Remote Hacking via KVM

Privacy has got to be the security buzzword of 2007. All out war has been declared by the subversives to use any means necessary to capture everyone’s personal details.

Privacy is so paramount that even the non-profit making security organisation known as FIRST (www.first.org) has dedicated this year’s conference to the protection of Privacy of the corporate and the individual.

The hacker has an arsenal of weapons the more well-known being phishing emails, phishing web-sites, spyware, trojans, keystroke loggers, rootkits and network sniffers.

On the other-side, the corporate security officer has an armoury of defence systems including firewalls, authentication systems, malware detectors, sophisticated event log analysers, intrusion protection systems, patch management systems.

Each of these components is being used to protect the company from the outside threat.

Most Corporate Defences Are Pointing In The Wrong Direction

It is bizarre. It really is. Each year, I go to various security exhibitions and conferences, the quotes from all the vendors and all the analysts are that 60%-80% of attacks come internally - ie from the company’s own users.

At a guess 80% of a corporate security budget is spent on protection against the outside threat whilst a mere 20% is spent on internal protection.

Indeed so great is the inside threat that the analyst company, Bloor have just published a white paper detailing some of the problems of the insider threat outlining such inside threats that needs to be dealt with such as PDAs, USB devices (eg keys, digital cameras, MP3 players) all brought in by company employees can be used quickly and easily to remove private data.

However not much attention is given to the privacy and protection of servers - why? Because the servers are normally locked away with only a KVM (Key Video Mouse) switch to access them and so are believed to be safe.

A few months ago, I was given the task of producing a security audit for a set of servers with a strict deadline. As I was out of the country on a conference, I was temporarily given remote access whilst I was abroad. Now the interesting thing was that I was not given remote access to the servers but to the KVM switch and through the KVM device then had access to the set of servers that I was authorised to access and this is where the story begins.

Super Switch Technology – Do You Have It?

Sad to say but up until then all the remote work I’ve been involved in has used a direct connection to a (RAS) remote access server and then an indirect connection to other servers within the company via the RAS server. This was the first time, I had been given remote access to a KVM. The technology has been about for quite awhile and there are many vendors that supply this type of remote access.

The benefits are immediately obvious.

Having remote access to the KVM switch meant the following:-

  1. No additional remote access software was installed on the servers.
  2. A layered authentication system.
  3. Remote Diagnosis without the Network(Out of Band)

Remote Browser Access to a KVM Switch

Let’s expand on each of these.No Remote Access Software Required

This is phenomenal for a number of reasons.

1. Many servers have either a terminal server access or remote access software installed on them in order for administrators to manage them. However with more and more awareness of the inside threat and rogue administrators, this means that whenever an administrator leaves the company, each of these servers are at risk.

So if these servers are not part of an Active Directory or Linux Kerberos environment then I will need to remove the leaving administrator’s account from each of these servers. For get just one and a back door has been left open.

Using one or more of these latest KVM switches means less authentication to manage. In other words if I have a KVM managing 64 servers, then I only have to resolve the one account access on the KVM rather than managing the account on 64 servers.

2. In a mixed heterogeneous environment consisting of Microsoft Windows, Linux and Solaris systems, I would need to understand and manage different types of remote access software and techniques to use this software. Using my whizzy KVM switch, I don’t need this at all. In addition, how difficult is a menu that just points to different servers to use?

Anyone who’s ever managed any set of servers is normally in fear of….the latest O/S patches and updates. Why?

Well from past experience if they are not thoroughly tested these patches can actually cause damage to the server or other installed components…such as remote access software.

Additionally they need to be controlled and managed to ensure revision levels are maintained.

A Layered Authentication System

Essentially a layer authentication system means that before you can get to a resource you need to go through multiple checks, or layers, on your identity and access rights.

If any of these fail, then you instantly have no access to the next layer and a log is made of your attempt.

Depending on your configuration, a notification event can be sent to let an administrator or security consultant know about this failure.

This is analogous to a working in a highly confidential area at a military base.

First you need to get past the security guard, then you need to get past the door to that section and finally you need access to the confidential area.

Modern KVM switches can replicate this to a variety of levels. In other words, you first need to be authenticated to the switch, then you need to be authenticated to the server that you wish to access.

In fact some modern KVM switches contain a database of servers you have access to and all attempts to access servers not in your remit are not shown to you therefore you do not even get to the logon box of that server.

Not a feature that is available in the dumb KVM switches!

KVM Switched On Security

Remote Diagnosis Without the Network

One key element was that I was not reliant on the remote access software or network card or how heavily utilised the server CPU was in order to access the server.

A KVM gives you direct physical access to the server – even though I was accessing the KVM remotely via a web-browser.

In other words, I could still manage, diagnose and access the servers even if their network cards had gone down or the servers were overloaded and I could also access these servers whether they I required access to their native operating system or their BIOS.

Not only that but many intelligent KVM switches today can make use of virtual disk technology to rebuild a server. What does this mean?

Well essentially it means that whilst you are holidaying in the Bahamas, you could access a server that needs rebuilding and use an image on your laptop (even though you are in the Bahamas) to setup and install or apply patches to the operating system for a server.

As you are connected via a KVM switch it would seem to the server like you had physically put an installation CD directly into the server.

The Dark Side of Intelligent KVM

So there I was marvelling at how technology had advanced so much when it suddenly dawned on me that I could actually compromise many systems using an intelligent KVM.

Just think, all I needed was a web browser. And these days I can access the web just from my mobile phone.

So if a rogue administrator had been fired and someone had forgotten to change the access codes on the switch before they left then every single connected to that switch could be compromised from a privacy and a denial of service attack.

Just think a hacker could remotely wipe out a production server using the virtual disk technology to rebuild the server or even install Trojan virus programs.

In addition, if you could take out a KVM switch that was managing 64 servers, then you have effectively caused a denial of service attack on direct access to each of these servers which will only become apparent when there are problems identified on the business servers i.e when you need it most!

Securing Intelligent KVM

I guess it’s pretty obvious then that if you are going to take advantage of the many benefits of modern KVM switches, you will need to think through a strategy to prevent their abuse and so protect the privacy of the intellectual capital stored on the servers.

1. Get a spare KVM switch.
Manage your risk! This is a must in case your existing switch becomes faulty or is either deliberately or accidentally damaged – otherwise access to your servers will be difficult.

By holding golden spares the fix time is reduced.

Many KVMs actually come with some redundancy built in eg of power supplies, network cards etc and these would be a better investment if they are managing multiple servers.

2. Regularly Change the KVM Admin Password
A top priority is to change the KVM administrative access immediately any administrator leaves. The latest KVM systems allow direct links into your operating system databases (such as Microsoft’s Windows Active directory) or a Radius database so any changes are automatically reflected in your KVM access rights.

3. Control Remote Switch Access
The latest KVM systems allow for many ways to restrict access to the systems: linking into external databases for authorisation, restricting the IP ranges that can access the systems in other words, access control lists (ACLs) that allow access only from a particular IP address which is acting as a bastion host for access, to name a few methods.

The key is to invest some time in enabling the latest security tools provided to get the full benefit from the systems.

Summary

The KVM switch has come a long way from the “dumb” manual switching days and offers tremendous power, flexibility and productivity gains.

However due to the immense power now in the switch it is important that a security strategy is thought through to protect your investment in your KVM and the servers managed by the KVM switch.

A careful consideration on your corporate policy on both your ‘In Band and ‘Out of Band ‘ access strategies is essential to allow the correct provision of the most secure and productive server management tools.

The screenshots shown are from Raritan’s latest KVM switch the Dominion KX II model. For more information about this connect to: www.raritan.co.uk

Ben Chai is the content director for ITProPortal.com and a director for www.incomingthought.com who specialise in security white papers and security education.