Remote Access and Security Protocols

Remote Access Services (RAS)

Remote Access graph
Almost every company offers some type of remote access to accommodate employees working from home, business partners, or external technical support. Remote access became very popular partly due to the Remote Access Service (RAS) on Microsoft's Windows NT. It allows remote clients to dial-in and connect and logon to network as if they were sitting in the office and locally connected. Nowadays the acronym RAS is used to define many types of remote dial-in solutions.

Point-To-Point Protocol (PPP)


PPP is today's most widely used RAS protocol and is supported by virtually every network system because it is part of the TCP/IP suite. In addition to point-to-point dial-up connections over POTS and ISDN, PPP is also used for router-to-router connections in WANs. PPP operates at the Data Link layer of the OSI model and consists of two types of control protocols:

  • Link Control Protocol (LCP) - establishes, configures, maintains, and terminates the point-to-point connection.
  • Network Control Protocol (NCP) – Provides an interface for various upper-layer Network protocols such as IP, IPX, AppleTalk, and NetBEUI, and is used to encapsulate the upper-layer protocols' data and transfers it over the link created by the LCP. Multiple protocols, such as IP and IPX, can use the link simultaneously.

PPP supports several authentication protocols including MS-CHAP, EAP, the older Password Authentication Protocol (PAP), and the Challenge Handshake Authentication Protocol (CHAP). After the remote client is authenticated, the PPP connection is rather insecure because the transmitted data is not encrypted. Several other protocols are available to encrypt the transmitted data and to secure the authentication process. Examples of such protocols are PPTP and IPSec, which are discussed later on in this chapter.

A very useful extension to PPP is Multilink PPP, which allows multiple physical connections to be combined in one logical connection. A typical example of this is bundling the 2 B-channels in an ISDN BRI connection.

PPP is the successor of the Serial Line Internet Protocol ( SLIP) , an older dial-up protocol, used primarily in UNIX environments and still supported by some ISPs. Major differences with PPP are that SLIP lacks authentication, compression, and multilink capabilities.

Point-to-Point Protocol over Ethernet (PPPoE)


As its name indicates, PPP over Ethernet (PPPoE) allows encapsulation of PPP packets in Ethernet frames. PPP is designed for point-to-point connections rather than a shared broadcast medium like Ethernet. But when DSL, cable and other broadband connections became available, which that could provide access to multiple hosts on a shared Ethernet network, ISPs wanted to maintain the same functionality provided by PPP to manage, and charge for, individual client connections. PPPoE basically provides the functionality of PPP, such as LCP, NCP, and its authentication methods, but for Ethernet. It allows multiple Ethernet hosts to establish a unique PPP session with the provider through a bridging device such as a cable modem.

Remote Desktop Protocol (RDP)


The Remote Desktop Protocol (RDP) is used by remote control software such as Microsoft’s Remote Desktop to transfer mouse/keyboard input and screen output over a TCP/IP connection. For example, an administrator can manage a server remotely, without having to walk to the server room, and work with the server as if she was sitting in front of it. Desktop support staff can solve client problems without going to the user’s office. This is obviously very convenient for both IT staff and users as it can save both a lot of time and effort. RDP is also used for Microsoft’s Terminal Services, which allow clients to run applications on a remote server. This allows a computer with a minimal configuration to run applications that would normally not run on the computer due to hardware limitations. This concept is known as thin client and allows multiple users to use different applications simultaneously, in their own private workspace on the terminal server. In addition to keyboard input, mouse input, and screen output, clients can use their local disks and printers from applications running on the remote server. RDP was introduced in Windows, but RDP servers and clients are now also available for Linux and other operating systems. RDP uses port 3389.

Virtual Private Network (VPN)


A Virtual Private Network (VPN) is a private connection over a public network such as the Internet. VPNs can save a company a lot of money because they can use their Internet connection, instead of expensive long-distance point-to-point connections such as dial-up, ISDN, and leased lines, to allow remote networks and remote employees to connect to the corporate network. The first main type of VPN is a connection between two networks and is known as a site-to-site or LAN-to-LAN VPN. It is typically used for connecting branch offices of a single organization or for creating an extranet for business partners. When the VPN is established, a private virtual point-to-point connection, called a tunnel, is created over the Internet between two routers or firewalls. The clients and servers in the networks on both sides of the VPN connection are unaware of the VPN. The following network diagram shows a simple example of a site-to-site VPN. The green line depicts the virtual connection.



The second main type of VPN, called remote access VPN, is especially useful for remote and mobile users who need to access the corporate network. Whether they are in a hotel, at a business partner’s office, or on a business trip to the other side of the planet, all they need is an Internet connection and a VPN client. The VPN client software is installed on the client operating system and establishes a tunnel to the corporate network after a connection with a local ISP is established. This type of VPN is referred to as remote access VPN and is depicted in the following network diagram. The remote access connection from the client to the Internet can be anything from a dial-up to a cable connection as long as it supports PPP. The router in the following network diagram can be a firewall or a VPN hardware appliance.



Tunneling refers to encapsulating a packet into another packet. There are at least three types of protocols involved in a tunnel. The first is the carrier protocol, for example IP on the public Internet. The second is the tunneling protocol, for example PPTP, L2TP, and IPSec. The third is the encapsulated protocol, such as IP, IPX, NetBEUI and AppleTalk. The following three sections cover the tunneling protocols.

Point to Point Tunneling Protocol (PPTP)


The Point to Point Tunneling Protocol (PPTP) is a tunneling protocol creat ed primarily by Microsoft. It is an extension of PPP and encapsulates PPP packets to transfer them through a tunnel over a public IP network. The encapsulated protocol can be IP as well, but also IPX, AppleTalk, and other protocols support ed by PPP. PPTP relies on the authentication protocols in PPP, such as MS-CHAP, and relies on a protocol called Microsoft Point-to-Point Encryption (MPPE) to provide data encryption. PPTP itself does not provide any actual security because it does not encrypt the encapsulated packets, it merely tunnels (encapsulates) them. PPTP operates at the Data-Link layer of the OSI-model and uses TCP port 1723.

Layer Two Tunneling Protocol (L2TP)


The Layer 2 Tunneling Protocol (L2TP) is an IETF standard developed to replace PPTP. It is the result of combining the technology of Microsoft’s PPTP with Cisco's Layer 2 Forwarding (L2F) tunneling protocol. In addition to IP networks, L2TP supports tunneling through various other types of point-to-point networks including Frame Relay, X.25, and ATM. The encapsulated protocol can be IP, but also IPX, AppleTalk, and other protocols support ed by PPP (even though they are transmitted as IP packets). Just as with PPTP, L2TP does not actually encrypt data, nor does it authenticate individual messages. To overcome these shortcomings, L2TP is often us ed in conjunction with IPSec. This combination provides an additional layer of authentication and encryption because the L2TP packets are encapsulated in IPSec packets at the Network layer. L2TP operates at the Data-Link layer of the OSI-model and uses UDP port 1701.


Internet Protocol Security (IPSec)


IPSec is a popular and complete encryption framework for IP networks that provides end-to-end security at the Network layer by employing a variety of protocols and encryption techniques. IPSec is often us ed in conjunction with tunneling protocols such as L2TP to offer a higher level of security in VPNs. Besides VPNs, IPSec is also used in LAN environments for client/server connections, router-to-router connections in WANs, and for secure RAS connections. A primary advantage of IPSec is that it is transparent to the user and can be easily implemented because most modern operating systems and network devices support it natively.

IPSec can run in two different modes: Transport mode or Tunnel mode. In transport mode, only the payload of an IP packet is protected. In tunnel mode, the payload and the header are protected. If the original header is encrypted, a new header with the basic IP address information is added to the encrypted packet, so routers and network devices can still read the information they need in order to transport the packet. IPSec and its protocols use port 50, 51, and 500.

Secure Sockets Layer (SSL)


Secure Sockets Layer (SSL) is a protocol develop ed by Netscape to allow for secure HTTP communication. Now at version 3.0, SSL has come a long way since its introduction. It is still us ed primarily in combination with HTTP but it can be us ed for other application layer Internet protocols as well. It provides a secure session between a client and a server, server to client authentication, and optionally, an SSL server can require the client to authenticate itself. The server is typically a web server as the most common use of SSL is HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer), which is discussed later on in this chapter.

As with many protocols, SSL employs several sub-protocols to perform tasks such as key exchange, negotiating encryption schemes, and performing the actual data encryption. These protocols operate between the Application and Transport layer of the OSI model. One of the primary protocols is the SSL handshake protocol, which is in charge of establishing a secure connection. A main difference between SSL and IPsec is that the latter can be us ed to protect any IP connection and SSL can only be used if the application supports it, such as a web browser and web server software. SSL uses either TCP or UDP port 443.

802.1x


The IEEE 802.1x protocol provides authenticat ed access to wir ed Ethernet networks and wireless 802.11 networks. It allows for port-based access control at the Data Link layer (layer 2) for clients connected to switches and wireless access points. When an 802.1x client connects to a physical port on a switch, or associates with a wireless access point, it needs to authenticate itself before it can use other protocols and access network services. The following diagram depicts the three components of a typical 802.1x setup. The supplicant in the diagram is the client requesting access to the network. The authenticator is the switch or WAP to which the supplicant connects, and is responsible for exchanging authentication information between the supplicant and the authentication server. The authentication server is usually a RADIUS server.



In large networks with multiple switches and access points, all authentication requests can be sent to a single RADIUS server providing centralized user administration. The RADIUS server can be used in conjunction with Windows Active Directory, and other major network operating systems. In wireless networks, 802.1x is particularly useful for providing dynamic key management for WEP keys. Although WEP itself does not offer strong security, using 802.1x to issue unique dynamic keys and to change them frequently during a session can dramatically increase security.

No comments:

Post a Comment