Security pages‎ > ‎

Remote Access Facts

Remote access (RAS) refers to communication with a remote host through a dial-up (and recently, a wireless) connection. Typically, clients connect to a remote access server to gain access to remote resources or a remote network. The necessary functions of a RAS solution are two-fold:

  1. Establish a solid connection
  2. Authenticate the user

The two main protocols that have been used to establish a dial-up connection are:

Protocol Description
The Serial Line Interface Protocol (SLIP) SLIP is an older remote access protocol used to establish a remote connection. SLIP was implemented on UNIX dial-in servers to connect to a TCP/IP network through phone lines. It did not support encryption or the use of DHCP to automatically assign client IP addresses. For this reason, the following transmission parameters usually had to be configured manually:
  • IP addresses
  • Data compression
  • Maximum transmission unit (MTU)
  • Maximum receive unit (MRU)
Point-to-Point Protocol (PPP) PPP was designed as a replacement for SLIP. It is now the most widely-used protocol service for establishing connections. Some important things to know about PPP are:
  • It is a wide area network protocol that allows any system to contact another system through a serial link with a direct serial connection or through a modem.
  • It can negotiate communication parameters including IP addressing, compression, and encryption.
  • It supports multiple protocol suites through Network Control Programs (NCP) such as TCP/IP, IPX/SPX, and AppleTalk. 

After a connection has been established, authentication credentials are submitted to the authentication server by the network access server (NAS). The authentication server then validates or denies the credentials. When using dial-up connections, implement the following protocols to authenticate users.

Protocol Characteristics
Password Authentication Protocol (PAP) The Password Authentication Protocol (PAP) is the weakest form of authentication.
  • The username and password are sent in clear text for authentication.
  • The password can be easily intercepted through packet sniffing and viewed with a simple traffic analyzer.
  • Use only when no other form of authentication is supported.
  • PAP protocols are supported by multiple platforms, including Microsoft and Linux.
Shiva Password Authentication Protocol (SPAP) The Shiva Password Authentication Protocol (SPAP) is used to connect to a Shiva LAN Rover.
  • The password used for authentication is encrypted.
  • Password encryption is easily reversible.
Challenge Handshake Authentication Protocol (CHAP) Challenge Handshake Authentication Protocol (CHAP) encrypts both the password and the username. CHAP:
  • Uses a three-way handshake (challenge/response).
  • Periodically verifies the identity of a peer using a three-way handshake.
  • CHAP is the only remote access authentication protocol that periodically and transparently re-authenticates during a logon session by default.
  • Uses MD-5 hashing of the shared secret for authentication.
Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1) Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1) is Microsoft's implementation of CHAP.
  • MS-CHAP v1 uses a three-way handshake (challenge/response).
  • The server authenticates the client (the client cannot authenticate the server).
  • The secret used for authentication is encrypted.
Microsoft Challenge Handshake Authentication Protocol version2 (MS-CHAP v2) Similar to MS-CHAP v1, MS-CHAP v2, uses a challenge/response mechanism for authentication. MS-CHAP v2 allows both the client and the server to authenticate each other (mutual authentication).
Extensible Authentication Protocol (EAP) Extensible Authentication Protocol (EAP) is a set of interface standards that allows you to use various authentication methods.
  • EAP supports multiple authentication methods (smartcards, biometrics, and digital certificates).
  • Using EAP, the client and server negotiate the characteristics of authentication.
  • EAP is an extension of the Point to Point Protocol (PPP).
  • Protocols enabled by EAP are:
    • Transport Layer Security (TLS) is a very strong form of mutual authentication using digital certificates.
    • Tunneled Transport Layer Security (TTLS) allows for a minimum of a digital certificate on the server side and passwords on the client side. This can be upgraded to having digital certificates on both sides.
Protected Extensible Authentication Protocol (PEAP) Protected Extensible Authentication Protocol (PEAP) provides authentication, including passwords, to wireless LAN clients. When using PEAP, select one of the following two options:
  • PEAP-EAP-TLS. This method uses certificates (either on the local system or on a smart card).
  • PEAP-MS-CHAP v2. This method uses certificates on the server, but passwords on the client. Use this method when the client does not have a certificate.
Light-weight Extensible Authentication Protocol (LEAP) Light-weight Extensible Authentication Protocol (LEAP) is a Cisco-proprietary technology. LEAP:
  • Requires a Cisco RADIUS server and Cisco software on the client's side.
  • Requires the minimum of a digital certificate on the server side and passwords and Cisco drivers on the client side. This can be upgraded to having digital certificates on both sides.

Additional features that can be used with remote access to reduce cost and improve performance are:

Feature Description
Caller ID With caller ID, the remote access server uses caller ID to verify the phone number of the remote access client. With caller ID, the server can allow access only to approved calling numbers.
Callback With callback, the remote access clients connects briefly to the remote access server and authenticates. The call is then terminated, and the server calls the client back to establish the remote session. The server can use the following criteria in calling back the client:
  • The server calls back to a specific number provided by the client.
  • The server calls back to the number used by the client to dial in (requires caller ID).
Callback can be used to increase security or to reduce long-distance charges for remote clients.