Record Secure Remote Access SSL VPN Gateway Sessions
In the following article, I will demonstrate how to Record Secure Remote Access SSL VPN Gateway Sessions, using Terminal Services/ in conjunction with ObserveIT. In this deployment, all secure remote access SSL VPN sessions are routed through one or more central remote access gateways, with secondary remote desktop sessions serving as the method to access internal Windows or UNIX servers and other network devices. All sessions through the Secure Remote Access SSL VPN Gateway are fully audited and recorded. This recorded session allows Auditors and IT managers to have a full visual audit trail of all secure remote accesses SSL VPN connections; identify the source of each secured remote access connection; and view a step-by-step replay of the actions taken and applications accessed on these machines.
This whitepaper covers the following:
- Setting up a Windows Terminal Gateway Server
- Secure communication to the Gateway using SSL VPN Gateway
- Audit, Alert and Replay all Recorded Sessions performed on the Gateways
I would also like to use the opportunity to tell you a bit about ObserveIT – A company which I have recently began working for (read more about my new job at my “My new job – VP Technologies for ObserveIT – Enterprise Scale Window Server Session Recording” article).
ObserveIT is a software solution that is designed from the ground up to be deployed in multi-server enterprise environments and provides visibility into all user activity such as Microsoft Terminal Services, Citrix (ICA) – including published applications, Remote Desktop (RDP), PC-Anywhere, VNC and NetOP.
For more information on ObserveIT, please see: Secure Remote Access SSL VPN Recording by ObserveIT
The Need for Centralized Remote Access
In today’s complex network and IT environments, more and more people need access to corporate servers, applications, databases and management tools. While trying to minimize human intervention with these critical services, IT managers need to consider how to allow the remote access and management of these services: Who to allow access; How to secure and audit access; How to record all actions that are performed on these servers.
The continuous need to control budgets by decreasing operational costs and maintenance fees has led many large and medium corporations to using external consultants and outsourcing services while minimizing internal IT departments.
Establishing Remote Connections
In order to mitigate this risk, a leading approach to enabling remote connections is to create a secure remote access deployment, in which all remote connections go through one or more terminal or citrix gateway servers. All vendors and remote administrators will initiate an remote desktop RDP/ICA Session to these servers, where they will be authenticated and, if authorized, granted access to either the entire desktop, or to a subset of published applications that are to be used for management purposes.
The first component of such a solution is the actual remote access mechanism. Here, we have a few options to consider. The decision on what remote access solution to chose is closely related to security concerns, corporate policy, budget and number of concurrent connections.
Using regular RDP connections from the external world through your corporate Firewall is probably the easiest option to deploy. However, it is also the most unsecure method when compared to the other options. RDP packets travel across the Internet as regular packets, and unless the built-in encryption capabilities of Terminal Server are also employed, this will not provide adequate security for the connection. Furthermore, unless using some sort of remote access control mechanism (such as a Firewall that has authentication capabilities), the only barrier that will prevent a malicious user from entering the network is the Terminal Server Windows Authentication prompt.
Securing the Remote Access Sessions
In order to add an additional layer of security to such connections, we will need to deploy some sort of remote access solution prior to the actual connection to the Terminal Server itself. Options for securing remote access include:
- IPSec, L2TP or PPTP-based VPN connections through Microsoft Windows Server 2003/2008 RRAS, by using Microsoft ISA Server, or by using leading 3rd-party solutions from vendors such as Cisco and Checkpoint
- SSL VPN connections by using appliances such as Juniper SSL VPN, Cisco SSL VPN, Check Point Connectra and others, or by using Microsoft Windows Server 2008 SSTP
- Microsoft Windows Server 2008 TS Gateway connections
The benefits of using VPN-type remote access include the fact that the connection is strongly encrypted, adding extra security encapsulation to each packet. VPN enables the protection against unauthorized access because prior to gaining access to the actual remote management gateway, users are forced to authenticate themselves with their credentials or token, and only then they will be granted access to the gateway. On the other side, in most VPN products, an additional cost is incurred because of the need to deploy VPN servers and extra authentication systems.
Using SSL VPN adds the ability to use SSL-based encryption, which easily passes through most firewalls without the need to open specific ports. SSL VPN makes it easier for remote workers to connect because it usually does not involve any additional software installation on the client side, and is usually initiated from an easy-to-use web browser. This makes such connections ideal for usage on public computers such as the ones found in hotel lobbies and conference centers.
It is worth noting that in most scenarios, SSL VPN is preferred for remote access to those applications that are browser-based (i.e., have a web-based user interface), while IPSec VPN will be used principally for site-to-site communications (rather than individual client remote access).
Using the new SSTP capabilities of Microsoft Windows Server 2008 can help to further reduce costs associated with using 3rd-party solutions.
Protecting the Internal Network
An additional issue that is brought up when discussing remote management scenarios is the concern of controlling what type of traffic can be passed through these VPN connections, and what type of remote computers can actually connect to the corporate network. Often, these un-managed computers might not be fully patched against security vulnerabilities, not have an up-to-date anti-virus product, or not have their personal firewall turned on. This raises many security issues especially when considering the fact that these computers might be using a VPN tunnel type of connection, which in fact is very much like actually connecting them to the corporate network. Furthermore, after successfully connecting to the corporate network, these computers might initiate a type of connection to internal resources that is out of scope for the type of required connection. In order to mitigate these risks there is need to implement a mechanism that will quarantine these computers until they provide proof of being fully patched and up-to-date. These types of quarantine systems can be achieved by using 3rd-party Network Admission Control (NAC) capabilities of VPN appliances such as those provided by Juniper, Check Point or Cisco, or by implementing the built-in Network Access Protection (NAP) found in Microsoft Windows Server 2008.
In order to control exactly what type of traffic is passed through the VPN connection, there is need to either deploy smart appliances such as those provided by Check Point, Cisco, Juniper or Microsoft (with their IAG product), or to place an additional firewall behind the VPN server that will scan the un-encrypted inbound traffic.
Using Microsoft TS Gateway
In addition, using the new capabilities of Microsoft Windows Server 2008 TS Gateway provides further protection of RDP traffic by encapsulating it into SSL packets – much like SSL VPN, but without the need to deploy special VPN servers.
The benefit of using the TS Gateway capabilities of Microsoft Windows Server 2008 is that remote users will only be granted access to the internal servers based upon a strict policy that can be enforced on the TS Gateway, and when combined with the NAP capabilities of the system, will only allow connection of computers that fully meet the security requirements set by the administrator. This scenario employs a number of components. These include the TS Gateway server, a firewall, one or more Domain Controllers, a NAP server and a Network Policy Server (NPS is Microsoft’s implementation of a RADIUS server). The TS Gateway authenticates the client by collecting the user’s credentials and checking them against the TS Gateway Remote Access Policy. It then authenticates against the Domain Controller and performs a security validation as required by the NAP server and its policies. Only when all checks are fully successful, it passes the RDP traffic inwards, towards the remote management gateway server.
Monitoring User Activity
In the scenario outlined above, all remote access connections are indeed secured, and only authorized personnel can connect to the corporate servers.
However, the question of knowing exactly what vendors do once connected remains unanswered. This leaves a gaping hole in the corporate security and compliance: Once vendors connect to the remote management gateway server, in theory they can perform other actions, including opening full Remote Desktop connections to other remote servers. A mechanism is needed that gives IT Managers the full confidence that comes with knowing exactly who connected, what they did while connected, and what applications or system tasks have been used or opened.
Many server-based applications have varying degrees of built-in auditing or logging, including extended diagnostic logging. However, auditing and logging only show cryptic log traces, not actual human actions. Auditing and logging may be of use for debugging an error, but security and regulatory issues create a need for to know exactly what users are doing while logged onto the Terminal Servers. By using the recording and auditing capabilities of ObserveIT, IT Managers receive a clear and concise answer to these questions.
Built specifically for enterprise-wide deployments, ObserveIT gives full control and insight into the actions done by external vendors and specialists that were hired to perform a specific task, as well as by local IT personnel and power users. ObserveIT records all human activities on monitored servers, both with exact visual recording as well as with detailed metadata. Visual recording allows replaying of every user session and understanding of what exactly was performed on the monitored servers, who did it, and what applications where accessed.
In the above deployment scenario, ObserveIT is deployed on each remote management Terminal Server. Built-in server-based policies are configured to trigger recording of all relevant activity performed by external vendors. ObserveIT configuration is also specified to only record the management applications that are published on the remote management Terminal Server.
Real Time Monitoring and Integration with Management Tools
By capturing metadata in addition to visual screenshots, ObserveIT provides an abundance of information about what is seen on the screen, the user performing the action, the remote computer’s name and IP, date, time, application executable name, windows title and more. All this information is stored alongside the screenshots, allowing flexible searching capabilities and enterprise-scale management, allowing rules-based searching without the need to replay screen-by-screen activity.
Another feature of ObserveIT is its capability to also create textual log files for monitoring purposes. These files are stored on the server’s hard disk, and can be parsed by 3rd-party tools such as Microsoft System Center Operation Manager 2007, generating events or alerts based upon information written in them.
ObserveIT’s Identification Services are integrated with the Active Directory database. This service forces users to identify themselves before gaining access to a server desktop or published application. After completing the Windows logon process, the users will be prompted with the secondary ObserveIT logon window, where they will be forced to enter their own personal username and password. This allows us to distinguish specific users, even when logging in using a ‘generic’ “Administrator” account.
Security and Regulatory issues force many IT Managers to seek a solution for vendors and external administrators access their networks remotely. By using a centralized remote management gateway approach, we achieve a more secure implementation for such remote access needs, and by integrating these solutions with ObserveIT, the recording of all human actions and management tasks is easy to collect and monitor. ObserveIT’s advanced indexing capabilities, combined with video replay of screen activity, allows the IT Manager to keep a finger on the pulse of remote access activity, in accordance with security and regulatory requirements.
Benefits of this solution include:
- Accountability of all activities performed by a Service Organization
- Processes that link each system access to a identifiable individual user
- Reduced cost involved in generating Compliance Reports: Less effort, with faster turnaround time
- Unequivocal proof of user activity, guaranteeing authentication and non-repudiation