Remote Access Protocols and Services


Today, there are many ways to establish remote access into networks. Some of these include such things as virtual private networks (VPNs) or plain old modem dial-up access. Regardless of the technique used for remote access or the speed at which access is achieved, certain technologies need to be in place in order for the magic to happen. These technologies include the protocols to allow the access to the server and to secure the data transfer after the connection is established. Also necessary are methods of access control that make sure only authorized users are using the remote access features.

All the major operating systems include built-in support for remote access. They provide both the access methods and security protocols necessary to secure the connection and data transfers.

Remote Access Service (RAS)

RAS is a remote access solution included with Windows Server products. RAS is a feature-rich, easy-to-configure, and easy-to-use method of configuring remote access.

In Windows 2000, Microsoft renamed the RAS service Routing and Remote Access Service (RRAS). The basic RAS functionality, however, is the same as in previous versions of Windows.


Any system that supports the appropriate dial-in protocols, such as PPP, can connect to a RAS server. Most commonly, the clients are Windows systems that use the dial-up networking feature; but any operating system that supports dial-up client software will work. Connection to a RAS server can be made over a standard phone line, using a modem, over a network, or via an ISDN connection.

RAS supports remote connectivity from all the major client operating systems available today, including all newer Windows OSs:

  • Windows 2000 Professional-based clients

  • Windows XP Home-based clients

  • Windows XP Professional-based clients

  • UNIX-based and Linux clients

  • Macintosh-based clients

Although the system is called RAS, the underlying technologies that enable the RAS process are dial-up protocols such as Serial Line Internet Protocol (SLIP) and Point-to-Point Protocol (PPP).

SLIP

SLIP was designed to allow data to be transmitted via Transmission Control Protocol/Internet Protocol (TCP/IP) over serial connections in a UNIX environment. SLIP did an excellent job, but time proved to be its enemy. SLIP was developed in an atmosphere in which security was not an overriding concern; consequently, SLIP does not support encryption or authentication. It transmits all the data used to establish a connection (username and password) in clear text, which is, of course, dangerous in today's insecure world.

Clear text simply means that the information is sent unencrypted; anyone who intercepts it with a packet capture program can read the data with his or her favorite word processor.


In addition to its inadequate security, SLIP also does not provide error checking or packet addressing, so it can be used only in serial communications. It supports only TCP/IP, and login is accomplished through a terminal window.

Many operating systems still provide at least minimal SLIP support for backward compatibility with older environments, but SLIP has been replaced by a newer and more secure alternative: PPP. SLIP is still used by some government agencies and large corporations in UNIX remote access applications, so you might come across it from time to time.

PPP

PPP is the standard remote access protocol in use today. PPP is actually a family of protocols that work together to provide connection services.

Because PPP is an industry standard, it offers interoperability between different software vendors in various remote access implementations. PPP provides a number of security enhancements compared to regular SLIP, the most important being the encryption of usernames and passwords during the authentication process. PPP allows remote clients and servers to negotiate data encryption and authentication methods, and it can accommodate new technologies as they appear. PPP even gives administrators the ability to choose which particular local area network (LAN) protocol to use over a remote link. For example, administrators can choose among NetBIOS Extended User Interface (NetBEUI), NWLink (Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX)), AppleTalk, or TCP/IP.

PPP can use a variety of LAN protocols to establish a remote link.


During the establishment of a PPP connection between the remote system and the server, the remote server needs to authenticate the remote user and does so by using the PPP authentication protocols. PPP accommodates a number of authentication protocols, and it's possible on many systems to configure more than one authentication protocol. The protocol used in the authentication process depends on the security configurations established between the remote user and the server. PPP authentication protocols include CHAP, MS-CHAP (2), EAP, SPAP, and PAP. Each of these authentication methods is discussed later in this chapter in the section on authentication protocols.
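The following is an added example, not code from the book or from any PPP implementation. It models the three packets of a CHAP authentication (one of the PPP authentication protocols named above) in Python: the server's Challenge, the client's Response, and the server's Success or Failure. The point it makes is why PPP authentication is an improvement over SLIP's clear-text login: the shared secret is never placed on the link, only a random challenge and a digest computed over it. The peer name and secret are constructed sample values, and the byte layout of the `wire` buffer is a simplified rendering of the packets rather than a full PPP frame.

```python
"""PPP CHAP (RFC 1994) challenge/response exchange, modelled in Python.

Added example, not code from the book or from any PPP implementation.  It
shows the three CHAP packets (Challenge, Response, Success/Failure) and why
the shared secret itself never crosses the link: only a random challenge
and an MD5 digest computed over it are transmitted.  Credentials below are
constructed sample values.
"""
import hashlib
import hmac
import os

# CHAP packet codes (RFC 1994 section 4)
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4

# Constructed sample secret database: peer name -> shared secret.
SECRET_DB = {b"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def new_challenge(size: int = 16) -> bytes:
    """The authenticator must use a fresh, unpredictable challenge each time;
    a repeated challenge would let a recorded Response be replayed."""
    return os.urandom(size)


def verify_response(identifier: int, challenge: bytes, name: bytes,
                    response: bytes, secret_db: dict) -> bool:
    """Authenticator side: recompute the digest and compare in constant time."""
    secret = secret_db.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(name: bytes, secret: bytes, secret_db: dict,
                 identifier: int = 1):
    """Simulate both sides and return (authenticated, bytes seen on the link).

    The 'wire' buffer is a simplified rendering of the three packets (code,
    identifier, payload) so the caller can check what an observer would see.
    """
    wire = bytearray()

    # 1. Authenticator -> peer: Challenge
    challenge = new_challenge()
    wire += bytes([CHAP_CHALLENGE, identifier, len(challenge)]) + challenge

    # 2. Peer -> authenticator: Response (digest plus peer name; the name is
    #    sent as-is, only the secret is protected)
    response = chap_response(identifier, secret, challenge)
    wire += bytes([CHAP_RESPONSE, identifier, len(response)]) + response + name

    # 3. Authenticator -> peer: Success or Failure
    ok = verify_response(identifier, challenge, name, response, secret_db)
    wire += bytes([CHAP_SUCCESS if ok else CHAP_FAILURE, identifier])
    return ok, bytes(wire)


if __name__ == "__main__":
    authenticated, seen = run_exchange(b"alice", SECRET_DB[b"alice"], SECRET_DB)
    print("authenticated:", authenticated)
    print("secret visible on link:", SECRET_DB[b"alice"] in seen)
```

Two practical caveats follow from the code. The digest protects the secret in transit but not against offline guessing: someone who records a challenge/response pair can test candidate secrets against it, so the strength of the secret still matters. And the server must never reuse a challenge, because a recorded Response for a known challenge could simply be replayed.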

Macintosh users can dial in to a Windows 2000 server by using PPP over AppleTalk Control Protocol (ATCP). ATCP is installed when the AppleTalk protocol is installed, or it can be installed separately.


If you are working on a network that uses SLIP and run into connectivity problems, try upgrading to PPP, as it is more flexible and secure.


PPPoE (Point-to-Point Protocol over Ethernet) is a protocol used for connecting multiple network users on an Ethernet local area network to a remote site through a common device. For example, using PPPoE it is possible to have all users on a network share the same link such as a DSL, cable modem, or a wireless connection to the Internet. PPPoE is a combination of PPP and the Ethernet protocol, which supports multiple users in a local area network. Hence the name. The PPP protocol information is encapsulated within an Ethernet frame.

With PPPoE, a number of different users can share the same physical connection to the Internet, and in the process, PPPoE provides a way to keep track of individual user Internet access times. Because PPPoE allows for individual authenticated access to high-speed data networks, it is an efficient way to create a separate connection to a remote server for each user. This strategy allows Internet access and billing on a per-user basis rather than a per-site basis.

Users accessing PPPoE connections require the same information as required with standard dial-up phone accounts, including a username and password combination. As with a dial-up PPP service, an Internet service provider (ISP) will most likely automatically assign configuration information such as the IP address, subnet mask, default gateway, and DNS server.

There are two distinct stages in the PPPoE communication process: the discovery stage and the PPP session stage. The discovery stage has four steps to complete to establish the PPPoE connection: initiation, offer, request, and session confirmation. These steps represent back-and-forth communication between the client and the PPPoE server. Once these steps have been negotiated, the PPP session can be established using familiar PPP authentication protocols.

PPTP

The function of the Point-to-Point Tunneling Protocol (PPTP) is to create a secure transmission tunnel between two points on a network. The tunneling functionality that PPTP provides forms the basis for creating multi-protocol virtual private networks (VPNs), which allow users to access remote networks through a secure connection. PPTP works in conjunction with PPP and, as such, uses PPP authentication methods including PAP, CHAP, and MS-CHAP.

PPTP uses tunneling to provide secure data transmissions over a public network. In many cases, PPTP is used to create a VPN across the Internet.


To establish a PPTP session between a client and server, a TCP connection known as a PPTP control connection is required to create and maintain the communication tunnel. The PPTP control connection exists between the IP address of the PPTP client and the IP address of the PPTP server, using TCP port 1723 on the server and a dynamically assigned port on the client. It is the function of the PPTP control connection to pass the PPTP control and management messages used to maintain the PPTP communication tunnel between the remote system and the server. Once the PPTP connection is made, it provides a secure channel, or tunnel, using the original PPP connection between the devices.
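The control connection on TCP port 1723 gives a defender a simple way to find PPTP in use on a network. The following added example, which is not code from the book, scans constructed flow records for TCP connections to port 1723 and pairs them with GRE flows between the same hosts; PPTP carries the tunneled PPP frames inside GRE (IP protocol 47, per RFC 2637), a detail the text does not mention. The addresses, timestamps, and record format are constructed samples.

```python
"""Inventory PPTP control connections in flow records.

Added example, not code from the book.  It scans constructed flow records
for TCP connections to port 1723, the PPTP control connection port named in
the text, and pairs them with GRE flows between the same hosts (PPTP
carries the tunneled PPP frames inside GRE, IP protocol 47, per RFC 2637).
The records, addresses and timestamps below are constructed samples.
"""
import csv
import io
from collections import defaultdict

PPTP_CONTROL_PORT = 1723
GRE = "gre"

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = """\
ts,src,dst,proto,sport,dport
2024-01-01T10:00:00,10.1.1.5,203.0.113.10,tcp,50412,1723
2024-01-01T10:00:01,10.1.1.5,203.0.113.10,gre,0,0
2024-01-01T10:00:05,10.1.1.7,203.0.113.10,tcp,50413,443
2024-01-01T10:01:00,10.1.1.9,198.51.100.20,tcp,50500,1723
2024-01-01T10:02:00,10.1.1.8,203.0.113.10,gre,0,0
"""


def parse_flows(text):
    """Parse CSV flow records into dicts; dport becomes an int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dport"] = int(row["dport"])
        rows.append(row)
    return rows


def pptp_inventory(flows):
    """Return {(client, server): {"control": n, "gre": m}} for every host pair
    with at least one PPTP control connection."""
    control = defaultdict(int)
    gre = defaultdict(int)
    for f in flows:
        pair = (f["src"], f["dst"])
        if f["proto"] == "tcp" and f["dport"] == PPTP_CONTROL_PORT:
            control[pair] += 1
        elif f["proto"] == GRE:
            gre[pair] += 1
    return {pair: {"control": n, "gre": gre.get(pair, 0)}
            for pair, n in control.items()}


def gre_without_control(flows):
    """GRE flows with no matching control connection in the same records:
    either another GRE-based tunnel, or the PPTP control connection was set
    up before this capture window began.  Worth a look either way."""
    inventory = pptp_inventory(flows)
    return sorted({(f["src"], f["dst"]) for f in flows
                   if f["proto"] == GRE and (f["src"], f["dst"]) not in inventory})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for pair, counts in pptp_inventory(flows).items():
        print(f"PPTP {pair[0]} -> {pair[1]}: control={counts['control']} gre={counts['gre']}")
    for pair in gre_without_control(flows):
        print(f"GRE without control connection: {pair[0]} -> {pair[1]}")
```

A control connection with no accompanying GRE usually means the tunnel never came up (for example, authentication failed), while GRE with no control connection in the window is either an older session or a different GRE-based tunnel; both are worth checking against the list of VPN servers you expect to see.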

Virtual Private Networks

VPNs are one of the most popular methods of remote access. Essentially, a VPN extends a LAN by establishing a remote connection, using a public network such as the Internet. A VPN provides a point-to-point dedicated link between two points over a public IP network.

A VPN encapsulates encrypted data inside another datagram that contains routing information. The connection between two computers establishes a switched connection that is dedicated to the two computers. The encrypted data is encapsulated inside the PPP or IPSec protocols, and that connection is used to deliver the data.

A VPN allows anyone with an Internet connection to use the infrastructure of the public network to dial in to the main network and access resources as if he or she were logged on to the network locally. It also allows two networks to be connected to each other securely. Once connected, data can be exchanged between networks. In this way, VPNs create a WAN.

Many elements are involved in establishing a VPN connection, including the following:

  • A VPN client: The VPN client is the computer that initiates the connection to the VPN server.

  • A VPN server: The VPN server authenticates connections from VPN clients.

  • An access method: As mentioned, a VPN is most often established over a public network such as the Internet; however, some VPN implementations use a private intranet. The network that is used must be IP based.

  • VPN protocols: Protocols are required to establish, manage, and secure the data over the VPN connection. PPTP and L2TP are commonly associated with VPN connections.

VPNs have become very popular because they allow the public Internet to be safely used as a wide area network (WAN) connectivity solution.

VPNs support analog modems and ISDN, as well as dedicated broadband connections such as cable and DSL. You should remember this for the exam.


Remote Desktop Protocol

In a Windows environment, Terminal Services provides a way for a client system to connect to a server, such as Windows Server 2000/2003, and, by using the Remote Desktop Protocol (RDP), run programs on the server as if they were local client applications. Such a configuration is known as thin client computing, whereby client systems use the resources of the server instead of their local processing power.

Originally, Terminal Services was available in remote administration mode or application server mode. Today, in Windows Server 2003, Terminal Services remote administration mode no longer exists; it has been replaced by the Remote Desktop feature.

Windows Server 2003 and XP Professional have built-in support for Remote Desktop Connections. The underlying protocol used to manage the connection is RDP. RDP is a low-bandwidth protocol used to send mouse movements, keystrokes, and bitmap images of the screen on the server to the client computer. RDP does not actually send data over the connection, only screenshots and client keystrokes.



    Network+ Exam Cram 2
    ISBN: 078974905X
    Year: 2003
    Pages: 194