13.9 Remote Access Security




With an increasingly decentralized and mobile workforce, organizations are coming to rely on LANs that provide remote access through a communications server that can be reached with a toll-free number or a series of local dial numbers. From time to time, telecommuters, traveling executives, salespeople, and remote offices all need access to the various resources that reside on headquarters’ LANs and subnets. This calls for appropriate security measures to prevent unauthorized access to the corporate network.

13.9.1 Security Measures

Depending on the size of the network and the sensitivity of the information that resides there, one or more of the following security methods can be employed:

  • Authentication: This involves verifying the remote caller by user ID and password, thus controlling access to the server. Security is enhanced if ID and password are encrypted before going out over the communications link.

  • Access restrictions: This involves assigning each remote user a specific location (i.e., directory or drive) that can be accessed on the server. Access to specific servers also can be controlled.

  • Time restrictions: This involves assigning each remote user a specific amount of connection time, after which the connection is dropped.

  • Connection restrictions: This involves limiting the number of consecutive connection attempts and/or the number of times connections can be established on an hourly or daily basis.

  • Protocol restrictions: This involves limiting users to a specific protocol for remote access.

Among the most popular remote-access security schemes is RADIUS. Under this scheme, users are authenticated through a series of communications between the client and server. When the client initiates a connection, the communications server puts the name and password into a data packet called the authentication request, which also includes information identifying the specific server sending the authentication request and the port that is being used for the connection. For added protection, the communications server, acting as a RADIUS client, encrypts the password before passing it on to the authentication server.

When an authentication request is received, the authentication server validates the request and decrypts the data packet to access the user name and password information. If the user name and password are correct, the authentication server sends back an authentication acknowledgment that includes information on the user’s network system and service requirements. The acknowledgment can even contain filtering information to limit the user’s access to specific network resources.
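The exchange described above, as an added example that is not from the book: a minimal RADIUS Access-Request built the way RFC 2865 specifies it, with the communications server (the NAS, acting as RADIUS client) placing the user name, its own address and the caller's port in the packet and hiding the password with MD5 of the shared secret and a per-request authenticator, and the authentication server recovering the password and checking it against its user store. The shared secret, user names, addresses and port numbers are constructed for the example.

```python
"""Added example (not from the book): the RADIUS Access-Request exchange described
above, following RFC 2865. The communications server (NAS, the RADIUS client) puts
the user name, its own address and the caller's port into an Access-Request and hides
the password with MD5 of the shared secret and a per-request authenticator; the
authentication server recovers the password and checks it against its user store.
The secret, user names and addresses are constructed for this example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1          # RADIUS packet code (RFC 2865 section 3)
ATTR_USER_NAME = 1          # attribute types (RFC 2865 section 5)
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4     # identifies the communications server sending the request
ATTR_NAS_PORT = 5           # the port the remote caller is connected to


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret: bytes, authenticator: bytes, password: str) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks, then c_i = p_i XOR MD5(secret || c_{i-1}),
    with c_0 being the Request Authenticator."""
    p = password.encode()
    p = p.ljust(16 * max(1, -(-len(p) // 16)), b"\x00")   # always at least one block
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        c = _xor(p[i:i + 16], hashlib.md5(secret + prev).digest())
        out += c
        prev = c
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password: only a server holding the same secret recovers the text."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out += _xor(c, hashlib.md5(secret + prev).digest())
        prev = c
    return out.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int, user: str, password: str,
                         nas_ip: str, nas_port: int) -> bytes:
    """What the NAS sends. The 16-byte Request Authenticator is random per request,
    so the same password hides to different bytes each time."""
    authenticator = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV list after the 20-byte header; reject lengths that would loop or overrun."""
    attrs, i = {}, 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs


def server_authenticate(secret: bytes, packet: bytes, user_db: dict) -> bool:
    """The authentication server's side: validate the packet, recover the password, compare."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    authenticator = packet[4:20]
    try:
        attrs = parse_attributes(packet)
        user = attrs[ATTR_USER_NAME].decode()
    except (ValueError, KeyError, UnicodeDecodeError):
        return False
    if ATTR_USER_PASSWORD not in attrs or user not in user_db:
        return False
    recovered = reveal_password(secret, authenticator, attrs[ATTR_USER_PASSWORD])
    return hmac.compare_digest(recovered, user_db[user])


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"
    USERS = {"alice": b"correct horse battery"}     # constructed user store
    request = build_access_request(SECRET, 7, "alice", "correct horse battery", "192.0.2.10", 3)
    print("Access-Accept" if server_authenticate(SECRET, request, USERS) else "Access-Reject")
```

Two points the code makes that the prose does not: the password hiding is keyed by the shared secret, so a NAS configured with the wrong secret produces a request the server silently rejects rather than an error, and the attribute parser has to bound each length field, since a zero-length attribute would otherwise loop forever on a crafted packet.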

13.9.2 Callback Security Systems

Callback security systems, which are commonly used with password/ID security schemes, control remote dial-up access to hosts and LAN servers via modems. Typically, these systems use an interactive process between a sending and receiving modem. With callback security, the answering modem requests the caller’s identification, disconnects the call, verifies the caller’s identification against the user directory, and then calls back the authorized modem at the number matching the caller’s identification.

Callback security is intended to ensure that data communication occurs only between authorized devices. The degree of security that callback modems actually provide is questionable due to the widespread use of telephone functions such as call forwarding. It is also possible for a knowledgeable intruder to stay on the line and intercept the return call from the answering modem. In addition, some data security centers may find callback security inappropriate for their networks, since it assumes that users always call from the same telephone number. Traveling employees and users who must connect to the LAN through a switchboard cannot use this technique.

Many popular modems can generate acoustic signals to indicate to the callback modem that a call was received and correctly linked. Administrators can also add callback modems to an established security system without disrupting existing procedures. Neither passwords nor callback modems provide complete security for remote communications, however. The difficulties inherent in remote authentication make a combined security method imperative. As a result, administrators often find using two identification methods (e.g., callback modems combined with data encryption) more effective than using a single method.

Other techniques are in use to enhance the security of modem access. Among them is the use of an ASCII password that is typically entered from a remote keyboard or automated logon file. This method offers minimal security, since it is easy for computer hackers to crack the code using random-number generators and dictionary attacks. Moreover, it is limited to relatively slow asynchronous communications. The modems must establish the connection and enter the “pass data” mode, which typically takes 4 to 12 seconds on high-speed modems, before passwords can be verified.

A more reliable approach combines password security with the callback feature. With this technique, the password is verified and the inbound call is disconnected. The security system then calls the remote user at a predetermined telephone number to enter the “pass data” mode. If a hacker breaks the password, the security system will call back a secure location, thereby denying the hacker access. This system is effective, but very slow, and is limited to a finite number of stored telephone numbers.

These approaches rely on establishing links to a central site device such as a front-end processor or communications controller. In all cases, security is implemented via ASCII passwords or dual tone multifrequency (DTMF) tones after the modem handshake. A tenacious hacker will eventually break the security codes. To prevent this, security procedures can be implemented before the modem handshaking sequence, rather than after it, which denies potential intruders the opportunity to gain access. In addition to saving time, this method uses a precision high-speed analog security sequence that is not even detectable by advanced line-monitoring equipment.

With callback, the remote client’s call is accepted, the line is disconnected, and the server calls back after checking that the phone number is valid. While this works well for branch offices, most callback products are not appropriate for mobile users whose locations vary on a daily basis. However, there are products on the market that accept roving callback numbers. This feature allows mobile users to call into a remote access server or host computer, type in their user ID and password, and then specify a number where the server or host should call them back. The callback number is then logged and may be used to help track down security breaches.

To safeguard very sensitive information, there are third-party authentication systems that can be added to the server. These systems require a user password and also a special credit-card-sized device that generates a new ID every 60 seconds, which must be matched by a similar ID number-generation process on the remote user’s computer.

In addition to callback and encryption, security can be enforced via IP filtering and log-on passwords for the system console and for Telnet and FTP server programs. Many remote-node products also enforce security at the link level using the Point-to-Point Protocol (PPP) with the Challenge Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP).

13.9.3 Link Level Protocols

When peers at each end of the serial link support the PPP suite, more sophisticated security features can be implemented. This is because PPP can natively support PAP or CHAP to enforce link security.

PPP is a versatile WAN connection standard for tying dispersed branch offices to the central backbone via dial-up serial links. It is actually an enhanced version of the older Serial Line Internet Protocol (SLIP). SLIP is recommended for an IP-only environment, while PPP is recommended for non-IP or multiprotocol environments. Since PPP is protocol-independent, it can be used to access both AppleTalk and TCP/IP networks, for example.

PPP framing defines how data is encapsulated before transmission over the WAN. It supports multiple network-layer protocols, including TCP/IP and IPX. PPP also offers remote protocol configuration, the capability to define the framing format over the wire, and password authentication. PAP uses a two-way handshake for the peer to establish its identity. This handshake occurs only upon initial link establishment. An ID-password pair is repeatedly sent by the peer to the authenticator until verification is acknowledged or the connection is terminated. However, passwords are sent over the circuit in clear text, which offers no protection from playback by network intruders.

CHAP periodically verifies the identity of the peer using a three-way handshake. This technique is employed throughout the life of the connection. With CHAP, the server sends a random token to the remote workstation. The token is encrypted with the user’s password and sent back to the server. Then the server does a lookup to see if it recognizes the password. If the values match, the authentication is acknowledged; otherwise, the connection is terminated. Every time remote users dial in, they are given a different token. This provides protection against playback because the challenge value changes in every token.

Some vendors of remote-node products support both PAP and CHAP, while older, low-end products tend to support only PAP, which is the less robust of the two authentication protocols.
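The PAP two-way handshake and the CHAP three-way handshake described in the two preceding paragraphs, as an added example that is not from the book: both ends of each exchange are simulated in one process, following RFC 1334 for PAP and RFC 1994 for CHAP, where what the text calls encrypting the token with the user's password is the keyed MD5 hash of Identifier, secret and Challenge. The frames are byte strings so that the playback behaviour the text describes can be checked directly. Peer names and secrets are constructed for the example.

```python
"""Added example (not from the book): the PAP and CHAP handshakes described above,
following RFC 1334 (PAP) and RFC 1994 (CHAP with MD5), with both ends of the link
simulated in one process. The frames are byte strings so the playback problem the
text describes can be shown: a captured PAP frame verifies again, a captured CHAP
response does not verify against the next challenge. Names and secrets are constructed."""
import hashlib
import hmac
import os

# Authenticator's (server's) copy of each peer's secret; constructed for the example.
PEER_SECRETS = {"branch-router": b"constructed-link-secret"}


# ---- PAP: two-way handshake, ID and password cross the circuit in clear text ----
def pap_authenticate_request(peer_id: str, password: bytes) -> bytes:
    """Frame the peer sends (RFC 1334 section 2.2.1): Peer-ID-Length, Peer-ID,
    Passwd-Length, Password. Anyone watching the circuit reads both fields."""
    return bytes([len(peer_id)]) + peer_id.encode() + bytes([len(password)]) + password


def pap_verify(frame: bytes) -> bool:
    """Authenticator compares the received password with its stored copy."""
    n = frame[0]
    peer_id = frame[1:1 + n].decode()
    m = frame[1 + n]
    password = frame[2 + n:2 + n + m]
    return hmac.compare_digest(PEER_SECRETS.get(peer_id, b""), password)


# ---- CHAP: three-way handshake, the secret itself never crosses the circuit ----
def chap_challenge() -> tuple:
    """Step 1: authenticator picks a new Identifier and a random Challenge value."""
    return os.urandom(1)[0], os.urandom(16)


def chap_response(identifier: int, challenge: bytes, secret: bytes) -> bytes:
    """Step 2: peer returns MD5(Identifier || secret || Challenge) (RFC 1994 section 2)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, challenge: bytes, peer_id: str, response: bytes) -> bool:
    """Step 3: authenticator recomputes the hash from its own copy of the secret and
    answers Success or Failure. It must use the challenge it actually sent."""
    secret = PEER_SECRETS.get(peer_id)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, challenge, secret), response)


def replay_demo() -> dict:
    """Run one handshake of each kind, keep the peer's frame, and present it again."""
    secret = PEER_SECRETS["branch-router"]

    pap_frame = pap_authenticate_request("branch-router", secret)
    pap_first = pap_verify(pap_frame)
    pap_replayed = pap_verify(pap_frame)          # identical bytes are accepted again

    ident, chal = chap_challenge()
    resp = chap_response(ident, chal, secret)
    chap_first = chap_verify(ident, chal, "branch-router", resp)
    ident2, chal2 = chap_challenge()              # next dial-in: fresh challenge
    chap_replayed = chap_verify(ident2, chal2, "branch-router", resp)

    return {"pap_first": pap_first, "pap_replayed": pap_replayed,
            "chap_first": chap_first, "chap_replayed": chap_replayed}


if __name__ == "__main__":
    for name, outcome in replay_demo().items():
        print(f"{name}: {'accepted' if outcome else 'rejected'}")
```

The constant-time comparison in `pap_verify` is good hygiene but does nothing about PAP's real weakness, which is that the frame itself carries the password. CHAP's protection is tied to the challenge being fresh and unpredictable for every handshake, which is why `chap_challenge` draws it from the operating system's random source; and because a captured challenge/response pair can still be checked offline against guessed secrets, the strength of the stored secret still matters.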






LANs to WANs: The Complete Management Guide
ISBN: 1580535720
Year: 2003
Pages: 184