Remote access security
Centralized Password/Profile Databases:
Third-party authentication services allow a single database to hold the
privileges and profiles used on the local network. Such a database can
contain access rights for local users on the network as well as for remote
users, which eliminates the need to construct, maintain, and secure
multiple databases for network authentication.
RADIUS (Remote Authentication Dial In User Service, RFC 2865) has emerged as
the common open IETF standard for centralized authentication. RADIUS offers
robust functionality, flexibility, and compatibility between vendors. A RADIUS
client is the remote access server: it forwards the user's credentials to a
RADIUS server and asks it for an authorization decision, so RADIUS provides a
single point of authentication and configuration. In a stand-alone setup remote
users are authenticated by the RADIUS server, which also stores user privileges
and can record session (accounting) statistics. Note that RADIUS hides only the
User-Password attribute, and the protection of both that attribute and the
replies rests entirely on the shared secret between client and server, so the
secret must be long and random and the RADIUS traffic should run on a protected
network segment. TACACS (Terminal Access Controller Access Control System),
although outdated, and its successor TACACS+ provide similar functionality to
RADIUS; the original TACACS is documented in the informational RFC 1492, while
TACACS+ is a Cisco-developed protocol. TACACS is a simple query/response
protocol in which the remote access server asks the authentication server to
verify a username and password and receives an accept or reject. TACACS lacks
many of the features that TACACS+ and RADIUS offer, and should no longer be
deployed in new installations.
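The exchange described above, as an added example that is not part of the original paper: a minimal RADIUS client (the remote access server) builds an Access-Request, and a minimal RADIUS server unhides the User-Password, checks it, and answers with an Access-Accept or Access-Reject carrying a Response Authenticator that the client verifies. The packet layout, the User-Password hiding and the Response Authenticator follow RFC 2865; the shared secret, the user store, the identifier value and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed test data: a hypothetical shared secret and user store for the
# "server" side. Not taken from any real deployment.
SHARED_SECRET = b"constructed-shared-secret"
USER_DB = {"alice": b"correct horse battery staple"}


def encode_attr(atype, value):
    """Type(1) Length(1, counts the 2 header bytes) Value, RFC 2865 section 5."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", data[i:i + 2])
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 section 5.2): pad to a 16-byte multiple,
    then XOR each block with MD5(secret + previous ciphertext block); the first
    block is keyed by the Request Authenticator. This is obfuscation, not
    strong encryption: its strength rests entirely on the shared secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret):
    """RADIUS client (remote access server) side: Code, Identifier, Length,
    16 random bytes of Request Authenticator, then the attributes."""
    request_auth = os.urandom(16)
    attrs = (encode_attr(ATTR_USER_NAME, username.encode()) +
             encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def handle_access_request(packet, secret, user_db):
    """RADIUS server side: unhide the password, check it against the user
    store, reply Accept or Reject. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = decode_attrs(packet[20:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    stored = user_db.get(username)
    ok = stored is not None and hmac.compare_digest(stored, password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    response_auth = hashlib.md5(header + request_auth + secret).digest()  # no reply attrs
    return header + response_auth


def verify_response(response, request_packet, secret):
    """Client side: recompute the Response Authenticator with the Request
    Authenticator we sent; reject replies that do not match it or our ID."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request_packet[1]:
        raise ValueError("response does not match the outstanding request")
    request_auth = request_packet[4:20]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("Response Authenticator mismatch: forged reply or wrong secret")
    return code


def authenticate(username, password, secret=SHARED_SECRET, user_db=USER_DB):
    """Run one full exchange in-process and return True only on Access-Accept."""
    request = build_access_request(7, username, password, secret)
    response = handle_access_request(request, secret, user_db)
    return verify_response(response, request, secret) == ACCESS_ACCEPT
```

The point of the Response Authenticator check is that a forged Access-Accept injected by someone who does not know the shared secret is rejected by the client; flipping the reply code in a captured Access-Reject makes verify_response raise. The weak spot is the secret itself: an attacker who captures one request/response pair can brute-force a short secret offline.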
Virtual Private Networks (VPNs)
VPNs were designed to support telecommuting, remote offices, and mobile users
on the road by providing end-to-end security between remote users and private
networks. VPNs of this kind employ PPTP (Point-to-Point Tunneling Protocol),
which carries PPP (Point-to-Point Protocol) frames, to establish a secure
connection, or tunnel, through the company firewall. This method may employ
PKI (public key infrastructure) digital certificates to authenticate remote
users, which strengthens access control: each session is tied to an individual
certificate rather than to a shared or guessable password, so administrators
can attribute activity on the network to a specific user. However, many IT
managers have declined to use digital certificates because of the difficulty
of administering these systems, and it has also been difficult to find
employees with sufficient digital certificate experience. An InternetWeek
survey (summer 2000) found that only about one third of the 200 IT managers
surveyed used digital certificates, mainly because of the lack of in-house
expertise.
These private networks support a wide range of protocol options. PAP, CHAP,
and MS-CHAP are the PPP authentication methods negotiated inside the tunnel
(PAP sends the password in the clear and should be avoided; CHAP and MS-CHAP
use a challenge/response so the password itself never crosses the link);
L2TP (Layer 2 Tunneling Protocol) and IPSec (IP Security) are the tunneling
and packet-protection protocols; and VPN gateways also support RADIUS and
token-based authentication. VPNs are increasingly being used as a solution
to provide dedicated and secure remote access.
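The difference between PAP and CHAP, as an added example that is not part of the original paper: PAP delivers the password itself (so a sniffer learns it, but the server can store only a salted slow hash), while CHAP answers a random challenge with MD5(Identifier || secret || Challenge) as in RFC 1994 (so nothing reusable crosses the link, but the server must hold the secret in recoverable form). MS-CHAP is not shown. The secret, the PBKDF2 parameters and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed example credential and a PAP-side credential store; not from
# any real system.
SECRET = b"dial-in-secret"
PAP_SALT = os.urandom(16)
PAP_STORED_HASH = hashlib.pbkdf2_hmac("sha256", SECRET, PAP_SALT, 100_000)


def pap_request(username: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (RFC 1334) as it crosses the link: the peer
    simply sends the password. Anyone who can read the link (or the
    unprotected RADIUS leg behind the access server) learns it."""
    return b"PAP " + username + b" " + password


def pap_verify(password: bytes, salt: bytes, stored_hash: bytes) -> bool:
    """Because PAP delivers the password itself, the server needs to keep only
    a salted, slow hash of it (PBKDF2-HMAC-SHA256 here, an assumption)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
    return hmac.compare_digest(candidate, stored_hash)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(ident: int, stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """The server recomputes the hash, so it must hold the secret in a form
    from which the plaintext is recoverable (the trade-off against PAP)."""
    return hmac.compare_digest(chap_response(ident, stored_secret, challenge), response)


def chap_exchange(peer_secret: bytes, server_secret: bytes, ident: int = 1):
    """One challenge/response round. Returns (challenge, response, accepted);
    only the first two cross the link, never the secret itself."""
    challenge = os.urandom(16)
    response = chap_response(ident, peer_secret, challenge)
    return challenge, response, chap_verify(ident, server_secret, challenge, response)


def replay_is_rejected(secret: bytes, ident: int = 1) -> bool:
    """A response captured from one round is useless against the next one,
    provided the server issues a fresh random challenge every time."""
    _, captured_response, _ = chap_exchange(secret, secret, ident)
    fresh_challenge = os.urandom(16)
    return not chap_verify(ident, secret, fresh_challenge, captured_response)
```

The replay check is the property a practitioner should confirm on a real gateway: if a device reuses challenges (or lets the peer pick them), a captured CHAP response is as good as the password.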
VI. Logging and Monitoring
Monitoring (accounting) involves tracking, auditing, and reporting remote
access activity. This is important in order to determine usage patterns,
identify unusual network activity, and measure the effectiveness of the
remote access system. Logging user sessions should be mandatory for all
remote access systems.
Ease of log file administration should be considered, to ensure that the
logging is actually performed and reviewed. It is somewhat uncommon for
companies to outsource the administration and monitoring of the remote
access system, because of the critical business strategy and security issues
that accompany it. Logging can be done at the remote access server, the
authentication server, or the firewall.
Logging at the remote access server:
In this situation the server can log session initiation and termination, as
well as management functions such as the addition or deletion of remote
users.
Logging at the authentication server:
In certain situations significant logging at the remote access server is
inconvenient or impossible. These situations require an authentication server
that can log every transaction. In most instances the organization controls
the use and administration of the authentication server, which usually makes
this easier than relying on the remote access server, which the organization
may or may not control.
Logging at the firewall:
Firewalls can offer significant control and logging for all remote user
sessions. Logging at this layer can provide extensive information about
successful sessions and failed intrusion attempts. In most cases a firewall
generates better log reports and monitoring than a remote access server.
However, using a firewall for logging introduces another level of complexity
to the remote access equation, which many are unwilling to take on.
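Detection logic over remote access server logs, as an added example that is not part of the original paper: it parses session and authentication events and flags three kinds of "unusual network activity" the monitoring section calls for, namely a burst of failures followed by a success for one user and source, a session start outside business hours, and a second concurrent session for a user from a different source address. The log format, host name, user names, addresses (documentation ranges) and thresholds are all constructed for the example; a real remote access server or RADIUS accounting log will need its own parser.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical key=value remote access server
# format (host "ras01", documentation IP ranges); not from any real product.
SAMPLE_LOG = """\
2000-08-14 02:13:05 ras01 event=auth-fail user=bob src=203.0.113.10 reason=bad-password
2000-08-14 02:13:09 ras01 event=auth-fail user=bob src=203.0.113.10 reason=bad-password
2000-08-14 02:13:14 ras01 event=auth-fail user=bob src=203.0.113.10 reason=bad-password
2000-08-14 02:13:20 ras01 event=auth-fail user=bob src=203.0.113.10 reason=bad-password
2000-08-14 02:13:26 ras01 event=auth-fail user=bob src=203.0.113.10 reason=bad-password
2000-08-14 02:13:40 ras01 event=auth-ok user=bob src=203.0.113.10
2000-08-14 02:13:40 ras01 event=session-start user=bob src=203.0.113.10 sid=2002
2000-08-14 08:02:11 ras01 event=auth-ok user=alice src=198.51.100.7
2000-08-14 08:02:11 ras01 event=session-start user=alice src=198.51.100.7 sid=2001
2000-08-14 09:15:00 ras01 event=auth-ok user=bob src=198.51.100.22
2000-08-14 09:15:00 ras01 event=session-start user=bob src=198.51.100.22 sid=2003
2000-08-14 09:40:00 ras01 event=session-stop user=bob sid=2002 bytes_in=1204 bytes_out=88211
2000-08-14 17:05:00 ras01 event=session-stop user=alice sid=2001 bytes_in=9000 bytes_out=12000
2000-08-14 17:30:00 ras01 event=session-stop user=bob sid=2003 bytes_in=500 bytes_out=700
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (.+)$")


def parse_log(text):
    """Turn each line into a dict of fields plus a datetime. Unparseable lines
    are skipped here; a production parser should count them, since dropped
    lines hide activity."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
        fields["ts"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        fields["host"] = m.group(2)
        events.append(fields)
    events.sort(key=lambda e: e["ts"])  # stable sort keeps same-second order
    return events


def find_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag `threshold` or more auth failures for one (user, src) inside
    `window` that are then followed by a success from the same pair."""
    findings, fails = [], defaultdict(list)
    for e in events:
        key = (e.get("user"), e.get("src"))
        if e.get("event") == "auth-fail":
            fails[key] = [t for t in fails[key] if e["ts"] - t <= window] + [e["ts"]]
        elif e.get("event") == "auth-ok":
            recent = [t for t in fails[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                findings.append({"type": "bruteforce-then-success", "user": key[0],
                                 "src": key[1], "failures": len(recent), "at": e["ts"]})
            fails[key] = []
    return findings


def find_off_hours(events, start_hour=7, end_hour=19):
    """Session starts outside the assumed 07:00-19:00 business window."""
    return [{"type": "off-hours-logon", "user": e.get("user"), "src": e.get("src"), "at": e["ts"]}
            for e in events
            if e.get("event") == "session-start" and not (start_hour <= e["ts"].hour < end_hour)]


def find_concurrent_sessions(events):
    """A session start for a user who already has an open session from a
    different source address: a shared or stolen credential indicator."""
    findings, open_sessions = [], {}  # sid -> (user, src)
    for e in events:
        if e.get("event") == "session-start":
            for sid, (user, src) in open_sessions.items():
                if user == e.get("user") and src != e.get("src"):
                    findings.append({"type": "concurrent-different-source", "user": user,
                                     "existing": (sid, src), "new": (e.get("sid"), e.get("src")),
                                     "at": e["ts"]})
            open_sessions[e.get("sid")] = (e.get("user"), e.get("src"))
        elif e.get("event") == "session-stop":
            open_sessions.pop(e.get("sid"), None)
    return findings


def analyze(text):
    events = parse_log(text)
    return {"bruteforce": find_bruteforce(events),
            "off_hours": find_off_hours(events),
            "concurrent": find_concurrent_sessions(events)}


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

On the constructed sample all three rules fire on user bob: five bad passwords in 21 seconds and then a success at 02:13, a logon at that hour, and a second session from another address while the first is still open. Logging at the authentication server rather than the access server, as the text recommends when the access server is not under your control, gives you the auth-fail and auth-ok lines; the session-start and session-stop lines come from the access server or from accounting records.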
This paper has provided a brief introduction to the world of remote access
security. Obviously there are many topics beyond the scope of this paper that
must be addressed to fully understand the complexities involved in providing
reliable and secure remote access. The increasing need for remote access by
employees will continue to fuel the necessity for advanced security systems.
As remote access technologies begin to offer more advanced applications, such
as high-speed wireless, administrators will have to tailor their security
systems and access policies to these new applications.