Page 887 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

include Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), Extensible Authentication Protocol (EAP, or its extensions PEAP or LEAP), Remote Authentication Dial-In User Service (RADIUS), and Terminal Access Controller Access-Control System Plus (TACACS+).

Remote User Assistance
Remote access users may periodically require technical assistance. You must have a means established to provide this as efficiently as possible. This can include, for example, addressing software and hardware issues and user training issues. If an organization is unable to provide a reasonable solution for remote user technical support, it could result in loss of productivity, compromise of the remote system, or an overall breach of organizational security.

If it is difficult or impossible to maintain a similar level of security on a remote system as is maintained in the private LAN, remote access should be reconsidered in light of the security risks it represents. Network Access Control (NAC) can assist with this but may burden slower connections with large update and patch transfers.

The ability to use remote access or establish a remote connection should be tightly controlled. You can control and restrict the use of remote connectivity by means of filters, rules, or access controls based on user identity, workstation identity, protocol, application, content, and time of day.

To restrict remote access to only authorized users, you can use callback and caller ID. Callback is a mechanism that disconnects a remote user upon initial contact and then immediately attempts to reconnect to them using a predefined phone number (in other words, the number defined in the user account's security database). Callback does have a user-defined mode, in which the caller supplies the number to be dialed. However, this mode is not used for security; it is used to reverse toll charges to the company rather than charging the remote client. Caller ID verification can be used for the same purpose as callback, by potentially verifying the physical location (via phone number) of the authorized user. Because caller ID is reported by the phone network and can be spoofed, it is a weaker check than callback and should supplement it rather than replace it.
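The two controls just described, rule-based restriction of remote connections (by user identity, workstation identity, protocol, application and time of day) and secure callback with caller-ID verification, as one combined worked example. This is added illustrative code, not code from the study guide; every user, workstation, phone number, rule and request in it is constructed sample data, and the function and field names are assumptions made here for the example.

```python
"""Remote-access gate: an added, illustrative example (not code from the
CISSP study guide). It combines two controls the text describes: rule-based
restriction of remote connections by user identity, workstation identity,
protocol, application and time of day (default deny), and dial-in callback
to the number held in the user's security database with caller-ID checking.
Every account, workstation, rule and request below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import time
from typing import Optional

# Constructed "security database": callback number on record per user.
USER_DB = {
    "alice": {"callback_number": "+1-555-0100"},
    "bob": {"callback_number": "+1-555-0199"},
}

# Constructed register of remote workstations and the user each belongs to
# (in practice keyed by a device certificate or similar, not a free-text name).
WORKSTATIONS = {"WS-ALICE-01": "alice", "WS-BOB-07": "bob"}


@dataclass(frozen=True)
class Rule:
    """One permit rule; a request must match every field to be allowed."""
    users: frozenset
    protocols: frozenset
    applications: frozenset
    start: time  # inclusive start of the permitted time-of-day window
    end: time    # inclusive end; a window with start > end crosses midnight


@dataclass(frozen=True)
class Request:
    user: str
    workstation: str
    protocol: str
    application: str
    at: time
    caller_id: Optional[str] = None           # number presented by the phone network
    requested_callback: Optional[str] = None  # number the caller asks us to dial back


# Constructed rule set. Anything not explicitly permitted is denied.
RULES = (
    # Finance user: VPN to the ERP application during business hours only.
    Rule(frozenset({"alice"}), frozenset({"vpn"}), frozenset({"erp"}),
         time(7, 0), time(19, 0)),
    # On-call admin: SSH or VPN to the admin console in a window crossing midnight.
    Rule(frozenset({"bob"}), frozenset({"ssh", "vpn"}), frozenset({"admin-console"}),
         time(22, 0), time(6, 0)),
)


def in_window(t: time, start: time, end: time) -> bool:
    """Time-of-day check that also handles windows crossing midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def rule_permits(rule: Rule, req: Request) -> bool:
    return (req.user in rule.users
            and req.protocol in rule.protocols
            and req.application in rule.applications
            and in_window(req.at, rule.start, rule.end))


def make_request(user, workstation, protocol, application, hour, minute=0,
                 caller_id=None, requested_callback=None) -> Request:
    """Convenience constructor taking the clock time as integers."""
    return Request(user, workstation, protocol, application, time(hour, minute),
                   caller_id, requested_callback)


def evaluate(req: Request):
    """Return (decision, reason, number_to_dial). Decision is 'deny' or
    'callback'; the gate never grants a live session on the initial call."""
    account = USER_DB.get(req.user)
    if account is None:
        return "deny", "unknown user", None
    if WORKSTATIONS.get(req.workstation) != req.user:
        return "deny", "workstation not registered to this user", None
    if not any(rule_permits(r, req) for r in RULES):
        return "deny", "no rule permits this protocol/application at this time", None
    on_record = account["callback_number"]
    # Caller-ID verification: a presented number must match the record.
    # Caller ID can be spoofed, so this is a supplementary check only.
    if req.caller_id is not None and req.caller_id != on_record:
        return "deny", "caller ID does not match number on record", None
    # Secure callback: hang up and dial the number from the security database.
    # A caller-supplied number is deliberately ignored; honouring it is the
    # toll-reversal (user-defined) mode, which provides no security.
    return "callback", "disconnect and dial number on record", on_record


if __name__ == "__main__":
    demo = make_request("alice", "WS-ALICE-01", "vpn", "erp", 9, 30,
                        caller_id="+1-555-0100", requested_callback="+1-555-9999")
    print(evaluate(demo))
```

The ordering matters: identity and workstation checks come before the rule match, and the callback number is always taken from the record, so a caller who passes every filter still cannot redirect the return call to a number of their choosing.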

               It should be a standard element in your security policy that no
               unauthorized modems be present on any system connected to the