Remote Access - York Technical College



Remote Access
Lecture 2
Security Protocols






IPSec
L2TP - Layer 2 Tunneling Protocol
SSL – Secure Sockets Layer (current versions are called TLS)
Kerberos
SSH – Secure Shell
RADIUS – Remote Authentication Dial-In User Service
Encryption



Process of encoding data using a mathematical
algorithm so that unauthorized users who intercept
the data cannot read it.
Reading the data back requires the key; the
algorithm itself is usually public, so the security
rests on keeping the key secret.
Two types of encryption

Symmetric – the same key is used to encrypt and decrypt
Asymmetric – two keys – the public key encrypts the message;
only the matching private key decrypts it.
Key – binary number made up of a large number of
bits; every extra bit doubles the number of possible keys

56-bit key – 2^56 possible keys (DES); small enough
to be searched exhaustively with modern hardware
128-bit key – 2^128 possible keys – used online
IPSec



Works on any LAN or WAN that carries IP, because it
secures the IP packets themselves
Encrypts data (ESP header; the alternative AH header
authenticates but does not encrypt)
Provides

Verification – data is from the intended source
(authentication)
Protection – an intermediary did not alter the
message (integrity)
Privacy – unreadable by others (confidentiality)
Operates at the network layer
Security is transparent to the higher layers: TCP, UDP
and the applications above them are protected without
being changed
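The three services and the network-layer placement are easiest to see in code. The block below is an added example written for this page, not part of the lecture and not taken from any IPsec implementation: it builds an ESP-style packet (SPI, sequence number, encrypted payload, integrity check value) and a receiver that does the preliminary replay check, verifies the ICV, advances the RFC 4303 anti-replay window and only then decrypts. The SPI and both keys are constructed for the example (a real security association gets them from IKE), and an HMAC-based stream cipher stands in for AES so the block runs with only the Python standard library.

```python
import hashlib
import hmac
import struct

# Constructed SA parameters for the example. A real security association
# gets its SPI and both keys from the IKE negotiation.
SPI = 0x00001234
ENC_KEY = b"example-encryption-key-32-bytes!"
AUTH_KEY = b"example-integrity-key-32-bytes!!"
ICV_LEN = 16  # ESP with HMAC-SHA-256-128 keeps 128 bits of the MAC


def keystream(key: bytes, spi: int, seq: int, length: int) -> bytes:
    """Toy stream cipher (HMAC-SHA-256 in counter mode) standing in for the
    AES cipher a real ESP SA would use. Safe only if (spi, seq) never repeats,
    which is exactly what the sequence-number rules below guarantee."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def esp_protect(spi: int, seq: int, payload: bytes,
                enc_key: bytes = ENC_KEY, auth_key: bytes = AUTH_KEY) -> bytes:
    """Sender: SPI | Seq | encrypted payload | ICV, encrypt-then-MAC as ESP does.
    (Padding and the Next Header trailer of real ESP are omitted here.)"""
    if not 1 <= seq <= 0xFFFFFFFF:
        raise ValueError("sequence number must be 1..2^32-1; rekey before wrap")
    header = struct.pack("!II", spi, seq)
    ks = keystream(enc_key, spi, seq, len(payload))
    ciphertext = bytes(p ^ k for p, k in zip(payload, ks))
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


class EspReceiver:
    """Inbound side of one SA: preliminary replay check, ICV verification
    (verification + protection), window update, then decryption (privacy)."""

    def __init__(self, spi: int, enc_key: bytes = ENC_KEY,
                 auth_key: bytes = AUTH_KEY, window: int = 64):
        self.spi, self.enc_key, self.auth_key, self.window = spi, enc_key, auth_key, window
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already accepted

    def _is_replay(self, seq: int) -> bool:
        if seq > self.top:
            return False                  # right of the window: brand new
        offset = self.top - seq
        if offset >= self.window:
            return True                   # too old to track: treated as replay
        return bool((self.bitmap >> offset) & 1)

    def _mark_seen(self, seq: int) -> None:
        if seq > self.top:
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.window) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, packet: bytes) -> bytes:
        if len(packet) < 8 + ICV_LEN:
            raise ValueError("packet too short")
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if seq == 0 or self._is_replay(seq):
            raise ValueError("replayed or stale sequence number %d" % seq)
        ciphertext, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, packet[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            raise ValueError("ICV mismatch: packet forged or altered in transit")
        self._mark_seen(seq)  # the window advances only after the ICV verified
        ks = keystream(self.enc_key, spi, seq, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> dict:
    """Run constructed traffic through one SA and record what happens."""
    rx, results = EspReceiver(SPI), {}
    p1 = esp_protect(SPI, 1, b"GET /payroll HTTP/1.1")
    results["decrypted"] = rx.receive(p1)
    results["plaintext_visible_on_wire"] = b"payroll" in p1
    try:
        rx.receive(p1)                                 # same packet replayed
        results["replay"] = "accepted"
    except ValueError:
        results["replay"] = "rejected"
    tampered = bytearray(esp_protect(SPI, 2, b"amount=100"))
    tampered[8] ^= 0x01                                # flip one ciphertext bit
    try:
        rx.receive(bytes(tampered))
        results["tamper"] = "accepted"
    except ValueError:
        results["tamper"] = "rejected"
    results["genuine_after_forgery"] = rx.receive(esp_protect(SPI, 2, b"amount=100"))
    rx.receive(esp_protect(SPI, 4, b"four"))
    results["out_of_order"] = rx.receive(esp_protect(SPI, 3, b"three"))
    return results
```

The order inside receive matters: the forged seq-2 packet fails its ICV and so does not advance the window, which is why the genuine seq-2 packet is still accepted afterwards, and the packet with seq 3 arriving after seq 4 is accepted because it is inside the window and its bit was not yet set.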
PPTP

Point to Point Tunneling Protocol


Designed for dial-up remote access
Provides a tunnel across an IP network

Other connectivity protocols like PPP are carried
inside the tunnel
PPTP control connection – between client
IP and server IP – created using TCP
Uses TCP port 1723 for the control connection;
the tunneled data is carried in GRE (IP protocol 47)
Caveat: PPTP's authentication (MS-CHAP) and
encryption (MPPE) are broken and should not be
relied on for confidentiality today
L2F – Layer 2 Forwarding

Cisco proprietary protocol
Forwards PPP sessions through a tunnel over an
insecure network; provides no encryption of its own
L2TP – Layer 2 Tunneling Protocol

Combination of PPTP and L2F (UDP port 1701)
Two-phase process

Authenticates the computer (IPsec, using a digital
certificate or a pre-shared key)
Authenticates the user (PPP inside the tunnel)
Operates at Layer 2
Protocol independent – tunnels any Layer 2 payload,
not only IP
Original L2TP/IPsec will not work through NAT;
NAT traversal (NAT-T, UDP encapsulation of ESP)
was added later to solve this
Requires a digital certificate (or pre-shared key)
for the computer authentication phase
Every packet carries an integrity check computed
with the negotiated key
Offers greater security than PPTP when paired with
IPsec; L2TP on its own does not encrypt
SSL


Used on the Internet – HTTPS (port 443); current
versions are called TLS
Three services

Server authentication – client verifies the server's
identity against its certificate
Client authentication – server verifies the client's
identity (optional; needs a client certificate)
Encrypted connection

Uses public key encryption to authenticate and to agree
a session key; the session data is then encrypted with
a symmetric cipher using that key
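Server authentication is the service most often switched off by mistake. The block below is an added example, not from the lecture: Python's ssl module configured the wrong way (verification disabled) next to the right way (CA chain, host name match and a TLS 1.2 floor enforced), a mutual-TLS variant for client authentication, and a small audit function that reports which of the services a context has given up. The certificate and key file paths taken by mutual_tls_context are hypothetical; nothing here creates them.

```python
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """The mistake found in many scripts: certificate verification and host
    name checking switched off, so any server, including a man-in-the-middle
    with a self-signed certificate, is accepted. Server authentication is lost;
    only the encrypted-connection service survives."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Server authentication done properly: the chain is verified against a
    CA store (the system store, or a private CA file), the certificate must
    match the host name given at connect time, and pre-1.2 TLS is refused."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def mutual_tls_context(certfile: str, keyfile: str,
                       cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client authentication on top: the client presents its own certificate
    and key, which the server verifies. The paths are hypothetical inputs
    supplied by the caller."""
    ctx = secure_client_context(cafile)
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """List the weaknesses of a client context; an empty list means it is sound."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        problems.append("certificate is not matched against the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS versions older than 1.2 are accepted")
    return problems
```

Connect with secure_client_context().wrap_socket(sock, server_hostname="www.example.com"); the server_hostname argument is what the certificate is matched against, and Python refuses to omit it while check_hostname is on, which is the behaviour the insecure context throws away.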
Kerberos




Provides client/server applications
with authentication
Server and clients must prove their identities
to one another (mutual authentication)
A client obtains a “ticket” from the Key Distribution
Center for each service; the ticket is embedded in
the client's messages and identifies the user
Open protocol (RFC 4120) with an open-source
reference implementation from MIT
SSH - Secure Shell



Secure replacement for Telnet (and rlogin/rsh)
Entire session is encrypted, including the login
Uses TCP port 22
Provides interoperability between

LINUX
UNIX
Windows 9x/NT/200x
Macintosh
Freeware:
PuTTY
Caveat: the client must verify the server's host key
(the SSH equivalent of server authentication); blindly
accepting an unknown host key allows server impersonation
ICA – Independent Computing
Architecture




Allows clients to access and run
applications on a server using the
server’s resources. (dumb terminal)
Thin client – only a small piece of
software is needed on the client
system.
Platform independent
Example: Citrix
RADIUS – Remote Authentication Dial-In User Service

Client/server protocol (UDP; authentication on port
1812, accounting on 1813; legacy ports 1645/1646)
Consists of

Central server

Database of users

One or more dial-in servers (RAS), which act as
RADIUS clients and share a secret with the server
Central server provides

Authentication – using PAP or CHAP – identifies users
Authorization – gives users access
Accounting – tracks user accesses, failed attempts,
time, etc.

[Diagram: the client dials in and could hit remote
access server 1 or 2; RAS 1 and RAS 2 both forward
the request over RADIUS to the central server, whose
database determines the user]
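To show what the RAS and the central server actually exchange, the block below is an added example (not from the lecture and not any RADIUS implementation's code). It builds an Access-Request carrying the RFC 2865 User-Password hiding used for PAP, the CHAP response from RFC 1994, the server's lookup against its user database, and the Response Authenticator the RAS uses to verify the reply. The shared secret, user name, password and Request Authenticator are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed values for the example: the secret a RAS (the RADIUS client)
# shares with the central server, plus RFC 2865 codes and attribute types.
SHARED_SECRET = b"example-ras-secret"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: a PAP password is not sent in clear over RADIUS. The
    zero-padded password is XORed with an MD5 chain seeded by the shared
    secret and the packet's 16-byte Request Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], block))
        hidden, prev = hidden + c, c
    return hidden


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same operation; the chain runs over ciphertext blocks."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        clear, prev = clear + bytes(x ^ k for x, k in zip(c, block)), c
    return clear.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: the user proves the password without sending it.
    The RAS forwards ident + response in CHAP-Password and the challenge in
    CHAP-Challenge; the server recomputes this from its stored password."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def attribute(atype: int, value: bytes) -> bytes:
    """Type | Length | Value, with Length counting the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, request_auth: bytes, attrs: list) -> bytes:
    """Code | ID | Length | Request Authenticator | attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code: int, ident: int, request_auth: bytes, attrs: list,
                   secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret):
    proves the reply came from a holder of the shared secret and binds it
    to the request it answers."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RAS side: drop replies whose Response Authenticator does not check out."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV list after the 20-byte header; reject malformed lengths."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def server_handle_pap(packet: bytes, secret: bytes, userdb: dict) -> bytes:
    """Central server: reveal the PAP password, check it against the user
    database and answer Access-Accept or Access-Reject."""
    _, ident, _ = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attributes(packet)
    user = attrs.get(USER_NAME)
    password = reveal_user_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = user in userdb and hmac.compare_digest(userdb[user], password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, [], secret)
```

The weakness the example makes visible: everything rests on MD5 and one shared secret. Whoever captures an Access-Request and its reply has a known-plaintext test (the Response Authenticator) for guessing the shared secret offline, after which the PAP passwords in captured requests can be revealed; a captured CHAP challenge/response pair is likewise open to an offline dictionary attack on the password. On any untrusted network run RADIUS over IPsec or RadSec (RADIUS over TLS) rather than bare UDP.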
Types of Access

Dial-up

Modem to modem
Authentication
All O/S support

VPN

Provides a low-cost (as compared to a leased line)
secure network connection
Point-to-point link over a public IP network; the
tunnel behaves like a dedicated link
Creates a connection between two computers
Uses PPP inside the tunnel
VPN Sessions

VPN client initiates the connection to the server
Server authenticates the VPN client
Protocols – PPTP or L2TP (PPTP's authentication and
encryption are considered broken; prefer L2TP/IPsec)