Solved

Need to block software company tech support back door

Posted on 2011-02-13
26
469 Views
Last Modified: 2012-05-11
Hello,
We have an issue with a client's software company.  They purchased a large piece of software that they run their entire business through.  It is accessible both internally and externally.  It runs on a dedicated server (2008 Standard Server and SQL), and the internal application for the office uses a .net application.  It uses IIS for the public facing portals.  Their patients connect to it to view personal account information through a web portal, and the doctors can connect to it remotely to see their schedule, business metrics, etc.

The problem is we have discovered that the software company has built in a back door to their software.  They have a super user account, which my client's admin account cannot disable or even see.  After the software company admitted they had this back door, which they say is only for support purposes, they say there is no way they can disable themselves from having access to it.  My client is not only concerned about their sensitive patient data, but there have even been issues with that software company's techs logging in and changing things, causing problems.

The client has asked for some way they can block the software company, and only allow their patients and doctors to access the system remotely.  They already have a Sonicwall router.

Therefore, I ask you for solutions that would allow the client to block the software company.  I would imagine a firewall could be configured to block all outside access, except for specific IP addresses, which could work for doctors, but the patients would come from any number of dynamic IP addresses, so I'm not sure if someone has a solution there.  Or how about a double authentication system, where people from the outside have to have permission at the router level, then if authenticated, they could access the IIS side of the program?  Or any other ideas you might have....

Thanks for all your help in advance!
Question by:johnhiro007
26 Comments
 
LVL 20

Expert Comment

by:edster9999
The firewall does not block people by login. It just doesn't work like that.
It would be far better to tell the company that you DEMAND an update with this login disabled.
If they say no then let them know for security reasons you will be letting the other medical teams that use this software know (which maybe you should do anyway)
0
 

Author Comment

by:johnhiro007
edster9999:

They have demanded, and the software company says that there is nothing they will do.  The client has too much invested to just go to another software package at this point.  Therefore that brought us to the conclusion that we need to implement full control access.  Even if the software company said their access is disabled, there is NO way we can even verify that as being true.  (And at this point, I have no reason to trust their statements or ability to properly implement standard security)...
0
 
LVL 27

Expert Comment

by:Tolomir
It would help if they need to access a certain page to access the software. You could set a .htaccess file in the folder to block all incoming access attempts.

Don't rely on a fixed IP, if they want they could manage the software also from a dynamic IP. If you run yourself a DNS server you could invalidate their company firewall names. Any outgoing transmission requiring a DNS resolution would go to 127.0.0.1 then.

I would need more details on how the superuser accesses the software to give additional hints.

Just stay away from double-authentication for the clients. As said, this is not fool-proof and your helpdesk will not be amused...

Tolomir
0
 
LVL 20

Expert Comment

by:edster9999
Go public. Release details to other people who use this software
0
 

Author Comment

by:johnhiro007
Because the scope of the software company's backdoor is unknown, we wanted to get our protection and control in place before going public and getting very nasty... we don't want them creating another back door, retaliating somehow, etc.

Regarding their backdoor access; the problem is we don't know the full scope.  We do know that they can login to the doctor portal with their superuser account, just using Internet Explorer only.  The .net application that the internal users have on their computers can also be installed on any outside workstation/laptop too; since the software on both sides is configured to get to the server the same way: softwarename.xxxxxxxxx.com which internally resolves to the server and externally resolves to the same server.  Therefore, the software company can use the .net application at their office and connect to the clients system.

Tolomir: why stay away from double authentication?  I understand the hassle, but if that is the only viable solution, then it should be discussed, right?
0
 
LVL 8

Expert Comment

by:moonie42
Your best option is to push the software vendor first, and hard.

If you can't get any satisfaction from the software vendor on your own, you may want to look into the HIPAA regs, and contact a lawyer specializing in HIPAA or even DHHS directly.  Inform the software vendor that you're doing this, and that may be enough to spur them into action.

I'd also start checking the log files carefully for login activity.  If you note any "unauthorized" access, you can contact local police and FBI.  I believe that under current regulations, any unauthorized system access is labeled as a criminal act.  Let the software vendor know about this in writing (official notice), and that your client will pursue legal action against them for unauthorized access.

Due to the sensitive nature of medical records and scheduling, I would definitely recommend implementing dual form factor logins.  
0
 
LVL 5

Expert Comment

by:alreadyinuse
I agree with the above, but if this is running in IIS, do you see any bindings with non-standard ports being used? They may be connecting using http, but on non-standard ports for remote administration. Also, on the local server you can use the local firewall to lock down all ports but the required ports. This would help narrow down how they can remotely access the application.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 200 total points
If they are using the same portal/client application that the Dr.s and patients use, I can see how this is a very difficult situation to control.
You could use a web proxy authentication firewall/appliance to double-authenticate all inbound connections to the web server. You control the first line of authentication, then they can't even get to the web page to log in unless they use a username/password that you have provided to them, and you now have a log of all access using that username.
Yes, it is a hassle for the patients and Dr's, and I guarantee that you will get screams of protest mainly from the Dr's that use the portal. No matter how good they are at remembering thousands of medical terms and other information, they are genetically unable to remember more than one password at a time...and they have more clout than any regulatory body or good security practices... been there, done that, got the T-shirt....
0
 

Author Comment

by:johnhiro007
moonie42: Thanks for the suggestion.  However, like I previously mentioned, there is no way to verify the backdoor is closed, or that a new one was not created, so it does not make sense to push them as they can simply say: It's fixed.

alreadyinuse: How do I check other ports being used?  I can tell you that we only have http and https ports configured in the sonicwall to be forwarded into the client's server.  So it seems as if that would be the only way they can get in?

lrmoore: They currently have a sonicwall tz-180, can this do the double authentication you are describing?  If not, can you suggest a decent SMB device that would do what is needed?

Thanks!
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 200 total points
I don't know about the Sonicwall, but have used Cisco ASA to do very similar projects.
Setup SSL Clientless VPN on the ASA, users get presented a welcome page with another username/login box.
Once they login, they are presented with their bookmark list, basically hyperlinks to the service. You can control which hyperlinks any end user can see, and the hyperlinks can be http, https, rdp, ssh, vnc, ftps, etc., so you can create yourself a link to rdp to the server, and nobody else will even see the link when they sign in. All sign-ins can be controlled by the server (windows?) / Active Directory, and therefore create an audit trail.
0
 

Author Comment

by:johnhiro007
lrmoore: Thank you for your information.  I'll have to research viable hardware routers for SSL VPN.

Everyone else: does anyone have any other possible suggestions/alternatives, or known experience w/ the Sonicwalls?

Thanks!
0
 

Author Comment

by:johnhiro007
I do not think the question should be deleted.  A solution looks to be an SSL VPN, but I was waiting for someone to speak up that has specific experience with the Sonicwalls or other solutions altogether.  Is there a way to get another round of people re-evaluating the original question?  If not, I guess I should just accept an answer about the SSL VPN and close the question?
0
LVL 33

Assisted Solution

by:digitap
digitap earned 300 total points
your particular sonicwall, tz180, will allow global vpn client access, but it doesn't have ssl-vpn capabilities. to enable the global vpn functionality of your sonicwall, you need to first determine how many GVC licenses you have. you can determine this by going to the system > status page. from the same page, obtain the type of OS, standard or enhanced and report back with that information.

regarding the back door, it sounds as if you have the sonicwall allowing HTTP/HTTPS traffic WAN > LAN and really doesn't have anything to do with the security of the application itself. i've seen EMR apps with "reach out and touch" access tools that allow remote support to access the server without needing to open any ports on the firewall WAN > LAN.

certainly, disabling the WAN > LAN access for HTTP(S) and requiring a VPN to access the system would certainly prevent access without you knowing about it.

let me know about the enhanced/standard OS question.
0
 

Author Comment

by:johnhiro007
digitap:
GVC says: Licensed - 1 license (0 in use)
OS: SonicOS Standard.

Regarding some solution to address the 'reach out and touch' type access; is there a method to track/log outgoing connections, then determine what they use, and lock that down?  In other words, have them log into the server remotely how they normally do, then somehow monitor that activity, which would tell us the outgoing connection info, ip address, etc, then use that info to create a rule in the firewall to block it going forward?
0
 
LVL 33

Assisted Solution

by:digitap
digitap earned 300 total points
ok...you've got the default license. you'd need to purchase more GVC licenses, but that shouldn't be a problem. just call sonicwall or contact a sonicwall vendor. the standard OS means you don't have much to work with. the enhanced OS will give you more control over traffic going in and out not to mention more diagnostic information. you can still lock down the traffic, so don't think that i'm telling you what you have isn't protecting your network.

as indicated already, your sonicwall doesn't have much builtin function in this regard. what you can do is enable the syslog function under the Log menu. obtain a syslogger application (there a bunch of free ones out there) and send the syslog information to the syslogger. what you'll see then is all of the traffic going across the sonicwall. at that point, it's a matter of analyzing the data.

i really doubt that they've incorporated this method. it really sounds as if they've set things up to use the web interface and forcing them to use a vpn is a good security move. i'm surprised you allow ANY external connectivity without a vpn.

hope that helps! let me know if you have any other questions.
0
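The workflow digitap describes (send the SonicWall syslog to a collector, then analyze it) comes down to inventorying which outbound connections the application server opens and which of them nobody can account for. The following is an added example, not code from the thread or from SonicWall: it parses SonicOS-style key=value syslog records, counts the connections the application server opens towards the WAN interface, and reports the ones missing from an allowlist so they can be reviewed and turned into firewall rules. The log lines, the server address 192.168.1.20, the interface names X0/X1 and the msg="Connection Opened" text are constructed assumptions; check them against what the TZ-180 actually emits.

```python
"""Inventory outbound connections opened by one LAN host in SonicOS-style syslog.

Added example, not from the thread. Record layout (key=value pairs, quoted values,
src/dst as ip:port:interface) is modelled on SonicOS syslog; all values are constructed.
"""
import re
from collections import Counter

APP_SERVER = "192.168.1.20"      # assumed LAN address of the vendor's application server
LAN_IFACE = "X0"                 # assumed LAN interface name; X1 is assumed to be WAN
# Destinations the client has verified as legitimate (assumed, starts small on purpose)
ALLOWLIST = {("198.51.100.200", 443)}

# Constructed sample records: one inbound patient session, two outbound HTTPS
# connections, one outbound VNC-looking connection, and one "Connection Closed" record.
SAMPLE_LOG = """\
id=firewall sn=PLACEHOLDER time="2011-02-13 09:12:01" fw=198.51.100.2 pri=6 msg="Connection Opened" src=203.0.113.77:51234:X1 dst=192.168.1.20:443:X0 proto=tcp/https
id=firewall sn=PLACEHOLDER time="2011-02-13 09:13:40" fw=198.51.100.2 pri=6 msg="Connection Opened" src=192.168.1.20:49410:X0 dst=198.51.100.200:443:X1 proto=tcp/https
id=firewall sn=PLACEHOLDER time="2011-02-13 09:13:41" fw=198.51.100.2 pri=6 msg="Connection Opened" src=192.168.1.20:49411:X0 dst=198.51.100.200:443:X1 proto=tcp/https
id=firewall sn=PLACEHOLDER time="2011-02-13 09:15:02" fw=198.51.100.2 pri=6 msg="Connection Opened" src=192.168.1.20:49500:X0 dst=192.0.2.9:5900:X1 proto=tcp/5900
id=firewall sn=PLACEHOLDER time="2011-02-13 09:15:09" fw=198.51.100.2 pri=6 msg="Connection Closed" src=192.168.1.20:49500:X0 dst=192.0.2.9:5900:X1 proto=tcp/5900
"""

# key=value where the value is either a double-quoted string or a run of non-spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one key=value syslog line into a dict with surrounding quotes stripped."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def split_endpoint(field):
    """'ip:port:iface' -> (ip, port, iface); the interface part may be absent."""
    parts = field.split(":")
    iface = parts[2] if len(parts) > 2 else ""
    return parts[0], int(parts[1]), iface


def outbound_from(log_text, server_ip, lan_iface=LAN_IFACE):
    """Count connections server_ip opened from the LAN side to any other interface.

    Returns a Counter keyed by (dst_ip, dst_port, proto). Only "Connection Opened"
    records are counted (assumed message text), so each session is counted once.
    """
    seen = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("msg") != "Connection Opened" or "src" not in rec or "dst" not in rec:
            continue
        src_ip, _, src_if = split_endpoint(rec["src"])
        dst_ip, dst_port, dst_if = split_endpoint(rec["dst"])
        if src_ip == server_ip and src_if == lan_iface and dst_if != lan_iface:
            seen[(dst_ip, dst_port, rec.get("proto", ""))] += 1
    return seen


def unexpected(seen, allowlist):
    """Keep only destinations that are not on the (ip, port) allowlist."""
    return {key: n for key, n in seen.items() if (key[0], key[1]) not in allowlist}


if __name__ == "__main__":
    for (ip, port, proto), n in sorted(unexpected(outbound_from(SAMPLE_LOG, APP_SERVER), ALLOWLIST).items()):
        print(f"review: {APP_SERVER} -> {ip}:{port} ({proto}) x{n}")
```

Run it against a real syslog export over a period that includes a vendor support session; every destination it reports is a candidate for either the allowlist or an explicit deny rule on the firewall.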
 

Author Comment

by:johnhiro007
This question now has activity, it does not need to be deleted.
0
 

Author Comment

by:johnhiro007
Digitap:
1) Regarding GVC:  Those licenses are about $40 each, so giving them out to everyone, including patients would be expensive... Is this what you were suggesting though?

2) Regarding reporting/control: Would a TZ100 be better than the TZ180 for what is needed?

2) Regarding external access: The software was installed remotely by the software company, and part of its functionality is for any joe schmo patient to access the system, so I'm not sure a VPN for everyone is viable...

Thanks!
0
 

Author Comment

by:johnhiro007
Sorry, on my last post, the second number 2 should be a 3.
0
 
LVL 33

Expert Comment

by:digitap
1. yes, that would be expensive.

2. the tz100 would be enhanced OS and would give you better control.

3. a vpn may not be the best option here. so, to clarify, is this an EMR solution? how many server components are we talking about? for instance, one web server and one database server?

the reason for the questions are, i'm thinking about best practice. if you deploy a web server, then you deploy it in a DMZ, then all other servers go on your LAN. if the web server needs access to internal servers (i.e., SQL), then you open ports ONLY for SQL and ONLY to that server. then, if the support logs onto the web server, they don't have access to your entire network just because they have access to the web server.

either way, you could still put all their servers into a DMZ. get good backups. if they get in, then you can control their access to your other servers and devices.
0
 

Author Comment

by:johnhiro007
2) Does getting an SSL VPN make sense in this case (and are licensed by concurrent users, rather than by the number of user accounts?)

3) It's not really a total EMR solution, more of a place patients can verify schedules, account balances, and Dr's can see their schedule.  They have two servers; 1st is SBS 08/Domain Controller, that we have full control over.  2nd is this server that only has their software.  The staff access it internally, and of course the external access is what we have been talking about.  It's a 2008 standard server w/ SQL.  It uses IIS.

0
 
LVL 33

Expert Comment

by:digitap
2. how many users are you anticipating? the TZ100 only allows 10 concurrent users.

3. ok...good, you can draw a distinct line between your two servers. i'd put their server in a DMZ. doesn't necessarily need to be a DMZ in a traditional sense where the server has a public IP address. rather, you'd put it on a different subnet and zone so you can set firewall access rules between your two networks. you'd have to determine what ports would need to be opened. since the SQL database is on the IIS, you may only need to allow 443/80 access from your LAN.
0
 

Author Comment

by:johnhiro007
2) More than 10, so is that where an SSL VPN like the SSL VPN 200 comes in?

3) Regarding the separating of the two servers as you are describing; here are additional details which may need to be considered.   This 2nd server logs in using a domain account to the primary server.  The 2nd server is also able to communicate with exchange on a low level; as it can add appointments to users' outlook calendars and can send out email alerts through the first server.  So I'm concerned about cutting that communication channel off... But from what I'm understanding you are saying, if the two servers can be put on different subnets, the router can then have different rules for each one (in other words, the router/firewall cannot have rules per specific IP?)
0
 
LVL 33

Expert Comment

by:digitap
2. yes. you'll want an ssl-vpn appliance to handle that traffic. also, with the ssl-vpn, you can setup bookmarks. when the client connects to the ssl-vpn, you can have it launch the website automatically.

3. i don't think that's possible within the zone. when hosts are on the same subnet, they don't have to go through the sonicwall as they are aware of other hosts on the same subnet. typically, hosts don't talk to the gateway (sonicwall) unless they are unable to resolve the route to a host.

it sounds like the relationship between the two servers is enough that control would be highly complicated...in that knowing which ports to open is almost prohibitive. controlling at the point of entry (ssl-vpn) is really the only method you have for control.
0
 

Author Comment

by:johnhiro007
2) The SSL-200 seems to be old now, is it still relevant/current, or what would be the best/easiest SSL VPN?

2b) Does each user have to have a $40 license even with the SSL-VPNs?  If so, are there ways to license by concurrent users rather than named users?

Thanks!
0
 
LVL 33

Assisted Solution

by:digitap
digitap earned 300 total points
it's still relevant. there are newer models and updating firmware does update the netextender client. i have not seen any communication coming from sonicwall that they are not going to be supporting that product with updates. so, i think it's still relevant.

i don't believe so. we have an ssl-vpn appliance and have multiple docs accessing the network via one login. our original intent wasn't to try and get around the system. it was simply how we ended up implementing it. in the end, we do not have more users accessing the system than we have licenses.
0