Designing Remote User Connectivity


Remote users could be employees who are connecting to the network from their homes or hotel rooms, or they could be business partners who need to access specific resources within your organization. In any case, you need to make sure that the users are able to gain access to the resources they require while at the same time guaranteeing the safety of the data.

As we look at the options for remote user access, we will discuss considerations you should take into account, the connection types that are available, Internet and extranet considerations, and how to control and account for remote user access.

Identifying Remote User Access Considerations

Whenever you open up your network so that users can gain access from remote locations, you are endangering the data, resources, and computers that are part of your internal network. Prior to implementing a remote access solution, you should consider the effect that access to your network could have and assess any vulnerabilities in your infrastructure.

By allowing external users access to your network, you may be opening up the following vulnerabilities:

Exposure of network information     Any data that is accessible from a client on the network could be accessed from a remote client if not properly safeguarded. Make sure all of the network resources are secured; otherwise an outside entity could discover information that should be kept confidential.

Lack of control over infrastructure     Once you open up the network to the outside world, an unsecured infrastructure could give outside attackers far more access than you intended. If that happens, the network could be modified in ways that give the attackers control over your resources.

Exposure of computers to attack     As pathways into your network are opened, computers that have not been properly safeguarded are exposed to attacks such as denial of service attacks. Make sure that all of the appropriate security patches and precautions are in place before allowing any type of remote access into your network.

Organizations do not go to the trouble, nor do they take on the expense, to implement remote access if they do not have a good reason to do so. Employees may need to access the network from an outside location so that they can do their job. Partner companies may need to share information in order to work together. No matter what the reason for building a remote access solution, you should identify the following criteria:

  • What functions do remote employees perform when connecting?

  • What functions do remote non-employees perform when connecting?

  • How long do they remain connected?

  • How many users can connect concurrently?

  • What types of clients are used when connecting?

  • What type of encryption is required?

  • What portion of the network do the remote users need access to?

The answers to these questions will aid you when you are trying to decide how to secure your infrastructure. If all of the remote users are employees in your company, you could mandate the use of a specific client that will support the encryption and authentication mechanisms you want to use. However, if you are working with another organization, you may not have the clout required to mandate that they upgrade their client systems to support a higher security level.

Identifying Connection Options

You have a choice of several connection options when you are designing a remote access infrastructure. One of the first things you need to consider is the amount of data that will be sent across the connection and the speed at which the connection can send the data. You also need to decide on whether or not you will use VPN connections.

Connection Types

Administrators who wish to interconnect remote locations and allow users to connect to resources or allow systems to interoperate have several options to choose from. Depending on the requirements and the budget the organization is willing to commit, you can use efficient high-speed connections, or you can choose slower connections if the links do not need fast transfer speeds or do not have to support many users. The following are some of the connection types that are available for connecting locations and partner organizations together:

  • Circuit Switched: Modem and ISDN

  • Leased Lines: Broadband (T1, T3, etc.), DSL (ADSL, IDSL, SDSL)

  • Packet/Frame Switched: X.25, Frame Relay, ATM

  • Virtual: VPN technologies

When selecting the connection type, you should take the following information into account:

  • Leased lines should be used for dedicated high traffic WAN links.

  • Packet switching should be used for intermittent traffic.

  • Dial-up circuit switched lines should be used for secondary paths or connections that have minimal traffic.

These options are available to domestic administrators, but when interconnecting organizations that have offices outside of the United States, you need to take other criteria into account, the first of which is the interoperability of the connections. Will you be able to communicate effectively between the overseas connection and the domestic connection? And if they are compatible, what is the cost of the connection? You may find it prohibitive to maintain a high-speed connection in some locations and will be forced to use another slower method of connecting.

Make sure you are making decisions based on the business requirements of the organization. Although it may be nice to have a T3 connection to the Internet and other locations within your organization, you really need to define the bandwidth requirements. Paying for bandwidth that will not be used is not an efficient use of your company's financial resources. At the same time, if you are using dial-up to gain access to remote locations, the users may not be able to work with the resources that they need. You need to make a trade-off between cost and user productivity.

Before deciding on a connection type, determine what VPN options are available to you. If the connections are not secure and you are not able to implement a VPN connection, you may want to determine whether another transmission medium is better suited to your endeavor. Finally, if the connection is vital and you need to maintain it, you may want to determine what fault-tolerance options are available to you within the budget you have to work with.

VPNs

Using the Internet as an extension of an organization's network is an efficient and inexpensive way to connect locations. However, the Internet has never been a secure environment. Data that travels across the Internet is subject to capture by any number of disreputable users who could take advantage of the data they discover. Organizations that want to safeguard their data while taking advantage of the Internet use VPN technologies to encrypt the data.

There are pros and cons to using VPN technologies. You need to weigh each to determine if a VPN is the right solution for your organization's needs. Table 9.1 lists both the pros and cons.

Table 9.1: Advantages and Disadvantages to Using VPNs

Advantages:

  • The existing infrastructure can still be utilized.

  • An expensive private connection is not necessary.

  • Will scale better than a dial-up solution.

Disadvantages:

  • You encounter extra overhead when using a tunnel.

  • The same protocol must be supported on both devices.

  • Additional support is required to maintain VPN technologies.

  • Packets could still be intercepted on the Internet.

Your VPN of choice will be limited to the clients that you allow to connect. Some earlier workstation clients are not able to take advantage of some of the newer technologies without having additional software added to them. This is a time where you may need to put your foot down and dictate which client operating systems can be used through a VPN to connect to your internal network. If you want to restrict VPN access to Layer 2 Tunneling Protocol (L2TP)-capable clients using IPSec encryption, you need to make sure that all of the remote workstations have the appropriate software. Windows 2000, Windows XP, and Windows Server 2003 have native L2TP/IPSec support, but other clients may need to have the additional software applied to them.

If you have to support Point-to-Point Tunneling Protocol (PPTP), make sure that the clients are using the most secure level of data encryption. The major drawback to PPTP is that it does not support mutual authentication of the client and server. Because L2TP does support mutual authentication, all of the packets passing between the client and the server are verified for authenticity. PPTP does not support this level of security.

Guidelines for Remote User Authentication and Accounting

As users connect to the remote access server, whether they connect through a dial-up connection or a VPN connection, they need to be authenticated before they are allowed to connect to network resources. You should also make sure you have a method of accounting for the users who connect to the network and the resources they access. Microsoft Routing and Remote Access Server (RRAS) can be used to authenticate users as they connect. If you employ a Remote Authentication Dial-In User Service (RADIUS) solution, not only will the users authenticate, but the RADIUS infrastructure will provide accounting for the users accessing data on the network.

Note: RRAS has both authentication and routing capabilities built into it. You can configure the service to provide one or the other, or both. We discuss the router options in the section Designing Remote Site Connectivity.

A RADIUS-based infrastructure allows you to place servers close to the users who are attempting to authenticate to your network as well as close to the domain controllers that are used to authenticate the users. In a Windows Server 2003 network, the RRAS service that provides RADIUS server functionality is Internet Authentication Service (IAS). This is the service that accepts the user's credentials as they are passed from the RADIUS client, and authenticates the user by passing the credentials to the nearest domain controller. The RADIUS client is the RRAS server that has been configured to use a RADIUS server for user authentication.

You do not have to use IAS to have a RADIUS server, but there are some advantages to doing so. If you use IAS as the RADIUS server, IAS will contact a domain controller in order to authenticate the user. If you use a third-party RADIUS server, you have to configure that server either to work with Active Directory as the account provider, or to maintain two authentication databases and determine how to keep them synchronized. With that being said, Microsoft RRAS servers have the ability to become RADIUS clients to third-party RADIUS servers; IAS also has the ability to interoperate with third-party RADIUS clients.

Design Scenario: Controlling User Access

Jessica has been evaluating her current environment in order to determine how she is going to design her network infrastructure to support her remote clients. All of the users who need to access the internal network have accounts within her domain. Of the 14 users, 10 have the same Internet Service Provider (ISP). This ISP supports UNIX RADIUS clients for other organizations; Jessica is interested in taking advantage of that.

  1. Question: If Jessica wants to take advantage of the ISP's RADIUS clients, what services would she need to implement? Answer: The IAS server could be installed on a Windows Server 2003 system that will act as the RADIUS server.

  2. Question: If the remainder of the remote users will access the network using a dial-up account, what service should Jessica add to her design? Answer: As long as the IAS server is not overloaded, it will be able to handle the additional traffic from the four remote users that need to dial in to the server. Jessica should configure a separate policy for these users.

One major advantage to using RADIUS is that it can centralize the remote access policies on the IAS server. If you are not using a RADIUS solution, or if you are not using IAS as your RADIUS server, you need to configure the remote access policies for each RAS server individually. This can be a time-consuming process, and if you make a change to a policy, you need to guarantee that each of the RAS servers has been updated correctly. Once you have IAS in place, you can store a remote access policy on the IAS server and all of the RAS servers acting as RADIUS clients will use the master policy.

The same is true for monitoring the RADIUS implementation. The RADIUS clients can report auditing information to the RADIUS server so that an administrator can view the accounting information that was generated due to user access. If you are not taking advantage of the accounting feature that is built into RADIUS, you need to monitor your RAS servers using another tool such as the RAS Monitor, rassrvmon.exe, from the Windows Server 2003 Resource Kit.
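The exchange between a RADIUS client (the RRAS server) and a RADIUS server (IAS) described in the authentication and accounting discussion above is shown here as an added example; it is not code from the study guide, from Microsoft, or from any RADIUS product. It implements the RFC 2865 Access-Request/Access-Accept exchange, including the User-Password hiding and the Response Authenticator that the client checks, and the RFC 2866 Accounting-Request whose authenticator the server checks before recording the session. The RadiusServer class is a hypothetical stand-in for IAS: its in-memory account table replaces the lookup IAS would make against a domain controller, and the client address, user name, password, shared secret and session ID are all constructed sample values.

```python
import hashlib, hmac, os, struct

# RADIUS packet codes (RFC 2865 / RFC 2866) and the attribute types this example uses
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 1, 2, 3, 4, 5
USER_NAME, USER_PASSWORD, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 2, 40, 44
ACCT_START, ZERO_AUTH = 1, b"\x00" * 16

def encode_attrs(attrs):
    """Serialize [(type, value_bytes), ...] as RADIUS type/length/value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Parse attributes, refusing any length field that would run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        n = data[i + 1] if i + 1 < len(data) else 0
        if n < 2 or i + n > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + n]))
        i += n
    return attrs

def packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad RADIUS length")
    return pkt[0], pkt[1], pkt[4:20], decode_attrs(pkt[20:])

def authenticator_for(code, ident, seed, attrs, secret):
    """MD5(Code+ID+Length+seed+Attributes+Secret): Response Authenticator (seed = request authenticator) or Accounting-Request authenticator (seed = 16 zero octets)."""
    return hashlib.md5(packet(code, ident, seed, attrs) + secret).digest()

def password_xor(data, secret, request_auth, hiding):
    """RFC 2865 section 5.2: XOR each 16-byte chunk with MD5(secret + previous cipher chunk); hiding=True pads and hides, hiding=False reveals and strips the padding."""
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        chunk = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, (chunk if hiding else data[i:i + 16])
    return out if hiding else out.rstrip(b"\x00")

class RadiusServer:
    """Hypothetical stand-in for IAS: one shared secret per RADIUS client, and an in-memory account table in place of the domain controller lookup."""
    def __init__(self, clients, accounts):
        self.clients, self.accounts, self.accounting = clients, accounts, []

    def handle(self, src_ip, pkt):
        secret = self.clients.get(src_ip)
        if secret is None:
            return None  # unknown RADIUS client: silently discard, as RFC 2865 requires
        code, ident, auth, attrs = parse_packet(pkt)
        a = dict(attrs)
        if code == ACCESS_REQUEST:
            pw = password_xor(a.get(USER_PASSWORD, b""), secret, auth, hiding=False)
            stored = self.accounts.get(a.get(USER_NAME, b"").decode(errors="replace"), b"")
            reply = ACCESS_ACCEPT if stored and hmac.compare_digest(stored, pw) else ACCESS_REJECT
        elif code == ACCOUNTING_REQUEST:
            # no password here; the authenticator is what proves the client holds the secret
            if not hmac.compare_digest(authenticator_for(code, ident, ZERO_AUTH, attrs, secret), auth):
                return None
            self.accounting.append((a.get(USER_NAME), a.get(ACCT_STATUS_TYPE), a.get(ACCT_SESSION_ID)))
            reply = ACCOUNTING_RESPONSE
        else:
            return None
        return packet(reply, ident, authenticator_for(reply, ident, auth, [], secret), [])

def client_request(server, nas_ip, secret, code, ident, attrs, req_auth):
    """RRAS side (RADIUS client): accept a reply only if its identifier matches and its Response Authenticator verifies under the shared secret."""
    reply = server.handle(nas_ip, packet(code, ident, req_auth, attrs))
    if reply is None:
        return None
    rcode, rid, rauth, rattrs = parse_packet(reply)
    ok = rid == ident and hmac.compare_digest(authenticator_for(rcode, rid, req_auth, rattrs, secret), rauth)
    return rcode if ok else None

def authenticate(server, nas_ip, secret, user, password, ident=1):
    req_auth = os.urandom(16)  # fresh random Request Authenticator per Access-Request
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, password_xor(password.encode(), secret, req_auth, True))]
    return client_request(server, nas_ip, secret, ACCESS_REQUEST, ident, attrs, req_auth) == ACCESS_ACCEPT

def account(server, nas_ip, secret, user, status, session_id, ident=2):
    attrs = [(USER_NAME, user.encode()), (ACCT_STATUS_TYPE, struct.pack("!I", status)), (ACCT_SESSION_ID, session_id)]
    req_auth = authenticator_for(ACCOUNTING_REQUEST, ident, ZERO_AUTH, attrs, secret)
    return client_request(server, nas_ip, secret, ACCOUNTING_REQUEST, ident, attrs, req_auth) == ACCOUNTING_RESPONSE

def demo():
    # Constructed sample data: one RRAS server (RADIUS client) at 10.0.0.5 and one domain user.
    nas, secret = bytes([10, 0, 0, 5]), b"constructed-long-random-secret"
    srv = RadiusServer({nas: secret}, {"jsmith": b"Wint3r!pass"})
    return {
        "good_login": authenticate(srv, nas, secret, "jsmith", "Wint3r!pass"),
        "bad_password": authenticate(srv, nas, secret, "jsmith", "wrong"),
        "wrong_secret": authenticate(srv, nas, b"guessed", "jsmith", "Wint3r!pass"),
        "unknown_nas": authenticate(srv, bytes([192, 0, 2, 9]), secret, "jsmith", "Wint3r!pass"),
        "acct_start": account(srv, nas, secret, "jsmith", ACCT_START, b"sess-0001"),
        "acct_records": len(srv.accounting),
    }
```

Two checks carry the security weight. The server drops any packet from a source address that is not a configured RADIUS client, and each side recomputes the authenticator with the shared secret, so a reply forged by something that does not hold the secret is treated as no reply at all and a client with a mismatched secret is rejected. Because the password hiding is only an MD5 keystream derived from that secret, the secret must be long and random and the list of permitted RADIUS clients kept tight; the accounting records the server collects are what the centralized monitoring described above is built on.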

In the Controlling User Access Design Scenario, you will make decisions on how to configure a RADIUS infrastructure.




Source: MCSE: Windows Server 2003 Active Directory and Network Infrastructure Design Study Guide (70-297), Brad Price, Sybex, 2004. ISBN 0782143210. 159 pages.
