Remote Access Configuration and Security

 

Clients and Servers.  In order for remote access to work someone needs to be able to configure the clients and servers appropriately.  The typical steps for configuring a client are written below.
  1. Install the proper hardware
    1. modem
    2. ISDN adapter
    3. cable modem
    4. etceteras
  2. Install and configure the software drivers
  3. Connect the device to the appropriate line
    1. phone
    2. ISDN
    3. cable
    4. etceteras
  4. Set the properties
    1. number to be dialed
    2. username and password
    3. PPP or SLIP for connection

Many operating systems require other options to be set, but they may also provide things such as wizards to help you configure.

The typical steps for configuring a server are written below.

  1. Install the proper hardware
    1. modem
    2. ISDN adapter
    3. cable modem
    4. etceteras
  2. Install and configure the software drivers
  3. Connect the device to the appropriate line
    1. phone
    2. ISDN
    3. cable
    4. etceteras
  4. Set the properties and other configuration settings
    1. what will be used for authentication
    2. whether to accept Multilink PPP connections
    3. whether to use BAP to control bandwidth usage
    4. whether to establish IP routing
    5. whether to establish connection to the network as a whole or specific aspects such as servers
    6. if assigning IP addresses determine how

Security Issues.  Obviously, remote access capabilities in a network are going to be some of the most accessible to security threats.  By design, they are developed to be available to offsite users.  The following outline surveys several ways remote access security can be improved.

  • Callback security
  • RADIUS
  • Remote Access Policies
  • Account Lockout
  • Security Hosts

Callback Security.  Remote access servers can be configured to restrict access to particular phone numbers.  Other options include the capability to hang up and dial a particular number to make certain where it is originating from.

The following diagram represents the basic steps in the process.

 

 

The steps are given in the following outline.

  • a preset telephone number along with the user's account is entered into the remote access server
  • when the user dials the server they are prompted for a username and password
  • this verifies the identity of the user and verifies if they are configured for callback security
  • the server breaks the connection and immediately dials back to the preset telephone number on file
  • if the user is actually at this number then the server enables appropriate access to resources

This process helps ensure the identity of the user.

RADIUS.  RADIUS is a protocol for authenticating dial in users.  It has become an industry standard, particularly for ISPs. 

The dialup server needs to be configured as a RADIUS client.  Then the dialup client's username and password are sent to the RADIUS server by the remote e access server for authentication.

The RADIUS server provides centralized authentication by using protocols such as the following.

  • PAP
  • CHAP and MS-CHAP
  • EAP
  • DNIS - Dialed Number Identification Service
    • based on the number called by the user
  • ANI - Automatic Number Identification Service
    • based on the number the user is calling from

RADIUS also enables the logging of audit and usage information.  It also enables management of remote access servers.  Specifications for RADIUS are provided in RFC 2138 and RFC 2139.

It might be apparent that such an approach allows remote access servers to be distributed across a large number of regions, possibly to ensure potential users can almost always make local calls regardless of their location.  But RADIUS ensures that each server doesn't need to have authentication information for every potential user.

Remote Access Policies.  As should be expected, it is important to develop policies that help govern the usage of remote access.  Whether or not users can gain access is likely to need to depend on things such as the following.

  • time of day
  • day of the week
  • group membership
  • type of remote connection

A lot of other issues also need to be considered, but these are policy issues more likely to be associated with remote access.

Account Lockout.  If the sys admins determine that unauthorized users are gaining access from having somehow obtained a valid password it is likely to be necessary to lockout the user and/or session.  This is most likely to be done based on the number of attempts someone makes to gain access.  After a particular number of attempts the account is locked out and the access server won't accept any more attempts.

This sort of feature can be configured in many ways.  Two of the most frequently used ways are in the following list.

  • Preset the number of failed attempts before lockout
    • users might accidentally mistype so there needs to be some leeway
    • a most typical setting is for three attempts
  • It can also be important to set how long it take before the account automatically resets.
    • the legitimate user might actually attempt to login

Security Hosts.  A security host is a device used to authenticate users.  These resources are used in addition to the remote access server's security measures. 

These security hosts are actually installed between the remote access client and the server.

Sometimes these security hosts require the user to provide an additional username and password for its own purposes.