Remote Access Options

remote accessSooner or later, odds are good that you will either want or need the ability to work remotely. Providing remote access must be undertaken very cautiously, because as soon as you allow an employee to connect to the corporate network, you have to some degree extended your network boundary to their workstation. This means your network’s security is now only as good as the security of the remote user’s system or network. In some cases, this borders on no security at all. This is why remote access must only be granted after careful consideration and planning. While the different types of remote access have different levels of security risk, all types of remote access have some common planning and configuration steps.

Remote Access: VPNs

The first step is to determine what type of remote access is appropriate. A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This generally provides the greatest level of functionality, but also poses the greatest risk. If the remote system is compromised, an attacker is effectively inside your corporate network. While there are steps you can take to mitigate these risks, they may be time-intensive and effort-intensive. To plan, configure and properly secure a VPN solution is the most involved choice of the various remote access solutions you could provide.

Remote Access: Remote Desktop Software

Another option is to provide remote desktop functionality. This would allow a remote user to see and use the desktop of a system at work. A remote desktop acts as if the user is at work, while a VPN acts as if the user’s computer is at work. This type of solution is slightly easier to implement, because you can typically isolate the traffic that needs to be permitted through the firewall to a single TCP port. Many of the same risks exist, however, in that if an attacker manages to gain access to an internal desktop remotely, it is usually easy for them to move information out of the network or otherwise cause mischief. Another key consideration with this type of solution is that you need to have a computer at home and a computer at work. With the VPN option, youonly need to use one system, so if the user has a laptop, it can be used while they work remotely. There are several options for remote desktop functionality: LogMeIn (which is no longer free), TeamViewer (free for home users), and Symantec’s PcAnywhere, to name but a few.


Remote Access: Remote Shell

The last and least functional option is that of a remote shell. Because most users do not operate extensively (or even at all) in a console environment, this type of remote access is generally most suitable for network administration personnel. While it may be impossible for typical users to operate their systems without a GUI, many network tasks and most firewall administration tasks can be permormed with only terminal access. Because the widely-used Telnet protocol sends all data unencrypted, any sensitive tasks should only be performed using a secured protocol such as secure shell (SSH), or Telnet over a Secure Internet Protocol (IPsec) tunnel.

External Links:

VPN at Wikipedia

sudo: An Introduction

sudo

Invoking sudo at the command line in CentOS.

Superuser Do (sudo) is an open source security tool that allows an administrator to give specific users or groups the ability to run certain commands as root or as another user. Its name is a concatenation of “su” (substitute user) and “do”. Sudo is available for download from http://www.sudo.ws/sudo/download.html, but it is included with most Linux distributions. The program can also log commands and arguments entered by specified system users.

Unlike the su command, users typically supply their own password to sudo rather than the root password. The developers of sudo state the basic philosophy of the program is to give as few privileges as possible but still allow people to get their work done. After authentication, and if the /usr/local/etc/sudoers (or /etc/sudoers) configuration file permits the user access, then the system will invoke the requested command. The sudoers configuration file enables a huge amount of configurability, including, but not limited to: enabling root commands only from the invoking terminal, not requiring a password for certain commands; requiring a password per user or group; requiring re-entry of a password every time or never requiring a password at all for a particular command line. It can also be configured to permit passing arguments or multiple comments, and even supports commands with regular expressions.


Sudo was originally written by Robert Coggeshall and Cliff Spencer “around 1980” at the Department of Computer Science at SUNY/Buffalo. The current license is under active development and is maintained by OpenBSD developer Todd C. Miller distributed under a BSD-style license. Sudo’s website is http://www.sudo.ws/.

sudo Features

Here are some of the features of sudo:

  • Command logging: Commands and argument can be logged. Commands entered can be traced to the user. Ideal for system auditing.
  • Centralized logging of multiple systems: sudo can be used with the system log daemon (syslog) to log all commands to a central host.
  • Command restrictions: Each user or group of users can be limited to what commands they are allowed to enter on the system.
  • Ticketing system: The ticketing system sets a time limit by creating a ticket when a user logs on to sudo. The ticket is valid for a configurable amount of time. The default is five minutes.
  • Centralized administration of multiple systems: The sudo configurations are written to the /etc/sudoers files. The file can be used on multiple systems and allows administration from a central host. The file is designed to allow user privileges on a host-by-host basis.


Because sudo logs all commands run as root, many administrators use it instead of using the root shell. This allows them to log their own commands for troubleshooting and additional security. The ticketing system is also ideal because if the root user walks away from the system while still logged in, another user cannot then access the system simply because they have physical access to the keyboard. After the ticket expires, users must then log on to the system again. A shorter time is recommended, such as the default five minutes. The ticketing system also allows user to remove their ticket file.

To install and run sudo from the source distribution, you must have a system running Unix. Almost all versions of Unix support the sudo source distribution, including almost all flavors of POSIX, BSD, and SYSV. Sudo is known to run on: Auspex, SunOS, Solaris, ISC, RISCos, SCO, HP-UX, Ultrix, IRIX, NEXTSTEP, DEC Unix, AIX, ConvesxOS, BSD/OS, OpenBSD, Linux, UnixWare, Pyramid, ATT, SINIX, ReliantUNIX, NCR, Unicos, DG/UX, Dynix/ptx, DC-Osx, HI-UX/MPP, SVR4, NonStop-UX and MacOSX Server.

External Links:

sudo at Wikipedia

The official sudo homepage

© 2013 David Zientara. All rights reserved. Privacy Policy