Hardening Communications and Remote Access

Remote connections can present additional security challenges. You need the ability to evaluate several attributes of a connection request’s source before granting access to your network. Define different access profiles based on your policies to meet the needs of different types of network users. Network access control (NAC) is a solution that defines and implements a policy that describes the requirements to access your network. NAC defines the rules a connecting node must meet to establish a secure connection with your network. It also allows you to proactively interrogate nodes that request a connection to your network to ensure they don’t pose a risk. Use NAC to classify connecting nodes based on the level of compliance with your access rules. NAC allows you to evaluate node attributes such as these:

  • Anti-malware protection

  • Firewall status and configuration

  • Operating system version and patch level

  • Node role and identity

  • Custom attributes for enterprise configuration

NAC solutions enable you to exert control over which nodes can connect to your networks and what rights you’ll grant to them once they connect. NAC provides a formal method to establish relationships with several types of security controls and helps you minimize threats from malware, increase LAN-to-WAN availability, and provide proof of compliance through NAC-related auditing data. NAC is a method of controlling network access that several vendor products support. TABLE 11-4 lists some vendors that provide NAC software.

TABLE 11-4 NAC Software Products

PRODUCT                                  WEBSITE
PacketFence (Open source)                http://www.packetfence.org/en/home.html
Sophos Network Access Control            http://www.sophos.com/en-us/your-needs/features/nac.aspx
Symantec Endpoint Protection             http://www.symantec.com/endpoint-protection
McAfee Endpoint Protection               http://www.mcafee.com/us/products/endpoint-protection/index.aspx
Checkpoint Advanced Endpoint Protection  https://www.checkpoint.com/products/advanced-endpoint-threat-prevention/
Cisco Network Access Control             https://www.cisco.com/c/en/us/products/security/what-is-network-access-control-nac.html
SecureTrust Network Access Control       https://www.securetrust.com/solutions/compliance-technologies/network-access-control/
ExtremeApplications ExtremeControl       https://www.extremenetworks.com/product/extremecontrol/
Aerohive A3                              https://www.aerohive.com/products/a3/

© Jones & Bartlett Learning.

You can choose from many products to implement NAC. NAC software alone won’t secure your networks, but it gives you the ability to define and enforce policies that can get you closer to your security goals.
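The following is an added example, not code from the book or from any of the products in TABLE 11-4. It shows the core of what a NAC policy engine does with the attributes listed above: it evaluates a connecting node's anti-malware state, firewall status, operating system patch level, role, and a custom enterprise attribute, and classifies the node into an access profile. The profile names, the role table, the patch-level baselines and the sample nodes are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Access profiles a connecting node can be placed in, from most to least trusted.
# All profile names and thresholds below are constructed for this example.
FULL_ACCESS = "full-access"        # normal corporate network
INTERNET_ONLY = "internet-only"    # guest VLAN: no internal resources
REMEDIATION = "remediation"        # quarantine VLAN: patch and anti-malware servers only
DENY = "deny"                      # connection refused

# Minimum acceptable patch level per operating system (constructed build numbers).
MIN_PATCH_LEVEL = {"windows": 19045, "ubuntu": 2204}

# Profile each role is entitled to when fully compliant (hypothetical policy).
ROLE_PROFILE = {"employee": FULL_ACCESS, "contractor": FULL_ACCESS, "guest": INTERNET_ONLY}

# Custom enterprise attributes a role must present (hypothetical policy).
REQUIRED_CUSTOM = {"employee": {"disk_encrypted": True}, "contractor": {"disk_encrypted": True}}


@dataclass
class NodePosture:
    """Attributes reported by a NAC agent or gathered by interrogating the node."""
    node_id: str
    role: str
    antimalware_running: bool
    signature_age_days: int
    firewall_enabled: bool
    os_name: str
    os_patch_level: int
    custom: dict = field(default_factory=dict)


def evaluate_node(node):
    """Classify one node. Returns (profile, list of failed checks)."""
    # Identity and role are checked first: an unknown role gets nothing, not even remediation.
    if node.role not in ROLE_PROFILE:
        return DENY, [f"unknown role {node.role!r}"]

    failures = []
    if not node.antimalware_running:
        failures.append("anti-malware not running")
    elif node.signature_age_days > 7:
        failures.append(f"anti-malware signatures are {node.signature_age_days} days old")
    if not node.firewall_enabled:
        failures.append("host firewall disabled")

    required = MIN_PATCH_LEVEL.get(node.os_name)
    if required is None:
        # An OS with no patch baseline cannot be assessed, so it is refused outright.
        return DENY, [f"no patch baseline for operating system {node.os_name!r}"]
    if node.os_patch_level < required:
        failures.append(f"patch level {node.os_patch_level} below required {required}")

    for attr, expected in REQUIRED_CUSTOM.get(node.role, {}).items():
        if node.custom.get(attr) != expected:
            failures.append(f"custom attribute {attr}={expected} not satisfied")

    # Guests are never sent to remediation (they are not ours to fix): any failure is a refusal.
    if failures:
        return (DENY if node.role == "guest" else REMEDIATION), failures
    return ROLE_PROFILE[node.role], []


def classify_all(nodes):
    """Map node id -> profile, the kind of record NAC auditing keeps of who was admitted where."""
    return {n.node_id: evaluate_node(n)[0] for n in nodes}


# Constructed sample connection requests.
SAMPLE_NODES = [
    NodePosture("laptop-01", "employee", True, 1, True, "windows", 19045, {"disk_encrypted": True}),
    NodePosture("laptop-02", "employee", True, 12, True, "windows", 19045, {"disk_encrypted": True}),
    NodePosture("laptop-03", "contractor", True, 2, False, "ubuntu", 2204, {}),
    NodePosture("phone-04", "guest", True, 0, True, "windows", 19045, {}),
    NodePosture("kiosk-05", "vendor", True, 0, True, "windows", 19045, {}),
    NodePosture("dev-06", "employee", True, 0, True, "freebsd", 14, {"disk_encrypted": True}),
]

if __name__ == "__main__":
    for node in SAMPLE_NODES:
        profile, why = evaluate_node(node)
        print(f"{node.node_id:10} {node.role:11} -> {profile:13} {'; '.join(why)}")
```

The order of the checks matters: identity and role are decided before posture, and a node whose operating system has no baseline is refused rather than quarantined, because a remediation VLAN can only fix what the policy knows how to measure. The returned list of failures is what a real NAC product would show the user on the remediation page and write to its audit log.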

Authentication Servers

Once remote computers are authorized to connect, you’ll need to authenticate the remote user as well. You have many ways to authenticate remote users, but three main approaches are common. The first two, RADIUS and TACACS+, rely on centralized authentication databases and servers to handle all remote users. Either of these approaches works well when there are a large number of remote users or you need to manage remote users from a central location. The third option is to use a virtual private network (VPN).

RADIUS

Remote Authentication Dial In User Service (RADIUS) is a network protocol that supports remote connections by centralizing the management tasks for authentication, authorization, and accounting for computers to connect and access a network. RADIUS is a popular protocol that many network software and devices support and is often used by Internet service providers (ISPs) and large enterprises to manage access to their networks.

RADIUS is a client/server protocol that runs in the Application Layer—Layer 7 in the Open Systems Interconnection (OSI) Reference Model or Layer 4 in the TCP/IP Reference Model—and uses the User Datagram Protocol (UDP) to transport authentication and control information. Network access servers that control access for remote users and devices act as RADIUS clients: they communicate with the RADIUS server to authenticate devices and users before granting access. In addition to granting access and authorizing actions, RADIUS records the network services used, for accounting purposes.

TACACS+

Terminal Access Controller Access-Control System Plus (TACACS+) is another network protocol, developed by Cisco. TACACS+ traces its roots to an earlier protocol, TACACS, but is an entirely different protocol. TACACS+ provides access control for remote networked computing devices using one or more centralized servers. It is similar to RADIUS in that it provides authentication, authorization, and accounting services, but TACACS+ separates the authentication and authorization information. TACACS+ also uses TCP rather than UDP, which gives it more reliable transport.

One difference between RADIUS and TACACS+ is important to security. RADIUS encrypts only the password when sending an access request packet to the server; TACACS+ encrypts the entire packet. That makes it a little harder to sniff data from a TACACS+ packet.
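To make the RADIUS side of that difference concrete, here is an added example (not code from the book, and not a RADIUS library) that builds and parses a RADIUS Access-Request datagram in the wire format of RFC 2865. Only the User-Password attribute is hidden, using the MD5-and-shared-secret scheme from section 5.2 of that RFC; the User-Name and NAS-IP-Address attributes travel in cleartext, which is exactly what a packet capture of RADIUS traffic shows. The shared secret, user name, password and NAS address are constructed sample values.

```python
import hashlib
import os
import socket
import struct

# Packet code and attribute types from RFC 2865.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
HEADER_LEN = 20   # code(1) + identifier(1) + length(2) + Request Authenticator(16)


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad the password with NULs to a 16-byte boundary, then XOR each
    block with MD5(secret + previous block); the first block uses the Request Authenticator."""
    pad_len = (-len(password)) % 16
    if not password:
        pad_len = 16          # an empty password still occupies one 16-byte block
    padded = password + b"\x00" * pad_len
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block          # chaining: the next mask depends on this ciphertext block
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Server side: recover the password with the same shared secret and authenticator."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password value must be a non-empty multiple of 16 bytes")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return plain.rstrip(b"\x00")


def encode_attr(attr_type, value):
    """Type-Length-Value; Length counts the Type and Length octets as well."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, nas_ip, secret, authenticator=None):
    """Build the datagram a network access server (RADIUS client) sends to the RADIUS server."""
    authenticator = authenticator or os.urandom(16)   # the Request Authenticator must be unpredictable
    attrs = (encode_attr(ATTR_USER_NAME, username)
             + encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + encode_attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)) + authenticator + attrs


def parse_packet(data):
    """Return (code, identifier, authenticator, {attr_type: value}); raise on malformed input."""
    if len(data) < HEADER_LEN:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > len(data):
        raise ValueError("bad length field")
    authenticator = data[4:HEADER_LEN]
    attrs, pos = {}, HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


SECRET = b"example-shared-secret"   # constructed; in practice configured on both NAS and server


def demo():
    """What an observer on the path sees versus what the server recovers."""
    pkt = build_access_request(7, b"alice", b"correct horse", "192.0.2.10", SECRET)
    _, _, auth, attrs = parse_packet(pkt)
    return {
        "username_visible_on_wire": b"alice" in pkt,
        "password_visible_on_wire": b"correct horse" in pkt,
        "server_recovers": reveal_password(attrs[ATTR_USER_PASSWORD], SECRET, auth),
    }


if __name__ == "__main__":
    print(demo())
```

Two points follow from the code. First, everything except the password value is readable on the wire, so user names and NAS addresses are exposed to anyone who can capture the UDP traffic. Second, the hiding depends entirely on the shared secret and on the Request Authenticator being unpredictable, which is why RADIUS deployments are normally confined to a management network or carried inside a VPN or TLS-protected transport rather than across untrusted links.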

VPNs and Encryption

VPNs are one of the most popular methods to establish remote connections. A VPN appears to your software as a regular network connection. It is actually a virtual connection, also called a tunnel, which uses a regular WAN connection of many hops but looks like a direct connection to your software. Most VPNs offer the option to encrypt traffic using different modes to meet different needs.

The concept of tunneling is central to most VPNs. Tunneling allows applications to use any protocol to communicate with servers and services without having to worry about addressing privacy concerns. Applications can even use protocols that aren’t compatible with your WAN. Here’s how tunneling works:

  1. Your application sends a message to a remote address using its Application Layer protocol.

  2. The target address your application used directs the message to the tunnel interface. The tunnel interface places each of the packets from the Application Layer inside another packet using an encapsulating protocol. This encapsulating protocol handles tunnel addressing and encryption issues.

  3. The tunnel interface then passes the packets to the layers that handle the WAN interface for physical transfer.

  4. On the receiving end, the packets go from the WAN to the remote tunnel interface where the packets are decrypted and assembled back into Application Layer packets and then passed up to the remote Application Layer.
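The four steps above, carried through end to end in an added example that is not code from the book or from any VPN product. Each `TunnelInterface` is one end of the tunnel: `encapsulate` is step 2 (an outer header carrying the tunnel addresses, a sequence number and a nonce, with the inner Application Layer packet encrypted and the whole tunnel packet authenticated), a plain list stands in for the WAN of step 3, and `decapsulate` is step 4 (integrity check, replay check, decryption, and the inner packet handed back up). The cipher is an HMAC-SHA256 keystream used as an illustrative stand-in for the block cipher mode a real encapsulating protocol such as IPSec uses; the key, addresses and HTTP request are constructed values.

```python
import hashlib
import hmac
import os
import socket
import struct

HEADER_LEN = 24   # src(4) + dst(4) + sequence(4) + nonce(12)
TAG_LEN = 32      # HMAC-SHA256 authentication tag


def _keystream(key, nonce, length):
    """HMAC-SHA256 as a PRF in counter mode. Illustrative stand-in for the block cipher
    (for example AES in GCM mode, as used by IPSec ESP) a real tunnel would use."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class TunnelInterface:
    """One end of a tunnel. Both ends share `key`; separate encryption and MAC keys are derived."""

    def __init__(self, local_ip, peer_ip, key):
        self.local_ip, self.peer_ip = local_ip, peer_ip
        self.enc_key = hashlib.sha256(b"enc|" + key).digest()
        self.mac_key = hashlib.sha256(b"mac|" + key).digest()
        self.send_seq = 0
        self.last_recv_seq = -1

    def encapsulate(self, inner_packet):
        """Step 2: wrap an Application Layer packet in a tunnel packet.
        Outer header = tunnel source, tunnel destination, sequence number, nonce.
        The inner packet is encrypted, then header + ciphertext are authenticated (encrypt-then-MAC)."""
        self.send_seq += 1
        nonce = os.urandom(12)
        header = (socket.inet_aton(self.local_ip) + socket.inet_aton(self.peer_ip)
                  + struct.pack("!I", self.send_seq) + nonce)
        ks = _keystream(self.enc_key, nonce, len(inner_packet))
        ciphertext = bytes(p ^ k for p, k in zip(inner_packet, ks))
        tag = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        return header + ciphertext + tag

    def decapsulate(self, tunnel_packet):
        """Step 4: verify, reject replays, decrypt, and return the inner packet for the Application Layer."""
        if len(tunnel_packet) < HEADER_LEN + TAG_LEN:
            raise ValueError("tunnel packet too short")
        header = tunnel_packet[:HEADER_LEN]
        ciphertext = tunnel_packet[HEADER_LEN:-TAG_LEN]
        tag = tunnel_packet[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # constant-time comparison
            raise ValueError("authentication failed: packet modified or wrong key")
        src, dst = header[:4], header[4:8]
        seq = struct.unpack("!I", header[8:12])[0]
        nonce = header[12:24]
        if dst != socket.inet_aton(self.local_ip) or src != socket.inet_aton(self.peer_ip):
            raise ValueError("tunnel packet not addressed to this tunnel")
        if seq <= self.last_recv_seq:
            raise ValueError(f"replayed or out-of-order packet (seq {seq})")
        self.last_recv_seq = seq
        ks = _keystream(self.enc_key, nonce, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, ks))


def run_demo(key=b"constructed-tunnel-key"):
    """Steps 1 to 4 end to end, with a list standing in for the WAN between the two ends."""
    client = TunnelInterface("203.0.113.5", "198.51.100.7", key)
    server = TunnelInterface("198.51.100.7", "203.0.113.5", key)
    app_packet = b"GET /payroll/status HTTP/1.1\r\nHost: intranet.example\r\n\r\n"  # step 1
    wan = [client.encapsulate(app_packet)]                                         # steps 2 and 3
    delivered = server.decapsulate(wan[0])                                         # step 4
    return {
        "payload_visible_on_wan": b"payroll" in wan[0],
        "delivered_intact": delivered == app_packet,
        "outer_src": socket.inet_ntoa(wan[0][:4]),
    }


if __name__ == "__main__":
    print(run_demo())
```

Note what the WAN can and cannot see: the outer header (tunnel endpoints, sequence number, nonce) is readable, because intermediate hops need it to route the packet, while the application's own addressing, protocol and payload are not. The sequence number is what turns "encrypted" into "protected": without it, a captured tunnel packet could be re-sent later and would decrypt cleanly.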

This arrangement provides excellent flexibility and security. Depending on your VPN solution, you can choose from several encapsulating protocols, including:

  • OpenVPN—An open source VPN protocol used on a variety of operating systems. Although generally slower than other protocols, OpenVPN enjoys wide acceptance and is generally considered one of the most secure VPN protocols.

  • IPSec—A protocol suite designed to secure IP traffic using authentication and encryption for each packet.

  • Layer 2 Forwarding Protocol (L2FP)—A tunneling protocol developed by Cisco Systems to establish VPNs over the Internet. L2FP does not provide encryption—it relies on other protocols for encryption.

  • Point-to-Point Tunneling Protocol (PPTP)—A protocol used to implement VPNs using a control channel over TCP and a Generic Routing Encapsulation (GRE) tunnel for data. PPTP does not provide encryption.

  • Layer 2 Tunneling Protocol (L2TP)—A tunneling protocol used to implement a VPN. L2TP is a newer protocol that traces its ancestry to L2FP and PPTP. Like its predecessors, L2TP does not provide encryption itself.

  • Secure Socket Tunneling Protocol (SSTP)—SSTP is fully integrated with the Windows operating system. It was developed by Microsoft and provides an easy-to-use VPN when communicating with other Windows computers. SSTP operates over SSL/TLS and provides an easy way to use a VPN even through a firewall that may block other VPN traffic. SSTP also supports Linux and Berkeley Software Distribution (BSD) clients, and mobile device operating systems can connect using third-party clients.

  • Internet Key Exchange Version 2 (IKEv2)—Like SSTP, IKEv2 is a protocol developed jointly by Microsoft and Cisco. IKEv2 only provides tunneling services, and is often paired with other protocols, such as IPSec, to provide authentication and encryption.

The VPN you select depends on several factors. Some VPN solutions are vendor specific and rely on one type of hardware. Other types of VPNs are operating system specific. For example, SSTP is only available for the Windows operating system. SSTP is Microsoft’s attempt to provide a solution that works on any networking hardware. SSTP uses Secure Sockets Layer (SSL) to transport Point-to-Point Protocol (PPP) or L2TP traffic. Using SSL removes many of the firewall and NAT issues some other protocols encounter.

Regardless of the remote authentication method you choose to use, ensure that you configure each server and client to establish connections only using your preferred method.
