This lesson will cover remote access and how to better secure data transmissions. Remote access methods describe how a client connects to the local area network (LAN) remotely. In order for the client to access the LAN, they have to be authenticated through a remote access server.
Network protection is a topic that is directly associated with remote access. Remote access also involves connecting over wireless networks, so this lesson will also touch on different wireless protocols used to secure data.
By the end of this lesson, you will be able to:
- Describe the encryption and tunneling protocols related to remote access security.
- Explain the different type of network security appliances and methods.
- Identify and select appropriate wireless security measures.
Types of Tunneling and Encryption
Tunneling involves using protocols to encapsulate or encrypt data packets so that will pass through the Internet in a secure fashion. Think of encapsulation and tunneling like peas in a pod. The peas are the data packets (unencrypted) and the pod encapsulates or encrypts the peas so they cannot be seen. Review the following types of tunneling and encryption.
1. A Virtual Private Network (VPN) enables secure remote access between distant network nodes. This secure data transmission between end points of a VPN connection is made available through a process called “Tunneling.” When establishing a VPN connection, the connection can be classified as Site-to-Site or Client-to-Site. Site-to-Site VPN connects multiple wide area network (WAN) sites. Note: VPN tunneling operates at Layer 2 of the OSI model.
For instance, if a company’s WAN link between locations in New York, Los Angeles and Chicago, then it is consider Site-to-Site.
Data transmitted between these locations are encrypted by a VPN gateway at each site; all hosts at each site have their data encrypted by their respective VPN Gateway.
Client-to-Site VPN connects a remote host, to a site VPN gateway. In order to establish a Client-to-Site VPN connection, the client (or remote host) must have VPN software installed, that is configured to communicate with the site VPN gateway.
2. Point-to-Point Tunneling Protocol (PPTP) is a Microsoft protocol used to encrypt data. Both client and the VPN Gateway or RRAS communicate using PPTP which operates over TCP port 1723. This protocol can be used by various platforms such as Unix, Linux, Windows, and Apple, to connect to a Virtual Private network.
3. Layer 2 Tunneling Protocol (L2TP) is an encryption protocol that is vendor (Cisco, Juniper, etc.) independent. It is more secure and preferred over Point-to-Point Tunneling Protocol (PPTP).
L2TP uses Internet Protocol Security (IPSec) to encrypt data over UDP port 1701. IPSec like the Public Key Infrastructure discussed earlier, use keys to determine authentication. IPSec uses Internet Key Exchange (IKE) to process authentication keys and establish session between nodes. Note: IPSec operates at Layer 3 of the OSI Model.
The Internet Security Association and Key Management Protocol (ISAKMP) verify the identity and encryption method nodes will use for transmitting data to one another. After shared keys and encryption methods are agreed upon, IPSec uses the Encapsulation Payload Protocol (ESP) to encrypt data payload through the use of public keys.
4. Secure Socket Layer (SLL) offers a secure connection, but the main benefit is that no configuration is needed on the client. Unlike with IPSec which requires software to be configured on the client, SSL VPN is more simplified to configure. SSL VPN operates over port 443 which is usually open on a corporate firewall.
There are various ways in which VPN’s encrypt traffic including using Secure Socket Layer (SLL). A handshake protocol is when a client initiates a SSL connection with another node (i.e. VPN Gateway) by sending a “client hello” message. This message contains data that will tell the router or VPN Gateway how to negotiate a common encryption method.
The VPN Gateway responds with a “server hello” message that confirms client information and agrees to negotiated encryption method. Once this process is complete the client and server (VPN Gateway) can exchange data.
5. Transport Layer Security (TSL) is an improvement over Secure Socket Layer (SSL). TSL addresses some of the known SSL vulnerabilities as it is an encryption and data integrity protocol operating at Layer 4 (Transport) Layer of the OSI model. TLS 1.2 is the latest version of the protocol which improves upon TLS 1.0 and TLS 1.1.
Here is a high level example (Figure 1) of how a remote host can connect to an internal corporate network which can be referred to when reviewing the types of remote access solutions: Remote Access Service (RAS), Point-to-Point over Ethernet (PPPoE), Remote Desktop Protocol (RDP), Independent Computing Architecture (ICA), and Secure Shell (SSH).
Figure 1 Remote Access – High Level Example
1. Remote Access Service (RAS) and the more comprehensive RRAS are remote access packages provided by Microsoft. The server that either RAS or RRAS is running on manages the remote connections. RAS is commonly associated with PSTN’s and older versions of the Microsoft Operating Systems such as Windows 95 to Windows 2000. RRAS is associated with newer Microsoft Operating Systems, post Windows 2000, and can be used on other transmission paths other than PSTN’s such as DSL and Cable T1. RRAS can also be configured to function as a router, redirecting inbound data packets to destination network segments.
2. Point-to-Point over Ethernet (PPPoE) is used to provide security features found in PPP, over an Ethernet connection. This protocol came about after Internet customer’s made the switch from Dial-up, to DSL and cable connections. PPPoE encapsulates PPP data frames inside of Ethernet data frames.
Point to Point Protocol (PPP) replaced the less functional Serial Line Internet Protocol (SLIP).
3. Remote Desktop Protocol (RDP) enables a user to control a PC or server from a remote system or workstation. RDP can be run from a workstation-based mode or server-based mode, through the use of terminal services. The server-based mode is highly scalable and manages the remote sessions of all connected users. RDP is an Application Layer Protocol.
4. Independent Computing Architecture (ICA) is software developed by Citrix that allows clients to connect to a remote access server. This Remote Access Server presents a workstation or server view of a remote system. ICA Citrix and Remote Desktop offer similar functionality.
5. Secure Shell (SSH) is an improvement over TELNET and both are used to provide a remote connection to a host. SSH encrypts both authentication data (username and password) and data transmitted during the session. SSH is very common in Unix/Linux environments.
Network Intrusion & Protection
An Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) are network security appliances that can be host-based, network-based or a combination of both.
IDSs and IPSs have to be configured and tuned to function correctly. When going through the tuning process there will be a lot of “False Positives,” which means the system is alerting to an issue when there is none. This aspect of IDSs frustrates some Network Administrators and they will tend to not go through this configuration or tuning process, because they want the alerts to stop.
By not going through the proper steps, growing pains, Network Administrators are reducing the effectiveness of this network security tool and allowing potential vulnerabilities to be exposed.
Host-based Intrusion Detection System (IDS) is security software installed on a standalone host that has a direct connection to the Internet. The protection only applies to the machine the software is installed on. Network-based IDSs are installed on the perimeter network and monitor all data traffic for known security patterns and trends.
Known security patterns are defined as “signatures.” Signature based IDSs function a lot like anti-virus software. A network administrator has to keep updating the IDS to stay current. If a new signature or pattern comes out and the IDS does not have that new updated signature, then the IDS will not detect it.
Alternatively behavior based IDSs create a baseline from “normal” activity on a network and when that baseline is exceeded, it either alerts the network administrator or tries to mitigate or correct the behavior.
An Intrusion Prevention Systems (IPS) is an extension of Intrusion Detection System (IDS). IDSs are commonly referred to as passive, while IPSs are referred to as active.
When either a known signature is found in data packets or the baseline is exceeded, the IPS will initiate steps to correct it. An easy way to remember the difference in these two intrusion detection systems is that IPS actually does something to fix an issue and IDS just alerts to an issue.
Network Security Traps
A honeypot is a computer host that has been set up to attract hackers to learn what tactics they are using to infiltrate a network. It monitors their movements and gives a network administrator insight to where future attacks may come from.
Multiple honeypots are referred to as a honeynet. Just like honey bees are attracted to the queen bee, the idea of the honeypot is to attract the hackers to something they want – a vulnerable system.
A Network Mapper (Nmap) creates a map by identifying the host and services found on a computer. This scanner runs scripts to identify security concerns and the service detection.
Another tool, Nessus, is a more in-depth tool than NMAP. It is referred to as a penetration-testing tool because it can reveal security flaws within a network. It is held as one of the most popular vulnerability scanner tools on the market.
Remote network access introduced more security measures to protect data transmissions. You should now be familiar with the various remote access solutions and their methods. Network security is further enhanced with tunneling protocols and access control list.