Unit 4: Remote access
Remote access is the ability to get access to a computer
or a network from a remote distance. In corporations,
people at branch offices, telecommuters, and people who
are travelling may need access to the corporation's
network.
Remote access can be set up using a local area network
(LAN), wide area network (WAN) or even a virtual private
network (VPN) so that resources and systems can be
accessed remotely.
Remote access is also known as remote login.
Remote access can be established via a line that runs between a
computer and a company's local area network (LAN). A connection
can also be established between a company's LAN and a remote
LAN using a dedicated line. This type of line provides faster speeds
but has the drawback of being more expensive.
Another method for performing remote access is by establishing a
VPN, a network that usually uses the Internet to connect remote
sites and users together. This type of network uses encryption and
tunneling to access a company's network.
This can be a great choice for a relatively small organization. Other
means of establishing remote access include the use of an
integrated services digital network, wireless network, cable modem
or digital subscriber line.
Identify the components of and security considerations for
different remote access and VPN technologies
Client configuration
Dial-up connections
VPN connections
Remote Access Server
DHCP Relay Agent
Authenticating Server
Integrated Services Digital Network (ISDN)
X.25 Packet Switched networks allow remote devices to communicate with each other.
These devices connect to a Packet Assembler/Disassembler (PAD).
Client configuration
User name and password
A remote access client typically requires a valid user name and password
to attempt a connection to a remote access server. However, as a result of
a remote access connection attempt using user name and password
credentials, the client does not actually log on to the network.
Credentials used for remote access only provide a connection to the
network of the remote access server. Each time the client attempts to
access a network resource, it will be challenged for credentials, such as
the user name and password. If it does not respond to the challenge with
acceptable credentials, the access attempt will fail.
Phone number, IP address, and domain name
• In dial-up connections, you can specify the phone numbers that are
used to make a remote access connection. Additionally, you can
configure the phone number details with country code, area code,
and established dialing rules. Dialing rules help accomplish tasks,
such as setting up an automatic process that dials phone numbers in
sequence until you find a modem that answers.
• You can also configure the connection to use multiple phone
numbers using the Alternate Phone Numbers option in the
remote access connection properties dialog box.
• In a VPN connection, the host name or IP address specifies the
name of the destination server to which the client will be
connecting. The host name is resolved to the IP address of the
VPN server using the Internet Domain Name System (DNS) at
the time of connection.
Authentication and encryption settings
Default settings for dial-up connections allow for insecure passwords
and connections to be established without data encryption.
You can choose to require secure authentication with the use of smart
cards or authentication protocols such as Challenge Handshake
Authentication Protocol (CHAP), Microsoft Challenge Handshake
Authentication Protocol (MS-CHAP), Microsoft Challenge Handshake
Authentication Protocol version 2 (MS-CHAP v2), EAP-MD5 CHAP,
and EAP-TLS.
EAP: Extensible Authentication Protocol; MD5: Message Digest 5 algorithm
EAP-TLS: EAP with Transport Layer Security
Dial-up connections
The properties of a dial-up connection provide all the parameters
required to dial the connection, negotiate password and data handling
rules, and provide remote network connectivity. When you create a dial-up connection, the default settings include the following:
A standard modem, capable of 56 kilobits per second (Kbps), for dialing.
A phone number to dial.
A secure authentication protocol. Your computer will negotiate with the
server to decide whether to use CHAP, MS-CHAP, or MS-CHAP v2.
The TCP/IP protocol is enabled, configured to obtain addresses
automatically.
When you double-click this connection, it dials the number by using the
specified modem. The connection completes successfully if the remote
access server uses one of the specified encrypted authentication
methods, and if the remote access server agrees to encrypt data. When
connected, the remote access server assigns the remote access client an
IP address.
Modems and remote access connectivity
Modems make it possible for computers to connect over conventional
telephone lines. Dial-up analog lines require analog modems to
establish a remote access connection with other computers whereas
dial-up digital lines, such as Integrated Services Digital Network (ISDN),
require digital modems.
• If the modems involved in a remote access connection do not
function as they are intended to, the connection fails.
• If the remote access client is not able to access the remote access
server, one of the first few components that you need to check is
the modem.
VPN connections
• A virtual private network (VPN) is the extension of a private
network that encompasses links across shared or public
networks like the Internet. With a VPN connection, you can send
data between two computers across a shared or public network
in a manner that emulates a point-to-point private link. Virtual
private networking is the act of creating and configuring such a
virtual private network.
• To emulate a point-to-point link, data is encapsulated, or
wrapped, with a header that provides routing information,
which allows the data to traverse the shared or public network
to reach its endpoint. To emulate a private link, the data is
encrypted for confidentiality. Packets that are intercepted on
the shared or public network are indecipherable without the
encryption keys. The link in which the private data is
encapsulated and encrypted is a virtual private network (VPN)
connection.
The following illustration shows the logical equivalent of a VPN connection.
Types of VPN connections
There are two types of PPP-based VPN technologies in the Windows 2000 Server family:
Point-to-Point Tunneling Protocol (PPTP)
PPTP enables the secure transfer of data from a remote computer to
a private server by creating a VPN connection across IP-based data
networks. PPTP supports on-demand, multiprotocol, virtual private
networking over public networks, such as the Internet. PPTP uses
user-level Point-to-Point Protocol (PPP) authentication methods and
Microsoft Point-to-Point Encryption (MPPE) for data encryption.
Layer Two Tunneling Protocol (L2TP) with Internet Protocol security
(IPSec)
L2TP/IPSec uses user-level PPP authentication methods and computer-level authentication using either certificates or a pre-shared key. IPSec
provides data encryption, data integrity, data origin authentication,
and replay protection. L2TP/IPSec is a more secure VPN protocol than
PPTP, but is more difficult to deploy. In addition, L2TP/IPSec cannot
carry multicast or non-IP communications.
IP connectivity between server and client
For VPN connections, the VPN client and server must have IP
connectivity; they must be able to send and receive IP packets to
each other across the Internet. Normally, you troubleshoot IP
connectivity with the Ping and Tracert TCP/IP tools.
These tools use ICMP (Internet Control Message Protocol) Echo and
Echo Reply messages, but the default packet filter configuration of
the VPN server allows only PPTP and L2TP traffic. Therefore, to
use these tools on a Windows 2000 VPN server, you must
temporarily modify the IP packet filters on the Internet interface of
the VPN server to allow ICMP traffic.
Integrating VPN servers and firewalls
A VPN server can be positioned in one of several ways to operate with the Internet.
Firewalls outside the internal network and their role in remote access
A firewall employs IP packet filtering to allow or disallow the flow of specific types of
network traffic. IP filtering is the ability to define what traffic is allowed into and out of each
interface based on filters defined by the values of source and destination IP addresses, TCP
and UDP port numbers, ICMP types and codes, and IP protocol numbers.
IP packet filtering provides a way to define precisely what IP traffic is allowed to cross the
firewall and plays a key role in connecting private intranets to public networks like the
Internet.
When setting up a firewall with a VPN server, you can use one of the following two layouts:
The VPN server is placed outside the firewall and attached directly to the Internet.
The VPN server is placed inside the firewall, which in turn is attached to the Internet.
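The added example below (not code from the course notes or from Windows 2000) models the packet filter on a VPN server's Internet interface described in the two passages above: only PPTP (TCP port 1723 plus GRE, IP protocol 47) and L2TP/IPsec (IKE on UDP port 500 plus ESP, IP protocol 50) are permitted, so the ICMP Echo that Ping sends is dropped until a temporary ICMP rule is added for troubleshooting. The port and protocol numbers are the standard IANA assignments; the addresses and packets are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

ICMP, TCP, UDP, GRE, ESP = 1, 6, 17, 47, 50   # IANA IP protocol numbers

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int = 0        # TCP/UDP destination port, 0 if not applicable
    icmp_type: int = -1   # ICMP type, -1 if not ICMP

@dataclass(frozen=True)
class Rule:
    """A permit filter on the Internet interface; None means 'any value'."""
    proto: int
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and (self.dport is None or p.dport == self.dport)
                and (self.icmp_type is None or p.icmp_type == self.icmp_type))

class InterfaceFilter:
    """Input filter: everything is dropped unless some rule permits it."""
    def __init__(self, rules):
        self.rules = list(rules)

    def allows(self, p: Packet) -> bool:
        return any(r.matches(p) for r in self.rules)

    def with_temporary(self, *extra: Rule) -> "InterfaceFilter":
        """A copy with extra rules, e.g. ICMP opened only while troubleshooting."""
        return InterfaceFilter(self.rules + list(extra))

# Default VPN-server posture from the notes: only PPTP and L2TP/IPsec traffic.
VPN_ONLY = InterfaceFilter([
    Rule(TCP, dport=1723),   # PPTP control connection
    Rule(GRE),               # PPTP data: PPP frames carried in GRE
    Rule(UDP, dport=500),    # IKE key exchange for IPsec
    Rule(ESP),               # L2TP carried inside IPsec ESP
])

def can_ping(filt: InterfaceFilter, vpn_server: str = "203.0.113.10") -> bool:
    """Would an ICMP Echo from a remote client pass the server's Internet interface?"""
    echo = Packet("198.51.100.7", vpn_server, ICMP, icmp_type=8)  # constructed packet
    return filt.allows(echo)
```

`can_ping(VPN_ONLY)` is False; `can_ping(VPN_ONLY.with_temporary(Rule(ICMP, icmp_type=8)))` is True, and the original filter object is left unchanged so the temporary opening is easy to drop again.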
Remote Access Server
Server settings – general
With Windows 2000 remote access, remote access clients connect to remote access
servers and are transparently connected to the network to which the remote access
server is attached. This transparent connection allows remote access clients to dial in
from remote locations and access resources as if they were physically attached to the
network. The position of a remote access server in a network can affect the bandwidth
available to the network and remote access clients.
Authentication protocols
To authenticate the user who is attempting to create a PPP connection, Windows
2000 supports the following PPP authentication protocols:
• Password Authentication Protocol (PAP)
• Challenge-Handshake Authentication Protocol (CHAP)
• Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
• MS-CHAP version 2 (MS-CHAP v2)
• Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)
• Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
https://msdn.microsoft.com/en-us/library/bb742492.aspx
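To make the difference between the insecure default (a plain password) and a challenge-based protocol concrete, here is an added example, not code from the course notes, covering the client authentication settings and the protocol list above. It implements CHAP as defined in RFC 1994 (response = MD5 of identifier, secret and challenge) beside PAP and shows what crosses the line in each case; the user name, secret and challenge are constructed sample values.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapServer:
    """Remote access server side of CHAP: issues challenges, checks responses."""

    def __init__(self, users: dict):
        # CHAP requires the server to hold each user's secret in clear form
        # (no salted hash), one reason MS-CHAP v2 or EAP-TLS are preferred.
        self.users = users
        self.pending = {}  # identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        chal = os.urandom(16)  # fresh, unpredictable challenge each time
        self.pending[identifier] = chal
        return chal

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        chal = self.pending.pop(identifier, None)  # single use: a replayed response fails
        secret = self.users.get(username)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)

def pap_on_wire(username: str, password: str) -> bytes:
    """PAP: the password itself crosses the line in clear."""
    return username.encode() + b":" + password.encode()

def chap_on_wire(identifier: int, username: str, response: bytes) -> bytes:
    """CHAP: only the identifier, the name and the MD5 response cross the line."""
    return bytes([identifier]) + username.encode() + b":" + response

def demo():
    """Returns (valid response accepted, replay rejected, PAP leaks secret, CHAP leaks secret)."""
    server = ChapServer({"alice": b"s3cret"})  # constructed sample user
    ident = 1
    chal = server.challenge(ident)
    resp = chap_response(ident, b"s3cret", chal)   # computed by the client
    accepted = server.verify(ident, "alice", resp)
    replayed = server.verify(ident, "alice", resp)  # same response sent again
    return (accepted, replayed,
            b"s3cret" in pap_on_wire("alice", "s3cret"),
            b"s3cret" in chap_on_wire(ident, "alice", resp))
```

`demo()` returns `(True, False, True, False)`: the genuine response is accepted, a replay of it is refused, and the secret is visible on the wire only under PAP.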
DHCP Relay Agent
A Windows 2000 remote access server can function as an RFC 1542-compliant DHCP
relay agent relaying Dynamic Host Configuration Protocol (DHCP) messages between
DHCP clients and DHCP servers on different IP networks. For Windows 2000 and
Windows XP remote access clients, the remote access server forwards the DHCPInform
message sent by remote access clients to the DHCP server. The response is sent back to
the remote access client, providing additional configuration information.
Authenticating Server
Depending on the configured authentication provider, the authenticating server can be the
remote access server (Windows Authentication) or a RADIUS server (RADIUS
Authentication).
Remote Access Server
When Windows Authentication is configured, the remote access server performs
authentication by validating the credentials of the remote access client using:
The local account database, if the remote access server is a member of a workgroup or a
stand-alone computer.
A domain account database located on a domain controller, if the remote access server is a
member of a domain.
Windows 2000 uses Kerberos security as the default authentication method for Active
Directory domains.
Identify the features and vulnerabilities of remote connection protocols, including the
Point-to-Point Tunnelling Protocol (PPTP), Layer 2 Tunnelling Protocol (L2TP), Internet
Protocol Security (IPSec) and Secure Sockets Layer (SSL)/Transport Layer Security
(TLS).
Point-to-Point Tunnelling Protocol (PPTP),
• The "point-to-point" part of the term refers to the connection created
by PPTP.
• It allows one point (the user's computer) to access another specific
point (a remote network) over the Internet.
• The "tunneling" part of the term refers to the way one protocol is
encapsulated within another protocol.
• In PPTP, the point-to-point protocol (PPP) is wrapped inside
the TCP/IP protocol, which provides the Internet connection.
• Therefore, even though the connection is created over the
Internet, the PPTP connection mimics a direct link between the
two locations, allowing for a secure connection.
Layer 2 Tunnelling Protocol (L2TP)
• The Layer 2 Tunneling Protocol (L2TP) is a standard protocol for
tunneling L2 traffic over an IP network.
• Its ability to carry almost any L2 data format over IP or other L3
networks makes it particularly useful.
• But L2TP remains little-known outside of certain niches, perhaps
because early versions of the specification were limited to carrying PPP
-- a limitation that is now removed.
• Layer 2 Tunneling Protocol (L2TP) is a computer networking
protocol used by Internet service providers (ISPs) to enable virtual
private network (VPN) operations.
• L2TP is similar to the Data Link Layer Protocol in the OSI reference
model, but it is actually a session layer protocol.
• A User Datagram Protocol (UDP) port is used for L2TP communication. Because L2TP
itself does not provide any security for data, such as encryption and confidentiality, an
encryption protocol such as Internet Protocol security (IPsec) is often used with
L2TP.
Internet Protocol Security (IPSec)
• IPsec (Internet Protocol Security) is a framework for a set
of protocols for security at the network or packet processing
layer of network communication.
• Earlier security approaches have inserted security at
the Application layer of the communications model.
• IPsec is said to be especially useful for implementing virtual
private networks and for remote user access through dial-up
connection to private networks.
• A big advantage of IPsec is that security arrangements can be
handled without requiring changes to individual user computers.
Cisco has been a leader in proposing IPsec as a standard.
• IPsec provides two choices of security service:
• Authentication Header (AH), which essentially allows
authentication of the sender of data, and Encapsulating
Security Payload (ESP), which supports both authentication of
the sender and encryption of data as well.
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
• The Secure Sockets Layer (SSL) is a computer
networking protocol that manages server authentication, client
authentication and encrypted communication between
servers and clients.
• SSL uses a combination of public-key and symmetric-key encryption to secure a connection between two machines,
typically a Web or mail server and a client machine, communicating
over the Internet or an internal network.
Symmetric-key algorithms are algorithms for cryptography that use the same
cryptographic keys for both encryption of plaintext and decryption of ciphertext.
• The Transport Layer Security (TLS) protocol evolved from SSL and
has largely superseded it, although the terms SSL or SSL/TLS are
still commonly used; SSL is often used to refer to what is actually
TLS.
• The combination of SSL/TLS is the most widely deployed security
protocol used today and is found in applications such as Web
browsers, email and basically any situation where data needs to be
securely exchanged over a network, like file
transfers, VPN connections, instant messaging and voice over IP.