Insecure Remote Access Protocol Remediation Project

ITS Information Assurance has begun work on Insecure Remote Access Protocol (IRAP) Remediation. Though Remote Access Protocols provide convenience to users and service administrators who rely on off-site connectivity to campus resources, these same protocols open the university up to an attack that can cause critical software to be discovered or end-user credentials to be compromised.  

Insecure Remote Access Protocols (IRAP) have one or more of the following traits or contain unacceptable risk:

  • Do not require Duo, use local accounts or no authentication
  • Expose U-M or third parties to attack
  • Do not appropriately use centralized logging
  • Do not implement appropriate brute-force attack mitigation
  • Are not updated quickly for security vulnerabilities
  • Not intended or designed for use on the open internet

IA is working with the U-M security community and IT leadership on an incremental approach to overall remediation and will include feedback from Unit IT. Insecure Remote Access Protocol Remediation includes restricting certain protocols that are not widely used by blocking at the border. For a one-page overview of this project, refer to the Insecure Remote Access Protocol At-A-Glance

Insecure Remote Access Protocol Remediation Project Milestones

Ongoing

Conduct external scans:

  • Vulnerability
  • Availability (ZMAP)
  • Shadowserver
     

Analyze IRAP results and group IRAP into categories by level of exposure and remediation treatment.
Winter 2022

  • Present plan and seek approval from CISO and VPIT/CIO  to move forward

  • Present plan to ITS Leadership

  • Update plan per feedback and schedule communications
Spring 2022
  • Create plan for blocking and back-out plan for recovery
  • Present plans to the Change Advisory Board
  • Update plan per feedback
  • Publish project website and At A Glance
July 2022
  • Present plan to STAC, Unit Leadership, Unit IT and the security Community
  • Update plan per feedback 
  • Awareness article in Safe Computing Newsletter and News@ITS
  • Communicate network traffic analysis with ITS - provide dates for review and feedback.
  • Update plan per feedback
August 2022
  • Communicate network traffic analysis with Unit IT and Security Community - provide dates for review and feedback.
  • Update plan per feedback
Fall 2022
  • Awareness article in Michigan IT Newsletter
  • Continue communication activities 
  • Conduct blocking activities -  based on unit engagement and feedback this may be extended
Fall 2022 - Winter 2022
  • Assess experience with initial mitigation activities, adjust processes and procedures as needed, and begin development of IRAP phase two proposal.