Remote Access

The first area of focus within the communications security realm involves providing remote or mobile clients the ability to connect to necessary resources. Remote access might include a wireless fidelity (Wi-Fi) link supporting a small office or home office network using modern 802.11-compliant wireless networking equipment, or perhaps allowing employees in a mobile sales force to be authenticated as they dial in to a central office using telephony carriers.

We focus on several specific areas of concern regarding remote access, including the following:

  • 802.11x wireless networking

  • Virtual Private Network (VPN) connections using Layer 2 Tunneling Protocol (L2TP) or Point-to-Point Tunneling Protocol (PPTP) connections

  • Dial-up authentication using the Remote Authentication Dial-In User Service (RADIUS) or the Terminal Access Controller Access Control System (TACACS and TACACS+)

  • Secure terminal connections using the Secure Sockets Layer (SSL) interface

  • Packet-level authentication of VPN connections using the Internet Protocol Security (IPSec) standard

Exam Alert

The exam contains many acronyms specifying security terminology. Make sure you are comfortable with the common acronyms, and pay particular attention to similar acronyms, such as PPP (Point-to-Point Protocol), which is used by L2TP, and PPTP (Point-to-Point Tunneling Protocol), which is an alternative to L2TP connectivity.


802.11x Wireless Networking

The 802.11x specification establishes standards for wireless network connectivity. When an 802.11x-compliant connection is attempted, a wireless client tries to contact a wireless access point (WAP), which then authenticates the client through a basic challenge/response method and opens ports allowed for a wireless connection to the network. This one-way authentication process, broadcast using radio waves, is susceptible to several security concerns:

  • Radio traffic detection: 802.11x transmissions generate detectable radio-frequency traffic in all directions. Although intervening material and walls may reduce the functional distance, these radio frequencies can still be used for normal network connectivity, and someone can "sniff" the data transmitted over the network. Many solutions exist to increase the distance over which detection is possible, including the use of reflective tube waveguides (such as the popular Pringles can) or flying overhead to increase detection range without interference from building structures.

  • Clear data: Without the use of some type of encryption standard, data transacted over an 802.11x wireless link is passed in clear-text form. Additional forms of encryption are being integrated, such as Wired Equivalent Privacy (WEP) and the Advanced Encryption Standard (AES), but current implementations suffer from the fact that a determined listener can easily obtain enough traffic data to recover the encryption key in use. New standards that involve time-changing encryption keys, such as the Temporal Key Integrity Protocol (TKIP), may help with this.

  • Session hijacking: Because the authentication mechanism is one-way, it is easy for a hijacker to wait until the authentication cycle is completed and then generate a signal to the client that causes the client to think it has been disconnected from the access point, while at the same time beginning to transact data traffic, pretending to be the original client.

  • Man-in-the-middle attacks: Because the request for connection by the client is an omnidirectional open broadcast, it is possible for a hijacker to act as an access point to the client, and as a client to the true network access point, thus allowing the hijacker to follow all data transactions and modify, insert, or delete packets at will.

  • War-driving and war-chalking: Coordinated efforts are underway aimed at the identification of existing wireless networks, the SSIDs used to identify these wireless networks, and any known WEP keys. A popular pastime known as war-driving involves driving around with a laptop system configured to listen for open 802.11x access points. Several Web sites provide central repositories for identified networks to be collected, graphed, and even generated against city maps for the convenience of others looking for open access links to the Internet. A modification of early "hobo signs" is also being used to mark buildings, curbs, and other landmarks indicating the presence of available access points and their connection details. This so-called war-chalking utilizes a set of symbols and shorthand details to provide the specifics needed to connect using these access points.

Virtual Private Network (VPN) Connections

When data must pass across a public or unsecured network, one popular method of securing the data involves the use of a Virtual Private Network (VPN) connection. VPN connections provide a mechanism for the creation of a secured tunnel through a public network such as the Internet, which then encapsulates data packets to prevent sniffing over the public network.

This technology allows for a secure, authenticated connection between a remote user and the internal private network of an organization. Additional security may be gained through the use of encryption protocols and authentication methods, such as using the IPSec protocol over the VPN connection. VPN connections may be used to create secured connections between remote offices to allow replication traffic and other forms of intersite communication to occur, without incurring the cost of expensive, dedicated leased circuits or modem bank solutions. Two of the more common protocols used in VPN solutions are PPTP and L2TP. You will learn more about these protocols next.

Note

VPN connections are also used to connect Remote Access Service (RAS) servers located within an organization's demilitarized zone (DMZ) through a secure conduit to a Remote Authentication Dial-In User Service (RADIUS) server. The RADIUS server is located within an organization's private network and provides a secured channel for the authentication of dial-in users connecting to RAS servers located within the semiprivate DMZ.


Point-to-Point Tunneling Protocol (PPTP) Connections

One common Virtual Private Network encapsulation protocol, proposed initially by a group of companies including Microsoft, is the Point-to-Point Tunneling Protocol (PPTP). Connections between remote users and sites may be made using this encapsulation protocol, which creates a secured "tunnel" through which other data can be transferred.

Layer 2 Tunneling Protocol (L2TP) Connections

The Layer 2 Tunneling Protocol (L2TP) is an extension of the earlier PPTP and Layer 2 Forwarding (L2F) standards. Proposed by the Cisco Corporation and its partners, this protocol is rapidly replacing PPTP as the standard encapsulation protocol used for VPN connections. L2TP connections are created by first allowing a client to connect to an L2TP access concentrator, which then tunnels individual Point-to-Point Protocol (PPP) frames through a public network to the network access server (NAS), where the frames may then be processed as if generated locally.

Exam Alert

Remember that the L2TP protocol is gaining widespread acknowledgement as the successor to the older, increasingly obsolete PPTP-based VPN connection.


Dial-Up User Access

Although broadband solutions such as cable modems and Digital Subscriber Line (DSL) connections are becoming increasingly available, the use of an acoustic modem (short for modulator/demodulator) over normal telephone lines remains a common means of remote connectivity. Client systems equipped with a modem can connect using normal dial-up acoustic connections to a properly equipped RAS server, which then functions as a gateway through which the remote user may access local resources or gain connectivity to the Internet.

Most Internet Service Providers (ISPs) still offer dial-up network connectivity for their users, and many organizations still maintain RAS servers to provide direct connectivity for remote users or administrators and to provide failover fault-tolerant communications in the event of WAN connectivity loss. Demand-dial solutions involving the use of modem technology may even provide on-demand intersite connectivity for replication or communications, without requiring a continuous form of connection between the remote sites.

The authentication protocols often found in dial-up infrastructures are TACACS, RADIUS, and TACACS+. The authentication and/or transport services that these protocols offer are discussed in more depth next.

Terminal Access Controller Access Control System (TACACS)

The Terminal Access Controller Access Control System (TACACS) protocol is an early authentication mechanism used by Unix-based RAS servers to forward dial-up user logon and password values to an authentication server. TACACS does not provide authentication itself but rather is an encryption protocol used to send the logon information to a separate authentication service.

Remote Authentication Dial-In User Service (RADIUS) and TACACS+

Modern solutions, including the Remote Authentication Dial-In User Service (RADIUS) and TACACS+ protocols, provide for both user authentication and authorization. A RADIUS server functions to authenticate dial-in users using a symmetric key (private key) method and provides authorization settings through a stored user profile.

Authentication is managed through a client/server configuration in which the RAS server functions as a client of the RADIUS server, passing dial-in user access information to the RADIUS server, often through a VPN connection between the two systems.

Tip

Remember that in RADIUS-based authentication, the RAS server is the RADIUS client, not the system initiating the dial-up connection to the RAS server.


The TACACS+ protocol is an extension of the earlier TACACS form, adding authentication and authorization capabilities similar to the RADIUS authentication method. One important difference between these two is that the TACACS+ protocol relies on Transmission Control Protocol (TCP) connectivity, whereas RADIUS uses the User Datagram Protocol (UDP).
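The RADIUS shared-secret mechanics described above (the RAS acting as RADIUS client, a symmetric secret shared with the RADIUS server, plain UDP datagrams) can be seen in the RFC 2865 wire format. This is an added example, not code from the book: it hides the User-Password attribute with the shared secret and computes the Response Authenticator that lets the RAS check a reply really came from a server holding that secret. The secret, user name and password are constructed values.

```python
"""RADIUS (RFC 2865) client/server primitives: User-Password hiding and
Response Authenticator verification. Shared secret and values are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # packet codes
USER_NAME, USER_PASSWORD = 1, 2       # attribute types

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to 16-byte blocks; XOR each block with MD5(secret + previous block),
    the first block being chained to the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: invert hide_password, then strip the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, username, password, secret, authenticator):
    """RAS (the RADIUS client) -> RADIUS server; header is Code, ID, Length."""
    attrs = attribute(USER_NAME, username) + attribute(
        USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, attrs, request_authenticator, secret):
    """Server -> RAS; Response Authenticator = MD5(Code+ID+Length+ReqAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_response(response, request_authenticator, secret) -> bool:
    """RAS check: a reply forged without the secret, or altered in transit, fails."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```

Only the password attribute is hidden; the user name and other attributes travel in the clear over UDP, which is why the text has the RAS-to-RADIUS leg carried inside a VPN.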

Secure Shell (SSH) Connections

As a more secure replacement for the common command-line terminal utility telnet, the Secure Shell (SSH) utility establishes a session between the client and host computers using an authenticated and encrypted connection. SSH utilizes the asymmetric (public key) Rivest-Shamir-Adleman (RSA) cryptography method to provide both connection and authentication.

Data encryption is accomplished using one of the following algorithms:

  • International Data Encryption Algorithm (IDEA): The default encryption algorithm used by SSH, which uses a 128-bit symmetric key block cipher.

  • Blowfish: A symmetric (private key) encryption algorithm that uses a variable 32- to 448-bit secret key.

  • Data Encryption Standard (DES): A symmetric key encryption algorithm that uses a random key selected from a large number of shared keys. Most forms of this algorithm cannot be used in products meant for export.

The Secure Shell suite encapsulates three secure utilities: slogin, ssh, and scp, derived from the earlier nonsecure Unix utilities rlogin, rsh, and rcp. SSH provides a large number of available options that you may be at least somewhat familiar with (see Figure 4.1).

Figure 4.1. A Linux version of the ssh utility showing available options.


Like telnet, SSH provides a command-line connection through which an administrator may input commands on a remote server. SSH provides an authenticated and encrypted data stream, as opposed to the cleartext communications of a telnet session. The three utilities within the Secure Shell suite provide the following functionalities:

  • Secure Login (slogin): A secure version of the Unix Remote Login (rlogin) service, which allows a user to connect to a remote server and interact with the system as if directly connected

  • Secure Shell (ssh): A secure version of the Unix Remote Shell (rsh) environment interface protocol

  • Secure Copy (scp): A secure version of the Unix Remote Copy (rcp) utility, which allows for the transfer of files in a manner similar to the File Transfer Protocol (FTP)

Note

Some versions of SSH, including the Secure Shell for Windows Server, include a secure version of the File Transfer Protocol (SFTP) along with the other common SSH utilities.


Internet Protocol Security (IPSec)

The Internet Protocol Security (IPSec) authentication and encapsulation standard is widely used to establish secure Virtual Private Network communications. Unlike most security systems that function within the Application layer of the Open Systems Interconnection (OSI) model, the IPSec protocol functions within the Network layer.

The OSI model is a logically structured model that encompasses the translation of data entered at the Application layer through increasingly more abstracted layers of data, resulting in the actual binary bits passed at the Physical layer. This process of adding data at different layers is referred to as encapsulation. At the other end of a data transfer, the individual packets of data are ordered and reassembled by passing back through the layers of operation of the OSI model until the original data is reproduced at the Application layer on the receiving system.

Here are the layers of the OSI model:

7. Application layer

6. Presentation layer

5. Session layer

4. Transport layer

3. Network layer

2. Data Link layer

1. Physical layer

Exam Alert

You should be thoroughly familiar with the OSI model as well as the common protocols and network hardware that function within each level.


IPSec provides authentication services as well as encapsulation of data through support of the Internet Key Exchange (IKE) protocol.

IPSec Services

The asymmetric key standard defining IPSec provides two primary security services:

  • Authentication Header (AH): Provides authentication of the data's sender

  • Encapsulating Security Payload (ESP): Supports authentication of the data's sender as well as encryption of the data being transferred

Internet Key Exchange (IKE) Protocol

IPSec supports the Internet Key Exchange (IKE) protocol, which is a key-management standard used to specify separate key protocols to be used during data encryption. IKE functions within the Internet Security Association and Key Management Protocol (ISAKMP), which defines the payloads used to exchange key and authentication data appended to each packet.

Exam Alert

Be sure you are familiar with common key-exchange protocols such as Oakley and SKEME; standard encryption algorithms, including asymmetric key solutions such as the Diffie-Hellman Key Agreement and the Rivest-Shamir-Adleman (RSA) standards; symmetric key solutions such as the International Data Encryption Algorithm (IDEA) and the Data Encryption Standard (DES); and hashing algorithms such as Message Digest 5 (MD5) and the Secure Hash Algorithm (SHA).




Security+ Exam Cram 2 (Exam SYO-101)
ISBN: 0789729105
Year: 2005
Pages: 162
