Designing a Remote Access Infrastructure

As we stated in Chapter 5, "Creating the Logical Design for a Network Services Infrastructure," it's very important to continue to provide users with access to their files and folders on our network even when the users aren't in the office. The productivity of most companies depends on the ability to provide this access. In Chapter 5, we discussed the logical components of providing remote access while maintaining security. In this section, we discuss the physical components used for the same goals.

The physical components used to provide secure remote access include the following:

  • Remote access servers

  • Internet authentication servers

  • Screened subnets

We now discuss each of these components and the relation of each to the physical design of our network.

Remote Access Servers

Remote access servers are specifically designed to provide a link between the services and protocols used by wide area networks (WANs) and those used by our local area network (LAN). These servers enable users to connect to the network from wherever they happen to be provided that they have the proper credentials to authenticate the connection.

You can use the Routing and Remote Access tool on Windows Server 2003 to configure two main types of remote access. These include

  • Dial-up access

  • Virtual private network (VPN)

We now examine each of these types of remote access and the relationship of each to the physical design of our network infrastructure.

Dial-up Access

Remote access servers can use regular telephone lines, which are often referred to as the public switched telephone network (PSTN) or the plain old telephone service (POTS). In this case, a modem at the receiving end answers the modem at the sending end. In other words, the user's computer calls in and the other computers answer the call. This original method of remote access service is still used by many companies today; however, this method has some significant drawbacks.

First, dial-up access requires one modem for each simultaneous conversation. In a large network, with many remote access users, this can present a physical problem. Some companies have used integrated circuits that emulate many modems to overcome this physical limitation, but there is still a limit to what any device can provide. In addition, although some encryption can be used, the information transfer cannot be considered secure. Finally, dial-up through the PSTN is limited to a bandwidth of 53Kbps. Even though this might be fast enough to check email, we'll experience its limitations if we attempt to transfer large files!

Virtual Private Network

As its name implies, a virtual private network (VPN) is a secure communication channel through an inherently nonsecure medium, the Internet. To use a VPN, a user first makes a connection to an Internet service provider and then uses that connection to connect to the remote access server. Our remote access server is configured with virtual ports that receive the communication and forward it to the appropriate resources in our network. Figure 6.7 illustrates the use of virtual ports.

Figure 6.7. You can use virtual ports for remote access connections.


To provide a secure communication channel through a nonsecure medium, we overlay one protocol on top of another. This is called encapsulation or tunneling. There are two main tunneling protocols that can be used to provide this security:

  • Point-to-point tunneling protocol (PPTP)

  • Layer two tunneling protocol (L2TP)

These two tunneling protocols have some similarities, but many differences. PPTP is the oldest tunneling protocol and will probably be replaced by L2TP at some point in the future. L2TP offers many advantages over PPTP, including more flexibility, more efficient data transfer, and tunnel authentication (checking the other side) before each transmission. The only disadvantage of L2TP is that by default it cannot be used by clients earlier than Windows 2000 Professional. Because this will affect your decision as to whether to replace older clients, it should be considered part of the physical design of your network. Table 6.2 illustrates the similarities and differences of these two tunneling protocols.

Table 6.2. Comparison Chart of PPTP and L2TP Tunneling Protocols

PPTP                                   L2TP
-------------------------------------  ---------------------------------------------------------------------------
Internetwork must be IP based          Internetwork can be IP, Frame Relay, X.25, or ATM based
No header compression                  Header compression for more efficient data transfer
No tunnel authentication               Tunnel authentication on each transmission
Built-in PPP encryption                Uses newer IPSec encryption
Can be used by all Microsoft clients   By default, can be used only by Windows 2000 Professional and newer clients


You should know the main advantages and disadvantages of the two main tunneling protocols (PPTP and L2TP) for the test.


Internet Authentication Servers

In a network with many remote access servers, we can potentially have many remote access policies. As we discussed in Chapter 5, these policies can be centralized to one server. This Internet authentication server (IAS) should be physically located between the remote access servers (its clients) and a domain controller. This allows the IAS to contact the domain controller for authorization without disrupting other network components. Keeping the IAS physically close to a domain controller also ensures that it can communicate with the domain controller over a fast, reliable link.

Screened Subnets

Many organizations use a combination of firewalls to create an area of the network that is neither completely on the inside nor completely on the outside. This area is referred to as a screened subnet, as illustrated in Figure 6.8. Servers that provide resources for clients on the inside as well as the outside are often placed into the screened subnet. Doing so means they are physically and logically closer to remote access users than they would be if they were all the way behind the firewalls. Servers that are sometimes placed into screened subnets include DNS, Web, FTP, email, and many others.

Figure 6.8. Multiple firewalls create a screened subnet.


Servers that have vital information about the internal network, such as domain controllers, are not typically placed into a screened subnet. DNS servers in a screened subnet may contain an incomplete database as well. In other words, they might not have all the Active Directory records that the DNS servers on the inside of all of the firewalls have.

The multiple firewalls used with screened subnets enable you to control the traffic flow to and from all levels of the network. For example, FTP traffic can be allowed into and out of the first firewall, where the FTP server is located, but completely blocked on the second firewall. This type of control gives you many options as a remote access administrator.

Many companies use a firewall with multiple network interfaces to provide the same screened subnet. For example, a firewall with three NICs would be connected to the Internet with one interface and connected to the internal LAN with another, leaving the third interface connected to its own subnet. Servers placed on this subnet are accessible from the Internet (controlled by the firewall), but at the same time are protected without being on the internal network. Fewer and fewer sites are utilizing multiple firewalls for this purpose.
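The two-firewall FTP example above, and the equivalent three-NIC firewall, as an added illustration that is not part of the book: a small model of first-match packet filtering where the outer firewall lets FTP (TCP/21) and SMTP (TCP/25) into the screened subnet, and the inner firewall blocks FTP entirely while allowing SMTP through to the internal mail server. The addresses, the SMTP rule, and the rule-list layout are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample addressing (not from the book): the screened subnet
# holds the FTP and mail relays; the internal LAN sits behind firewall two.
SCREENED = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Rule:
    action: str                            # "allow" or "deny"
    proto: str                             # "tcp", "udp" or "any"
    dport: Optional[int]                   # destination port, None = any
    dst: Optional[ipaddress.IPv4Network]   # destination network, None = any


def evaluate(rules: List[Rule], proto: str, dport: int, dst) -> str:
    """First-match evaluation; anything unmatched is denied (default deny)."""
    for r in rules:
        if r.proto in ("any", proto) and r.dport in (None, dport) \
                and (r.dst is None or dst in r.dst):
            return r.action
    return "deny"


# First firewall (Internet side): FTP and SMTP are let in, as in the book's
# example; everything else, e.g. SMB on TCP/445, falls to the default deny.
OUTER = [Rule("allow", "tcp", 21, None), Rule("allow", "tcp", 25, None)]

# Second firewall (LAN side): FTP is completely blocked; only SMTP may cross
# into the internal network (to the assumed internal mail server).
INNER = [Rule("deny", "tcp", 21, None), Rule("allow", "tcp", 25, INTERNAL)]


def admit(dst_str: str, proto: str, dport: int):
    """Walk one inbound packet from the Internet through both firewalls and
    return (verdict, where_decided)."""
    dst = ipaddress.ip_address(dst_str)
    if evaluate(OUTER, proto, dport, dst) == "deny":
        return "deny", "outer"
    if dst in SCREENED:                    # delivered to a screened-subnet host
        return "allow", "screened"
    if dst in INTERNAL:                    # must also pass the second firewall
        return evaluate(INNER, proto, dport, dst), "inner"
    return "deny", "outer"                 # unknown destination is not forwarded


def three_legged(dst_str: str, proto: str, dport: int) -> str:
    """Same policy on one firewall with three NICs: the destination zone picks
    the rule sets; a packet bound for the internal interface must pass both."""
    dst = ipaddress.ip_address(dst_str)
    if dst in SCREENED:
        return evaluate(OUTER, proto, dport, dst)
    if dst in INTERNAL and evaluate(OUTER, proto, dport, dst) == "allow":
        return evaluate(INNER, proto, dport, dst)
    return "deny"
```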



MCSE Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure Exam Cram 2 (Exam Cram 70-297)
ISBN: 0789730154
Year: 2003
Pages: 152