Remote Access Protocols and Services

  • Define the function of the following remote access protocols and services:

    • Remote Access Service (RAS)

    • Point-to-Point Protocol (PPP)

    • Point-to-Point Tunneling Protocol (PPTP)

    • Independent Computing Architecture (ICA)

Protocols and services are needed for establishing remote connections. The following sections discuss these protocols and services:

  • Remote Access Service (RAS)

  • Serial Line Internet Protocol (SLIP)

  • Point-to-Point Protocol (PPP)

  • Point-to-Point Tunneling Protocol (PPTP)

  • Independent Computing Architecture (ICA)

Each of these protocols and services has advantages, disadvantages, and limitations, but each has a place in establishing remote connectivity.

This chapter begins its discussion of remote access technologies by looking at the remote access mechanism used on Windows Server platforms: the RAS, which is the most popular form of remote connectivity.

Remote Access Service (RAS)

RAS is a full-featured remote access solution that is included with Windows Server products. The popularity of RAS has a lot to do with the popularity of Windows, but RAS is also feature rich, easy to configure, and easy to use. As a result of this ease of use, many companies that previously had not used remote access now embrace it. (The fact that RAS is included with Windows has probably also had something to do with its popularity.)

Any system that supports the appropriate dial-in protocols can connect to a RAS server. Most commonly, the clients are Windows systems that use the dial-up networking feature; but any operating system that supports dial-up client software will work. Connection to a RAS server can be made over a standard phone line, using a modem, over a network, or via an Integrated Services Digital Network (ISDN) connection.

NOTE

RRAS In Windows 2000, Microsoft renamed the RAS service to Routing and Remote Access Service (RRAS). The basic RAS functionality, however, is the same as in previous versions of Windows.


When a connection is made to the RAS server, the client is authenticated and the system that is dialing in becomes a part of the network, although it is connected over a slow link. Depending on the configuration of the RAS server, the client is then able to access just the RAS server or the entire network. The number of RAS connections is normally limited by the number of dial-in connections the system can physically accommodate, but there are also some limits built in to the software. Windows NT 4 Server, for example, supports up to 256 remote connections, whereas workstation products such as Windows NT Workstation and Windows 2000 Professional support only a single RAS connection. Figure 8.1 shows an example of remote access through a RAS server.

Figure 8.1. Remote access through a RAS server.


NOTE

RAS Server Callbacks RAS includes a feature called callback that allows for an extra degree of security. When a call is placed to a RAS server, the server hangs up and calls back either a predetermined number or a number that can be input by the remote user. When a predetermined number is used, only calls that originate from that number will be serviced, which is more secure than allowing calls from any number.


RAS Client Support

RAS supports remote connectivity from all the major client operating systems available today, including the following:

  • Windows for Workgroups–based clients

  • LAN Manager–based clients

  • Windows 95–based clients

  • Windows NT Workstation–based clients

  • Windows NT Server–based clients

  • Windows 2000 Professional–based clients

  • Unix-based/Linux clients

  • Macintosh-based clients

  • OS/2-based clients

Although the system is called RAS, the underlying technologies that enable the RAS process are dial-up protocols such as PPP and SLIP.

Serial Line Internet Protocol (SLIP)

In the 1970s, students at the University of California, Berkeley, developed SLIP. SLIP was designed to allow data to be transmitted via Transmission Control Protocol/Internet Protocol (TCP/IP) over serial connections in a Unix environment. SLIP did an excellent job, but time proved to be its enemy. SLIP was developed in an atmosphere in which security was not an overriding concern; consequently, SLIP does not support encryption or authentication. It transmits all the data used to establish a connection (username and password) in clear text, which is, of course, dangerous in today's insecure world.

EXAM TIP

SLIP SLIP is not actually included in the CompTIA objectives, but it is included here because it is still used in real-world applications, though on a decreasing basis.


SLIP also does not provide error checking or packet addressing, so it can be used only in serial communications. It supports only TCP/IP, and login is accomplished through a terminal window. You can avoid the terminal window logon by utilizing scripts, but doing so can be difficult as well.

Is SLIP a bad protocol? No, in its day, it performed its intended duties perfectly; it is just not a match for today's computing environment or the new dial-up protocols that are available.

Many operating systems still provide at least minimal SLIP support for backward compatibility with older environments, but SLIP has been replaced by a newer and more secure alternative: PPP. SLIP is still used by some government agencies and large corporations in Unix remote access applications, so you might come across it from time to time.

Point-to-Point Protocol (PPP)

PPP, which is described in RFC 1661, is the standard remote access protocol in use today. PPP is actually a family of protocols that work together to provide connection services. PPP provides solutions to most of SLIP's shortcomings.

Because PPP is an industry standard, it offers interoperability between different software vendors in various remote access implementations. PPP provides a number of security enhancements compared to SLIP, the most important being the encryption of usernames and passwords during the authentication process. PPP allows remote clients and servers to negotiate data encryption methods and authentication methods and support new technologies. PPP even gives administrators the ability to choose which particular local area network (LAN) protocol to use over a remote link. A Windows 2000 administrator can choose among NetBIOS Extended User Interface (NetBEUI), NWLink (Internetwork Packet Exchange/Sequenced Packet Exchange [IPX/SPX]), AppleTalk, or TCP/IP.

PPP Authentication Protocols

During the establishment of a PPP connection between the remote system and the server, the remote server needs to authenticate the remote user and does so by using the PPP authentication protocols. PPP accommodates a number of authentication protocols; the protocol used in the authentication process depends on the security configurations established between the remote user and the server. The following are some of the common authentication protocols used by PPP:

  • Challenge Handshake Authentication Protocol (CHAP)— CHAP is an authentication system that uses the MD5 hashing scheme to secure authentication responses. CHAP is a commonly used protocol, and as the name suggests, anyone trying to connect is challenged for authentication information. When the correct information is supplied, the systems “shake hands,” and the connection is established.

  • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)— MS-CHAP was developed to authenticate remote Windows-based workstations. There are two versions of MS-CHAP; the main difference between the two is that MS-CHAP version 2 offers mutual authentication. This means that both the client and the server must prove their identities in the authentication process. Doing so ensures that the client is connecting to the expected server.

  • Password Authentication Protocol (PAP)— PAP is the least secure of the authentication methods because it sends passwords unencrypted. PAP is often not the first choice of protocols used; rather, it is used when more sophisticated types of authentication fail between a server and a workstation.

  • Extensible Authentication Protocol (EAP)— EAP is an extension made to standard PPP. EAP has additional support for a variety of authentication schemes. It is often used with VPNs to add security against brute-force or dictionary attacks.

  • Shiva Password Authentication Protocol (SPAP)— SPAP is an encrypting authentication protocol used by Shiva remote access servers. SPAP offers a higher level of security than other authentication protocols such as PAP, but it is not as secure as CHAP.
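The difference between PAP and CHAP described above, as an added example that is not from the book: it builds the PAP Authenticate-Request bytes (RFC 1334) to show that the password itself travels in the packet, and runs a CHAP MD5 challenge/response round (RFC 1994) from both the client and the authenticator side, where only a hash of a fresh challenge travels. The shared secret, the ChapServer class and the run_exchange helper are constructed for this illustration.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample secret shared by both peers; CHAP never puts it on the wire.
SECRET = b"correct horse battery staple"


def pap_authenticate_request(identifier, peer_id, password):
    """PAP Authenticate-Request (RFC 1334): Code 1, Identifier, Length, then the
    peer-id and password as length-prefixed plain text."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


def chap_response(identifier, secret, challenge):
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side: issue a one-time random challenge, then check the response."""

    def __init__(self, secret):
        self.secret = secret
        self.identifier = 0
        self.pending = None  # (identifier, challenge) still awaiting a response

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.pending = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, identifier, response):
        if self.pending is None or identifier != self.pending[0]:
            return False  # stale, replayed, or unsolicited response
        expected = chap_response(identifier, self.secret, self.pending[1])
        self.pending = None  # a challenge can be answered only once
        return hmac.compare_digest(expected, response)


def run_exchange(server, client_secret):
    """One full challenge/response round; True when the client's secret matches."""
    ident, chal = server.challenge()
    return server.verify(ident, chap_response(ident, client_secret, chal))
```

Because each challenge is random and single-use, a captured CHAP response is useless for a later connection, whereas a captured PAP packet contains the password outright.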

NOTE

ATCP Macintosh users can dial in to a Windows 2000 server by using PPP over AppleTalk Control Protocol (ATCP). ATCP is installed when the AppleTalk protocol is installed, or it can be installed separately.


The PPP Dial-up Sequence

The following specific steps are performed when a remote connection is established:

1.
To allow communication between devices to occur, framing rules are established between the client and the server.

2.
The remote client system is authenticated by the authentication server, using one of the PPP authentication protocols: CHAP, MS-CHAP, EAP, or PAP.

3.
Network control protocols (NCPs) configure the remote client for the correct LAN protocols, TCP/IP, and so on.

EXAM TIP

SLIP and PPP If you are working on a network that uses SLIP, you should try to move to PPP as soon as possible because it is more flexible and secure than SLIP.


After these steps are successfully completed, the server and the client can begin to exchange data.

PPTP

PPTP, which is documented in RFC 2637, is often mentioned together with PPP. Although it's used in dial-up connections as PPP is, PPTP provides very different functionality: It creates a secure tunnel between two points on a network, over which other connectivity protocols, such as PPP, can be used. This tunneling functionality is the basis for VPNs, which are discussed later in this chapter.

VPNs are created and managed by using the PPTP protocol, which builds on the functionality of PPP, making it possible to create dedicated point-to-point tunnels through a public network such as the Internet. Figure 8.2 shows an example of a PPTP connection through a public network.

Figure 8.2. A PPTP connection.


To establish a PPTP session between a client and server, a TCP connection known as a PPTP control connection is required to create and maintain the communication tunnel. The PPTP control connection exists between the IP address of the PPTP client and the IP address of the PPTP server, using TCP port 1723. It is the function of the PPTP control connection to pass the PPTP control and management messages used to maintain the PPTP communication tunnel between the remote system and the server. Examples of these control and management messages are included in Table 8.1.

Table 8.1. PPTP Call Control and Management Messages

  • Start Control Connection Request: The initial message sent by the client to create the PPTP control connection. To establish a PPTP tunnel, this control connection must be initiated before any other PPTP messages can be sent.

  • Start Control Connection Reply: The response sent by the server, acknowledging the client's request.

  • Outgoing Call Request: The request sent by the client to establish the PPTP tunnel.

  • Outgoing Call Reply: The server's reply to the Outgoing Call Request message.

  • Call Clear Request: The request sent by the PPTP client, indicating the termination of the tunnel.

  • Call Disconnect Notify: The message sent by the server in response to the Call Clear Request message.

  • Stop Control Connection Request: The request sent by either the PPTP client or the PPTP server to indicate that the control connection is being terminated.

PPTP uses the same authentication methods as PPP, including MS-CHAP, CHAP, PAP, and EAP.
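The PPTP control connection on TCP port 1723 described above, as an added example that is not from the book: a decoder for the common 12-byte header that every PPTP control message starts with (field layout and Control Message Type values from RFC 2637, which the text cites), mapping the type to the message names in Table 8.1. The sample Start Control Connection Request packet is constructed here to exercise the decoder, and inspect_control_message is a helper of this example, not a PPTP API.

```python
import struct

PPTP_MAGIC_COOKIE = 0x1A2B3C4D  # RFC 2637: fixed value used to detect a desynchronised stream

# Control Message Type values defined in RFC 2637; Table 8.1 names the common ones.
CONTROL_MESSAGE_NAMES = {
    1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request", 4: "Stop-Control-Connection-Reply",
    5: "Echo-Request", 6: "Echo-Reply",
    7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply",
    9: "Incoming-Call-Request", 10: "Incoming-Call-Reply", 11: "Incoming-Call-Connected",
    12: "Call-Clear-Request", 13: "Call-Disconnect-Notify",
    14: "WAN-Error-Notify", 15: "Set-Link-Info",
}

# Common header: Length, PPTP Message Type, Magic Cookie, Control Message Type, Reserved0.
HEADER = struct.Struct("!HHIHH")


def parse_control_header(data):
    """Validate the common header and return its fields; raise on anything malformed."""
    if len(data) < HEADER.size:
        raise ValueError("truncated PPTP control header")
    length, msg_type, cookie, ctrl_type, _reserved = HEADER.unpack_from(data)
    if cookie != PPTP_MAGIC_COOKIE:
        raise ValueError("bad magic cookie; control connection out of sync")
    if msg_type != 1:
        raise ValueError("PPTP message type %d is not a control message" % msg_type)
    if length != len(data):
        raise ValueError("length field %d does not match %d bytes" % (length, len(data)))
    name = CONTROL_MESSAGE_NAMES.get(ctrl_type, "Unknown")
    return {"length": length, "type": ctrl_type, "name": name}


def inspect_control_message(data):
    """Name the control message, or say why the bytes are not a valid one."""
    try:
        return parse_control_header(data)["name"]
    except ValueError as err:
        return "invalid: %s" % err


def build_start_control_connection_request(hostname=b"client", vendor=b"example"):
    """Constructed Start-Control-Connection-Request (156 bytes) to exercise the parser."""
    # Protocol Version 1.0, Reserved1, Framing Capabilities, Bearer Capabilities,
    # Maximum Channels, Firmware Revision, then 64-byte Host Name and Vendor String.
    body = struct.pack("!HHIIHH", 0x0100, 0, 1, 1, 1, 0)
    body += hostname.ljust(64, b"\x00") + vendor.ljust(64, b"\x00")
    return HEADER.pack(HEADER.size + len(body), 1, PPTP_MAGIC_COOKIE, 1, 0) + body
```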

Independent Computing Architecture (ICA)

The Citrix ICA protocol allows client systems to access and run applications on a server, using the resources of the server, with only the user interface, keystrokes, and mouse movement being transferred between the client and server computers. In effect, although you are working at a remote computer, the system functions as if you were physically sitting at the server itself. Such technology is often referred to as thin client because only a very small piece of software is needed on the client system.

NOTE

The X Window System ICA is similar to the X Window System, which is used in Unix/Linux environments.


Because ICA requires only minimal traffic back and forth between the client and the server, the connection is not bandwidth intensive, which allows many clients to use ICA simultaneously. In addition, processing is performed on the server rather than on the client workstation. This enables client systems to use applications they would not normally be able to run. For example, using ICA, it would be possible for a user on a 486 computer with only 16MB of RAM to run the latest Office suite or a complex graphics system. Doing so would be impossible using only the resources of the client system.

NOTE

ICA Support ICA works over all standard network protocols, such as TCP/IP, NetBEUI, IPX/SPX, and PPP. It also supports the commonly used transport mechanisms, such as ISDN, Frame Relay, and Asynchronous Transfer Mode (ATM).


ICA is platform independent. It provides client software for all the major operating systems, including Windows, Macintosh, and Linux, and it even supports handheld devices.
