Chapter 12. Access Control Solutions for Remote Workers

ALLOWING EMPLOYEES TO WORK REMOTELY is a benefit that many organizations offer. If your organization provides remote access for employees, that means aspects of your network are remote as well. The corporate network now extends to employees' homes, coffee shops, hotels, airports, and other remote locations. Extending the network introduces new security concerns. With the evolution of dial-up connections, virtual private networks, and wireless network capabilities, network security and solutions have changed to meet demand. We will discuss many of these solutions in this chapter.

Growth in Mobile Work Force

The rapid growth of consumer and business technologies has forever changed the traditional work place. The introduction of computers and the Internet increased employee efficiency and productivity. Desktop computers were an important part of this new productivity, but they were expensive and used only at the corporate office. When prices came down and people were able to purchase them for home use, more people began bringing work home. They used media such as floppy diskettes to transfer data between computers. Over time, computers got smaller and more portable. Laptops quickly became available to the majority of corporate employees. Dial-up access allowed employees to connect to the corporate network remotely. Eventually, new connectivity options such as virtual private networking and high-speed Wi-Fi and mobile broadband replaced dial-up as the primary means of accessing networks remotely.

Today, armed with a laptop and anytime, anywhere access, many people no longer have to face a long commute to work. You can work from home, in an airport, in a coffee shop, or from your car between appointments. This capability has been highly beneficial to sales representatives, field engineers, consultants, and installation and repair engineers. For example, a sales representative no longer needs to return to the office to update the sales manager on a sales deal. Instead, the sales rep can handle status updates remotely and move on to the next customer. More and more, sales representatives can be based anywhere the customer is located, even working within a customer site, confident that confidential data is not being shared with or seen by the customer. Organizations foster this confidence by deploying secure remote access technologies. We will review a variety of these technologies in this chapter.

Implementing a system that provides anytime, anywhere access is critical for a growing mobile work force. Organizations must consider the following factors when planning a remote access environment:

  • Do remote workers need access from various locations, such as hotels, airports, customer sites, coffee shops, and so on?

  • Will network access be granted only to employer-owned computer resources, or will employees be allowed access when using personal, customer-owned, or publicly available resources as well?

  • Will every employee be allowed to have a laptop for remote access? How will the data on the laptop be protected if it's lost or stolen?

  • Do employees need to use mobile phones, smartphones, and personal digital assistants (PDAs)? Do they need to access the organization's network with these devices?

  • How will remote employees access organizational resources? Will virtual private network (VPN) access be required, or will Web access to the organization's resources be sufficient?

  • What level of authentication will be required for remote access?

Remote Access Methods and Techniques

Having the correct systems in place to ensure that remote employees are able to work as if they were in a corporate office is called "remote access." Whenever transactions occur between a remote worker and the corporate environment, both entities want to ensure that security is implemented. Remote workers need to know their data is not shared with outside entities. IT security personnel need to know the correct person is gaining access to the internal network, and that the correct access is being provided once those users are on the network. Implementing identification, authentication, and authorization for remote access assists in this protection.

Implementing various technologies and addressing remote access concerns ensures your systems and data are protected. Some of the technologies used in remote access are RADIUS, RAS, TACACS+, and VPN. You will learn about these technologies and their benefits throughout this chapter. First, it's important to understand the concerns associated with remote access:

  • Remote access connections often remain open for an unspecified period of time. This causes a security problem: an idle or forgotten session is an easy way in for anyone who gets hold of the device or hijacks the session. Close idle connections automatically and enforce an absolute session lifetime, such as 24 hours, after which the user must authenticate again.

  • Remote access solutions, such as VPNs, protect the connection, not the computer system. An employee may use a business laptop for personal activities such as surfing the Web and shopping online while on a public, unsecured network, such as a hotel's wireless network. While the employee is using the unsecured connection, malware may infect the system. The next time the employee connects to the corporate network via a VPN connection, the malware can spread to the corporate network; if the VPN permits split tunneling, the laptop can even be reached from the Internet while it is connected to the corporate network. It is essential that mobile computer systems are protected with antivirus software and appropriate controls that work whether the system is on or off the corporate network.

Whenever transactions or communication occur on a network, it is important for users to provide identification and for organizations to ensure users are authenticated and authorized to perform actions, such as downloading data from the organization's intranet. Providing and proving these three components is called identification, authentication, and authorization (IAA). The following sections describe the components of IAA.

Identification

"Identification" is the process of uniquely distinguishing an individual. In most cases, identification needs to be provided prior to authenticating the user. Common forms of identification are a name or an account number. Identification can refer to a person, computer system, or program. Identification is important because, if everyone had the same bank account number for example, it would be almost impossible for a bank to know how much money you have in your account. In a network environment, a username is your unique identification. Some organizations also provide employees with a corporate identification number or a badge number as a separate identification mechanism.

Authentication

"Authentication" is the process of verifying that users are who they say they are. Access and privileges should not be granted to a user until verification has occurred. Authentication can take many forms, but every form is based on "something you know," "something you have," or "something you are," or a combination of these.

You can set up remote access authentication using authentication methods already covered in this book, such as multi-factor authentication. Most enterprises implement two-factor authentication, such as requiring a personal identification number (PIN) and token when connecting to the internal network via a VPN. This is necessary because the security concerns specifically associated with remote access are greater. Allowing a remote computer to directly access an organization's network poses a high risk. It is necessary to use stronger authentication methods so that identity verification is correct and is not being mimicked by an attacker. Remote access authentication can also be achieved through protocols that you will learn about later in this chapter. Some of these protocols are PAP, CHAP, and EAP.

Authorization

Once authentication is completed, authorization can occur. Authorization is determining which actions a user or system is allowed to perform. A user who has provided identification and been authenticated is not necessarily authorized to access every system or run every command. When the user attempts an action, a mechanism such as an access control list decides whether to permit it. Although authorization is not specific to remote access, it is important to understand how the IAA components work together and complement one another. Remote access is an important part of the infrastructure, and authorization provides a second layer of protection for the network and the data that resides on it.

Access Protocols to Minimize Risk

There are multiple ways an organization can provide remote access identification, authentication, and authorization through protocols. Some of these protocols add an additional component such as accounting. These protocols provide additional security for remote access connections and decrease the risk associated with them.

Authentication, Authorization, and Accounting (AAA)

Authentication, authorization, and accounting (AAA) are network services that provide 1) security through a framework of access controls and policies, 2) enforcement of those policies, and 3) the usage information needed for auditing and billing. The benefits of AAA are increased security, increased control over the network, and the ability to audit it. Employing an AAA framework lets access devices across an organization's networks consult the same centralized policy through a standard protocol instead of each device holding its own user list. Specific protocols can implement the AAA framework as a combined AAA protocol or as separate components. The framework provides flexibility and control over AAA configuration, uses standardized protocols, and scales as the network grows. Many of these capabilities will be addressed through the specific protocols described in the following sections.

Authentication provides a way of verifying a user's identity. As discussed in Chapter 10, there are multiple ways to authenticate users, and the options grow as you move to two-factor and three-factor authentication. Examples of authentication factors are a user ID and password, a PIN and token, and biometrics. Once a user enters his or her credentials, the authentication server compares them with the user's credentials stored in a database. Authentication is the first of the services provided in the AAA framework because you cannot limit or deny access without knowing who the user is.

Authorization is determining whether a user has the right to do certain actions. These actions may include commands or accessing internal resources. Authorization cannot occur unless the user has authenticated. Policies define authorization capabilities. Policies based on services or user access requests determine whether the resulting actions are denied or allowed.

Accounting provides the ability of the system to collect statistics on networks or users for auditing and billing purposes. Accounting enables tracking of system usage, start and stop times of resources, number of data packets, as well as other metrics that identify what was used and for how long.

The AAA is a framework that multiple protocols are based on. Protocols may ensure that all or some components of the AAA framework are available in the construct of the protocol. The entities of the framework may work together or separately or may not be included at all. For example, the RADIUS protocol uses the AAA framework to provide the three AAA components, but supports authentication and authorization separately from accounting. If a network administrator does not want to employ accounting, he or she has this flexibility. Next you will review several of these protocols whose foundation is focused around this AAA framework.


Figure 12-1. RADIUS infrastructure.

Remote Authentication Dial In User Service (RADIUS)

Remote Authentication Dial In User Service (RADIUS) is a client/server protocol that provides authentication and authorization for remote users. RADIUS also provides accounting capabilities. Livingston Enterprises developed RADIUS for its network access server product. The standards related to RADIUS are:

  • RADIUS—RFC 2865

  • RADIUS accounting—RFC 2866

RADIUS is a network protocol that provides communication between a network access server (NAS) and an authentication server. Enterprises use the protocol to provide network authentication for their remote users. Internet service providers (ISPs) use the protocol to authenticate users and to grant access to the Internet. ISPs and internal corporate departments also use RADIUS for billing purposes by tracking the start and stop times of sessions. For example, an internal corporate department may charge other departments for use of its infrastructure. RADIUS can be used to provide the chargeback to the departments. RADIUS provides configuration information, authentication, and authorization between the NAS and RADIUS server. The communication information provided identifies the type of service delivered to the client. A simplified RADIUS infrastructure is shown in Figure 12-1.

RADIUS can manage a large number of users through a single source. The users' configuration information and user IDs and passwords are stored in a database, text file, or Lightweight Directory Access Protocol (LDAP) server. Verification of the user ID and password is a part of the RADIUS protocol. RADIUS also supports Extensible Authentication Protocol (EAP). EAP is an authentication framework that supports multiple authentication mechanisms. EAP will be discussed later in this chapter.

The RADIUS protocol works as follows:

  1. A user provides authentication credentials such as a user ID and password to a RADIUS client such as a NAS, remote access server, or VPN server. The RADIUS client creates an Access-Request containing the user ID and password. Optional information that can be included in the Access-Request is the client's identity (NAS-IP-Address or NAS-Identifier) and the port the user is connecting through. The password is not sent in the clear: the User-Password attribute is XORed with a key stream derived from MD5 of the shared secret and the request's random 16-byte authenticator. This hides the password from a casual observer, but it is not strong encryption, and no other attribute in the packet is protected.

  2. The access request is sent to the RADIUS server. If no response is returned, the request will be sent again. If the primary server is down, the request can be sent to backup RADIUS servers.

  3. When the RADIUS server receives the Access-Request, it looks up the client by its source address and uses the shared secret configured for that client. If no shared secret is configured for the sending client, the request is silently discarded.

  4. Once the RADIUS client is authenticated via the shared secret, the RADIUS server reviews the database, text file, or LDAP server to authenticate the user. The user entry specifies what must be met in order to allow access. This includes verification of the password but can also include the client or port the user is allowed to access.

  5. If the specifications are met and the RADIUS server wants to issue a challenge to the user, the RADIUS server sends an "access-challenge" response. An example of a challenge is a Short Message Service (SMS) message that the user must enter into the client. For example, a third-party SMS messaging provider can be incorporated into the process. The SMS message provider sends a word, set of numbers, or phrase to the user's previously identified phone. The user then enters this word, set of numbers, or phrase into the client to be verified. If the specifications are not met, the RADIUS server sends an "access-reject" response. The response indicates that the user request is invalid.

  6. After the client addresses the access-challenge request, the RADIUS client resends the original access request with a new request ID and the encrypted response. The response takes the place of the user ID and password in the original access request. The RADIUS server can respond to the new access request with an access-accept, access-reject, or another access challenge.

  7. When all conditions are met, lists of configuration values for the user are placed in the access-accept response. This response includes the type of connection that can be made and values needed to deliver the services, such as Transmission Control Protocol/Internet Protocol (TCP/IP) or Point-to-Point Protocol.
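As an added example that is not taken from this book, the following Python script builds the Access-Request from step 1, hides the password the way RFC 2865 section 5.2 specifies, and has a minimal server reveal it, look the user up, and answer with an Access-Accept or Access-Reject whose Response Authenticator the client then checks (step 7). The shared secret, user database, NAS address, and user values are constructed for the example.

```python
import hashlib
import os
import struct

# Constructed values for this example; not from any real deployment.
SHARED_SECRET = b"example-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3          # RADIUS codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18   # attribute types


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each 16-octet
    chunk with MD5(secret + previous ciphertext chunk), the first chunk using the
    Request Authenticator. This hides the password; it is not strong encryption,
    and it is the only attribute RADIUS protects."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse: regenerate the same key stream and XOR it back out."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(chunk, key)), chunk
    return out.rstrip(b"\x00")          # strip the padding (passwords may not end in NUL)


def build_packet(code, identifier, authenticator, attrs):
    """RADIUS header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_attributes(packet):
    attrs, pos = [], 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def response_authenticator(code, identifier, attrs_bytes, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Without the secret, nobody can forge an Accept that the client will believe."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def build_access_request(identifier, username, password, secret):
    """NAS side (step 1): a fresh random Request Authenticator for every request."""
    request_auth = os.urandom(16)
    attrs = [attribute(USER_NAME, username),
             attribute(USER_PASSWORD, hide_password(password, secret, request_auth)),
             attribute(NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]   # 192.0.2.10, documentation range
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def server_handle(request, secret, user_db):
    """Server side (steps 3, 4 and 7): reveal the password, check it against the user
    database, and reply with an Access-Accept or Access-Reject the client can verify."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = dict(parse_attributes(request[:length]))
    username = attrs.get(USER_NAME, b"")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    accepted = user_db.get(username) == password
    reply_code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    reply_attrs = attribute(REPLY_MESSAGE, b"Welcome" if accepted else b"Denied")
    auth = response_authenticator(reply_code, identifier, reply_attrs, request_auth, secret)
    return build_packet(reply_code, identifier, auth, [reply_attrs])


def client_verify(reply, request, secret):
    """NAS side: recompute the Response Authenticator from the secret and the Request
    Authenticator it generated; a reply from a host that lacks the secret fails here."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, identifier, reply[20:length], request[4:20], secret)
    return reply[4:20] == expected
```

Two things worth noticing when you run it: the User-Name and NAS-IP-Address attributes are readable in the request bytes, and a reply built with the wrong secret is rejected by client_verify even though its code and identifier are right. That is the whole of RADIUS's integrity protection for a plain password exchange, which is why the transport between NAS and server still needs protecting on untrusted networks.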

Authentication and authorization are combined in RADIUS. When the user ID and password match an entry in the database, text file, or LDAP server, the RADIUS server returns the Access-Accept response, which acknowledges that the user is authenticated. Authentication usually consists only of verifying the password, but the user entry can also list requirements that must be met, such as the port number of the RADIUS client. In the same Access-Accept, the server provides authorization to the RADIUS client through attributes, for example a Filter-Id that names an access list the NAS applies to the session. Independent of authentication and authorization, RADIUS accounting records the start and end time of individual sessions. As stated, an organization can use this data to determine the time and volume of data consumed during a session.

In the preceding example, SMS messaging was discussed as a challenge-response authentication method. It is important to know that two-factor authentication is often used for challenge-response authentication. An example of this is the PIN and token combination discussed in Chapter 10. If the client receives a request for this information, the user enters in the appropriate PIN and token, resulting in a passcode. The second access request sends the passcode and additional data to the RADIUS server. The RADIUS server verifies the passcode against the authentication server. If a match occurs, the RADIUS server sends an access-accept response to the client.

Although RADIUS was originally developed for dial-in access, the protocol is currently used for supporting VPNs, wireless, and other access management needs. For example, RADIUS provides authentication capabilities for wireless access points. Using the previous RADIUS communication example, the wireless access point is the RADIUS client, which sends the request with the credentials to the RADIUS server. The RADIUS server also determines the level of access a user has on a network by comparing the authenticated user against the ACLs.

Remote Access Server (RAS)

A remote access server (RAS) provides authentication for remote access in an Internet and dial-up scenario. A user connects to the RAS, and his or her credentials are compared against the database. If the credentials match, authentication has occurred and the user is granted access to the network. Users and systems use remote access for gaining access to a specific network. It is necessary to implement strong security when using a RAS. Often, organizations forget that modems are connected to servers or assume that other safeguards such as firewalls will protect access. This is not always the case, and therefore you should implement the following rules for remote access servers:

  • No inappropriate or unknown access should be provided through the remote access server.

  • Authentication must occur for all users before access to the network or computer system is provided.

  • Authorization of the user must occur, which ensures the user or computer system is not performing tasks on the network they are not authorized to do.

TACACS, XTACACS, and TACACS+

Terminal Access Controller Access Control System (TACACS) is a client/server protocol that was developed to control who could use dial-up lines. A dial-up network consists of end nodes, routing nodes, and links. Routing nodes can connect dedicated lines or accept dial-up lines. A "TIP" (Terminal Interface Processor) is a routing node that accepts a dial-up line. The TACACS protocol was designed to let a TIP accept a username and password and send a query to the TACACS authentication server. The authentication server either accepts or denies the request and sends the response back, and the TIP allows or denies access based on that response. The administrator of the TACACS authentication server determines who is allowed or denied access. For example, an administrator may allow access to users only between 8:00 a.m. and 5:00 p.m., Monday through Friday. The administrator who manages the TACACS daemon defines this access control in the system.

Note

A "daemon" is a program that runs in the background.

Note

TACACS was developed in the 1980s by the U.S. Department of Defense and BBN Planet Corporation for the U.S. military portion of the Internet (MILNET). TACACS is described in RFC 1492 but only for informational purposes. It is not an Internet standard.

TACACS combines authentication and authorization over a TCP/IP network. A user may enter a user ID and password to achieve authentication. Authorization determines what the user may access and when. TACACS is not a secure protocol because user IDs and passwords are transmitted in clear text through a User Datagram Protocol (UDP) packet or a Transmission Control Protocol (TCP) data stream.

Extended TACACS (XTACACS) is a client/server protocol developed in 1990 by Cisco as an extension of TACACS. XTACACS separates authentication, authorization, and accounting, so each can be performed independently and one does not rely on another. For example, a user named Jackie normally authenticates with her user ID and password before the server decides what she is authorized to do. With the two separated, the server can answer an authorization request for Jackie's session without having authenticated her itself. Tying authorization to a prior authentication would be stricter, but the protocol does not require it.

Terminal Access Controller Access Control System Plus (TACACS+) is a Cisco-proprietary protocol, later documented as RFC 8907, developed to provide access control for routers, network access servers, and other network devices via one or more centralized servers. TACACS+ uses TCP, ensuring delivery of the message. TACACS+ is an extension of TACACS but differs by separating the authentication, authorization, and accounting architecture and allowing additional methods of authentication. Unlike TACACS, TACACS+ also hides the packet body: the body is XORed with an MD5-based key stream derived from the shared key, which the protocol specification itself describes as obfuscation rather than strong encryption, so the transport should still be protected on untrusted networks. TACACS+ uses a client/server model. The following information defines how AAA is achieved with TACACS+:

  • Authentication—Verifies that users are who they say they are. TACACS+ supports a variety of authentication methods such as a user ID and password, PIN and token, and challenge-response devices.

  • Authorization—Identifies what a user is allowed to do. Authorization can be requested for a session without a preceding TACACS+ authentication; requiring authentication first is stronger, but the protocol does not mandate it. The authorization controls determine whether a particular user may run specific commands or perform specific actions on a network.

  • Accounting—Logs what a user has done and is doing at a particular time. A TACACS+ accounting record includes accounting-specific information, resource usage data, and the information from the authorization record. With this information, TACACS+ accounting supports billing for services and auditing for security purposes. The three accounting records supported by TACACS+ are:

    • A start record, which indicates a service is beginning

    • A stop record, which indicates a service has ended

    • An update record, which indicates a service is still being performed

TACACS+ authentication uses three packet types: START, CONTINUE, and REPLY. The client always sends START and CONTINUE packets, and the TACACS+ daemon always sends REPLY packets. To begin an authentication, the client sends a START packet to the daemon containing the type of authentication to be performed (such as PAP or CHAP) and the initial authentication data, such as the username. The daemon answers with a REPLY packet that indicates either a final result (pass or fail) or that more information is needed (for example, a password prompt). If more information is required, the client collects it and returns it in a CONTINUE packet, and the daemon replies again until it reaches a result. Of the three protocols, TACACS, XTACACS, and TACACS+, only TACACS+ is in current use, because it is the only one that protects the exchange.

Note

Although TACACS+ is based on TACACS, the two are not compatible.

The TACACS+ protocol is responsible for communications between the NAS and the TACACS+ daemon. The protocol also provides confidentiality by obfuscating the entire body of each packet, so that only the 12-byte header is readable on the wire.
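The following Python example is added here and is not part of the original text or of any vendor implementation. It builds a TACACS+ authentication START packet for a PAP login, obfuscates its body with the MD5-based key stream the protocol uses (RFC 8907 section 4.5), and parses it back on the server side. It also shows what the deprecated "unencrypted" flag does, which is the state the body would be in under plain TACACS. The session ID, shared key, and user values are constructed for the example.

```python
import hashlib
import struct

# Constructed sample values for this example (not from a real device).
SHARED_KEY = b"tacacs-example-key"
VERSION = 0xC0            # major version 0xC, minor version 0 (the default)
TYPE_AUTHEN = 0x01        # packet type: authentication
FLAG_UNENCRYPTED = 0x01   # body sent in the clear; deprecated, debugging only
AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_PAP, SERVICE_LOGIN = 0x01, 0x01, 0x02, 0x01
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """Key stream from RFC 8907 section 4.5:
    MD5_1 = MD5(session_id || key || version || seq_no)
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1})
    concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the key stream; applying it a second time restores the body.
    The stream depends only on header fields plus the key, so anyone who learns
    the key can decode every session, and there is no integrity check at all."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_authen_start(user, port, rem_addr, password):
    """Authentication START body (RFC 8907 section 5.1): action, priv_lvl, authen_type,
    authen_service, four length octets, then the four variable-length fields.
    For a PAP login the data field carries the password."""
    fields = [user, port, rem_addr, password]
    fixed = bytes([AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_PAP, SERVICE_LOGIN]
                  + [len(f) for f in fields])
    return fixed + b"".join(fields)


def build_packet(body, session_id, seq_no, key=SHARED_KEY, unencrypted=False):
    """Header in the clear; body obfuscated unless the unencrypted flag is set."""
    flags = FLAG_UNENCRYPTED if unencrypted else 0
    wire_body = body if unencrypted else obfuscate(body, session_id, key, VERSION, seq_no)
    return HEADER.pack(VERSION, TYPE_AUTHEN, seq_no, flags, session_id, len(body)) + wire_body


def parse_packet(packet, key=SHARED_KEY):
    """Server side: read the header, regenerate the key stream from session_id, version
    and seq_no plus the shared key, and recover the body. A wrong key produces garbage
    rather than an error, so the decoded fields must be validated afterwards."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body": body}


def parse_authen_start(body):
    """Split a decoded START body into its fields; the length octets must account for
    every byte, which is the cheapest check that the key was right."""
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = body[:8]
    out, pos = {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type}, 8
    for name, n in (("user", ulen), ("port", plen), ("rem_addr", rlen), ("data", dlen)):
        out[name] = body[pos:pos + n]
        pos += n
    if pos != len(body):
        raise ValueError("length octets do not match body (wrong key or corrupt packet)")
    return out
```

The key stream is reused for the same session ID, version and sequence number, so a deployment that lets session IDs repeat, or that reuses a key across many devices for years, gives an eavesdropper far more to work with than the obfuscation was designed for. Treat the shared key like a password, give each device its own, and carry the TCP session over a protected path when it crosses an untrusted network.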

Table 12-1. TACACS+ and RADIUS differences.

  CRITERIA                            TACACS+                  RADIUS
  Transport                           TCP                      UDP
  Encryption                          Entire body of packet    Password only
  Authentication and authorization    Separated                Combined

Differences Between RADIUS and TACACS+

RADIUS and TACACS+ are both client/server protocols providing AAA capabilities. It is important to understand how the two approaches differ, ensuring the best protocol is provided for a particular system.

RADIUS and TACACS+ both run over TCP/IP. RADIUS uses UDP as its transport protocol and TACACS+ uses TCP. UDP is connectionless, so a dropped packet is not detected by the transport layer; TCP is connection-oriented and acknowledges each segment it receives. To compensate, RADIUS clients implement their own timeouts and retransmission, and failover to a secondary server, which is the retry behavior described in the RADIUS walkthrough earlier in this chapter.

RADIUS and TACACS+ differ in what they protect. Classic RADIUS hides only the password; the user ID, authorized services, accounting data, and every other attribute travel in clear text and can be read by anyone who can sniff the path between NAS and server. TACACS+ obfuscates the entire body of the packet, leaving only the header readable. When implementing RADIUS, protect the NAS-to-server link with an additional measure such as IPsec or RADIUS over TLS (RadSec, RFC 6614) so that an attacker cannot read or replay the exchange.

RADIUS and TACACS+ both provide authentication, authorization, and accounting. RADIUS is sometimes not considered a pure AAA architecture because authentication and authorization were standardized in one RFC and accounting was standardized in a separate RFC. RADIUS combines the authentication and authorization capabilities, and separation of the two cannot occur. TACACS+ separates authentication, authorization, and accounting. The advantage is that TACACS+ provides flexibility for network administrators by implementing AAA components in stages as opposed to all at once.

Table 12-1 summarizes differences between TACACS+ and RADIUS.

Remote Authentication Protocols

When implementing RADIUS and TACACS+, authentication protocols may be used in conjunction with the system. You have learned about a few of the remote authentication protocols available. Some additional protocols worth discussing are PAP, CHAP, and EAP. Point-to-Point Protocol (PPP) carries TCP/IP traffic over a serial link such as a telephone line, and it has an authentication phase in which the peer proves its identity. Password Authentication Protocol (PAP), defined in RFC 1334, is the simplest of these authentication protocols. After the link is established, PAP uses a two-way handshake: the client sends its user ID and password to the authentication server, and the server compares them with the credentials already in its database and replies with an acknowledgement or a negative acknowledgement. The credentials are sent in clear text, and PAP has no protection against replay, which creates a security risk.

Warning

Most security professionals avoid the use of PAP because of the risk associated with passwords sent in clear text.

Standardization of Challenge Handshake Authentication Protocol (CHAP) occurred in 1996 and is defined in RFC 1994. CHAP provides authentication over PPP. A three-way handshake is used to verify the identity of the client. Description of the handshake is as follows:

  1. The authenticator sends a "challenge" message to the client when the link is established. The challenge is a random value that should be unique and unpredictable for every attempt.

  2. The client responds with a value computed with a one-way hash function (MD5 in the base specification) over the packet identifier, the shared secret, and the challenge. The secret itself never crosses the link.

  3. The authenticator performs the same calculation with its own copy of the secret and compares the result with the response. If the values match, authentication succeeds. If the values do not match, the connection is terminated.
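To make the three steps concrete, here is an added Python example (not from the book) that implements both sides of the CHAP handshake as RFC 1994 describes it: the response is MD5 over the identifier, the shared secret, and the challenge, and the authenticator consumes each challenge once so a captured response cannot be replayed. The secret and peer names are constructed values.

```python
import hashlib
import hmac
import os

# Constructed values for this example.
SHARED_SECRET = b"chap-example-secret"


def chap_response(identifier, secret, challenge):
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge Value).
    The secret itself never crosses the link."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side of the three-way handshake: issues a challenge, then checks the reply."""

    def __init__(self, secrets):
        self.secrets = secrets      # peer name -> shared secret (stored recoverably; CHAP needs it)
        self.outstanding = {}       # identifier -> challenge still awaiting a response

    def challenge(self, identifier):
        # Step 1: a fresh, unpredictable challenge per attempt. Reusing a challenge
        # would let a captured response be replayed.
        value = os.urandom(16)
        self.outstanding[identifier] = value
        return value

    def verify(self, identifier, name, response):
        # Step 3: recompute the hash from our copy of the secret and compare. The
        # challenge is consumed whether or not the check passes, so a replayed
        # response cannot succeed against a later challenge.
        challenge = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class Peer:
    """Client side: proves knowledge of the secret without sending it."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, identifier, challenge):
        # Step 2: hash the identifier, the secret and the challenge.
        return self.name, chap_response(identifier, self.secret, challenge)


def run_handshake(auth, peer, identifier=1):
    """One complete exchange; returns True when the authenticator accepts the peer."""
    challenge = auth.challenge(identifier)
    name, response = peer.respond(identifier, challenge)
    return auth.verify(identifier, name, response)
```

Two caveats follow directly from the code. The server must hold the secret in a form it can recover (a salted password hash will not do), and an eavesdropper who captures one challenge and response can test candidate secrets offline at MD5 speed, so CHAP protects the secret from being read off the wire but not from a dictionary attack on a weak one.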

Table 12-2 compares PAP and CHAP.

Table 12-2. PAP and CHAP comparison.

  CRITERIA            PAP                  CHAP
  Handshake method    Two-way handshake    Three-way handshake
  Password            Clear text           Hash value (secret never sent)

Extensible Authentication Protocol (EAP) is a framework that enables multiple authentication mechanisms over a wireless network or PPP connection. EAP was first standardized in 1998 in RFC 2284, which RFC 3748 later replaced. EAP is itself a PPP authentication protocol; its messages can in turn be carried to a back-end server inside RADIUS, in the EAP-Message attribute, which is why EAP and RADIUS are so often paired. Unlike PAP and CHAP, EAP does not fix the mechanism during link setup but negotiates it during the authentication phase. The authenticator can request additional authentication methods such as Kerberos, one-time passwords, biometrics, and other authentication tools.

In an EAP over RADIUS environment, the RADIUS client communicates with the system requesting authentication using EAP and with the RADIUS server using RADIUS. This communication is shown in Figure 12-2 and works as follows:

Figure 12-2. EAP over RADIUS.

  1. The client computer initiates a connection to the RADIUS client, and the two systems agree upon the use of EAP.

  2. The RADIUS client requests the client computer to identify itself by sending an EAP-Request/Identity message, and the client computer responds with an EAP-Response/Identity message.

  3. The RADIUS client creates an Access-Request message containing the client computer's identity and sends it to the RADIUS server.

  4. The RADIUS server responds with an Access-Challenge message that contains an EAP-Message requesting the client computer to authenticate.

  5. The RADIUS client removes the RADIUS details from the Access-Challenge message and passes the EAP-Message to the client computer.

  6. The client computer responds to the authentication request by passing an EAP-Message through the RADIUS client to the RADIUS server in a similar fashion.

  7. The RADIUS server replies with either an Access-Accept or an Access-Reject message, allowing or denying the connection.

EAP over LAN (EAPOL) is the encapsulation of EAP over wired and wireless LANs and is defined in IEEE 802.1X. EAPOL is a delivery mechanism for authentication types and therefore, when used for authentication, an authentication type such as EAP-TLS (EAP-Transport Layer Security) must be chosen. The encapsulation of EAP messages is often used in a wireless LAN. The following are the steps used during this process:

  1. When the wireless access point (AP) sees a new client associate, it sends an EAP-Request/Identity message to the wireless client. Alternatively, the wireless client can send an EAPOL-Start message after associating with a new AP; when the AP receives the EAPOL-Start, it replies with the EAP-Request/Identity message.

  2. The wireless client sends an EAP-Response/Identity message containing its username. The wireless AP forwards this EAP-Response/Identity message to the RADIUS server inside a RADIUS Access-Request message.

  3. The RADIUS server sends a RADIUS Access-Challenge message containing an EAP-Request message with the EAP type set to EAP-TLS, which asks the client to begin TLS authentication. The wireless AP forwards the EAP message to the wireless client.

  4. The wireless client sends an EAP-Response message with the EAP type set to EAP-TLS that carries the TLS ClientHello. The wireless AP forwards it to the RADIUS server in an Access-Request message.

  5. The RADIUS server sends a RADIUS Access-Challenge message containing an EAP-Request message with the EAP type set to EAP-TLS. The RADIUS server's certificate is also included. The wireless AP forwards this EAP message to the wireless client.

  6. The wireless client sends an EAP-Response message with an EAP type of EAP-TLS and includes the wireless client's certificate. The wireless AP forwards the EAP message to the RADIUS server in the form of a RADIUS Access-Request message.

  7. The RADIUS server sends an EAP-Request message with the EAP type set to EAP-TLS and includes the cipher suite and an indication that TLS authentication messages are complete. The wireless AP forwards the EAP message to the wireless client.

  8. The wireless client sends an EAP-Response message with EAP type set to EAP-TLS to the wireless AP. The wireless AP forwards this EAP message to the RADIUS server in the form of a RADIUS Access-Request message.

  9. The RADIUS server derives the client unicast session key and the signing key from the keying material that results from the EAP-TLS authentication process. The RADIUS server sends a RADIUS Access-Accept message containing an EAP-Success message and the MS-MPPE-Send-Key and MS-MPPE-Recv-Key attributes to the wireless AP. The wireless AP uses the key encrypted in the MS-MPPE-Send-Key attribute as the client's unicast session key for data transmissions to the wireless client. The wireless AP uses the key encrypted in the MS-MPPE-Recv-Key attribute as the signing key for data transmissions to the wireless client that require signing.

  10. The wireless AP derives the multicast/global encryption key by generating a random number or by selecting it from a previously set value. The wireless AP sends an EAPOL-Key message to the wireless client that contains the multicast/global key, encrypted using the per-client unicast session key. When the wireless client receives the EAPOL-Key message, it uses the client unicast session key to verify the signed portions of the EAPOL-Key message and to decrypt the multicast/global key. The wireless LAN network adapter driver then indicates the client unicast session key, the client unicast signing key, and the multicast/global key to the wireless LAN network adapter. Once the keys are indicated, the wireless client begins protocol configuration using the wireless adapter.
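The relay role of the wireless AP in steps 2 and 3 above is the part of this exchange that is easiest to show in code: the same EAP packet travels inside an EAPOL frame on the wireless side and inside RADIUS EAP-Message attributes on the wired side. The following is an added example, not code from the chapter; the identity, the RADIUS shared secret, and the RADIUS identifier are constructed values, and the wire formats come from IEEE 802.1X, RFC 3748, RFC 2865 and RFC 3579.

```python
# Added example (not the chapter's code): an 802.1X authenticator relaying one
# EAP packet. Identity and RADIUS shared secret are constructed values.
import hmac
import os
import struct

EAPOL_VERSION, EAPOL_TYPE_EAP = 2, 0                  # IEEE 802.1X
EAP_CODE_RESPONSE, EAP_TYPE_IDENTITY = 2, 1           # RFC 3748
RADIUS_ACCESS_REQUEST = 1                             # RFC 2865
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80


def eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    body = bytes([EAP_TYPE_IDENTITY]) + identity      # EAP type(1) + identity
    return struct.pack("!BBH", EAP_CODE_RESPONSE, eap_id, 4 + len(body)) + body


def eapol_wrap(eap: bytes) -> bytes:
    # Supplicant side: EAPOL header is version(1) packet type(1) length(2).
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP, len(eap)) + eap


def eapol_unwrap(frame: bytes) -> bytes:
    # AP side: pull the EAP packet out of the EAPOL frame.
    ptype, length = struct.unpack("!BH", frame[1:4])
    if ptype != EAPOL_TYPE_EAP or len(frame) < 4 + length:
        raise ValueError("not a complete EAPOL-EAP frame")
    return frame[4:4 + length]


def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value      # type(1) length(1) value


def radius_access_request(secret, rad_id, identity, eap, request_authenticator):
    """AP side: carry the EAP packet in EAP-Message attributes. RFC 3579 requires
    a Message-Authenticator (HMAC-MD5 keyed with the shared secret over the whole
    packet, with the attribute value zeroed) whenever EAP-Message is present."""
    attrs = _attr(ATTR_USER_NAME, identity)
    for i in range(0, len(eap), 253):                  # attribute value limit
        attrs += _attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # placeholder, last
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, rad_id, 20 + len(attrs))
    unsigned = header + request_authenticator + attrs
    mac = hmac.new(secret, unsigned, "md5").digest()
    return unsigned[:-16] + mac                        # fill the placeholder


def radius_parse(secret: bytes, packet: bytes) -> dict:
    """Server side: verify Message-Authenticator, reassemble the EAP packet."""
    code, rad_id, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    user, eap, mac_pos, pos = None, b"", None, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_EAP_MESSAGE:
            eap += value                               # fragments concatenate
        elif atype == ATTR_MESSAGE_AUTHENTICATOR:
            mac_pos = pos + 2
        elif atype == ATTR_USER_NAME:
            user = value
        pos += alen
    if mac_pos is None:
        raise ValueError("Access-Request with EAP needs Message-Authenticator")
    zeroed = packet[:mac_pos] + bytes(16) + packet[mac_pos + 16:]
    expected = hmac.new(secret, zeroed, "md5").digest()
    if not hmac.compare_digest(expected, packet[mac_pos:mac_pos + 16]):
        raise ValueError("Message-Authenticator mismatch: wrong shared secret?")
    return {"code": code, "id": rad_id, "user": user, "eap": eap}


def relay_identity(identity=b"alice@example.com", secret=b"constructed-secret"):
    # Walk one EAP-Response/Identity from supplicant to AP to RADIUS server.
    frame = eapol_wrap(eap_response_identity(1, identity))        # supplicant
    eap = eapol_unwrap(frame)                                      # AP
    request = radius_access_request(secret, 7, identity, eap, os.urandom(16))
    return radius_parse(secret, request)                           # server
```

A server configured with a different shared secret than the AP rejects the request at the Message-Authenticator check, which is why a mismatched secret shows up as authentication failing for every user rather than as a transport error.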

During the handshake process over PPP, both systems determine the authentication protocol to use, along with other factors such as connection parameters and the data rate. Authentication occurs using the most secure protocol both systems support. If one of the systems does not have EAP capabilities, CHAP is attempted. If one of the systems does not have CHAP capabilities, PAP is used unless the administrator has specified otherwise. The administrator may choose to allow PAP, but because of the security risk it is advised that PAP not be used.

Virtual Private Networks (VPNs)

As discussed in Chapter 11, VPNs are a way for remote access employees to gain secure access to corporate networks. A VPN is a secure connection over an unsecure network—the Internet. Communication security over the VPN is provided through encryption. VPNs can also be used for secure communication between two network devices or two users. A VPN connection requires network connectivity, VPN software, appropriate protocols, and matching encryption methods on both ends.

A VPN establishes a private network over a public network such as the Internet. Instead of dialing in over a telephone line, a VPN uses an Internet connection that the systems have already established. As previously discussed, remote users may benefit from Internet connections provided in public locations such as hotels, coffee shops, and airports. This connection is beneficial when you want to do personal work such as checking personal e-mail or browsing social networking sites. Organizations, however, are not inclined to leave their infrastructure open. Organizations want to ensure that their intranet is available only to employees and that corporate resources are protected. Implementing a VPN environment provides many of the same benefits an employee experiences when connected directly to the corporate network within a corporate infrastructure.

Organizations can also employ VPN capabilities for internal wireless networks. Although you may be able to connect directly to a corporate access point, a VPN connection may be required for you to access internal corporate resources. This implementation ensures security for you and the organization, even when you are still in the organization's building.

Virtual private networking requires a tunnel. Some of the tunneling protocols that are used for VPN connections are as follows:

  • Point-to-Point Tunneling Protocol (PPTP) was developed by a group of vendors and standardized in 1999 under RFC 2637. PPTP allows PPP to be tunneled over an IP network. PPTP does this by encapsulating PPP packets. PPTP does not change PPP but defines a way to carry it. PPTP relies on Generic Routing Encapsulation (GRE) to build the tunnel between the communicating entities. PPTP allows remote users to set up the PPP connection and then secure a VPN connection. PPTP can only work over IP networks.

  • Layer 2 Tunneling Protocol (L2TP) provides the same functionality as PPTP but on networks other than IP networks. When combined with IPSec, L2TP provides encryption and authentication. L2TP sets up a connection between two communication entities over PPP.

  • The Internet Protocol Security (IPSec) protocol provides the method for establishing a secure channel. In a VPN, IPSec secures communications between the computer system and the corporate network. It is often used in the VPN configuration because it provides flexibility to the organization. Because it is an open framework, an organization can use different configurations to achieve the appropriate level of security.

IPSec provides authentication and encryption through two security protocols. Authentication Header (AH) is the authentication protocol. Encapsulated Security Payload (ESP) provides authentication and encryption. AH is used to prove the identity of the sender and ensure the data is not tampered with. ESP encrypts the IP packets and ensures their integrity. IPSec can work in two modes, transport mode or tunnel mode. In transport mode the message payload is protected. This ensures the messages cannot be read if the traffic is collected. In tunnel mode, the payload and routing and header information are protected. ESP provides greater security than AH because it protects the routing and header information.

A security association (SA) is used for each device during each VPN connection. The SA is the record of the configuration that the device needs to support an IPSec connection. When the two systems agree on the parameters used for communication, the data is stored in the SA. The SA may contain the authentication and encryption keys, algorithms, key lifetime, and source IP address. When the system receives the packet over the IPSec protocol, the SA will determine how to decrypt the packet, how to authenticate the source packet, the encryption key to use, and if necessary, how to replay the message. A different SA is used for inbound and outbound traffic.
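The paragraph above describes what an SA records and how the receiving system uses it; the following added example (not the chapter's code) shows an inbound SA lookup keyed by destination, SPI and protocol, separate inbound and outbound tables, and the sliding-window anti-replay check from RFC 4303, with the integrity check standing in for the real ESP/AH processing. All addresses, SPIs and keys are constructed.

```python
# Added example (not the chapter's code): an inbound security association
# database with separate inbound/outbound tables and the RFC 4303 anti-replay
# window. Addresses, SPIs and keys are constructed.
import hmac
from dataclasses import dataclass

WINDOW = 64                     # RFC 4303 minimum anti-replay window


@dataclass
class SecurityAssociation:
    """What the SA record holds: the fields the text lists plus replay state."""
    spi: int
    dst: str
    proto: str                  # "esp" or "ah"
    mode: str                   # "transport" or "tunnel"
    integ_key: bytes            # constructed; negotiated by IKE in practice
    lifetime_s: int
    seq_high: int = 0           # highest sequence number accepted so far
    bitmap: int = 0             # bit n set: seq_high - n already received

    def replay_ok(self, seq: int) -> bool:
        """Pure check, run before the integrity check."""
        if seq == 0 or self.seq_high - seq >= WINDOW:
            return False        # zero is reserved; too far behind the window
        if seq > self.seq_high:
            return True
        return not self.bitmap & (1 << (self.seq_high - seq))

    def replay_update(self, seq: int) -> None:
        """Advance the window; called only after the integrity check passed."""
        if seq > self.seq_high:
            shift = seq - self.seq_high
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.seq_high = seq
        else:
            self.bitmap |= 1 << (self.seq_high - seq)


class SAD:
    """Security association database: a different SA for each direction."""
    def __init__(self) -> None:
        self.inbound = {}       # (dst, spi, proto) -> SA
        self.outbound = {}      # (src, dst) selector -> SA

    def add_inbound(self, sa: SecurityAssociation) -> None:
        self.inbound[(sa.dst, sa.spi, sa.proto)] = sa

    def lookup_inbound(self, dst, spi, proto):
        return self.inbound.get((dst, spi, proto))


def icv(sa: SecurityAssociation, seq: int, payload: bytes) -> bytes:
    """Stand-in for the ESP/AH integrity check value: HMAC-SHA256 over SPI,
    sequence number and payload, truncated to 128 bits."""
    msg = sa.spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return hmac.new(sa.integ_key, msg, "sha256").digest()[:16]


def receive(sad: SAD, dst: str, proto: str, spi: int, seq: int,
            payload: bytes, tag: bytes) -> str:
    """Inbound order from RFC 4303: SA lookup, replay check, integrity check,
    then window update. Returns a short status string."""
    sa = sad.lookup_inbound(dst, spi, proto)
    if sa is None:
        return "no-sa"
    if not sa.replay_ok(seq):
        return "replay"
    if not hmac.compare_digest(icv(sa, seq, payload), tag):
        return "bad-icv"
    sa.replay_update(seq)
    return "accepted"
```

The window is advanced only after the integrity check, so a forged packet with a high sequence number cannot push legitimate traffic out of the window.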

Internet Key Exchange (IKE), as defined in RFC 2409, provides identification to communication partners via a secure connection. IKE is the de facto standard for IPSec. It is a combination of Internet Security Association and Key Management Protocol (ISAKMP) and OAKLEY. The OAKLEY protocol carries out the negotiation process, and ISAKMP provides the framework for the negotiation. This includes the negotiation for the algorithm, protocol, modes, and keys. The partners can authenticate through a shared secret or public key encryption. Once this is determined, the SAs are established.

Web Authentication

Web authentication is the process of verifying, through a Web application, that users are who they say they are. Web authentication is needed in situations where virtual private networking is not available. This may occur if a user has to use a secondary system such as a customer's computer or a computer kiosk provided at a hotel. The implementation of the Web authentication mechanism is determined by the risk associated with what is being accessed.

A user ID and password combination is the basic form of authentication that you have seen multiple times in this chapter. High-risk applications should not rely on a user ID and password combination alone because it is not a form of strong authentication. For example, an online banking tool should provide stronger authentication for access into a user's account because a password can easily be compromised. This stronger authentication can include multi-factor authentication as well as knowledge-based authentication.

One-time password authentication is a form of two-factor authentication. It is based on "something you know" such as a PIN and "something you have" such as an authenticator. Combining the PIN and information that is displayed on the authenticator provides a one-time password. This one-time password is unique to the user, and it is difficult for an attacker to compromise this information.
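The PIN-plus-token scheme described above can be shown end to end with an event-based one-time password. The following is an added example, not code from the chapter: the token algorithm is HOTP from RFC 4226, the seed is the RFC 4226 test-vector secret, and the PIN, user record and look-ahead window are constructed.

```python
# Added example (not the chapter's code): PIN + HOTP token as a one-time
# password, verified server side. HOTP is RFC 4226; the seed below is the RFC's
# test-vector secret, the PIN and user record are constructed.
import hashlib
import hmac
import struct

LOOK_AHEAD = 5           # how many unused token presses the server tolerates
RFC4226_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def new_user(pin: str, seed: bytes = RFC4226_SEED) -> dict:
    """Server record: the seed is shared with the authenticator device
    ("something you have"); only a hash of the PIN ("something you know") is
    kept. A deployment would use a slow, salted password hash for the PIN."""
    return {"seed": seed, "pin_hash": hashlib.sha256(pin.encode()).hexdigest(),
            "counter": 0}   # next counter value the server expects


def token_display(user: dict, presses: int) -> str:
    """What the authenticator shows after its button has been pressed."""
    return hotp(user["seed"], presses)


def verify_otp(user: dict, submitted: str, pin_len: int = 4) -> bool:
    """Check PIN + token. The counter moves past a used value so the same
    one-time password is rejected if it is replayed."""
    if len(submitted) != pin_len + 6 or not submitted.isdigit():
        return False
    pin, token = submitted[:pin_len], submitted[pin_len:]
    pin_ok = hmac.compare_digest(
        hashlib.sha256(pin.encode()).hexdigest(), user["pin_hash"])
    matched = None
    for c in range(user["counter"], user["counter"] + LOOK_AHEAD):
        if hmac.compare_digest(hotp(user["seed"], c), token):
            matched = c
    if not pin_ok or matched is None:
        return False            # counter untouched: nothing was consumed
    user["counter"] = matched + 1
    return True
```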

Digital certificates are electronic documents assigned to a user or system. A digital certificate contains information about the user or system. A third party, known as a certificate authority, creates the digital certificate. A digital certificate is unique to the user or system. When a user makes a request to the Web application and verification of his or her identity is required, the user's application sends a digital certificate to the Web application. The Web application verifies the digital certificate with the certificate authority. The user accessing the Web site can also verify the identity of the site via the Web server's digital certificate. You will learn more about digital certificates in Chapter 13.

Knowledge-Based Authentication (KBA)

KBA is an identification or Web authentication mechanism used in real time as a question-and-answer process. These questions and answers are obtained from public records or private data warehousing firms such as credit bureaus. The questions consist of information such as "What is the license plate number of your 1998 green Toyota Camry?" or "What is the house number where you lived in 1979?" These questions are used to prove that you are who you say you are. They can also be used as an authentication tool before a user establishes his or her challenge-response questions.

Challenge-response questions, by contrast, are set up by the user. Examples of questions are, "What is your favorite book?" or "What is the name of your second grade teacher?" KBA is beneficial for Web authentication because it does not require an additional item such as an authenticator or certificate. It is commonly used in situations where the user does not have access to other credentials, such as establishing an account for the first time or gaining access to an account after the user forgets his or her password.

Best Practices for Remote Access Controls to Support Remote Workers

Remote access controls for remote workers are not a new concept; many organizations have used them for years. Some best practices regarding remote access controls are as follows:

  • Determine the security risk associated with remote access—Understanding who will be working remotely and what tasks will occur assists in determining the security risk. Will the employees be accessing highly confidential material? Will the employees need access 24 hours a day, every day? Will data need to be downloaded to the remote computer systems? Will employees be executing programs remotely? Do the employees need read access or read and write access? These and other questions pertaining to the access will define whether this implementation is low, medium, or high risk.

  • Select a remote access option that addresses security needs—Once you have determined the risk associated with a remote access implementation, you must decide which remote access options will address the level of risk. Is encryption required for the full communication or only certain parts of the communication? Is encryption required at all? Does the remote access need to be available 24/7, or is some downtime acceptable when associated with a system failure or maintenance?

  • Determine the appropriate level of authentication based on the security risk—The level of risk associated with the system will determine the level of authentication required to keep the systems safe. Can a user ID/password combination be used for authentication, or is multi-factor authentication needed? Will the required type of authentication result in additional hardware for the remote employees? For example, if you want to employ a biometrics solution, how will remote access users get a biometrics reader? Will the biometrics reader be built into the computer system or external to the system?

  • Ensure the systems that are accessing the network meet the security policies of the organization—How will the remote workers access the network? Will employees use employer-provided systems or will they use their own computers? If employees use their own systems to access the corporate network, will the personal computer systems have the appropriate software and patches installed? Will employees use hotel or airport kiosks to access the network? If so, which safeguards are in place?

  • Ensure protection of the systems that remote workers access—After determining the level of risk associated with remote access and choosing the solutions, you must protect the systems that will be accessed. Giving employees remote access means possibly allowing attackers access as well. Knowing what resources will be accessed, who will access them, how they will be accessed, and at what times will help you set up appropriate access controls. You also need to test the access controls that are already implemented and ensure they are functioning correctly.

Case Studies and Examples of Remote Access Control Solutions That Uniquely Solve Business Challenges

There are various methods for proving the identity of, authenticating, authorizing, and auditing remote access users. The following case studies help you learn how some of these tactics are used in the real world to ensure the communication is secure and the access granted does not compromise the organization.

Private Sector Case Study

Many companies are contemplating the use of VPN versus authentication to applications via the Web. The Miller Corporation is no different. Miller Corporation is a small organization with approximately five sales representatives located throughout the United States. There are no remote offices available for the sales reps. Four of the five sales reps work from home or on the road exclusively. One of the sales reps has a work area in the corporate office but the majority of her time is spent on the road.

Jeff, the network administrator, configured remote access so that each user had a unique user ID/password combination for dial-in access to the network and unique user IDs and passwords for each application on the network. Passwords expired every 90 days. The sales representatives began reporting that this method was cumbersome and wanted to know if another solution was available.

Jeff decided to look into VPN access for the sales representatives. Jeff found that a VPN was the best option compared to Web authentication and dial-in access because of the security that remote access virtual private networking provided. A remote access VPN would provide a secure connection between the sales reps' computers and the corporate network. A remote access VPN would allow this secure communication over a wireless connection. The other solutions were not effective with this type of connection.

Jeff could manage remote access VPN configurations at a centralized location, rather than managing Web authentication for each application. Implementing the remote access VPN would also increase the productivity of the sales reps because they would no longer need to log on to multiple resources nor keep track of several passwords.

If Miller Corporation hired additional sales representatives, the VPN would scale better than any of the other options. Jeff could also seamlessly add a second level of authentication with the use of VPN, if needed. Jeff felt that a VPN solution was best for the sales representatives, and it would allow other employees to work remotely.

Public Sector Case Study

A major city government needed to ensure its departments were complying with appropriate remote access security policies and regulatory requirements. It also needed to better account for remote access usage of the citywide network by each department for budgeting purposes. The city's chief information security officer (CISO) requested security metrics and usage data from each department. This data indicated system-wide remote access security lapses and weaknesses, and it was apparent that the departments were unable to provide accurate usage figures without going to great effort.

The CISO decided to employ security and auditing through the AAA framework. AAA provides the flexibility and scalability that is needed for the city to meet policy and regulatory requirements. While implementing the framework, access controls were added to every component of the city's network infrastructure to meet authorization requirements. With the accounting component, administrators could more accurately report the resources each user consumed while using the network, and they could use the data for trend analysis and capacity planning. Implementing the authentication, authorization, and accounting components addressed current needs and future concerns.

An AAA framework is important for any organization that needs to standardize its practices based on security. It gives an organization a starting point and assists in future growth. It helps administrators understand what needs to be accomplished and why.

Critical Infrastructure Case Study

Kelly, a network administrator for a gas distribution company, needs to implement a secure dial-in infrastructure for a group of financial employees. She wants to ensure authentication, authorization, and accounting capabilities are provided. Kelly has narrowed her choice to TACACS+ or RADIUS, but is not sure which of the two is best for the environment.

Kelly is concerned that TACACS+ is not an IETF standard. She feels comfortable with the notion that RADIUS has been standardized and therefore all vendors who support RADIUS will support this standardization. Kelly appreciates the scalability of a centralized authentication service that is offered with both systems. If the implementation proves successful, the technology may be rolled out to additional employees. However, she is concerned about using RADIUS in a large infrastructure because it uses UDP. Implementing TACACS+ will resolve this issue because TCP is used, but there is a lot of network overhead associated with TCP. If each request results in an acknowledgment, network traffic will increase.

Kelly's main concern is encryption, however. Encrypting only the user's password is a risk that Kelly does not want to take. The users employing this service are in the finance department, and Kelly feels that every data packet should be encrypted in its entirety for security reasons. Weighing all of the pros and cons of each solution, Kelly feels that the security of the company's data is the most important concern. Therefore, Kelly decided to move forward with implementing TACACS+.

CHAPTER SUMMARY

This chapter focused on the technologies and security considerations of remote access solutions. There are many security risks associated with these implementations, which can be addressed with the right protocols and access controls. Employing the AAA framework can help ensure a network is configured to support the chosen protocols appropriately. Employing these capabilities will create access control solutions to make an organization more secure and productive for all remote workers.

The appropriate solution, such as RADIUS or TACACS+, depends on the risk associated within the environment. You must identify the needs and requirements of your organization, and compare them against available protocols, to choose the best solution for your environment.

KEY CONCEPTS AND TERMS

  • Accounting

  • Authentication Header (AH)

  • Authentication, Authorization, and Accounting (AAA)

  • Challenge Handshake Authentication Protocol (CHAP)

  • Encapsulated Security Payload (ESP)

  • Extensible Authentication Protocol (EAP)

  • Generic Routing Encapsulation (GRE)

  • Internet Key Exchange (IKE)

  • Internet Protocol Security (IPSec)

  • Internet Security Association and Key Management Protocol (ISAKMP)

  • Layer 2 Tunneling Protocol (L2TP)

  • Message Digest 5 (MD5)

  • Network access server (NAS)

  • OAKLEY

  • Password Authentication Protocol (PAP)

  • Point-to-Point Protocol (PPP)

  • Point-to-Point Tunneling Protocol (PPTP)

  • Remote access server (RAS)

  • Remote Authentication Dial In User Service (RADIUS)

  • Security association (SA)

  • Terminal Access Controller Access Control System (TACACS)

  • Terminal Access Controller Access Control System Plus (TACACS+)

  • Unicast

CHAPTER 12 ASSESSMENT

  1. RADIUS uses TCP.

    1. True

    2. False

  2. AAA stands for _______.

  3. Which of the following best describes the act of verifying that users are who they say they are?

    1. Identification

    2. Authentication

    3. Authorization

    4. Auditing

  4. Which of the following are authentication protocols used with PPP? (Select three.)

    1. CHES

    2. CHAP

    3. EAP

    4. MAP

    5. PAP

  5. TACACS+ encrypts the entire data packet.

    1. True

    2. False

  6. What portion of TACACS+ provides AAA capabilities?

    1. NAS

    2. Client

    3. TACACS+ daemon

    4. XTACACS

  7. What are examples of Web authentication? (Select three.)

    1. Knowledge-based authentication

    2. Identification

    3. Certificates

    4. User ID/password

    5. Remote access server

  8. MD5 is a cryptographic _______ function.

  9. Cisco developed the TACACS+ and XTACACS protocols.

    1. True

    2. False

  10. Which of the following is used to validate the communication between a RADIUS server and a RADIUS client?

    1. NAS

    2. TACACS daemon

    3. RAS

    4. Shared secret

  11. PAP is a _______ handshake.

  12. CHAP is a _______ handshake.

  13. What is a program that runs in the background?

    1. RAS

    2. Encryption

    3. Daemon

    4. PAP

  14. What is the de facto standard for IPSec key exchange?

    1. OAKLEY

    2. IKE

    3. ISAKMP

    4. RADIUS
