Abstract

Remote access is a means of accessing resources outside one’s immediate physical location. This has made employee mobility more effective and productive for most organizations. Remote access can be achieved via various channels of remote communication, the most common being Virtual Private Networks (VPNs). The demand for remote access is on the rise, especially during the Covid-19 pandemic, and will continue to increase as most organizations are re-structuring to make telecommuting a permanent part of their mode of operation. Employee mobility, while presenting organizations with some advantages, comes with the associated risk of exposing corporate cyber assets to attackers. The remote user and the remote connectivity technology present some vulnerabilities which can be exploited by any threat agent to violate the confidentiality, integrity and availability (CIA) dimensions of these cyber assets. So, how are users and remote devices authenticated? To what extent is the established connection secured? With employee mobility on the rise, it is necessary to analyze the user authentication role since the mobile employee is not under the monitoring radar of the organization, and the environment from which the mobile employee connects may be vulnerable. In this study, an experiment was setup to ascertain the user authentication roles. The experiment showed the process of 2FA in user authentication and it proved to be an effective means of improving user authentication during remote access. This was depicted via the use of what the user has (mobile phone/soft-token) as a second factor in addition to what the user knows, i.e. password. This authentication method overcomes the security weaknesses inherent in single-factor user authentication via the use of password only. However, the results also showed that though 2FA user authentication ensures security, the remote devices could exhibit further vulnerabilities and pose serious risks to the organization. Thus, a varied implementation was recommended to further enhance the security of remote access communication with regards to the remote user authentication.

Keywords

Remote Access, Communications Security, User Authentication, 2FA, Virtual Private Network (VPN), Telecommuting, Threats, Vulnerabilities

Share and Cite:

1. Introduction

Many businesses today are utilizing the Internet and its technologies as vital business tools than ever before [1]. The benefits of IT as a tool for business cannot be overemphasized. Almost every organization leverages some aspects of IT in their daily operations. Some opportunities businesses utilized include employee mobility via remote access technologies, improved production via enterprise resource planning technologies, competitive advantage via user-friendly and customer-focused products among others.

Remote access is basically the ability to grant access to an authorized entity from distant locations for the purposes of computing and networking. Various types of remote access are available, such as virtual private network (VPN), desktop sharing or privilege access management (PAM).

Globalization has made employee mobility or telecommuting a necessary part of most organizations, and therefore most companies have adopted mechanisms to allow staff effectively access corporate resources while away from the work premise. While employee mobility enhances productivity, it comes with a myriad of cyber risks that could be exploited for successful attacks. Negligence on the part of the remote user could result in catastrophic consequences for any organization [1]. It is therefore necessary to enhance the security of IT infrastructure as well as user authentication methods to mitigate possible vulnerabilities inherent in user authentication. Verizon [2] reported password leaks as a major contributor to data breaches relating to remote access and connectivity. Most users tend to use the same password across several accounts due to human challenges in recalling and/or use different passwords. A single compromised password could afford the attacker access to several other accounts or resources accessible to the user.

Many research works have proposed password replacement schemes to curb security concerns with user authentication. With two-factor authentication (2FA), stolen password attacks could be prevented since the attacker must validate a second factor before gaining access to the user’s account. In recent times, huge IT organizations such as Google, Microsoft, Facebook among others, have implemented two-factor authentication mechanism in their services. 2FA enhances single factor authentication and provides a layer of security by requesting the user to be authenticated twice before access to requested resources is granted. 2FA relies on existing password authentication (something the user knows), in addition to something the user has such as hardware token or something the user is such as fingerprint pattern. While 2FA does not promise total security, when implemented properly, it ensures that attacks are made difficult for the attacker. For example, remote impersonation attacks can easily be overcome by 2FA such that should a user’s password be stolen or guessed, the attacker would need to have access to the second factor such as the hardware token, the soft-token generated on the user’s phone, etc. before access can be granted. 2FA could be implemented in many forms such as one-time password (OTP), Accept/Reject Buttons, QR Code Scanning, hardware tokens such as Ron Rivest, Adi Shamir and Leonard Adleman (RSA) SecurID, etc.

This study assumes that 2FA is usable if properly implemented with users properly trained to be aware of cyber security implications [3].

The succeeding sections review literature relevant to the study, the methodological approach adopted for the study, the findings of the study presented to show packet capture information that will be relevant to a malicious actor and finally, conclusions and recommendations offered.

2. Literature Review

According to the U.S Code, information security is ensuring that information and information systems are safeguarded with the aim of providing confidentiality, integrity and availability [4]. Information security is to ensure that information and information systems do not get into wrong hands to be manipulated or used for wrong or harmful purposes. There is dearth of literature on the use of IT as a tool to curb human weaknesses in information security. Most literature focus on user training to increase security awareness. A 2018 UK-based cyber report indicated that most large corporate institutions prioritize cyber security as compared to smaller organizations, and therefore provide cyber awareness training for staff [5]. However, in Africa, training is not commensurate to cyber-attacks [6]. Most organizations do not provide training, while others wait until an attack happens or in most cases provide training which has very little information security content. These, coupled with other factors, contribute to the ever-increasing successes in cyber-attacks since threat agents are working round the clock with sophisticated tools at their disposal. One could not agree less with [7] that it is about time organizations realize that while training is important, it is imperative to complement it with technical mechanisms to minimize the user weaknesses in the cyber security chain.

2.1. Remote Access Connection

Remote access refers to reaching data or resources which is outside one’s immediate location. Remote access in the corporate sense could either be in the form of telecommuting or workers accessing corporate resources from outside the corporate network or in the form of technical support firms accessing a user’s machine from a remote location for technical assistance [8]. Previously, remote access connection was established via traditional dial-up technologies. Dial-up technology was expensive due to either an organization procuring a leased dedicated circuit from public switched telephone network (PSTN) or by privately installing wired circuits [9]. Currently virtual private network (VPN) technologies have replaced traditional dial-up methods. Irrespective of the means used to establish remote access, some technologies need to be in place to implement the access connection and to establish communication. Some of these technologies include the protocols required to establish connection between a client and remote server, as well as protocols to secure the transmission of data between the endpoints in the connection. Additionally, there must be in place an access method and control mechanism to facilitate communication between the client and remote server as well as ensure only legitimate users have access to resources remotely.

· Remote Desktop is a type of remote access method that enables a user to reach and control another computer from a remote location as though the remote computer is local. The remote user can see, take control of, and interact with the remote computer. Remote desktop access requires the installation of supported software on both local and remote computers for a successful connection and communication. Remote desktop is usually used by technical staff to aid users remotely on technical or other user support needs. It is also employed by system and network administrators to control, administer and support systems and users on the network [8].

· Virtual Private Network (VPN) is an extension of a local area network by establishing a tunnel between two endpoints via technologies such as Secure Socket Layer (SSL), Open VPN, etc. VPN enables a remote user to be part of a corporate network and access corporate resources. Most VPN implementations make use of Layer 2 Tunneling Protocol (L2TP) which allows service providers to enable remote dialup VPN access for customers. To protect data in transit over the public Internet, data is encrypted and encapsulated via IP Security (IPSec) technology. This ensures that, data in transit via the tunnel cannot be eavesdropped on or intercepted by man-in-the-middle attacks [10]. Due to these security measures provided in the implementation of VPN connections, organizations have a level of security reliance on VPN to improve productivity since workers can access resources from any location outside the work premise.

· VPN connectivity could be implemented in two variations which are client-to-site and/or site-to-site connections. Client-to-site connections involve corporate network and a remote user, whereas site-to-site involves two (2) or more corporate networks.

· Other methods include Wide Area Network (WAN), integrated services digital network (ISDN) or digital subscriber line (xDSL) [11].

2.2. User Authentication

2.2.1. User Authentication Factors

An authentication factor is a credential that is required whenever a user needs to validate their identity to access a system. There are basically three broad categories of factors commonly deployed in user authentication, each of which is described below [12]:

· Knowledge-Based Factors

Knowledge-based factors refer to something the user knows. Examples of such factors include password, personal identification number (PIN), etc. knowledge-based factors are mostly used in single-factor authentication where the user is required to provide a valid username and corresponding password to access a system.

· Possession-Based Factors

Possession-based factors refer to something the users have in their possession. Examples of such factors include hardware token device, a smart phone, security USB drive, etc.

· Inherence Factors

Inherence factors are “something the users are made of” and are metrics intrinsically owned by authorized users or entities. They typically manifest as biometric-based factors, which include fingerprints, facial, retina or voice patterns, etc.

2.2.2. User Authentication Types

Described below are some common authentication types available, according to [13].

· Password Authentication

Password authentication is the most common type of user authentication [14]. It is also referred to as a single factor authentication (SFA). It requires the user to input a secret that is known to them. This secret could be a password, a PIN or a pattern. Lamport [15] was the first to introduce password authentication. Research shows that this type of authentication is less secure and has been prone to several cyber-attacks such as password guessing, brute force attacks, phishing among others.

· Two-Factor Authentication (2FA)

Two-factor authentication is a type of authentication that complements single-factor authentication to provide an additional layer of security. This is achieved by means of requesting the user to type in a code from a software or hardware token after entering a valid username and password. 2FA was designed to resolve some known vulnerabilities with SFA [16]. While this type of authentication does not offer hundred percent security, it is better and safer than single-factor authentication. 2FA was first proposed by [17] and has gone through many evolutions towards an enhanced authentication mechanism. Some variations of 2FA include smart cards, hardware security tokens, soft-based tokens among others.

· Biometric Authentication

The United States Department of Homeland Security defines Biometrics as unique physical properties that can be used for automatic recognition [18]. Biometric authentication relies on user physiological characteristics for authentication purposes. Some physical characteristics include iris colour, fingerprint pattern, facial recognition among others. This authentication methods seeks to improve upon 2FA and overcome some security challenges present in 2FA. Biometric authentication was first introduced by [19], who proposed the first three-factor authentication method based on biometrics. Three-factor authentication improves upon SFA by assuring physical presence of the user.

2.3. User Authentication Role in Remote Access Connection

Remote access to corporate resources via VPN requires a remote client to initiate the connection. The remote client is the computer user who could be at home, in a coffee shop, at a friend’s workplace or at a public Internet café. Irrespective of location, the remote connection requires the user to first have Internet connectivity, and then to authenticate via the remote access client application installed and configured on their machine, to access corporate resources. While single factor authentication is considered insecure, VPN inherently does not foster strong user authentication mechanism [20]. Additionally, users can misplace their authentication credentials, share with friends and family, inadvertently yield credentials to threat agents via social engineering attacks, fall prey to shoulder surfing, or compromise the computing machine to be used as a command and control unit to infest their corporate network due to negligence on the source of Internet connectivity used remotely. These actions or inactions by the user could result in a threat agent gaining unauthorized access to corporate resources which could have ripple adverse implications on the organization. The use of additional authentication factors for remote access, such as one-time-password, in addition to single factor authentication could alert the user to take necessary action against any connection that they or anyone they have shared credentials with have not initiated. Where computer authentication is implemented, this could further make it harder to threat agents to gain access and thereby mitigate inherent risks.

3. Experimental Methodology

3.1. Experimental Design

Design of experiment is basically a design of activities geared towards describing and explaining an observed concept of information or difference in conditions, typically within set limits, and that are occasioned to prove the concept or otherwise. In this study, the design experiment consisted of 3 key phases, as follows:

· Identification phase:

In this phase, the remote user logs on to the VPN client with a valid username. The VPN client communicates with the firewall for authentication.

· Authentication phase

The firewall is configured with Remote Authentication Dial-In User Service (RADIUS) server which points to the IP address of Microsoft Active Directory (AD). Microsoft Active Directory is the centralized user database that contains every information required to successfully authenticate the user [21]. During the authentication phase, user inputs logon credentials, the hash value is passed to the AD via firewall RADIUS for the AD to confirm if the credentials are valid by matching it to the AD’s hashed value of stored user credentials. If successful, the VPN client prompts user for token. The firewall communicates with the user via email for initial setup of token. Subsequent tokens are generated on the authentication app. After successful validation of token, a secure connection is established between the remote user and the corporate network.

· Secure Tunnel Establishment

In this phase, the network is monitored for IPSec tunnel establishment negotiation protocols. Communication protocols being used in the VPN tunnel establishment process are also monitored to analyze any possible attacks that could be initiated against the protocols.

3.2. Experimental Setup

· Remote User

The remote user is a staff with a valid username and password. The username is for identification and the password is for authentication. For 2FA, the user email ID is also registered in the firewall with 2FA option enabled for remote connectivity (Table 1).

· Remote Client

The remote client is the corporate laptop assigned to staff for corporate work. The remote client has a VPN client installed and configured for remote access. Table 2 depicts the specifications for both the remote client and the VPN client.

· Authentication Server

The authentication server contains details about registered users and laptops. Microsoft Active Directory (AD) is used for this experiment. HP ProLiant 380 Gen9 server was used running Windows Server 2012 Standard R2.

3.3. Network Traffic Monitoring Tool

· Wireshark

Wireshark is a free downloadable software which is compatible with windows operating systems. It was used to capture packets of data as they traverse the communication link between the remote user the corporate network.

· FortiGate 100E (Firewall)

The firewall records logs on user and network activity. These logs were also monitored and analyzed for network traffic.

3.4. Experimental Process

In Figure 1, the authentication process flow is described. In the first phase, the user supplied valid username and password which were authenticated from Microsoft AD via RADIUS configured on the firewall. This is depicted as XAUTH (extended authentication) in the firewall interface. Upon successful XAUTH, the second phase is initiated where the user is prompted by the VPN client to provide a soft-token generated on the mobile authentication App. Upon successful token validation, the remote connection is successfully established. The user can then access corporate resources such as files servers, print services among others.

Below is a description of the flow of activities as depicted in the figure:

1) Remote user opens FortiClient and enters username and password;

2) The username and password are transported over the Internet to the Firewall;

3) The Firewall confirms the username and password validity (Single Factor Authentication) from the Microsoft Active Directory via RADIUS authentication;

4) A successful Single Factor Authentication is communicated by the Active Directory to the Firewall;

5A) Successful Single Factor Authentication is communicated to the Remote Client via the FortiClient and requested to provide a second factor (i.e. the soft-generated token) for authentication;

5B) The soft-generated token is displayed on the Mobile FortiToken and the user enters it in the FortiClient’s Token field;

6) The token inputted by the user is validated by the Firewall (i.e. second factor authentication);

7) A successful two factor authentication is communicated between the firewall and the FortiClient; and

8) A secure IPSec tunnel is established between the firewall and the remote client, providing the remote user secure access to the corporate network and resources.

4. Findings and Data Analysis

4.1. Findings

Presented below in the ensuing sections are the findings of the experiment.

Figure 2 depicts the remote client information detailing the IP addresses used in the sessions. It displays both source and destination IP addresses associated with the query and the connection parameters.

Figure 3 depicts the network address translation (NAT) traversal techniques used in Internet Key Exchange (IKE) negotiations, in accordance with IETF RFC 3947. Basically, NAT traversal is a networking technique use in establishing and maintaining IP-based connections across the NAT-based gateways establishing the VPN connections. Technically, the gateways exchange keys to establish the secure VPN communications channel between them. As a prelude, they authenticate each other and negotiate a way to encrypt subsequent communications for establishing the session [22].

As indicated earlier, Figure 3 dealt with the negotiation aimed at establishing the VPN connection. Then, in Figure 4 appropriate encryption and integrity check are performed on all ISAKMP messages between the entities. Further the IKEv1 negotiation is initiated to establish how the entities will use security services to communicate securely, utilizing IPSec security associations (SAs).

4.2. Data Analysis

The research utilized descriptive data analysis with data obtained from the experiment conducted. The experiment provided data such as the factors used in user authentication, the factors used in remote access communications as well as the impact these factors have on remote access security. Some of the factors include use of password as an authentication factor, remote host details such as IP addresses, authentication protocols among others.

Attack Vectors on Remote User Authentication

· Remote User Details

² Passwords

Passwords were hashed and were therefore not visible in Wireshark [23]. However, recent research from Ruhr-University showed a vulnerability with IPSec VPN. An aspect of the VPN connection under review was password-based login. From their experiment, weak passwords could easily be compromised and make it possible to attack Internet Key Exchange (IKE) protocols [23]. There are several studies that indicate the risks associated with weak passwords. Some system administrators, though expected to know better, use weak passwords or set up systems with default passwords which could have dire consequences if exploited [14] [24].

· Remote Host Details

² IP Address:

Wireshark captured the remote user’s laptop IP address as well as the IP address of the corporate endpoint on which the VPN terminates (FortiGate Firewall, in this experiment). While public knowledge of an organization’s IP address does not pose much threat to any organization, human errors could provide a means for malicious actors to exploit network devices which have public IP address configured. For example, if the firewall used in this experiment has the factory default password unchanged, a malicious actor sniffing the network and getting to know the public IP address of the firewall could try to hack into the corporate network. This malicious agent could initiate a router hacking, denial of service attack or DNS spoofing [25].

· Authentication Protocols

There are several authentication protocols used in IPSec VPN. Two main ones are:

² Authentication Header (AH) protocol

AH protocol is defined in RFC 2402. It provides data integrity by validating the source of the IP packets and protects against replay attacks [26].

² ESP

ESP protocol is defined in RFC 2406. ESP provides encryption. Confidentiality, integrity and protects against replay attacks [26].

VPN authentication methods are in public domain and are therefore known to the public. However, it is important to implement VPN with protocols that are current and provide optimum security.

· Tunnel Negotiation Protocols

² Internet Key Exchange (IKE)

Prior to remote connection establishment, the remote peer (remote client) and corporate peer (firewall) negotiate on pre-configured parameters to ascertain the validity of each other. This is via Internet Key Exchange (IKE) protocol. There are two (2) versions of IKE, which are IKEv1 and IKEv2. IKEv1 is obsolete and has been succeeded by IKEv2, however, most VPN implementations continue to use IKEv1. IKEv1 and IKEv2 have been showed to be vulnerable to deliberate error codes that allow threat agents to launch a man-in-the-middle attacks against IPSec VPN [27].

Phases involved in IKE negotiations are:

· IPSec Phase 1

IPSec phase 1 negotiation could either be main mode or aggressive mode. In main mode exchange, the remote client and corporate peer authenticate each other in multiple rounds with encrypted information while in aggressive mode, parameters are exchanged in a single message with unencrypted authentication information. Authentication parameters could be a pre-shared key or a digital certificate. For this experiment, pre-shared key was used, with aggressive mode.

· IPSec Phase 2

IPSec phase 2 negotiation uses quick mode for the parameters exchange. Exchange in phase 2 is encrypted.

5. Conclusions

This research work was able to demonstrate that 2FA enhances security of the user authentication role in remote access communications. This was depicted via the mobile token which proved that an attacker will need to acquire both single factor as well as the user’s phone, for a successful attack. A proper implementation of 2FA will serve as a first line mechanism of strengthening the user authentication role and thus improve remote access security. While not a total security mechanism, it is a first-hand means to frustrate an attacker’s efforts.

The increasing rate at which technology is advancing has led to many changes in the way corporate institutions operate. Remote working has become part of many organizations as well as the introduction of various mobile devices to the corporate network. However, organizations face a myriad of security issues associated with the freedom IT provides or its ubiquitous nature. While it is convenient for users to work from any location and from any device, it may not be the safest of choices for an organization’s cyber assets. There is therefore the need to implement and enforce end user remote authentication policies and solution, complemented with result-driven training and awareness programs to safeguard corporate resources. The user is consistently the greatest risk factor to an organization’s information security and must therefore be given optimum attention to mitigate consequences of user authentication vulnerabilities. Businesses need to enhance the kind of training and cyber awareness provided to end users, however, training alone will not be enough to mitigate cyber threats [7]. Businesses need to conduct regular security assessments, monitor network traffic for any malicious activities and adopt improved authentication mechanisms to mitigate loopholes in user authentication security. While Cisco recommends 2FA as a solution to security in remote user access, [28] [29] believe that the only solution to authentication vulnerabilities is to adopt biometric authentication. This is because, biometric authentication offers sure proof of genuine user being present. However, from this study, biometric authentication only cannot suffice in remote connection security. The remote device must also be authenticated even if the genuine user is present. Thus, the proposed future works recommended device authentication as a second factor in addition to soft-token 2FA. The next section discussed proposed modifications that could be considered in similar work.

6. Recommendation

Based on the findings from the experiment, the study recommends the adoption of true 2FA solution. This study considers a true 2FA solution to be one that authenticates both user and device before remote access is granted. In this kind of 2FA, the user is authenticated with username and password as single factor, and then authenticated via digital certificate of the connecting laptop in addition to soft-token generated on authentication app. The digital certificate is deployed to the connecting client via Simple Certificate Enrolment Protocol (SCEP). Complementing soft-token with laptop authentication ensures a high degree of validity of the remote user since it will be rare for a hacker to obtain both user laptop and phone to successfully masquerade as a genuine user.

Conflicts of Interest

The authors declare no conflicts of interest.

References