    [ ] DCICT
  • GT-Rob Member Posts: 1,090
    Yeah, we already get through on the firewall to pretty well any internal resource (via IPsec soft client and hardware site-to-sites). On a scale of 1 to 10, I would say our network is about a 3 as far as security goes. But I'm coming from a global bank network to a national retail chain network (and just the head office, no POS or anything). So there is no one watching over me to make sure I don't poke a hole too big, so that's why I have to be very careful of the things I do, for the company's sake more than my own.
  • Paul Boz Member Posts: 2,620
    1.) Procure a cable or DSL connection that is on a different service provider than your primary WAN connection(s).

    2.) Procure a static IP for your home Internet.

    3.) Procure an ASA 5505 or similar SOHO VPN gateway for the cable or DSL connection at your office.

    4.) Create ACLs to restrict access to/from specific remote hosts (your home IP, for example).

    5.) Create an emergency access console on your internal network and set it up with extremely strict password requirements, lockout policy, and/or token access.

    6.) Create ACLs to restrict internal access from that VPN to the management console only.


    The above controls will allow you secondary administrative access into the network to perform emergency procedures. Auditing should be fully enabled and user access should be reviewed on an extremely regular basis. I would recommend setting up some type of alerting in your environment to notify you any time someone (there shouldn't be many allowed to anyway) connects to the emergency VPN. By using an emergency console (fancy word for single point of destination) you create a virtual DMZ anyway. Someone would have to first compromise your backup VPN connection (by coming in from your home IP) THEN somehow break through the authentication on the access terminal. If all someone can do once connected to that VPN is try to log into a single system with tight controls implemented on it, you should have an adequate configuration.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
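The alerting piece of the procedure above (notify on every emergency VPN session, and flag anything that is not the approved home IP reaching the single emergency console over RDP) as an added example; this is not code from the thread or from any vendor. The log line format, the addresses and the sample log are all constructed placeholders, so a real gateway's syslog would need its own regex.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Constructed placeholders (documentation ranges, not real hosts): the one
# static home IP allowed in, and the single console the VPN may reach via RDP.
HOME_IP = ipaddress.ip_address("203.0.113.10")
JUMP_BOX = ipaddress.ip_address("10.20.30.40")
RDP_PORT = 3389

# Hypothetical, constructed log format for the backup VPN gateway; a real
# gateway's syslog needs its own regex here.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) VPN-CONNECT user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def classify(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Turn one gateway log line into (ts, user, severity, reason), or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # not a connect event; nothing to report
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    problems = []
    if src != HOME_IP:
        problems.append(f"source {src} is not the approved home IP")
    if dst != JUMP_BOX or dport != RDP_PORT:
        problems.append(f"target {dst}:{dport} is not the emergency console")
    if problems:
        return (m["ts"], m["user"], "high", "; ".join(problems))
    # Expected use is still reported: every emergency VPN session gets a notice.
    return (m["ts"], m["user"], "info", "emergency VPN used from approved host")


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    return [a for a in map(classify, lines) if a is not None]


# Constructed sample log: a normal session, one from an unknown source,
# one aimed at a host other than the console, and one unrelated line.
SAMPLE_LOG = [
    "2012-01-21T02:14:07Z VPN-CONNECT user=gtrob src=203.0.113.10 dst=10.20.30.40 dport=3389",
    "2012-01-21T02:20:33Z VPN-CONNECT user=gtrob src=198.51.100.77 dst=10.20.30.40 dport=3389",
    "2012-01-21T02:22:10Z VPN-CONNECT user=gtrob src=203.0.113.10 dst=10.20.30.41 dport=22",
    "2012-01-21T02:25:00Z LINK-UP interface=dsl0",
]
```

Running `scan(SAMPLE_LOG)` yields one "info" alert for the expected session and two "high" alerts, one for the unknown source and one for the off-console target; the "info" entries are what the post's "notify you any time someone connects" review would be built on.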