Remote Access Solution Components
Remote access to the corporate network is provided through the interaction of different network services and client software to allow remote clients to connect securely to the corporate network. Remote access solution components include the following:
Authentication protocols
VPN protocols
Client software
Server services and software
Authentication Protocols
When a remote access client connects to the network, the user authenticates with the remote access server by providing credentials. These credentials can include the user's name, password, and the domain in which their user account exists. When a user connects to a remote access server, authentication is performed by using Point-to-Point Protocol (PPP) authentication methods. The authentication methods supported by RRAS include the following:
Password Authentication Protocol (PAP). Although supported by almost all dial-up network services, PAP transmits user credentials to the remote access server as plaintext, offering no protection against password determination and replay attacks.
Shiva Password Authentication Protocol (SPAP). Provides support for Shiva remote access clients. SPAP uses a reversible encryption method called base64 encoding, which is stronger than the protection offered by PAP. However, SPAP is still susceptible to replay attacks.
Challenge Handshake Authentication Protocol (CHAP). Provides a stronger form of authentication by sending a hash of the password and a challenge string to the server. The remote access server identifies the user, obtains the password from the directory, and performs the same hashing algorithm against the password and challenge string. If the results match, the user is authenticated. This form of authentication provides protection against replay attacks.
CHAP authentication requires that the user's password be stored in a reversibly encrypted format at the domain controller for comparison purposes. This weakens password security at the domain controller and requires stronger physical security of the domain controller. In addition, the password is not stored in a reversibly encrypted format until the next time the user changes the password after this attribute is enabled.
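The CHAP exchange described above, worked through as an added example (not code from the original text): the server sends a random challenge, the client returns MD5(identifier || password || challenge) as defined in RFC 1994, and the server recomputes the same hash from the password it holds. The constructed user table stores the password in cleartext, which is exactly why CHAP needs reversibly encrypted storage, and the single-use challenge is what defeats a replayed response.

```python
import hashlib
import hmac
import os

# Constructed sample credential store. CHAP only works if the server can
# recover the cleartext password, hence the reversible-encryption requirement.
USER_DB = {"alice": b"correct horse battery staple"}


def chap_response(identifier, password, challenge):
    """RFC 1994 CHAP response: MD5 over identifier || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class ChapServer:
    """Remote access server side of the exchange (simplified model)."""

    def __init__(self, user_db):
        self.user_db = user_db
        self.identifier = 0
        self.outstanding = {}  # identifier -> challenge awaiting a response

    def challenge(self):
        """Step 1: issue a fresh random challenge under a new identifier."""
        self.identifier = (self.identifier + 1) % 256
        chal = os.urandom(16)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier, username, response):
        """Step 3: recompute the hash from the stored password and compare."""
        chal = self.outstanding.pop(identifier, None)  # single use: no replay
        password = self.user_db.get(username)
        if chal is None or password is None:
            return False
        return hmac.compare_digest(chap_response(identifier, password, chal), response)


def chap_client(identifier, challenge, username, password):
    """Step 2: the client answers without ever transmitting the password."""
    return identifier, username, chap_response(identifier, password, challenge)


def run_exchange(server, username, password):
    """Returns (first attempt accepted, replay of the captured response accepted)."""
    ident, chal = server.challenge()
    msg = chap_client(ident, chal, username, password)
    first = server.verify(*msg)
    replay = server.verify(*msg)  # same response sent again on the wire
    return first, replay
```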
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). Differs from CHAP in that the remote access client creates the challenge/response by encrypting the challenge string with the MD4 hash of the user's password. User passwords, by default, are stored in the directory in an MD4 hashed form. Encryption keys for Microsoft Point-to-Point Encryption (MPPE) are derived from the MS-CHAP authentication process. MPPE is used as the encryption algorithm for PPP payloads for dial-up and remote access connections based on Point-to-Point Tunneling Protocol (PPTP).
MS-CHAP version 2 (MS-CHAPv2). When a remote access client authenticates by using MS-CHAPv2, the remote access client sends a challenge/response based on a challenge from the remote access server, and the remote access server sends a challenge/response based on a challenge from the remote access client. This is known as mutual authentication. For MS-CHAPv2, the remote access client and remote access server prove to each other that they have knowledge of the user's password. In addition, MS-CHAPv2 derives stronger MPPE encryption keys and uses two different encryption keys: one for sending data and one for receiving data.
Extensible Authentication Protocol (EAP). Provides an extensible architecture for advanced PPP authentication methods, such as two-factor authentication. EAP-MD5 CHAP is the CHAP authentication method using EAP. EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) is used for public key certificate based authentication and provides mutual authentication and secured MPPE key exchange between the remote access server and the remote access client.
VPN Protocols
If remote access clients connect to the corporate network by using VPN connections, two protocols are supported:
Point-to-Point Tunneling Protocol (PPTP). A tunneling protocol supported by all Microsoft operating systems since Microsoft Windows NT 4.0. PPTP uses MPPE to encrypt transmitted data by using a 40-bit, 56-bit, or 128-bit encryption key. PPTP is often used because it supports legacy clients and can cross most network address translation (NAT) devices.
Layer Two Tunneling Protocol (L2TP). A tunneling protocol natively supported by Microsoft Windows 2000 and Microsoft Windows XP and supported by Microsoft Windows 98, Microsoft Windows Me, and Microsoft Windows NT 4.0 Workstation clients running the Microsoft L2TP/IPSec VPN client. L2TP does not provide native encryption but uses IP Security (IPSec) with Encapsulating Security Payload (ESP) in transport mode, which implements either Data Encryption Standard (DES) with a 56-bit key or 3DES encryption using three 56-bit keys. Because of IPSec encryption, L2TP/IPSec VPN connections cannot pass through NAT devices.
RRAS in Windows 2000 does not support NAT traversal, but drafts proposing methods for NAT traversal are being evaluated by the Internet Engineering Task Force (IETF). The proposed solutions are implemented by the Microsoft L2TP/IPSec VPN client for Windows 98, Windows Me, and Windows NT 4.0 Workstation. The solution is also implemented in the beta versions of Microsoft Windows Server 2003. Microsoft has plans to implement this solution for Windows 2000 and Windows XP computers functioning as remote access clients.
Client Software
Microsoft operating systems since Windows 95 have supported PPP-based remote access connectivity software, either in the base OS or in software freely distributed from the Microsoft Web site, such as the Microsoft Dial-Up Networking client software. Windows 2000 includes the Connection Manager Administration Kit (CMAK) and the Connection Point Server (CPS) to ease client remote access configuration and deployment.
The CMAK provides the ability to define remote access connectivity software packages that are preconfigured with your company's remote access settings. For example, if your company requires that a client implement the corporate virus detection software for remote connectivity, the CMAK package can be configured to run a preconnection script that ensures that the virus detection software is installed.
CPS provides the ability to download an updated list of ISP dial-in numbers, referred to as the phone book, to remote access clients. The phone book provides the latest local access phone numbers for Internet connectivity so that clients always have updated phone book information and do not have to manually input phone numbers for Internet connectivity.
Server Services and Software
Remote access solutions require that services and software be configured at the server to accept remote access connections and, possibly, at servers that reside between the remote access clients and the remote access server if deploying VPN solutions. When deploying remote access solutions, you might need the following services:
Routing and Remote Access Service (RRAS). As mentioned earlier, this service allows you to provide both dial-up and VPN connectivity to the corporate network. RRAS can use the Active Directory directory service, the local Security Account Manager (SAM) database of the server, or a centralized account database provided by a Remote Authentication Dial-In User Service (RADIUS) server. To provide additional security to remote access connections, you can define remote access policies that outline constraints and configuration settings that must be implemented before remote client connectivity is allowed.
Internet Authentication Service (IAS). This service provides RADIUS authentication for remote access connections. Rather than each server running RRAS authenticating remote access clients itself, remote access servers can forward authentication requests to the IAS server by using the RADIUS protocol. In addition to authentication, the IAS server provides centralized accounting and authorization via remote access policies to the remote access servers.
In addition to these services, you can implement Internet Security and Acceleration (ISA) Server as a firewall between the remote clients and the remote access server, or you can actually deploy it on the computer running RRAS. ISA Server provides the ability to filter connections so that authorized VPN protocols are allowed to connect to the remote access server.
