Remote Authentication Technologies
+ Remote Access Service
Remote Access Service (RAS) began as a service that enabled dial-up connections from remote clients.
One of the best things you can do to secure a RAS server is to deny access to individuals who don’t require it, and to monitor, on a daily basis, the logs that list who connects.
The next most important precaution is to set up RAS authentication. One secure way is to use the Challenge-Handshake Authentication Protocol (CHAP), which is an authentication scheme used by the Point-to-Point Protocol (PPP). It uses a challenge-response mechanism built on a one-way function. CHAP uses the DES and MD5 encryption types. Microsoft developed its own version of CHAP known as MS-CHAP. Notice that this particular configuration shows that encryption is required, and that the only protocol allowed is MS-CHAPv2. You also have the option to enable EAP for the dial-up connection. Other RAS authentication protocols include SPAP, which is of lesser security, and PAP, which sends usernames and passwords in clear text.
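The following is an added example (not from the original notes) of the CHAP challenge-response exchange described above, as specified in RFC 1994 with MD5, placed beside the PAP Authenticate-Request payload so the difference is visible: with CHAP only a digest crosses the link and each challenge is single-use, whereas with PAP the password itself is on the wire. The shared secret, the peer names and the class and function names are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed shared secret for illustration only (not a real credential).
SECRET = b"constructed-example-secret"

def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).
    Only this digest crosses the link; the secret stays on both peers."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class ChapServer:
    """RAS-side peer: one fresh random challenge per attempt, single-use.
    'rng' is injectable so the exchange can be driven deterministically in tests."""

    def __init__(self, secret, rng=os.urandom):
        self.secret = secret
        self.rng = rng
        self.identifier = 0
        self.pending = {}  # identifier -> outstanding challenge

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        chal = self.rng(16)
        self.pending[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier, response):
        chal = self.pending.pop(identifier, None)  # consume: a replayed response fails
        if chal is None:
            return False
        expected = chap_response(identifier, self.secret, chal)
        return hmac.compare_digest(expected, response)

def chap_client_respond(identifier, challenge, secret):
    """Dial-up client side: answer the challenge without transmitting the secret."""
    return chap_response(identifier, secret, challenge)

def pap_authenticate_request(username, password):
    """PAP Authenticate-Request payload: peer-ID length, peer-ID, password length,
    password. The password itself is on the wire, which is why PAP is the weakest choice."""
    return bytes([len(username)]) + username + bytes([len(password)]) + password

def run_chap_exchange(server, client_secret):
    """One CHAP round trip; returns (bytes the client sent, server's verdict)."""
    ident, chal = server.challenge()
    resp = chap_client_respond(ident, chal, client_secret)
    return resp, server.verify(ident, resp)
```

The server's log of accepted and rejected identifiers is the kind of record the daily log review mentioned above should be looking at.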
Microsoft RAS connections are encrypted by the RSA RC4 algorithm.
+ Virtual Private Networks
A Virtual Private Network (VPN) is a connection between two or more computers or devices that are not on the same private network. Generally, VPNs use the Internet to connect one host to another. A “tunnel” is created through any LANs and WANs that might intervene; this tunnel connects the two VPN devices together. Every time a new session is initiated, a new tunnel is created, which makes the connection secure.
VPNs normally use one of two tunneling protocols:
- Point-to-Point Tunneling Protocol (PPTP) - This is the more commonly used tunneling protocol, but the less secure solution of the two listed here. PPTP generally includes security mechanisms, and no additional software or protocols need to be loaded. A VPN device or server must have inbound port 1723 open to enable incoming PPTP connections. PPTP works within the PPP that is also used for dial-up connections.
- Layer 2 Tunneling Protocol (L2TP) - This is quickly gaining popularity due to the inclusion of IPSec as its security protocol. Although IPSec is a separate protocol and L2TP doesn’t have any inherent security, L2TP is considered the more secure solution because IPSec is required in most L2TP implementations. A VPN device or server must have inbound port 1701 open to enable incoming L2TP connections.
A VPN client will have a standard IP address to connect to its own LAN. However, it will receive a second IP address from the VPN server or a DHCP device. The VPN address is encapsulated within the logical IP address.
A Microsoft VPN can be set up on a standard Windows Server by configuring Routing and Remote Access Service. Remote access policies can be created from here that permit or deny access to groups of users for dial-in or VPN connections.
Note: VPNs use either PPTP or L2TP and can also incorporate CHAP on the client side and RADIUS servers for authentication.
+ RADIUS Versus TACACS
RADIUS works with the AAA (authentication, authorization, accounting) concept. RADIUS commonly uses port 1812 for authentication messages and port 1813 for accounting messages. In rarer cases, it will use ports 1645 and 1646 for these messages, respectively.
The Terminal Access Controller Access-Control System (TACACS) is another remote authentication protocol, used more often in UNIX networks. TACACS+ was developed by Cisco and uses inbound port 49.
RADIUS uses UDP as its Transport Layer protocol; TACACS+ uses TCP as its Transport Layer protocol. RADIUS combines the authentication and authorization functions together when dealing with users, whereas TACACS+ separates these two functions into two separate operations, which introduces another layer of security. TACACS encrypts client-server dialogues, whereas RADIUS does not. Finally, TACACS+ provides for more types of authentication requests than RADIUS.